Security Podcast topic: typical day's tasks?

Proposed topic: for the less technical curious listeners: what are the tasks you do on a typical day?

  • writing code?
  • implementing patches?
  • researching?

All/none of the above? Never a typical day?

This is a timely question - Joe and I discuss this in this week's episode of the Ubuntu Security Podcast - https://ubuntusecuritypodcast.org/episode-57/

To expand a bit on what is discussed in that podcast episode: there are various tasks that need performing every day - CVE Triage for new CVEs for the Ubuntu Security Tracker, Bug Triage, interactions with our community (like this :grinning:) - and there is a rotation schedule for these so that each week a new person does the given task every day for that week.

We also have ongoing work of preparing security updates and then publishing them, performing code reviews as part of the Main Inclusion Review process, maintaining various packages in Ubuntu such as AppArmor, UFW, etc., and the ongoing maintenance and development of AppArmor as an upstream project too. We are also quite heavily involved in the security aspects of snaps and so spend time designing and implementing security policies and interfaces for snaps, reviewing new snaps uploaded to the snap store, and advising developers on the best ways to construct their snap applications to meet the needs of strict confinement via the snapcraft forum.

Finally, we also look after the security certifications for Ubuntu as well, which involves working with customers and certification bodies to certify the different Ubuntu releases against FIPS, Common Criteria, etc., and to develop the DISA STIG and CIS benchmarks for Ubuntu.

For the specific points you ask about, the code we write is generally to support our internal tooling or the various projects we maintain (as listed above). When doing security updates, we do not usually write patches by hand and instead prefer to rely on using official upstream fixes when they are available. Often these will need to be backported to our older LTS or ESM releases though, which involves a certain amount of coding fixes by hand. As part of the MIR process we often uncover security issues in existing projects during the research phase, and so these get reported to their upstream projects so they can be fixed there and then integrated back into Ubuntu so that all Linux and other users can benefit - not just Ubuntu.