OCPNODE-4065: blocked-edges/4.21.0-SigstoreSignatureMirroring: 4.20.12 -> 4.21 risk

[wking]

4.20.13 has the guard baked in, but it didn't make it in time for 4.20.12, and we want all the generally-available paths into 4.21 to be covered. This risk declaration covers the gap, and hopefully 4.21.1 will only include 4.20.13 and newer as update sources (I'm also bumping build-data).

[openshift-ci-robot]

@wking: This pull request references OCPNODE-4065 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.22.0" version, but no target version was set.

Details

In response to this:

4.20.13 has the guard baked in, but it didn't make it in time for 4.20.12, and we want all the generally-available paths into 4.21 to be covered. This risk declaration covers the gap, and hopefully 4.21.1 will only include 4.20.13 and newer as update sources (I'm also bumping build-data).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wking]

4.20.12 cluster that knows it's exposed (build03):

For a cluster that knows it isn't exposed, https://amd64.ocp.releases.ci.openshift.org/ -> 4.20.12 -> aws-ovn-serial-1of2 -> PromeCIeus (with a +0.1 offset, to make the 0 result more visible):

[DavidHurta]

The impact statement states:

Updates from 4.20.(z<13) to 4.21

[wking]

4.20.12 is the only match for 4.20.(z<13) in 4.21.0's update source metadata:

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.21.0-x86_64 | grep Upgrades
  Upgrades: 4.20.12, 4.20.13, 4.21.0-ec.0

due to #8624.

[DavidHurta]

Ooh, got it 🙇 Could we then simplify the statement to just mention that the affected update is 4.20.12 -> 4.21?

[wking]

Works for me. I've updated the OCPNODE-4065 Description section on Which 4.y.z to 4.y'.z' updates increase vulnerability? to start with:

Updates from 4.20.12 to 4.21.0.

Then I include additional text and the earlier release info output quote to explain the assertion of just 4.20.12.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DavidHurta, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [DavidHurta,wking]
• build-suggestions/OWNERS [DavidHurta,wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@wking: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.