stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat(concelier): multi-sprint batch (mirror domain + advisory sources + durable runtime + credentials)

Browse Source 
Bundled commit covering pre-session work from multiple Concelier sprints
already archived or in-flight:
- SPRINT_20260419_006: mirror domain / source key validation
- SPRINT_20260419_029 / 030: durable jobs orchestrator runtime + endpoint verification
- SPRINT_20260421_001: advisory source projection truthful counts
- SPRINT_20260421_002: FE advisory source consistency (connector-side bits)
- SPRINT_20260421_003: advisory connector runtime alignment
- SPRINT_20260422_003: source credential entry paths (in-flight)

Includes connector internals (ACSC / Adobe / CERT-BUND / Chromium / Cisco /
CVE-KEV / GHSA / JVN / KISA / MSRC / Oracle / Ubuntu), source management
endpoints, mirror domain management, federation endpoints, topology setup,
job registration, and associated dossier updates under
docs/modules/concelier/.

This commit groups ~229 file changes that accumulated across the above
sprints; individual changes are preserved at file granularity so blame
remains useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-22 16:05:53 +03:00
parent 99a5ae923a
commit 607ce619fe
247 changed files with 15404 additions and 1304 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
docs/modules/concelier/operations/connectors/ubuntu.md
View File

@@ -1,9 +1,11 @@
# Concelier Ubuntu USN Connector - Operations Runbook
_Last updated: 2026-01-16_
_Last updated: 2026-04-21_
## 1. Overview
The Ubuntu connector ingests Ubuntu Security Notices (USN) and maps advisories to Ubuntu package versions.
The Concelier Ubuntu connector ingests Ubuntu Security Notices (USN) and maps advisories to Ubuntu package versions.
The same public notice feed also backs the default Excititor VEX mirror bootstrap. Ubuntu does not currently publish native CSAF for this path, so Excititor synthesizes deterministic CSAF documents from the notice JSON while preserving the upstream source URI in metadata.
## 2. Authentication
- No authentication required for public feeds.
@@ -19,8 +21,23 @@ concelier:
requestDelay: "00:00:00"
```
## 4. Offline and air-gapped deployments
- Mirror USN feeds into the Offline Kit and repoint `baseUri` to the mirror.
## 4. Excititor default public VEX bootstrap
- Index URI: `https://ubuntu.com/security/notices.json`
- Notice detail base URI: `https://ubuntu.com/security/notices/`
- Default page size: `20`
- Default max notices per fetch: `60`
- Default resume overlap: `3.00:00:00`
## 5. Common failure modes
Operational guidance:
- Keep the small page size and bounded fetch count unless Canonical publishes a stronger bulk-ingest contract. This avoids burst-fetching the full notice history during mirror bootstrap.
- Keep the resume overlap enabled so the mirror rechecks recently updated notices without needing a full backfill.
- Mirror both the paged `notices.json` index responses and the per-notice `USN-xxxx-x.json` documents for offline kits.
## 5. Offline and air-gapped deployments
- Mirror USN feeds into the Offline Kit and repoint `baseUri` to the mirror for advisory ingestion.
- For Excititor mirror bootstrap, mirror the `notices.json` index plus the per-notice JSON documents under the same path layout so synthesized CSAF documents remain deterministic.
## 6. Common failure modes
- USN schema updates or missing release references.
- Per-notice JSON documents lagging behind the index update window.
- Overly aggressive page sizes or fetch counts causing avoidable upstream pressure during first-run bootstrap.