Ubuntu Core Dev application for Jamie Strandboge

Jamie Strandboge jamie at canonical.com
Thu Apr 10 22:23:03 BST 2008


Please consider this my application to become an Ubuntu Core Developer.


Background
----------
I am Jamie Strandboge and an Ubuntu Security Engineer. I have been
working for Canonical since September 2007, and I have been a MOTU since
Dec 2007. For more on who I am and my contributions, please see:

http://behindmotu.wordpress.com/2008/01/14/jamie-strandboge/
https://wiki.ubuntu.com/JamieStrandboge

As an Ubuntu Security Engineer, my primary focus is providing security
updates for packages in main. I also sponsor universe updates and mentor
those providing security updates. Listed below are some highlights of
the contributions I've made so far.


Security
--------
I've already uploaded many packages for Ubuntu's stable and development
releases through security updates. Notable updates include:

http://www.ubuntu.com/usn/usn-588-1 (mysql)
http://www.ubuntu.com/usn/usn-540-1 (flac)
http://www.ubuntu.com/usn/usn-529-1 (tk)

The MySQL update was very difficult, as upstream makes many changes to
their codebase in their stable 5.0 series. Two CVEs in particular stand
out: CVE-2007-2692 and CVE-2007-6303. No other major distribution at the
time of this writing has fixes for these CVEs for MySQL versions below
5.0.45 (many distributions forced their users to upgrade from an earlier
version to 5.0.45, but in reviewing the code and changes, this update
did not meet the criteria for a MicroVersionUpdate). The update went
through an SRU-style procedure and packages were uploaded to -proposed
first[1]. The update did have a corner-case regression on Dapper for one
user, due to the patch for CVE-2007-2692 exposing an upstream bug. This
regression was promptly fixed.

The flac update was extensive and difficult as the delta between
upstream's fixed version and Ubuntu's version was significant. Comparing
Ubuntu's patches against other distributions revealed that our patches
are the most complete of any distribution.

The tk update on the surface seemed a simple fix for tk8.4. Analysis
revealed that all versions of tk8.3 were also affected by a similar but
different bug (and it received a new CVE).

In addition to providing updates, I also help out with testing of other
developers' security updates, such as Kees Cook's excellent PCRE
update[2], and Alexander Sack's Firefox updates. I've also done a lot of
bug triage and help maintain, improve and update the Ubuntu CVE
Tracker[3].


Packages
--------
I am author and maintainer of ufw[4] and auth-client-config[5] (both in
main). ufw is the default firewall application for Ubuntu Hardy, and
auth-client-config is a PAM/NSS profile switcher.


AppArmor
--------
I developed the strategy for migrating complain mode apparmor profiles
from the universe apparmor-profiles package to an enforcing profile
shipped with the package that apparmor protects[6]. I developed/updated
apparmor profiles that are now included in mysql-server-5.0, bind9 and
slapd. Part of this work included patching apparmor to support a Debian
Policy compliant way to toggle complain mode in apparmor profiles.


Quality Assurance
-----------------
I have contributed significantly to QA Regression Testing[7] scripts and
documentation. I wrote several new tests, including test-openldap.py and
test-cupsys.py, as well as made additions and improvements to various
other scripts. I strive to be very thorough in my testing, some of which
can be seen in the documentation on testing in QA Regression Testing.


My Sponsors
-----------
My primary sponsors are:

Kees Cook (keescook)
Soren Hansen (soren)
Chuck Short (zul)

Others who have reviewed, uploaded and/or integrated my work:

Mathias Gug (mathiaz)
Martin Pitt (pitti)
Lamont Jones (lamont)
Steve Langasek (slangasek)


In Summary
----------
I am applying for ubuntu-core-dev so that I can better support Ubuntu. I
have made many contributions so far, and have also participated in
various aspects of the Ubuntu release cycle, including MIRs, FFEs, SRUs,
MicroVersionUpdates, and merges.  I've learned a lot since joining the
Ubuntu community (I am never afraid to ask questions), and want to thank
everyone who provided sponsorship, guidance and feedback thus far. I
look forward to answering any questions you may have.

Thank you for your consideration, and have a great day!

Jamie Strandboge

[1] https://bugs.launchpad.net/ubuntu/+source/mysql-dfsg-5.0/+bug/201009
[2] http://www.ubuntu.com/usn/usn-547-1
[3] https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
[4] https://wiki.ubuntu.com/UbuntuFirewall
[5] https://launchpad.net/auth-client-config/
[6] https://wiki.ubuntu.com/ApparmorProfileMigration
[7] https://code.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master

--
Jamie Strandboge          | Ubuntu Security Engineer
IRC:  jdstrand            | http://www.ubuntu.com/