Process for providing security updates for chromium-browser
Rick Spencer
rick.spencer at canonical.com
Wed Aug 18 14:46:44 BST 2010
On Wed, 2010-08-18 at 13:38 +0100, Chris Coulson wrote:
> Hi,
>
> I'm currently working on trying to get Chromium into main for Maverick,
> and part of that involves ensuring we have an efficient means to provide
> security updates for users. My understanding of what happens currently
> is (I'm not directly involved with supporting Chromium just yet):
>
> 1) Upstream provides a security update on the stable branch
> 2) We build this in the security PPA
> 3) This is pocket copied to *-proposed, where it sits for the usual 7
> day maturing period
> 4) It gets copied to *-security
>
> The issue with this process is that we are leaving users exposed to
> publicly disclosed vulnerabilities for 7 days. In addition to this,
> upstream are very keen on us being able to ship security updates in a
> more timely fashion.
>
> The process we use for updating Firefox and Thunderbird is different to
> this, in that we skip *-proposed (i.e., we build in the security PPA and
> then copy the update to *-security after we've tested it).
>
> I would like permission to use a similar process for Chromium too.
Leaving users exposed to known exploits for a week while the updates are
in proposed does not seem acceptable to me.
The only other options that I see are to either not have it in any of
our repos and make users get it directly from Google, or have it in our
repos, but provide a system whereby Google update the browser directly
outside of our update-manager system.
I think the proposed solution (some testing and using security) is
better than either of those.
Cheers, Rick