Process for providing security updates for chromium-browser

Chris Coulson chris.coulson at canonical.com
Wed Aug 18 19:12:15 BST 2010


On Wed, 2010-08-18 at 14:09 +0100, Mark Shuttleworth wrote:
> On 18/08/10 13:38, Chris Coulson wrote:
> > The issue with this process is that we are leaving users exposed to
> > publicly disclosed vulnerabilities for 7 days. In addition to this,
> > upstream are very keen on us being able to ship security updates in a
> > more timely fashion.
> >
> > The process we use for updating Firefox and Thunderbird is different to
> > this, in that we skip *-proposed (i.e., we build in the security PPA and
> > then copy the update to *-security after we've tested it).
> >
> > I would like permission to use a similar process for Chromium too.
> 
> This is fine for me. Is upstream willing to pre-disclose fixes of
> potential issues, so we can get a head start on testing?
> 
This is something Jamie is trying to resolve at the moment. We should be
able to get release notifications to enable us to prepare and test
builds, although I don't think we would actually have access to details
about specific security issues until after release.

> > 2) The updates to the Chromium stable branch are purely for security
> > fixes, with features only appearing in new major versions (every 6
> > weeks). Mozilla tend to mix new features and other bug fixes into their
> > regular security updates (e.g., introducing out-of-process plugins into
> > the 3.6.4 update, which was quite a major feature addition for a regular
> > security update)
> 
> Chromium sounds better aligned to the way we like things, in this case.
> 
> Mark

Regards,
Chris