Process for providing security updates for chromium-browser

Kees Cook kees.cook at canonical.com
Fri Aug 27 00:33:36 BST 2010


Hi,

On Wed, Aug 18, 2010 at 07:54:03PM +0100, Chris Coulson wrote:
> On Wed, 2010-08-18 at 19:21 +0200, Martin Pitt wrote:
> > Chris Coulson [2010-08-18 13:38 +0100]:
> > > - The stable branch receives updates for security fixes at a frequency
> > > of approximately every 10 - 14 days (this is based on the current upload
> > > pattern for Chromium). 
> > > - The time between fixing a security issue in stable and then releasing
> > > it to the stable channel is typically less than 1 day (this is the
> > > window in which we need to prepare and test the Ubuntu builds). 
> > > - New "major" versions are released to the stable channel approximately
> > > every 6 weeks. The purpose of these new major versions is to allow new
> > > features to trickle in to stable from the beta channel without users
> > > having to wait several months for a new version. 
> > > - Once a new stable version is released, support for the previous one is
> > > ended immediately.
> > 
> > With a release cycle like this, I think we need to ask ourselves what
> > benefit we can still provide by offering it as an Ubuntu package? It
> > seems that the only sensible thing we could do under those conditions
> > is to keep up with packaging, building, and publishing new versions
> > without having any time for sensible testing, and we already
> > discussed that we can't provide much testing in the first place.
> > 
> > Unlike almost all of our other packages (i.e. all except Firefox), we
> > can't sensibly support any given version as part of a stable release
> > anyway, so at the moment you release, people will have an outdated
> > browser and will need to update.
> > 
> > Under these conditions, IMHO they could just as well download the
> > entire thing straight from Google. It's no different bandwidth-wise
> > and QA-wise, and it's also in line with what Google actually wants us
> > to do (based on UDS discussions with them).
> > 
> > So I agree with Rick's proposal to just provide an installer for it,
> > much like we distribute the flash plugin.
> 
> I might be wrong here, but I think Google only distribute their own
> binaries for Chrome. I don't think they distribute official builds of
> Chromium, which means that we either need to build and distribute it
> ourselves or provide an installer for Chrome instead.

Right, we do not want to just be running the Google builds. They would lack
at least all the security hardening features in the Ubuntu compiler, etc.
If they built versions using Ubuntu's compiler, then maybe it would work,
but would they be willing to do the QA for all our prior stable releases? I
would assume not. :)

-Kees

-- 
Kees Cook
Ubuntu Security Team
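Kees's objection to shipping Google's binaries rests on the hardening the Ubuntu toolchain turns on by default (PIE, non-executable stack, RELRO with BIND_NOW, the stack protector, FORTIFY_SOURCE). The checker below is an added example, not code from this thread or from the Ubuntu project: it reads the ELF program headers and dynamic section of a binary directly and reports which of those properties are present, so the same build can be compared with or without the distro compiler flags. The `build_minimal_elf` helper constructs a header-only ELF64 image purely so the checker can be exercised offline; the function names and the flag set are this example's own choices.

```python
"""Report toolchain hardening properties of an ELF binary (added example)."""
import struct
import sys

# ELF constants (from the System V ABI and the GNU extensions).
ET_DYN = 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    return None


def elf_hardening(data: bytes) -> dict:
    """Return a dict of hardening properties for the ELF image in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(endian + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        ph_fmt = endian + "IIQQQQQQ"   # type, flags, offset, vaddr, paddr, filesz, memsz, align
    else:
        e_phoff, = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        ph_fmt = endian + "IIIIIIII"   # type, offset, vaddr, paddr, filesz, memsz, flags, align

    # Without PT_GNU_STACK the loader assumes an executable stack, so nx defaults to False.
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": False, "bind_now": False,
              "canary": False, "fortify": False}
    loads, dyn = [], None
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if is64:
            p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = fields
        else:
            p_type, p_offset, p_vaddr, _, p_filesz, _, p_flags, _ = fields
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)

    if dyn is not None:
        # Walk the dynamic section for BIND_NOW and the string table.
        dyn_fmt, entsize = (endian + "qQ", 16) if is64 else (endian + "iI", 8)
        off, end = dyn[0], dyn[0] + dyn[1]
        tags = {}
        while off + entsize <= end:
            d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
            if d_tag == DT_NULL:
                break
            tags.setdefault(d_tag, d_val)
            off += entsize
        result["bind_now"] = (DT_BIND_NOW in tags
                              or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                              or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
        if DT_STRTAB in tags and DT_STRSZ in tags:
            start = _vaddr_to_offset(loads, tags[DT_STRTAB])
            if start is not None:
                names = data[start:start + tags[DT_STRSZ]].split(b"\0")
                # The stack protector and FORTIFY_SOURCE show up as imported libc symbols.
                result["canary"] = b"__stack_chk_fail" in names
                result["fortify"] = any(n.startswith(b"__") and n.endswith(b"_chk") for n in names)
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_minimal_elf(pie=True, nx=True, relro=True) -> bytes:
    """Constructed header-only ELF64 image used to exercise the checker offline."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0,
                                 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return header + b"".join(phdrs)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, elf_hardening(f.read()))
```

Run it against a distro build and a vendor build of the same program (`python3 elfcheck.py /usr/lib/chromium-browser/chromium-browser`) and the differences in `pie`, `full_relro`, `canary` and `fortify` are exactly the hardening that would be lost by shipping the upstream binaries unchanged.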
