New Process Review: Post App Release Process
Kees Cook
kees at ubuntu.com
Thu Jul 15 21:46:07 BST 2010
Hi Jono,

On Fri, Jul 02, 2010 at 01:14:36PM -0700, Jono Bacon wrote:
> https://wiki.ubuntu.com/PostReleaseApps/Process

"slow and complex and unapproachable": I don't agree with this. Is there a
better way to say both "the process is complex" and "upstreams are
sometimes late" at the same time without it sounding bad for either us or
them? Maybe just drop "slow and unapproachable"?

"only applies to new applications and not to existing software that is
present in Ubuntu archives such as main/universe": if there is no way for
upstreams to do major version bumps of software (generally disallowed by
SRU), then what motivation is left for authors to get their software into
the core archive?

"No other software can depend on the application being submitted": this
would encourage library bundling, wouldn't it? That doesn't seem like the
best idea to me.

"and not content, documentation or media": perhaps reword as "and not
stand-alone content, documentation..." to avoid confusion over game data
packages.

Under "Assessment", do we want to explicitly state things like "does not
perform malicious actions" or create any additional policy like that?

How is the addition to the software center actually managed? If it just
adds the PPA, this will not be okay. Anyone could get an ARB that is
accepted and then just fill their PPA with whatever they wanted. Will apt
be able to filter just the approved packages from their PPA? (Or will
there be a separate PPA that packages are syncSourced to?)
Thanks,
-Kees
--
Kees Cook
Ubuntu Security Team
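The last point in the message asks whether apt can restrict a PPA to just its approved packages. One mechanism that exists for that is apt_preferences(5) pinning: a catch-all stanza that pins everything from the PPA's origin to priority -1 (never install), followed by one stanza per approved package that restores a normal priority. The shell function below generates such a preferences file. It is an added illustration for this thread, not part of Kees's message or of the ARB process page, and it assumes the Launchpad convention that a PPA's Release file carries `Origin: LP-PPA-<owner>-<ppaname>`; the origin and package names in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Emit an apt_preferences(5) stanza set that denies every package from a
# given PPA origin except an explicit allowlist of approved package names.
#
# Arguments: <origin-label> <approved-package>...
# Output:    preferences text on stdout, suitable for /etc/apt/preferences.d/
ppa_allowlist_prefs() {
  origin="$1"
  shift

  # Deny-by-default: priority -1 means apt will never install any version
  # of any package whose only source is this origin.
  printf 'Package: *\nPin: release o=%s\nPin-Priority: -1\n\n' "$origin"

  # Re-enable each approved package at the default priority (500), so it
  # is installable from the PPA while everything else stays blocked.
  for pkg in "$@"; do
    printf 'Package: %s\nPin: release o=%s\nPin-Priority: 500\n\n' \
      "$pkg" "$origin"
  done
}

# Usage (placeholder origin and package names, assumed for illustration):
#   ppa_allowlist_prefs LP-PPA-example-owner-arb example-app \
#     > /etc/apt/preferences.d/arb-example-app
# Verify the effective priorities afterwards with: apt-cache policy
```

Two caveats matter for the concern raised above. First, the pin is by package name, not by reviewed content: the PPA owner can still upload a new version under an approved name, so pinning limits scope but does not replace review of updates. Second, the -1 rule also blocks any dependency the approved package pulls only from the PPA, so every such dependency has to be listed explicitly or the install will fail, which is a useful forcing function against the library-bundling problem mentioned earlier.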
More information about the technical-board mailing list