New Process Review: Post App Release Process

Kees Cook kees at ubuntu.com
Tue Jul 20 21:19:44 BST 2010


On Tue, Jul 20, 2010 at 02:44:26AM -0700, Jono Bacon wrote:
> On Thu, 2010-07-15 at 13:46 -0700, Kees Cook wrote:
> > On Fri, Jul 02, 2010 at 01:14:36PM -0700, Jono Bacon wrote:
> > >     https://wiki.ubuntu.com/PostReleaseApps/Process
> > 
> > "slow and complex and unapproachable":  I don't agree with this. Is there a
> > better way to say both "the process is complex" and "upstreams are
> > sometimes late" at the same time without it sounding bad for either us or
> > them? Maybe just drop "slow and unapproachable"?
> 
> I changed this to "The current Ubuntu process for getting an application
> into an Ubuntu archive is not optimized for application authors". Do you
> feel this is more appropriate?

I like it better and I don't have a better suggestion at the moment. :)

> > "only applies to new applications and not to existing software that is
> > present in Ubuntu archives such as main/universe": if there is no way for
> > upstreams to do major version bumps of software (generally disallowed by
> > SRU), then what motivation is left for authors to get their software into
> > the core archive?
> 
> We generally believe that getting content in the archive is a fairly
> inaccessible process for application authors. It is intended for those
> who want to perform serious integration work in Ubuntu. The problem is
> that this is blocking application authors getting their apps in Ubuntu.
> 
> I don't believe this process will stop app authors wanting content in
> the archive; if an Ubuntu developer is willing to do this work, I am
> sure an app author will welcome it. This process resolves the issue of
> if they don't know an Ubuntu developer who can do this work - this will
> still provide an on-ramp for providing visibility for their app in the
> software center, but setting appropriate expectations.

Hm, the tech doc (you link to below) actually discusses both of these
areas. Updates are discussed (it sounds like the idea is to allow endless
version updates as long as they're QA tested), and the other issue is
mentioned as a "risk". It still seems to me like making software available
by default that isn't in the archive just means that we've lowered the
technical bar for software to be available in Ubuntu. I'm presently
unconvinced of this being a good thing, though I do recognize the benefit
of making more software available.

> > "No other software can depend on the application being submitted": this
> > would encourage library bundling, wouldn't it? That doesn't seem like the
> > best idea to me.
> 
> What this means is that the app being submitted cannot be a dependency
> (such as a library).

Right, so, it sounds like applications might attempt to include their own
copies of libraries that they need. I think this will lead to bloat and
lack of security updates. Would it be possible to disallow the use of
embedded libraries in submitted applications?

> > "and not content, documentation or media": perhaps reword as "and not
> > stand-alone content, documentation..." to avoid confusion over game data
> > packages.
> 
> Thanks for this. I fixed this in the process. It now says "only
> executable applications (and content that is part of them) are eligible,
> and not stand-alone content, documentation or media".

Cool; that seems much more clear to me.

> > Under "Assessment", do we want to explicitly state things like "does not
> > perform malicious actions" or create any additional policy like that?
> 
> Agreed. I have updated the process with this.

Excellent.

> > How is the addition to the software center actually managed?  If it just
> > adds the PPA, this will not be okay. Anyone could get an ARB that is
> > accepted and then just fill their PPA with whatever they wanted. Will apt
> > be able to filter just the approved packages from their PPA?  (Or will
> > there be a separate PPA that packages are syncSourced to?)
> 
> I am not involved in the technical implementation; I am just managing
> the submission and review process - see
> https://wiki.ubuntu.com/PostReleaseApps/Implementation for
> implementation details.

I've read through this now and I don't see any mention of this, though it
sounds like both the PPA and the pocket would be directly managed by the
approval committee, which means an author would not have arbitrary control
over the archive, so I'm satisfied there.

Thanks for doing the updates!

So, my remaining concerns are the "why would anyone ever put software in the
main archive if they can get into this repository?" and "everyone will just
bundle all their dependencies into their applications making security and
bloat nasty."

As an example that kind of touches both areas, why would Chromium ever want
to be in the main Ubuntu archive when they could go into this repository?
They bundle all their libraries and expect to do frequent version bumps.
(And if they should NOT be in the main archive, what is the benefit of
being in the main archive in the first place?)

-Kees

-- 
Kees Cook
Ubuntu Security Team
