Request for standing FFe for Chromium

Kees Cook kees.cook at
Tue Jun 1 14:53:35 BST 2010

On Fri, May 21, 2010 at 12:05:19PM +0200, Martin Pitt wrote:
> Matt Zimmerman [2010-05-09 12:40 +0200]:
> > On Wed, May 05, 2010 at 06:16:58PM -0400, Jorge O. Castro wrote:
> > > Hi Tech board!
> > > 
> > > The Google Chrome team just recently released a new beta, and people
> > > have been requesting for the corresponding Chromium build in Ubuntu.
> > > fta has explained[1] how the Chrome release process works. At the
> > > browser session at the last UDS we decided that Chromium should have
> > > the same kind of policy that firefox has, that is the ability to just
> > > upload the latest stable however I don't think this was ever finalized
> > > by the tech board. I don't know if it was ever proposed, so I am just
> > > communicating Fabien's concern since users keep asking him when it
> > > will get updated in Lucid and I guess he was under the impression that
> > > we would just be putting in the updates as they came from upstream.
> > > 
> > > At some point we'll also need to switch the package in the archive to
> > > follow the -stable channel when that is finished.
> > > 
> > > [1]
> > 
> > I think this is a matter for the release team, rather than the tech board.
> > Copying some of them.
> FWIW, other SRU exceptions were approved by the TB in the past (such
> as GNOME, firefox, hal-info, etc.).
> But with both my TB and my release hats on I +1 the permanent SRU
> approval. We do not have much choice here anyway, the support
> situation is even worse than with Firefox. There are only two sensible
> options, either we do not ship Chromium at all, or we keep putting the
> newest upstream releases into all stables.

While I recognize that there is little option besides doing SRUs, this is
different from the MicroReleaseException[1].  Doing general FFe and single
SRUs is up to the release team.

So, in this case, I think for a single SRU, it doesn't need to involve the
TB.  If you want a standing exception, that's more like a MRE, and for
that, I have to say -1 since there is no history about what makes a "good"
SRU with chromium.  I think once a few SRUs have been successful, then an
MRE will be very easily granted, but since there's no history yet, it's
hard to have confidence in a standing MRE, even if we have "no choice"
about it.



Kees Cook
Ubuntu Security Team

More information about the technical-board mailing list