Process for providing security updates for chromium-browser
Kees Cook
kees.cook at canonical.com
Mon Sep 13 18:44:11 BST 2010
On Wed, Aug 18, 2010 at 07:12:15PM +0100, Chris Coulson wrote:
> On Wed, 2010-08-18 at 14:09 +0100, Mark Shuttleworth wrote:
> > On 18/08/10 13:38, Chris Coulson wrote:
> > > The issue with this process is that we are leaving users exposed to
> > > publicly disclosed vulnerabilities for 7 days. In addition to this,
> > > upstream are very keen on us being able to ship security updates in a
> > > more timely fashion.
> > >
> > > The process we use for updating Firefox and Thunderbird is different to
> > > this, in that we skip *-proposed (ie, we build in the security PPA and
> > > then copy the update to *-security after we've tested it).
> > >
> > > I would like permission to use a similar process for Chromium too.
> >
> > This is fine for me. Is upstream willing to pre-disclose fixes of
> > potential issues, so we can get a head start on testing?
> >
> This is something Jamie is trying to resolve at the moment. We should be
> able to get release notifications to enable us to prepare and test
> builds, although I don't think we would actually have access to details
> about specific security issues until after release.

It seems that upstream has been totally silent about this, so I suspect the
only way forward currently is to just start doing the updates.

How many chromium updates have happened through -proposed so far? Has the
7-day waiting period helped uncover any regressions?

It sounds, unfortunately, like chromium updates keep adding build deps and
other things, which really makes it risky for skipping -proposed. Perhaps
reducing the waiting period could be a first step instead of just
eliminating it?

-Kees
--
Kees Cook
Ubuntu Security Team