Process for providing security updates for chromium-browser

Jamie Strandboge jamie at canonical.com
Mon Sep 13 19:37:46 BST 2010


On Mon, 2010-09-13 at 10:44 -0700, Kees Cook wrote:
> How many chromium updates have happened through -proposed so far? Has the
> 7-day waiting period helped uncover any regressions?
> 
Based on LP[1], 6 updates have hit lucid-security/lucid-proposed for the
5.0.375 release, with one in lucid-proposed now (6.0.472) and another
(non-security) update waiting to get into lucid-proposed once the
current one is published.

The 7-day waiting period has not uncovered any regressions that I am
aware of (i.e., I don't recall having to sponsor a respin of anything due
to comments in an SRU bug). In fact, the 6.0.472.53 that is in
lucid-proposed now has regressions that upstream fixed in 6.0.472.55 but
these regressions were not reported to Ubuntu. This could simply be that
there aren't many chromium/lucid-proposed users out there to uncover
them.

> It sounds, unfortunately, like chromium updates keep adding build deps and
> other things, which really makes it risky for skipping -proposed. Perhaps
> reducing the waiting period could be a first step instead of just
> eliminating it?

Based on my previous comment, I'm not sure. It should be noted that
currently daily builds are done by fta (like the ubuntu-mozillateam does
with mozilla products). I don't know how many people run those off-hand,
but in many ways the testing is happening before they hit -proposed.
That said, those binaries are non-native and obviously unofficial.

Regarding "build deps and other things", so far we have seen that gyp,
libvpx and chromium-codecs-ffmpeg need to be (at least) occasionally
updated for new releases of chromium-browser. Specifically:
* gyp is required for the chromium build system. For lucid,
chromium-browser and chromium-codecs-ffmpeg are the only packages that
use it in their builds. mozc uses it in maverick.
* libvpx is required by the new chromium-codecs-ffmpeg which was in turn
required by the new chromium 6.0 release. This was introduced as a NEW
package in lucid (backported from maverick), with ffmpeg,
gst-plugins-bad0.10, chromium-codecs-ffmpeg, and ffmpeg-extra using it
in maverick.
* chromium-codecs-ffmpeg is a runtime requirement of chromium-browser,
and seems to require moving in step with chromium, at least for major
releases (e.g., 5.0 -> 6.0).

It is unclear to me what other packages will need to be upgraded in step
with chromium. After looking at the above I wonder if we should adjust
the packaging for chromium for these like we did for mozilla, and embed
them (*gasp*). This should be ok for gyp and chromium-codecs-ffmpeg as
Google is the upstream and seems to more or less treat these packages in
the same way as chromium itself.

I would like to reiterate that if we move forward with pushing these
without SRU, it should be explicitly stated that the packaging should
not be updated except for getting the new upstream release to build. In
other words, packaging bugs still need an SRU (the current lucid updates
have all essentially been the maverick packaging rebuilt on lucid).

[1]https://launchpad.net/ubuntu/+source/chromium-browser/+publishinghistory

-- 
Jamie Strandboge             | http://www.canonical.com