Proposed SRU policy amendment for package removals

Chuck Peters cp at axs.org
Wed Nov 12 03:25:56 UTC 2014


Martin Pitt said:
> 
> Examples: [[https://lists.ubuntu.com/archives/ubuntu-devel/2007-September/024453.html|tor]], [[https://launchpad.net/bugs/1384355|owncloud]]


Both tor and owncloud are recurring examples!

http://packages.ubuntu.com/search?keywords=tor shows:
precise (12.04LTS): 0.2.2.35-1: [universe]
trusty (14.04LTS): 0.2.4.20-1: [universe]
utopic: 0.2.4.23-1: [universe]

The up to date version from torproject for 14.04 is currently 0.2.5.10-1~trusty+1.
https://www.torproject.org/docs/debian.html.en shows the recommended way of installing it.

Maybe I am missing something, why are we still shipping outdated versions of tor for every supported distribution?

If we just make an empty package that gives the user some direction on installing upstream, why don't we just do it for them?  Can the SRU policy be amended to include installing a good upstream repository like torproject?

I am not suggesting we do this for owncloud, but I think we should for tor.  Somebody can wordsmith the SRU policy better than I, but I'll take a shot:

In cases where upstream software is designed for security reasons and has a history of rapid development, installing an upstream sources.list and repository key will be considered.

Furthermore, amending the SRU process as proposed doesn't really address the fundamental issue that universe packages are often not maintained, and with something like tor the consequences can be very dangerous.

I have been looking for a session to cover the universe security issue at UOS, but I haven't seen any.  I have considered proposing a session titled "Security of the Universe", but I haven't made as much progress as I hoped...  One idea that will hopefully alert people about issues is:

Now that the debian-security-support package has landed in utopic, we should create an ubuntu-security-support package for each of the supported distributions and update it as the various security teams suggest.  The package simply checks a couple of files and what is installed on the machine.
/usr/share/debian-security-support/security-support-ended
/usr/share/debian-security-support/security-support-limited

For example this is part of what was shown on a recent Debian wheezy install after I installed the package.

         * Source:pidgin
           Details: Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE

           Affected binary packages:
           - libpurple-bin (installed version: 2.10.10-1~deb7u1)
           - libpurple0 (installed version: 2.10.10-1~deb7u1)
           - pidgin-data (installed version: 2.10.10-1~deb7u1)

We should base the new Ubuntu package on the newer debian-security-support 2014.11.07 package in Debian because some hook features were added.


I have some other ideas, but those will require much more work and resources.


Chuck

PS. Security of the Universe
The working draft for a mission statement is:
First the universe archive, then NEOs, black holes and other astronomical phenomena.

I know some people won't find it funny, but I like it.  It is sort of a natural joke when the pun is influenced by my father, who was on the Jet Propulsion Lab navigation team for Voyager 1 and other unmanned space missions.
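Added example, not part of Chuck's message and not code from debian-security-support itself: a small Python re-implementation of the check the message describes, mapping installed binary packages to their source package and matching them against support-ended and support-limited lists. The list-file format (one source package per line followed by free-text details, '#' for comments) is a simplified assumption, and the dpkg-query output, the list contents and the libv8 entry are constructed sample data so the script runs offline.

```python
"""Toy version of the debian-security-support check: compare the source
packages behind what is installed against the security-support-ended and
security-support-limited lists and report the affected binary packages.

Added example; not code from debian-security-support or from the post.
Assumption: list files hold one source package per line followed by
free-text details, with '#' starting a comment.  All data below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\t${Source}\n'`.
# dpkg leaves ${Source} empty when the source package shares the binary's name,
# and appends " (version)" when the source version differs from the binary's.
DPKG_SAMPLE = """\
libpurple-bin\t2.10.10-1~deb7u1\tpidgin
libpurple0\t2.10.10-1~deb7u1\tpidgin
pidgin-data\t2.10.10-1~deb7u1\tpidgin
tor\t0.2.4.20-1\t
libv8-3.14.5\t3.14.5.8-5\tlibv8-3.14 (3.14.5.8-5)
bash\t4.3-7ubuntu1.5\t
"""

# Constructed list files in the simplified format assumed above.
SUPPORT_ENDED = """\
# source-package  details
libv8-3.14  Not supported; constructed entry for this example
"""

SUPPORT_LIMITED = """\
pidgin  Support in oldstable is limited to IRC, Jabber/XMPP, Sametime and SIMPLE
tor     Not kept current; install from the upstream torproject.org repository
"""


def parse_list(text):
    """Return {source_package: details} from a list file, skipping comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries[parts[0]] = parts[1] if len(parts) > 1 else ""
    return entries


def installed_by_source(dpkg_output):
    """Map source package -> [(binary, installed version)] from dpkg-query output."""
    by_source = defaultdict(list)
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        binary, version, source = line.split("\t")
        # Drop the optional " (source-version)" suffix; empty Source means
        # the source package has the same name as the binary package.
        source = re.sub(r"\s*\(.*\)$", "", source).strip() or binary
        by_source[source].append((binary, version))
    return by_source


def check_support(dpkg_output, ended_text, limited_text):
    """Return findings as (status, source, details, [(binary, version), ...])."""
    by_source = installed_by_source(dpkg_output)
    findings = []
    for status, entries in (("ended", parse_list(ended_text)),
                            ("limited", parse_list(limited_text))):
        for source, details in entries.items():
            if source in by_source:
                findings.append((status, source, details, sorted(by_source[source])))
    return findings


def format_report(findings):
    """Render findings in the same shape as the report quoted in the message."""
    lines = []
    for status, source, details, binaries in findings:
        lines.append(f"Security support {status}: Source:{source}")
        lines.append(f"  Details: {details}")
        lines.append("  Affected binary packages:")
        for binary, version in binaries:
            lines.append(f"  - {binary} (installed version: {version})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_support(DPKG_SAMPLE, SUPPORT_ENDED, SUPPORT_LIMITED)))
```

The mapping step matters more than it looks: the lists are keyed by source package, while `dpkg` only knows binary packages, so a checker that compares binary names directly would miss the three pidgin binaries shown in the message and misreport libv8 because of the version suffix in its Source field.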



More information about the technical-board mailing list