Future of MOTU

Emmet Hikory persia at ubuntu.com
Mon Feb 22 15:28:45 GMT 2010


Jamie Strandboge wrote:
> Emmet Hikory wrote:
>> iii) MOTU SWAT needs help, especially as it moves from "universe" to
>> "unseeded packages".  I believe that extended discussion is worthwhile
>> between the MOTU SWAT team and the Ubuntu Security team to determine
>> if all security efforts could follow a standardised process and be
>> handled by a single extended team (with some potential for separation
>> within the team to support embargoed information, disclosure
>> requirements, etc.).  If MOTU SWAT is to remain separate, some work
>> will need to be done on the tools to help better track what packages
>> need attention and when.
>
> I think in a lot of ways, this is already done. We just need more people
> to get involved in the process.

    Excellent.  It's always good to hear that things are already being
done.  You guys should announce stuff more widely (yes, I know, one
always has to be careful with disclosure).

> Due to limitations in Launchpad, MOTU-SWAT still needs to be a separate
> team from ubuntu-security (this is due to the ubuntu-security PPA
> containing embargoed items and the fact that you must be a member of
> ubuntu-security to publish from this PPA to the security pocket). We've
> long wanted MOTU-SWAT to be able to manage themselves and we can
> help/comment on procedures when the LP limitations are gone.
>
> That said, with the help of various MOTU folk[1] we identified
> improvements in the security sponsorship process and have implemented
> changes to address them and make our processes more like other teams[2].
> The ubuntu-security-sponsors team was created, of which MOTU-SWAT is a
> member. Links for the security sponsorship processes are also integrated
> into the main SponsorshipProcess[3], just like with other teams.
> Each week a member of the ubuntu-security team is assigned to process
> bugs in our SponsorsQueue. So far, we've been doing all review as well
> as publication, but MOTU-SWAT can get involved in the review process
> which is really the most important part (while the ubuntu-security team
> is required for publication, this is simply a matter of copying packages
> around).

    This matches my previous understanding that security was still
tracked on a component basis.  While we still will have components for
a while, I am expecting that we will have a growth in packagesets in
the medium-term, as the various teams who already care for loosely
defined packagesets request formal recognition from the Technical
Board.  With this change, the set of packages for which MOTU will have
explicit responsibility will be reduced, and there may end up being an
increasing gap between the union of "main" and "unseeded packages" and
coverage of the entire archive.  As a result, I'm not confident "MOTU
SWAT" remains an ideal identity for the set of people working on
security who don't have rights to pocket-copy packages to -security.
Also, while I admire the work the security team has done, I think that
it likely makes sense to reach out to all the defined development
teams (Ubuntu Desktop, Kubuntu, Mythbuntu, MOTU, potentially Edubuntu
if approved tomorrow, etc.) to seek additional assistance with patch
review, publication to the current development release, and
backporting to prior releases.

    As Archive Reorganisation moves forward, and components go away
entirely, I expect this becomes even more complicated, but I still
think that it is handled better by an integrated ubuntu-security team
(perhaps with only a subset authorised to pocket-copy) distribution-wide
than by having a central "core security team" and additional
representative teams for each packageset providing security.

-- 
Emmet HIKORY


