[Bug 1267393] Re: [MIR] juju-core, juju-mongodb

James Page james.page at ubuntu.com
Thu Jan 9 11:36:44 UTC 2014


** Description changed:

  >> juju-mongodb <<
  
  Availability
  ------------
  
  In universe, available on all required architectures (x86, armhf, arm64,
  ppc64el).
  
  Rationale
  ---------
  
  MongoDB is a dependency for operating a Juju deployed Ubuntu
  environment.
  
  Security
  --------
  
  MongoDB has had some CVE's in the past, related to the use of the V8 and
  Spidermonkey Javascript engine in the Mongo Shell; however juju-mongodb
  builds without support for Javascript scripting, avoiding the historic
  CVE's (which where fixed upstream anyway).
  
  Quality assurance
  -----------------
  
  Package installs cleanly, package build process runs upstream smoke
  tests (minus jstests due to disabling javascript support).   Tests pass
  on all architectures.
  
  Dependencies
  ------------
  
  All in main already
  
  Standards compliance
  --------------------
  
  OK (well is scons but we won't hold that against it)
  
  Maintenance
  -----------
  
  Upstream MongoDB run stable releases with point updates; its intended
  that a MRE is applied for this package so point releases can be pushed
  as SRU's.
  
  Its also possible that we might need to bump a major version (2.4.x ->
  2.6.x); as this package is specific to Juju, we can constrain the impact
  and regression testing to Juju only.
  
  Background information
  ----------------------
  
  Why a separate package? it was agreed at the last vUDS that having a
  separate package allows us to limit a) use of v8 (disabled) which was a
  security concern and b) allows us to potentially update at a later date
  if need be only impacting juju itself.
  
  >> juju-core <<
  
  Availability
  ------------
  
  In universe, not yet available on arm64 or ppc64el.
  
  Rationale
  ---------
  
  Juju is the recommended service orchestration tool for Ubuntu; as such
  it really needs to be a core part of Ubuntu.
  
  Security
  --------
  
  No security history, but it was agreed that a security review would be
  undertaken as part of the MIR process.
  
  Quality assurance
  -----------------
  
  No tests are run as part of the package build process; however upstream
  do run these tests for all target series (12.04 -> 14.04) prior to
  release so the overall quality of the codebase it pretty good.
  
  The package has some basic DEP-8 tests that bootstrap a local Juju
  environment to ensure everything hangs together OK.
  
  Dependencies
  ------------
  
  juju-mongodb (see above)
  golang or gccgo TBC
  
  Currently all required go dependencies are snapshotted at specific
  upstream commits and bundled with Juju.
  
  Standards compliance
  --------------------
  
  OK
  
  Maintenance
  -----------
  
  Upstream Juju team intend to manage stable point releases against the
  version shipped in 14.04.  Ubuntu Server team will own the package in
  distro.
  
  Background information
  ----------------------
  
  Some decisions still need to be made, mainly around toolchain.
  Specifically the aim is to support a single Go toolchain in Ubuntu main
  for all architectures; golang-go does not support arm64 or ppc64el yet,
  whereas the gccgo implementation does.
  
  Required changes to support gccgo have been upstreamed into the Juju
  codebase.
+ 
+ Its also worth noting that the package and binaries in Ubuntu are used
+ for:
+ 
+    client tool (juju)
+    juju agent (jujud) - but only for local provider and where --upload-tools is used
+ 
+ Upstream released jujud binaries are/will be distributed officially via
+ simplestreams using a documented build process (details TBC).
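Review bot: The added closing paragraph says the released jujud binaries come from upstream via simplestreams with a build process whose details are still TBC, yet the juju-core Security and Maintenance sections above cover only the archive package. Those agent binaries are not built from the package under review, so the description should say who builds and publishes them and how security fixes reach them, or state explicitly that they are outside the scope of this MIR. Minor: "Its also worth noting" should read "It's also worth noting".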

** Description changed:

  >> juju-mongodb <<
  
  Availability
  ------------
  
  In universe, available on all required architectures (x86, armhf, arm64,
  ppc64el).
  
  Rationale
  ---------
  
  MongoDB is a dependency for operating a Juju deployed Ubuntu
  environment.
  
  Security
  --------
  
  MongoDB has had some CVE's in the past, related to the use of the V8 and
  Spidermonkey Javascript engine in the Mongo Shell; however juju-mongodb
  builds without support for Javascript scripting, avoiding the historic
  CVE's (which where fixed upstream anyway).
  
  Quality assurance
  -----------------
  
  Package installs cleanly, package build process runs upstream smoke
  tests (minus jstests due to disabling javascript support).   Tests pass
  on all architectures.
  
  Dependencies
  ------------
  
  All in main already
  
  Standards compliance
  --------------------
  
  OK (well is scons but we won't hold that against it)
  
  Maintenance
  -----------
  
  Upstream MongoDB run stable releases with point updates; its intended
  that a MRE is applied for this package so point releases can be pushed
  as SRU's.
  
  Its also possible that we might need to bump a major version (2.4.x ->
  2.6.x); as this package is specific to Juju, we can constrain the impact
  and regression testing to Juju only.
  
  Background information
  ----------------------
  
  Why a separate package? it was agreed at the last vUDS that having a
  separate package allows us to limit a) use of v8 (disabled) which was a
  security concern and b) allows us to potentially update at a later date
  if need be only impacting juju itself.
  
  >> juju-core <<
  
  Availability
  ------------
  
  In universe, not yet available on arm64 or ppc64el.
  
  Rationale
  ---------
  
  Juju is the recommended service orchestration tool for Ubuntu; as such
  it really needs to be a core part of Ubuntu.
  
  Security
  --------
  
  No security history, but it was agreed that a security review would be
  undertaken as part of the MIR process.
  
  Quality assurance
  -----------------
  
  No tests are run as part of the package build process; however upstream
  do run these tests for all target series (12.04 -> 14.04) prior to
  release so the overall quality of the codebase it pretty good.
  
  The package has some basic DEP-8 tests that bootstrap a local Juju
  environment to ensure everything hangs together OK.
  
  Dependencies
  ------------
  
  juju-mongodb (see above)
  golang or gccgo TBC
  
  Currently all required go dependencies are snapshotted at specific
  upstream commits and bundled with Juju.
  
  Standards compliance
  --------------------
  
  OK
  
  Maintenance
  -----------
  
  Upstream Juju team intend to manage stable point releases against the
  version shipped in 14.04.  Ubuntu Server team will own the package in
  distro.
  
  Background information
  ----------------------
  
  Some decisions still need to be made, mainly around toolchain.
  Specifically the aim is to support a single Go toolchain in Ubuntu main
  for all architectures; golang-go does not support arm64 or ppc64el yet,
  whereas the gccgo implementation does.
  
  Required changes to support gccgo have been upstreamed into the Juju
  codebase.
  
  Its also worth noting that the package and binaries in Ubuntu are used
  for:
  
-    client tool (juju)
-    juju agent (jujud) - but only for local provider and where --upload-tools is used
+    client tool (juju)
+    juju agent (jujud) - but only for local provider and where --upload-tools is used
  
  Upstream released jujud binaries are/will be distributed officially via
- simplestreams using a documented build process (details TBC).
+ simplestreams using a documented build process (details TBC).  The juju
+ client will use these tools on public clouds and potentially in private
+ cloud deployments where tools are synced into the cloud using the juju
+ client tool (juju sync-tools).
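Review bot: The new sentence at the end of the last paragraph leaves the split between archive-built and upstream-built agents implicit, and "potentially in private cloud deployments" does not say which source applies there by default. Read together with the list above it, the Ubuntu-built jujud is used only for the local provider and with --upload-tools, so it would help to state that directly and to say whether the planned security review covers the tools that juju sync-tools copies into a cloud. The two removed and re-added list lines (client tool, juju agent) differ only in whitespace and add noise to the change.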

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to juju-core in Ubuntu.
https://bugs.launchpad.net/bugs/1267393

Title:
  [MIR] juju-core, juju-mongodb
