[Bug 522645] Re: [MIR] chromium-browser

Kees Cook kees at ubuntu.com
Fri Feb 19 16:51:48 UTC 2010


With my security hat on: I think it is best to have the archive
components actually reflect our commitment to support a given package.
Since we now have an ability to show support lengths in binary packages
(thanks mvo!) I would be happier with this in main, marked for 18mon of
support, if it is intended to be supported.

With my MIR hat on: I haven't seen the MIR requirement list yet, but I can't imagine it will be favorable. It has had significant numbers of CVEs assigned to it in a very short time:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=chromium
It uses webkit internally, which is a CVE disaster (and I'm already disappointed to have webkit in main):
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=webkit
How they will do stable support is not known, and we have no long-term commitment from upstream for anything in particular.

Based on this, I cannot recommend it for main.  It is young software
with a poor security record, unknown supportability that hasn't been
packaged before Lucid.  This should stay in universe, and I can't
recommend anything depending on it yet.

If it were to stay in universe, the security team doesn't need to be
involved in its support for Ubuntu to see how updates will work for it.
I just think it's a gamble for a product to depend on chromium at this
point.

-- 
[MIR] chromium-browser
https://bugs.launchpad.net/bugs/522645