Ubuntu

Review sponsorship process and compare to security-sponsorship (Security)

Registered by Nicolas Valcarcel on 2009-11-09

Review Ubuntu sponsorship process and compare to Ubuntu Security team sponsorship process to improve it.

Blueprint information

Status:: Complete

Approver:: Robbie Williamson

Priority:: Essential

Drafter:: Nicolas Valcarcel

Direction:: Needs approval

Assignee:: Jamie Strandboge

Definition:: Approved

Series goal:: Accepted for lucid

Implementation:: Implemented

Milestone target:: lucid-alpha-2

Started by: Jamie Strandboge on 2009-12-11

Completed by: Jamie Strandboge on 2010-01-15

Related branches

Related bugs

Sprints

uds-l

Whiteboard

Work items:
create ubuntu-security-sponsors team: DONE
clarify policy on sending stuff to -proposed: DONE
put security update info into main SponsorshipProcess document: DONE
modify security team wiki pages to reflect new procedures: DONE
create wiki page for processing the security sponsors queue: DONE
announce changes to community: DONE
create report-todo-sponsoring script: DONE

Gobby text:
= Compare Universe and Security Sponsorship Processes =

* Standard Sponsorship http://wiki.ubuntu.com/SponsorshipProcess
  * overview: http://people.canonical.com/~dholbach/sponsoring/
  * Subscription indicates need for sponsorship
   * ubuntu-main-sponsors team is subscribed for main packages
   * ubuntu-universe-sponsors team is subscribed universe packages
   * unsub team if needed work remains outstanding for too long
  * Is a way to education/promote new ubuntu members
   * name in changelog (for first try or two and gradually get pickier), regardless of how much of their work is still in it

* Security Sponsorship
* subscribed ubuntu-security _and_ Status == In Progress _and_ patch attached

* Road blocks in the security sponsorship process
* do you have a PoC? this is too daunting
* testing requirements

* Proposed process
  * use the standard sponsorship process, except use "ubuntu-security-sponsors"
  * perhaps require SRU-like justification outlining why a contributor thinks the fix is good.
  * low confidence updates
   * put in -proposed (via security-proposed) depending on sponsor's confidence of the level of testing and intrusiveness of the patch (this is a risk versus benifit decision). Talk to SRU team
   * ubuntu-security-sponsors does the review and ack to upload
   * upload to security-proposed to build, then copy to -proposed
   * once in -proposed, subscribe motu-sru for verification-needed
    * who does this? pitti? ubuntu-security?
    * once verification-done, then pocket copy to -security and -updates

* Actions
* put information about security sponsorship into the main SponsorshipProcess document
* create a new team "ubuntu-security-sponsors" and use that as primary indicator for sponsorship

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Andres Rodriguez

Daniel Holbach

Fabrice Coutadeur

Kees Cook

Marc Deslauriers

Nicolas Valcarcel

Scott Kitterman

Ubuntu Security Team