CoreDevApplication

I, Alex Murray, apply for core-dev rights.

Name

Alex Murray

Launchpad Page

https://launchpad.net/~alexmurray

Wiki Page

https://wiki.ubuntu.com/AlexMurray

I am applying because:

  • I'd like to eliminate delays in getting my work sponsored.
  • I'd like to reduce the burden on my sponsors.

Who I am

I am a passionate software engineer with a strong focus on software security, living in Adelaide, Australia and a long-time Ubuntu user and community member. Since 2018 I have been doing my dream job as Tech Lead of the Ubuntu Security team at Canonical.

My Ubuntu story

My first use of Linux was back in the early 2000s through an introduction to Red Hat, after which I moved to Mandrake. As a student with too much time on my hands, I quickly moved onto Gentoo but once Ubuntu was released in 2004 and started growing momentum, I switched to it full-time with the Dapper Drake release in 2006. During this time I was also developing sensors-applet via sourceforge for the GNOME desktop environment. Whilst I joined Launchpad in 2006, inertia meant I didn't move sensors-applet to there until 2009. To support the 'new' Unity desktop environment, I started Hardware Sensors Indicator in 2011 - this project is mostly in maintenance mode now but is available both in the Ubuntu archive (finally) and as a snap.

I continued to use Ubuntu both at home and professionally as a software engineer, and most recently before joining Canonical was leading a team using Ubuntu in the automotive space to power vehicle-to-vehicle communication systems.

In 2018 I started my dream job working for Canonical as the Ubuntu Security Tech Lead. During this time I have worked on publishing security updates for various packages, advocating for and implementing various security features for the development releases including additional tool-chain hardening features, and private home directories to name a few, doing merges from Debian for various packages maintained by the Ubuntu Security Team, and helping out on upstream projects like AppArmor and snapd. I also like hacking on the internal tooling used by the Ubuntu Security team, adding features that help support our day-to-day workflows to bring timely security updates to end Ubuntu users.

I also started the Ubuntu Security Podcast which I publish weekly to inform the community about the recent work of the Ubuntu Security Team and to discuss various security topics related to Ubuntu in general.

I am a software engineer at heart and so not surprisingly most enjoy implementing new features - whether that be to end Ubuntu users working on the hardening features during recent development cycles, or to the Ubuntu Security team internally by adding new capabilities to our tools to aid in repeatable testing of security fixes and the like. I also enjoy working as a snap store reviewer, helping to guide snap publishers on how best to ensure their snaps can be published with strict confinement and the like.

My involvement

I have published various security updates to the stable Ubuntu releases; all of these can be seen at https://launchpad.net/~alexmurray/+synchronised-packages

I have also had various security updates, merges and feature work sponsored to the development releases which can be seen at https://udd.debian.org/cgi-bin/ubuntu-sponsorships.cgi?render=html&sponsor=&sponsor_search=name&sponsoree=alex.murray%40canonical.com&sponsoree_search=email and https://launchpad.net/~alexmurray/+uploaded-packages

The work I am most proud of is the continued high-quality security updates which I have published, which have had a low rate of regressions, as well as the recent feature work to implement private home directories in hirsute through updates to adduser and shadow. Finally, I am proud of the work of the whole Ubuntu Security team (and to which I contributed significantly) to get AppArmor 3.0.0 into the groovy development release. For this, I filed the FFe, prepared and tested the final package and worked to get this sponsored into the release.

Areas of work

As mentioned above, I have worked on additional toolchain hardening features in conjunction with the Foundations team, in particular doko, during the eoan cycle. During this time I prototyped the initial implementation in gcc-9 and added support to `hardening-check` to detect when binaries / libraries had been compiled with these new options.

I also implemented the private home directories feature for hirsute. This had long been a contentious issue so I took the time to reach out to the community to consult on the decision before going ahead with the implementation. The implementation of this feature was however done on my own, and sponsored by the security team.

Things I could do better

I sometimes lose motivation for various pieces of work when it becomes unclear how I should proceed - I could then do better to pro-actively reach out and ask for help in these circumstances, rather than letting indecision cause the work to stagnate. I also could use some more experience with hints-ubuntu as I have only touched this once so far.

Plans for the future

General

I plan to keep trying to push for new hardening features and others to be implemented in upcoming Ubuntu releases. More immediately, I also plan to try and go back and finish off the final details of the previous round of hardening features by integrating support for this into `dpkg-buildflags` - this previously got waylaid by uncertainty over how to implement this in a manner that was amenable to being shipped upstream in Debian. In this case, as this is a useful piece of work for Ubuntu regardless, I think I would pursue shipping this first in Ubuntu and then trying to get it merged into Debian.

What I like least in Ubuntu

  • The Ubuntu wiki :)
    • it has a lot of old information that has bitrotted and not been maintained, mixed with still relevant or even new information and it is hard for users to discern what is useful and what is not. Plus it is not the fastest wiki in the world.
  • The spread of various communication platforms - IRC, forums, wiki, mailing lists, AskUbuntu etc
    • this makes it hard to know where to go to find relevant information for any given topic compared to if there was one primary platform which was used to host all information
  • Trying to participate in the Ubuntu community from APAC
    • A lot of discussions and meetings happen live via IRC and the like and this is quite hard for folks in APAC etc timezones to participate in when the vast majority of these are on EMEA / Americas friendly times


Comments

If you'd like to comment, but are not the applicant or a sponsor, do it here. Don't forget to sign with @SIG@.


Endorsements

As a sponsor, just copy the template below, fill it out and add it to this section.

Christian Ehrhardt

General feedback

I've not "sponsored" much of him, but I still have a long history of working together on various bugs and/or discussing on IRC about implications of some changes. From that I can state that he has an awesome general technical depth in many things. Alex is very communicative and an awesome engineer - all I've seen from him so far made me confident to trust in him.

Specific Experiences of working together

libseccomp is co-owned by security and server at times. So I was working with Alex to sort that out which worked fine. We also have "met" on various checks in regard to the MIR Team and security reviews for packages. We also have talked about hardening based build options, their impact and handling a few times. And finally he has reviewed more of my work than vice versa, as he is one of the people you can count on to get a good security review of a given change before you upload.

Areas of Improvement

Maybe other sponsors have worked with him differently, but from just my POV he has all the skills & trust needed - yet I've not seen any work around library-transitions, test hinting, unblocking proposed, seeds, ... - you know other things that core-devs are expected to (be able to) do. Due to that from my POV, this is the area he could invest more (unless others say that he is already fine there as well).

Due to that my endorsement is based on the confidence I have based on the contact we had - but might not cover the full spectrum of an Ubuntu core-developer.

-- paelzer 2021-02-18 09:11:53

Marc Deslauriers

General feedback

I have been working with Alex on the security team for close to three years now. He is incredibly talented, knowledgeable, skilled, and has the attention to detail required to be an excellent CoreDev. He always does the required research when getting things done, and does them properly the first time.

Alex has contributed enormously to improve the security team tooling, and the modifications he has done demonstrate knowledge of the workings of the Ubuntu archive.

I wholeheartedly recommend him becoming a CoreDev and help contribute in making Ubuntu great.

Specific Experiences of working together

I have sponsored about a dozen of Alex's packages into the dev release. Many of them weren't just security updates, but also merges from Debian. He has always done an excellent job, and when I did find some minor nitpicks about a package, he gladly accepted them and modified the package to include them without issue.

Beyond the dev release, Alex has produced numerous security updates into the stable releases without issue.

Alex isn't afraid of revisiting long-standing decisions with new light when the time is right, and approaching them the right way by writing a proposal and getting everyone to agree to it. His recent work on changing the default home directory permissions, a long-standing sore point, is testament to that.

Areas of Improvement

While Alex's work has been mostly focused on reactive security updates, I would like to see him also tackle some more proactive security improvements in the archive.

-- mdeslaur 2021-02-18 13:00:53

Jamie Strandboge

General feedback

I have worked with Alex while on the security team for ~2.5 years and at times very closely. He is very knowledgeable, capable, skilled, thoughtful and has great attention to detail. He is also passionate about Ubuntu and respectful of others.

As mentioned by others, he has already contributed a lot to Ubuntu and the security team, and these contributions demonstrate his abilities very well. Alex becoming a core developer will allow him to do even more for Ubuntu, including security updates for the dev release and more proactive work.

I trust Alex as a person, as a developer and as someone who will ask questions before exercising his core developer access if he doesn't know or is unsure about something. Alex has exactly the qualities we want in core developers and I can't recommend him enough for core dev.

Specific Experiences of working together

I've not sponsored a lot of different packages for Alex, but have sponsored a few packages several times both into the development release and as SRUs: apparmor, libseccomp and iptables. Alex did much of the work for a non-trivial apparmor major version update in Ubuntu (required a lot of testing and iteration before uploading to get right), performed several libseccomp updates that added additional tests and maintenance helpers and handled bug fix updates to iptables. libseccomp in particular is a somewhat tricky package that he picked up and has done an excellent job with.

Beyond sponsoring, I also worked with Alex very closely while I was on the security team and performed design and implementation reviews on various projects he worked on that spanned tooling, security updates, firmware, secure boot, etc (the list goes on and on), and I'm confident in his abilities.

Finally, he and I worked together on snapd security reviews and Snap Store reviews to the point where I handed them off to him and by all accounts, he is doing a great job. The snapd reviews require a reasonably deep understanding of C (snap-confine is a setuid C program) and also a deep understanding of the system as a whole and how things work together (for interface policy updates). Store reviews require an ability to learn, assess and apply a breadth of knowledge to processes and interacting with people on a wide range of software.

Altogether, this shows to me that Alex is ready and will make an excellent core developer.

Areas of Improvement

Ubuntu is vast and it is difficult for any applicant to prove their ability in the myriad of areas a core developer might work, but Alex has proven himself in all the areas that he will typically work as a core developer on the security team. Importantly, Alex doesn't assume things and has proven to me that he'll research and ask questions and I trust Alex to continue in this manner before performing any new core developer activities. I'd love to see Alex do more proactive security in Ubuntu, and I think as a core developer he will be able to.

-- jdstrand 2021-03-02 15:53:53


TEMPLATE

== <SPONSORS NAME> ==
=== General feedback ===
## Please fill us in on your shared experience. (How many packages did you sponsor? How would you judge the quality? How would you describe the improvements? Do you trust the applicant?)

=== Specific Experiences of working together ===
''Please add good examples of your work together, but also cases that could have handled better.''
## Full list of sponsored packages can be generated here:
##  https://udd.debian.org/cgi-bin/ubuntu-sponsorships.cgi
=== Areas of Improvement ===


AlexMurray/CoreDevApplication (last edited 2021-03-04 01:03:34 by alexmurray)