MainInclusionProcess

Differences between revisions 29 and 31 (spanning 2 versions)
Revision 29 as of 2018-09-18 10:07:02
Size: 3541
Editor: jdstrand
Comment:
Revision 31 as of 2018-09-18 10:25:49
Size: 3969
Editor: jdstrand
Comment: add note on who should change bug status when multiple team members are performing reviews
Line 10: Line 10:
 1. The [[https://launchpad.net/~ubuntu-mir|MIR team]] reviews the reports, and sets acceptable ones to ''In Progress'' or ''Fix Committed''. They might also delegate portions of the review to other teams, assign it to them, and set it to ''Incomplete''; common cases are getting a thorough security review from the [[https://launchpad.net/~ubuntu-security|security team]] (please see [[SecurityTeam/Auditing|SecurityTeam/Auditing]] for details on requesting an audit and the [[https://trello.com/b/HvFhIQpv/security-team|security team trello board]] (Reviews lane) for prioritized list of MIR security reviews), or getting a sign-off from particular team leads about maintenance commitments.  1. The [[https://launchpad.net/~ubuntu-mir|MIR team]] reviews the reports, and sets acceptable ones to ''In Progress'' or ''Fix Committed''. They might also delegate portions of the review to other teams, assign it to them, and set it to ''Incomplete''; common cases are getting a thorough security review from the [[https://launchpad.net/~ubuntu-security|security team]] (please see [[SecurityTeam/Auditing|SecurityTeam/Auditing]] for details on requesting an audit and the [[https://trello.com/b/HvFhIQpv/security-team|security team trello board]] (private board; Reviews lane) for prioritized list of MIR security reviews), or getting a sign-off from particular team leads about maintenance commitments.
  * In the case where an MIR needs a security review, a normal MIR review will happen by a member of the MIR team and the security review by a member of the security team. Among these team members, whoever does it the last review shall adjust the bug status accordingly (eg, if MIR team says ok then security says ok, the security team member should mark the bug as Fix Committed (see above for other statuses))
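Review bot: the added sub-bullet contains a stray "it" in "whoever does it the last review"; suggest "whoever does the last review". The sentence also ends on nested parentheses with no closing period, and "eg" should be "e.g."; moving "see above for other statuses" out of the inner parentheses would make the example easier to follow. In the edited item 1, the new "private board;" qualifier tells readers the Trello board is not publicly viewable but gives no alternative for requesters without access; consider saying where they can check the review priority instead.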

Do you need a MIR?

Packages in Ubuntu main (and restricted) are officially maintained, supported and recommended by the Ubuntu project. Security updates are provided for them as necessary by Canonical, and Canonical's standard support services apply to these packages.

Therefore, special consideration is necessary before adding new packages to these components.

  1. Thoroughly go through UbuntuMainInclusionRequirements and check that the package meets all the points there. Write down issues that violate the requirements. If this package has nontrivial problems, it is not eligible for main inclusion, and needs to be fixed first.

  2. File a bug report about the package, titled "[MIR] sourcepackagename". Include the rationale and description of the violations of UbuntuMainInclusionRequirements, and a confirmation that you checked the requirements carefully.

  3. Subscribe ubuntu-mir to the bug report (do not assign it to anyone), so that it appears in the MIR bug list.

  4. The MIR team reviews the reports, and sets acceptable ones to In Progress or Fix Committed. They might also delegate portions of the review to other teams, assign it to them, and set it to Incomplete; common cases are getting a thorough security review from the security team (please see SecurityTeam/Auditing for details on requesting an audit and the security team trello board (private board; Reviews lane) for a prioritized list of MIR security reviews), or getting a sign-off from particular team leads about maintenance commitments.

    • In the case where an MIR needs a security review, a normal MIR review will be done by a member of the MIR team and the security review by a member of the security team. Among these team members, whoever does the last review shall adjust the bug status accordingly (e.g., if the MIR team says ok and then security says ok, the security team member should mark the bug as Fix Committed; see above for other statuses).

  5. Add the package to a seed, or as a (build-)dependency of a package in main. The package will not be moved to main automatically, but will show up in the component-mismatches list, or if the dependency is only in proposed, the component-mismatches-proposed list.

  6. Archive administrators will review the component-mismatches output, and for each package waiting to move into main, look for a corresponding bug.

  7. The submitter should then take responsibility for adding the package to the seeds as per SeedManagement or adding a dependency to it.

  8. The archive administrators will promote approved packages to main if some other package or the seeds want it (see component-mismatches output).

Notes:

  • Reports should always be named for SOURCE packages, not binary packages.
  • New binary packages from existing source packages, where the source package is already in main, do not require reports.
  • If a new source package contains only code which is already in main (e.g., the result of a source package split or rename, or source packages with a version in the name), it may not need a full review. Submitting a bug with an explanation is sufficient.

Use this template for the MIR bug report:

[Availability]

[Rationale]

[Security]

[Quality assurance]

[Dependencies]

[Standards compliance]

[Maintenance]

[Background information]


CategoryProcess

MainInclusionProcess (last edited 2022-10-06 04:47:43 by fitojb)