Who I am

I am from Lévis, Québec, Canada, and have been working for Canonical Ltd. as an Ubuntu Security Engineer since November 2008. Previous to working for Canonical, I was a security and open-source consultant.

My Ubuntu story

I have been a Linux user since 1997.

I first tried Ubuntu when Breezy Badger came out, and was immediately impressed with the large quantity of packages in the repositories. For the Linux distribution I was using at the time, I had to maintain a large number of packages for my own use in order to get everything I needed. With Ubuntu, everything was already in the repositories, save for a few exceptions.

Since my packaging experience at that time was limited to building rpms, I started looking into deb packaging. By the time Dapper Drake came out, I switched to Ubuntu as my preferred distribution.

My involvement

I mainly do the following:

  • Triage security issues and CVE numbers in Ubuntu
  • Maintain the Ubuntu CVE Tracker
  • Produce updated packages that include security fixes
  • Backport upstream security patches to older releases we support
  • Write test scripts for all updates we publish
  • Write and publish Ubuntu Security Notices (USN)
  • Participate in the Security Team wiki, and roadmap
  • Develop active security features in Ubuntu
  • Participate with other teams on security issues

Examples of my work / Things I'm proud of

My Launchpad page contains a list of bugs and packages I'm currently working on. This page contains some additional package information.

A list of Ubuntu Security Advisories I've published is available here.

I am one of the main contributors to the Ubuntu CVE Tracker and the QA Regression Testing tools.

I added a feature to the aide application to simplify reports by filtering files that got changed by security updates. See the Specification.

I recently added a disabled-by-default AppArmor profile to apache2 to be used with libapache2-mod-apparmor, along with an example profile for phpsysinfo. See the Specification.

In my own time, I have produced security updates for packages in Universe, such as phpmyadmin and vlc.

Things I could do better

I would like to spend more time writing documentation.

Plans for the future


I plan on continuing to produce high-quality security updates for packages in Ubuntu.

One of the areas I would like to work on in the future is to get a stronger Ubuntu security community going to try and address the large number of security vulnerabilities in Universe and Multiverse packages.

I would also like to get more involved in the authentication and smart card features of Ubuntu.

What I like least in Ubuntu

One of the things I like the least in Ubuntu right now is the lack of a complete out-of-the-box solution for addressing typical security requirements for enterprise use. This includes secure authentication, logging, delegated administrative control, desktop lock-down, etc.

I would like to get more involved in producing use cases, documentation, and blueprints for enterprise usage.





General feedback

I'll reiterate what I said in his MOTU application: Marc and I are on the same team and we work very closely together on a day-to-day basis. I absolutely recommend him for core-dev. His technical abilities are very high, he is experienced with bug triage and very good with the community. I have trusted his work as a member of the Ubuntu Security team for some time, and he has free rein for all stable releases of Ubuntu, so it only makes sense that he should be able to upload to the development release.

I look forward to his work for enterprise security requirements, particularly secure authentication.

Specific Experiences of working together

We've worked a lot together on AppArmor in Karmic, I reviewed (and appreciated) his changes to aide, he gave (and continues to give) excellent feedback and testing on my work, and I've sponsored many of his security uploads to the development release. While there are too many sponsored uploads to list here, one that immediately comes to mind that demonstrates his thoroughness and care is the recent openssl update for CVE-2009-2409. Through his testing and analysis he identified that two upstream patches were required to avoid a regression in Ubuntu. He applied them and then tested and uploaded a new package. While some other distributions released updates without this second patch and suffered a significant regression (mind you, after Marc's update), due to Marc's care, Ubuntu had a regression-free update.

Areas of Improvement

As I said in his MOTU application, Marc is great and a fast learner. What he doesn't know or is unsure about, he researches or asks before committing changes.

Kees Cook

General feedback

I work with Marc at Canonical and can vouch for his high level of skill in producing package updates. I trust his decisions; he is comprehensive in his analysis and testing, and understands how a distro fits together. I've sponsored many of his uploads to main (mostly security updates). They've all been excellent; he would make a fantastic core-dev. A good core-dev applicant is one where other core-devs get slightly confused since they thought the applicant already was a core-dev. Marc is in this camp for me. :)

Specific Experiences of working together

Marc has done a lot of AppArmor testing (and improvements). The whole Ubuntu Security Team has been working to improve AppArmor, and working with Marc on these things has been a lot of fun. He finds (and frequently fixes) many little corner-cases that had gone unnoticed. As with his other work, his attention to detail has been a great benefit to the project.

Areas of Improvement

As Marc already mentions himself, I would like to see more documentation written. While Marc already keeps great records of work done and to be done, I think he could branch out further and provide more developer or end-user documentation for some of the projects he works on.


General feedback

As I have stated before on Marc's MOTU application, I still believe Marc has been a fantastic addition to the Ubuntu Team. Marc is very easy to get along with and does high-quality work.

Specific Experiences of working together

I have sponsored several pieces of Marc's work for security updates to main, most notably samba. I never had a problem with his work.

