PackageMaintainednessPresentation

Revision 10 as of 2008-08-07 19:12:07

Clear message

Summary

How to represent the security/critical fixes support level of the various applications in ubuntu.

Release note

None necessary.

Rationale

Canonical maintains packages in the Ubuntu archive for different periods, and “maintains” means different things depending on whether the package is Free Software (as currently represented by Main vs. Restricted). Ubuntu’s package management tools do not make it clear how long each package is maintained for, and what this means. They also confuse maintenance with support, and disambiguating this is important for explaining future support plans from Canonical and other support providers.

Scope

Canonical maintains:

  • packages that are part of Ubuntu Server for five years in LTS releases, and three years in non-LTS releases;
  • other packages in the Main repository for three years in LTS releases, and 18 months in non-LTS releases.

“Maintains”, in this sense, means:

  • If Canonical is able to modify and redistribute modified versions of the package (currently represented by the package being in “Main”), it provides fixes for security problems and other critical defects.
  • If Canonical does not have the source code and permission to redistribute modified versions (currently represented by the package being in “restricted”), it seeks fixes from the vendor for security problems and other critical defects.

“Maintains” should not be confused with “supports”, which is about tech support from Canonical’s support team or other providers. It is possible that we may advertise supported for software in package management tools in future, but for now we will not.

It is also possible that ArchiveReorganisation will mean we can no longer use a package’s presence in “Main“ to determine whether Canonical provides updates for it.

Use cases

  • Some server administrators want to be sure that all packages they install are maintained by Canonical. These admins use apt-get or aptitude, not Synaptic or Add/Remove Programs.

We have no other known use cases. However, we currently present maintainedness ambiguously in Synaptic and Add/Remove Programs, and we should at least present it unambiguously.

Design

Synaptic

  • In the “Filters” dialog, in addition to “Status”, “Section”, and “Properties”, there should be a new tab labelled “Maintenance”. This tab should have checkboxes (both checked by default) for “Currently maintained by Canonical” and “Not maintained by Canonical”. “Currently maintained” should mean that the Canonical maintenance period has not expired.

  • Upon upgrading to a version of Synaptic that implements this specification, a “Not Canonical-maintained” filter should be added to the Custom Filters, using the “Not maintained by Canonical” criterion. If there is a “Community Supported (installed)” filter, and that filter still has its default settings (returning all packages with “Ubuntu” origin that are not from “main” or “restricted” components), the “Not Canonical-maintained” filter should replace the “Community Supported (installed)” filter.

    Maintenance type

    If expires today or in the future

    If expired

    Canonical-maintained (Free Software)

    Canonical provides critical updates for fontforge in Ubuntu 8.04 until 28 April 2011.

    Canonical no longer provides updates for fontforge in Ubuntu 8.04. Updates may be available in a newer version of Ubuntu.

    Canonical-maintained (non-Free)

    Canonical provides critical updates supplied by the developers of linux-restricted-modules-2.6.24-19-generic until 28 April 2013.

    Canonical no longer provides updates for linux-restricted-modules-2.6.24-19-generic in Ubuntu 8.04. Updates may be available in a newer version of Ubuntu.

    Community (Free or non-Free)

    Canonical does not provide updates for alien-arena. Some updates may be provided by the Ubuntu community.
    The date should be presented in the long format specified by the current locale. attachment:synaptic-description.png

Add/Remove Applications

  • In the “Show” menu, “Supported applications” should be renamed to “Canonical-maintained applications”. Like the rest of the items in the menu, it should not have a tooltip.
  • An application’s maintenance status should be presented in small grey print at the end of its description, after a grey horizontal rule. (This text should replace the seal, heart, and Synaptic icons previously used in package descriptions.)
  • The maintenance status for an individual package should be presented in exactly the same way as for Synaptic Programs above, except that the application name should be used throughout instead of the package name. attachment:add-remove-description.png

apt-cache

apt-cache show package-name” should include information about how long Canonical will provide critical updates for the package. For example: 

> apt-cache show fontforge
Package: fontforge
Priority: optional
Section: x11
Installed-Size: 12004
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Kęstutis Biliūnas <kebil@kaunas.init.lt>
Canonical provides critical updates until: 2011-04-28
Architecture: i386
Version: 0.0.20071110-1build2
Depends:...

The date should be presented in YYYY-MM-DD format.

aptitude

aptitude show package-name” should include information about how long Canonical will provide critical updates for the package. For example: 

> aptitude show fontforge
Package: fontforge
State: not installed
Version: 0.0.20071110-1build2
Priority: optional
Section: x11
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Canonical provides critical updates until: 2011-04-28
Uncompressed Size: 12.3M
Depends:...

The date should be presented in YYYY-MM-DD format.

ubuntu.com

Current and future pages on the Ubuntu Web site, when referring to software updates, should use “maintained” instead of “supported“ and “maintenance” instead of “support” (except for the phrase “Long-Term Support”, which is now too well-known to change).

Implementation

Package infrastructure

The implementation should be done with debtags. We add a debtag "Facet" that does not use the word "support", and add tags like "canonical-5years" or "canonical-3years".

For the support status based on the installed version of ubuntu we add tags that match the meta-packages, e.g. "part-of::ubuntu-desktop", "part-of::ubuntu-studio-desktop" etc. This way the packaging tools can check for the installed meta packages and then figure out the support status based on that information. This way it can rank packages that are part of this group higher in e.g. searches.

The synaptic lp:~mvo/synaptic/ept branch has some support for debtags and with "debtags::getItemsHavingTag()" and "getItemsHavingTags()" it should straightforward to implement the required views and emblems. The tag information needs to be added to the debtags package, this includes the new facet in the vocabulary and the new tags.

For the python based applications the maintenance text can be displayed based on the information that is available via the python-debian debtags interface.

For the CLI tools we should modify apt-ftparchive so that the support time is added to the package record by apt-ftparchive

ubuntu.com

These pages should be updated to use the correct terminology:

Past-dated pages (such as news releases) need not be changed.

The ubuntu.com style guide should also be updated, to clarify when to use “maintained” vs. “supported“ and “maintenance” vs. “support”.

Test/Demo Plan

It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release.

This need not be added or completed until the specification is nearing beta.

Unresolved issues

  • We need to get the list of supported packages for the various support levels for each release. It needs to be discussed if this should be done via germinate or via a different method.
  • Where will “critical” be defined?
  • The column of Ubuntu logos in Synaptic's package lists need to be replaced with something. What do they mean? In the description they have a tooltip “This application is supported by the distribution” (eh?), but the “Community Supported (installed)” Custom Filter returns many packages with the logo as well as many without.
  • Show overall status of maintained packages over time. (A graph?)

CategorySpec