## page was renamed from UbuntuDownBelow/BOFs/UniverseSecurity
## page was renamed from UniverseSecurity
## (see the SpecSpec for an explanation)
= UniverseSecurity =

== Status ==
 * Created: <<Date(2005-04-25T01:09:39Z)>> by BrandonHale
 * Priority: MediumPriority
 * People: BrandonHaleLead, AndrewMitchellSecond
 * Contributors: MartinPitt
 * Interested:
 * Status: BreezyGoal, UduBof, DistroSpecification, ApprovedSpecification
 * Branch:
 * Malone Bug:
 * Packages:
 * Depends:
 * Dependents: <<FullSearch(UniverseSecurity)>>
 * UduSessions: 1

== Introduction ==
Universe currently receives no security support in Ubuntu once a release has shipped. Debian fixes many of the same packages, so we can take those fixes and push them to Ubuntu Universe. [[http://www.ubuntulinux.org/wiki/SecurityUpdateProcedures]] covers most of the procedure for Ubuntu security updates in Main; it applies to Universe updates as well.

== Rationale ==
Security is an essential element if Ubuntu is to gather the widest possible audience and user base, so we should take steps to fix security issues in Universe. The lack of security support for Universe is a real problem for people running servers with Universe packages; common examples are php4-universe, tomcat and spamassassin.

== Scope and Use Cases ==
 * There are currently slightly fewer than 8000 source packages in Breezy's universe.
 * A number of bugs are reported each week on lists such as full-disclosure and bugtraq that must be patched.

== Implementation Plan ==
 * Build a Universe security team
  * Preferably MOTUs, or people recommended by a MOTU or maintainer
  * Well-signed GPG key
 * Define policies and procedures

We will provide security support for Universe for one release cycle: e.g. when Breezy is released, Hoary Universe support will end. This period could expand as more members join Universe security, up to the 18 months given to Main.
In cases where the Debian security team uploads a point release of a package rather than a backported fix, it is acceptable in most cases to upload that new version to Universe after reviewing the package changes.

=== Procedure ===
 * Watch this page for CANs fixed in Debian; they likely apply to Universe as well:
  * http://people.ubuntu.com/~pitti/ubuntu-cve/
 * Coordinate and review updates on the [[http://lists.ubuntu.com/mailman/listinfo/security-review|security-review]] list.
 * Where possible, grab the fixed package from Debian and use debdiff to pull out a patch.
 * Apply the patch to the Ubuntu version and test. Use the changelog format from [[http://www.ubuntulinux.org/wiki/SecurityUpdateProcedures]].
 * Upload to the security queue and notify MartinPitt.

=== Data Preservation and Migration ===
No new major (non-point) releases of upstream software. Incorporate fixes already tested in Debian, and test them on the architectures Ubuntu supports.

=== Packages Affected ===
Hoary/Breezy Universe.

=== User Interface Requirements ===
Updates will be delivered through apt/synaptic/update-manager.

== Outstanding Issues ==
 * Get access to various architectures for testing.
 * Get access to unreleased (embargoed) security bugs.
 * Integrate with Malone.

=== UDU BOF Agenda ===

=== UDU Pre-Work ===
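== Worked example: spotting CANs fixed in Debian but not yet in Ubuntu ==
The first Procedure step above (watch for CANs fixed in Debian that likely apply to Universe) is mostly changelog reading. The script below is an added example, not part of this page or of any Ubuntu security tooling: it parses a Debian changelog and an Ubuntu changelog for the same source package, works out which Debian version the Ubuntu package is based on by stripping the `ubuntuN` suffix, collects every CAN/CVE identifier mentioned in Debian stanzas newer than that base, and reports the ones the Ubuntu changelog never mentions. The package name `example-pkg`, the maintainer addresses, the changelog text and the CAN numbers are constructed placeholders and make no claim about real vulnerabilities; it uses only the Python standard library and runs offline.

```python
"""Added example: find CAN/CVE identifiers that Debian has fixed in a package
since the version the Ubuntu package is based on, and report which of them
the Ubuntu changelog does not mention yet.  Standard library only."""
import re

# First line of a debian/changelog stanza: "pkg (version) distribution; urgency=..."
STANZA_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=")
# CVE candidates were still named CAN-YYYY-NNNN in 2005; accept both prefixes.
ID_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")


def parse_changelog(text):
    """Return [(version, body_text), ...] for each stanza, newest first."""
    entries = []
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            entries.append((m.group(2), []))
        elif entries:
            entries[-1][1].append(line)
    return [(version, "\n".join(body)) for version, body in entries]


def debian_base_of(ubuntu_version):
    """Strip the Ubuntu suffix (1.0-1ubuntu2 -> 1.0-1) to get the Debian version
    the Ubuntu package was derived from.  A version without a suffix (a package
    synced unchanged from Debian) is returned as-is."""
    return re.sub(r"ubuntu\d+$", "", ubuntu_version)


def ids_fixed_since(debian_changelog, base_version):
    """Sorted identifiers mentioned in Debian stanzas newer than base_version.
    Newer stanzas are simply the ones listed above base_version in the
    changelog, so no Debian version comparison is needed."""
    entries = parse_changelog(debian_changelog)
    versions = [v for v, _ in entries]
    if base_version not in versions:
        # The Ubuntu package is based on a version this changelog does not show
        # (e.g. an older upstream); that needs a human look, not a guess.
        raise ValueError("base version %s not found in Debian changelog" % base_version)
    found = set()
    for _, body in entries[:versions.index(base_version)]:
        found.update(ID_RE.findall(body))
    return sorted(found)


def missing_in_ubuntu(debian_changelog, ubuntu_changelog):
    """Identifiers fixed in Debian since the Ubuntu package's Debian base that
    no stanza of the Ubuntu changelog mentions."""
    ubuntu_version = parse_changelog(ubuntu_changelog)[0][0]
    have = set(ID_RE.findall(ubuntu_changelog))
    fixed = ids_fixed_since(debian_changelog, debian_base_of(ubuntu_version))
    return [i for i in fixed if i not in have]


# Constructed sample changelogs for a hypothetical package "example-pkg".
# The CAN numbers are placeholders and make no claim about real vulnerabilities.
DEBIAN_CHANGELOG = """\
example-pkg (1.0-3) unstable; urgency=high

  * Fix buffer overflow in the input parser (CAN-2005-1234)

 -- Debian Maintainer <maint@example.org>  Mon, 02 May 2005 10:00:00 +0000

example-pkg (1.0-2) unstable; urgency=low

  * Fix directory traversal in file handling (CAN-2005-5678)

 -- Debian Maintainer <maint@example.org>  Mon, 18 Apr 2005 10:00:00 +0000

example-pkg (1.0-1) unstable; urgency=low

  * Initial release.

 -- Debian Maintainer <maint@example.org>  Mon, 04 Apr 2005 10:00:00 +0000
"""

UBUNTU_CHANGELOG = """\
example-pkg (1.0-1ubuntu1) hoary-security; urgency=low

  * Fix directory traversal in file handling (CAN-2005-5678),
    patch taken from Debian 1.0-2.

 -- Ubuntu Contributor <contrib@example.org>  Wed, 20 Apr 2005 10:00:00 +0000

example-pkg (1.0-1) hoary; urgency=low

  * Synced from Debian.

 -- Ubuntu Contributor <contrib@example.org>  Mon, 04 Apr 2005 10:00:00 +0000
"""

if __name__ == "__main__":
    for ident in missing_in_ubuntu(DEBIAN_CHANGELOG, UBUNTU_CHANGELOG):
        print("fixed in Debian, not yet in Ubuntu:", ident)
```

With the constructed data above the Ubuntu package is based on Debian 1.0-1 and already carries the 1.0-2 fix, so the only identifier reported is the one from Debian 1.0-3. The check deliberately refuses to guess when the Ubuntu package's Debian base does not appear in the Debian changelog at all: that case (an older upstream, or a package that was never synced from Debian) is exactly where a human needs to look at the package rather than trust a script.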