UniverseSecurity

Status

Introduction

Universe currently receives no security fixes in Ubuntu after release. Debian fixes many of these packages; we can take those fixes and push them to Ubuntu Universe.

http://www.ubuntulinux.org/wiki/SecurityUpdateProcedures covers most procedures for Ubuntu security updates for Main. This also applies to us.

Rationale

Security is good and an essential element if Ubuntu is to gather the widest possible audience and user base. We should take steps to fix security issues in Universe.

The lack of security support for Universe is an issue for people running servers with Universe packages. Common examples could be php4-universe, tomcat or spamassassin.

Scope and Use Cases

  • There are currently slightly fewer than 8000 source packages in breezy's universe. A number of bugs that must be patched are reported each week on lists such as full-disclosure and bugtraq.

Implementation Plan

  • Build Universe security team
    • Preferably MOTU, or recommended by a MOTU or maintainer
    • Well-signed GPG key
  • Define policies and procedures

We will provide security support for Universe for one release cycle. E.g., when Breezy is released, Hoary Universe support will end. This period could expand as more members join Universe security, up to 18 months as for Main. In cases where the Debian security team uploads a point release of a package rather than a backported fix, it would be acceptable in most cases to upload a new version of the package to Universe, after a review of the package change.

Procedure

Data Preservation and Migration

No new major (non-point) releases of upstream software. Incorporate fixes tested in Debian, and test on supported architectures for Ubuntu.

Packages Affected

Hoary/Breezy Universe.

User Interface Requirements

Will use apt/synaptic/update-manager.

Outstanding Issues

  • Get access to various architectures for testing.
  • Get access to unreleased security bugs.
  • Integrate with Malone.

UDU BOF Agenda

UDU Pre-Work

UbuntuDownUnder/BOFs/UniverseSecurity (last edited 2008-08-06 16:22:57 by localhost)