UbuntuMainInclusionRequirements
|
Size: 3983
Comment: imported from the old wiki
|
Size: 4233
Comment: somebody already added i18n, subsumed by previous change
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = UbuntuMainInclusionRequirements = |
|
| Line 7: | Line 5: |
| This document describes the steps and requirements for a package to be | This document describes the requirements for a package to be |
| Line 12: | Line 10: |
| == Steps == To promote a package into ''main'', the following steps need to be taken: 0. The package must meet the requirements described in the following section. 0. A concise, but complete report should be created which documents the status of the requirements. The report should follow the format of the "Requirements" section. Ideally the report is put to the wiki at http://www.ubuntulinux.org/wiki/MainInclusionReportPackageName. 0. The request and the link to the report are sent to ubuntu-devel@lists.ubuntu.com. 0. A main developer reviews the report and accepts or denies the request. This is indicated by adding a line "Name: accepted" or "Name: rejected" to the "Reviewers" part of the report. 0. If it is accepted, the package is added to the appropriate seed. |
The MainInclusionProcess page describes the steps of the process. |
| Line 25: | Line 14: |
| The package must fulfill the following requirements: | The package must fulfil the following requirements: |
| Line 36: | Line 25: |
| * The status of important bugs in [http://bugs.debian.org Debian's], [https://launchpad.ubuntu.com/malone/distros/ubuntu Ubuntu's], and possibly upstream's bug tracking systems must be evaluated. | * The status of important bugs in [[http://bugs.debian.org|Debian's]], [[https://launchpad.ubuntu.com/malone/distros/ubuntu|Ubuntu's]], and possibly upstream's bug tracking systems must be evaluated. |
| Line 38: | Line 27: |
| 0. ''Standards compliance:'' The package should meet the [http://www.pathname.com/fhs/ FHS], [http://www.de.debian.org/doc/debian-policy/ Debian Policy], and (if applicable) the [http://www.netfort.gr.jp/~dancer/column/libpkg-guide/libpkg-guide.html Debian library packaging guide] standards. Major violations should be documented and justified. Also, the source packaging should be reasonably easy to understand and maintain. | * Nontrivial packages need maintenance commitment from an Ubuntu developer or team. 0. ''UI standards:'' * End-user applications must be internationalized (translatable), using the standard intltool/gettext build and runtime system and produce a proper PO template during build. * End-user applications must ship a standard conformant desktop file. 0. ''Standards compliance:'' The package should meet the [[http://www.pathname.com/fhs/|FHS]], [[http://www.de.debian.org/doc/debian-policy/|Debian Policy]], and (if applicable) the [[http://www.netfort.gr.jp/~dancer/column/libpkg-guide/libpkg-guide.html|Debian library packaging guide]] standards. Major violations should be documented and justified. Also, the source packaging should be reasonably easy to understand and maintain. |
| Line 40: | Line 33: |
| 0. ''Maintenance:'' The package must have an acceptable level of maintenance corresponding to its complexity. Simple packages (e.g. language bindings, simple Perl modules, small command-line programs, etc.) might not need very much maintenance effort. More complex packages will usually need a developer or team of developers paying attention to their bugs, whether that be in Ubuntu or elsewhere (often Debian). Packages that deliver major new headline features in Ubuntu should have Ubuntu developers willing to spend substantial time on them. | |
| Line 46: | Line 40: |
| * http://people.ubuntu.com/~pitti/ubuntu-cve/unfixed.html * http://people.ubuntu.com/~pitti/ubuntu-cve/unchecked.html * Check for security relevant binaries. If any is present, this requires a more in-depth security review. |
* Ubuntu CVE Tracker * http://people.ubuntu.com/~ubuntu-security/cve/main-all.html * http://people.ubuntu.com/~ubuntu-security/cve/universe-all.html * http://people.ubuntu.com/~ubuntu-security/cve/partner-all.html * Check for security relevant binaries. If any are present, this requires a more in-depth security review. |
Promoting a package into main
Scope
This document describes the requirements for a package to be considered for inclusion into the supported set of Ubuntu packages (into main), which entails that this package receives the full scope of security and QA support.
The MainInclusionProcess page describes the steps of the process.
Requirements
The package must fulfil the following requirements:
Availability: The package must already be in the Ubuntu universe, and must build for the architectures it is designed to work on.
Rationale: There must be a certain level of demand for the package, for example:
- The package is useful for a large part of our user base.
- The package is a new build dependency or dependency of a package that we already support.
- The package replaces another package we currently support and promises higher quality and/or better features, so that we can drop the old package from the supported set.
Security: The security history and the current state of security issues in the package must allow us to support the package for at least 18 months without exposing its users to an inappropriate level of security risks. This requires checking of several things that are explained in detail in the subsection Security checks.
Quality assurance:
- After installing the package it must be possible to make it working with a reasonable effort of configuration and documentation reading.
- There are no long-term outstanding bugs which affect the usability of the program to a major degree. To support a package, we must be reasonably convinced that upstream supports and cares for the package.
The status of important bugs in Debian's, Ubuntu's, and possibly upstream's bug tracking systems must be evaluated.
- The package should not deal with exotic hardware which we cannot support.
- Nontrivial packages need maintenance commitment from an Ubuntu developer or team.
UI standards:
- End-user applications must be internationalized (translatable), using the standard intltool/gettext build and runtime system and produce a proper PO template during build.
- End-user applications must ship a standard conformant desktop file.
Standards compliance: The package should meet the FHS, Debian Policy, and (if applicable) the Debian library packaging guide standards. Major violations should be documented and justified. Also, the source packaging should be reasonably easy to understand and maintain.
Dependencies: Any build or binary dependencies which are not yet in main.
Maintenance: The package must have an acceptable level of maintenance corresponding to its complexity. Simple packages (e.g. language bindings, simple Perl modules, small command-line programs, etc.) might not need very much maintenance effort. More complex packages will usually need a developer or team of developers paying attention to their bugs, whether that be in Ubuntu or elsewhere (often Debian). Packages that deliver major new headline features in Ubuntu should have Ubuntu developers willing to spend substantial time on them.
Security checks
- Check how many vulnerabilities the package had in the past and how they were handled by upstream and the Debian/Ubuntu package:
http://cve.mitre.org/cve/ -> search for the package as a keyword
- Ubuntu CVE Tracker
- Check for security relevant binaries. If any are present, this requires a more in-depth security review.
Executables which have the suid or sgid bit set.
Executables in /sbin, /usr/sbin.
Packages which install daemons (/etc/init.d/*)
Packages which open privileged ports (ports < 1024).
UbuntuMainInclusionRequirements (last edited 2020-03-24 15:52:43 by paelzer)