[MIR] chromium-browser

Bug #522645 reported by Emmet Hikory
Affects: chromium-browser (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: chromium-browser

chromium-browser is still being compared against the MainInclusionRequirements: the description will be updated with something meaningful as the investigation continues.

Emmet Hikory (persia)
Changed in chromium-browser (Ubuntu):
assignee: nobody → Alexander Sack (asac)
status: New → Incomplete

Alexander Sack (asac) wrote:

Assigning to the security team for an assessment of whether we can get this into main at all for lucid. I understand that chromium is pretty new, and that the security/update process is not well understood. Also to consider is that chromium does not have a stable release yet for linux.

On the other side, it's really faster on arm and would improve our default experience.

The other option I see is to keep it in universe for lucid and try to treat it security-wise as if it were in main (minus the USN publishing); this would give us some time to learn how well chromium security support/update procedures work for us, to decide if we can support it officially in lucid+1.

Changed in chromium-browser (Ubuntu):
assignee: Alexander Sack (asac) → Ubuntu Security Team (ubuntu-security)

Kees Cook (kees) wrote:

With my security hat on: I think it is best to have the archive components actually reflect our commitment to support a given package. Since we now have an ability to show support lengths in binary packages (thanks mvo!), I would be happier with this in main, marked for 18 months of support, if it is intended to be supported.

With my MIR hat on: I haven't seen the MIR requirement list yet, but I can't imagine it will be favorable. It has had significant numbers of CVEs assigned to it in a very short time:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=chromium
It uses webkit internally, which is a CVE disaster (and I'm already disappointed to have webkit in main):
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=webkit
How they will do stable support is not known, and we have no long-term commitment from upstream for anything in particular.

Based on this, I cannot recommend it for main. It is young software with a poor security record and unknown supportability, and it hasn't been packaged before Lucid. This should stay in universe, and I can't recommend anything depending on it yet.

If it were to stay in universe, the security team doesn't need to be involved in its support for Ubuntu to see how updates will work for it. I just think it's a gamble for a product to depend on chromium at this point.

Kees Cook (kees)
Changed in chromium-browser (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody

Chris Evans (scarybeasts) wrote:

Some of the issues raised surrounding supportability are reasonable, and I'm not best qualified to comment on them.

I do, however, wish to take exception to the "poor security record" comment.

Firstly, any browser is really complicated so you have to statistically expect a bunch of security vulnerabilities over time.
Secondly, Chromium stacks up excellently against the other browsers. I don't want to post them here, but I've run the stats. In particular, Chromium's sandbox means that there are not often "critical" vulnerabilities (and these are the ones that tend to really matter). Other browsers tend to spew out critical-level fixes on a regular basis.
There are other factors. Chromium turns around fixes very fast. And if you look, you'll find a decent percentage of Chromium bugs found internally by that project and its associated security teams.

Evan Martin (Chromium) (evan-chromium) wrote:

While Chris is right, I expect our policy for security updates will probably not make you too happy.

We provide three "channels" of Google Chrome, which correspond roughly to something like a "stable", "master", and "next" branch in other projects. These channels are aggressively autoupdated with fixes (security and otherwise) on Win/Mac, such that versions other than the newest on each channel are effectively lost in the noise. This means we have a good record for getting fixes out quickly, but it also means that we do not provide security fixes for any non-current releases.

You can see http://en.wikipedia.org/wiki/Google_Chrome#Release_history for the release history of our stable releases. With each such release, security fixes for older major versions are immediately stopped. I understand that Ubuntu tries to provide long term support for some Ubuntu releases, and that this may be incompatible with our release process. I don't have any good answer for you.

Launchpad Janitor (janitor) wrote:

[Expired for chromium-browser (Ubuntu) because there has been no activity for 60 days.]

Changed in chromium-browser (Ubuntu):
status: Incomplete → Expired

Fabien Tassin (fta) wrote:

@Emmet, is it still wanted?

While this bug expired because of the lack of activity, the package itself evolved a lot.

It has a proven record of 0 day security updates, matching the upstream stable Chrome releases.
It has been approved for the SRU exception by the Technical Board.
It is now translated in Launchpad.

What else is needed to qualify for this MIR?
