Comment 7 for bug 1706900

Seth Arnold (seth-arnold) wrote :

Hi Nils,

Ubuntu's security team does not use upstream assessments of
severity when assigning priorities. Our criteria are enumerated at
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README#L191 .

Upstream estimates of severity are usually focused strictly on the
service at hand while we need to prioritize our work across more than
ten thousand sources. This doesn't mean upstream severities are wrong,
but we must have some way to prioritize our work that's consistent.

The CVE tracker does indeed trigger the process of issuing security
updates. You can see this process at https://usn.ubuntu.com/usn/ where
we have issued 290 USNs so far this year. Less visible are the sponsored
updates to universe packages in collaboration with the community, which
do not get USNs.

We do not have service level agreements for security updates. Even
if such a thing were feasible for our team we believe this would be
counter-productive to overall security as many upstreams issue regression
fixes after security fixes get wider coverage.

Seven months for an issue with an upstream-provided patch is indeed too
long. We have recently hired a new team member; while his duties are
primarily providing extended support for 12.04 LTS to Ubuntu Advantage
customers, he will also perform additional updates and generalist duties
as time allows.

In addition, while it doesn't happen often, we are happy to sponsor
updates for packages in main. It would probably be best to check in with
us before beginning work on a sponsored update to ensure (a) we'd be
interested in the approach and (b) that it wouldn't be duplicating work.
For more information see https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures .
This may help bring a specific update to our users more quickly.

Thanks