[MIR] snapd in trusty
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
I'm not familar with the MIR process if a package is already in main in other releases. I will just do it as a regular MIR bug.
[Availability]
- available in Ubuntu 16.04,16.10,17.04 in main
- available in Ubuntu 14.04 in the trusty-updates pocket in universe
[Rationale]
- the package is important for our users to get the latest snaps from upstreams and other vendors (e.g. mysql)
[Security]
- we have an active team of maintainers around the snapd codebase
- the Ubuntu security team is very involved with snapd and provides review and guidance and code
[Quality assurance]
- runs the unit tests during build
- uses autopkgtests with an extensive test suite
- active bug triage community
[Dependencies]
- dependencies are bundled via the go-vendor system because it would require too many backports to trusty
[Standards compliance]
- standard compliant expect for the use of the non-standard /snap directory
[Maintenance]
- actively maintained by a team inside Canonical
[Background information]
- snapcraft.io :)
Changed in snapd (Ubuntu): | |
assignee: | Ubuntu Security Team (ubuntu-security) → Michael Vogt (mvo) |
Changed in snapd (Ubuntu): | |
assignee: | Michael Vogt (mvo) → Ubuntu Security Team (ubuntu-security) |
Changed in snapd (Ubuntu): | |
assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
Changed in snapd (Ubuntu): | |
status: | Fix Committed → Fix Released |
Oh yeah this is a weird situation. :) I guess it would normally make sense to re-review if the potentially older code was different than what was previously approved.
In this case, the code is the same as the newer releases? So I normally would expect a MIR rubber stamp.
BUT... the MIR team is not happy with snapd these days. See bug 1658181, which is a big security and MIR policy violation, implemented just a few months after getting MIR approval last time around. (Presumably done specifically to support trusty? I don't know, because no one that knows why it was done has commented.)
So bug 1658181 is a blocker. Though oddly, for trusty specifically an exception might be able to be made because the golang packages you need may not be in the archive. But for all *other* releases, it's definitely a blocker, after the fact. But that's not what this bug is about... I'll assign to security team to see what they want to do about supporting this.