Review sponsorship process and compare to security-sponsorship (Security)

Registered by Nicolas Valcarcel

Review Ubuntu sponsorship process and compare to Ubuntu Security team sponsorship process to improve it.

Blueprint information

Robbie Williamson
Nicolas Valcarcel
Needs approval
Jamie Strandboge
Series goal:
Accepted for lucid
Milestone target:
lucid-alpha-2
Started by
Jamie Strandboge
Completed by
Jamie Strandboge

Work items:
create ubuntu-security-sponsors team: DONE
clarify policy on sending stuff to -proposed: DONE
put security update info into main SponsorshipProcess document: DONE
modify security team wiki pages to reflect new procedures: DONE
create wiki page for processing the security sponsors queue: DONE
announce changes to community: DONE
create report-todo-sponsoring script: DONE

Gobby text:
= Compare Universe and Security Sponsorship Processes =

 * Standard Sponsorship
  * overview:
  * Subscription indicates need for sponsorship
   * ubuntu-main-sponsors team is subscribed for main packages
   * ubuntu-universe-sponsors team is subscribed for universe packages
   * unsubscribe the team if needed work remains outstanding for too long
  * Is a way to educate/promote new Ubuntu members
   * name in changelog (for first try or two and gradually get pickier), regardless of how much of their work is still in it

 * Security Sponsorship
  * subscribed ubuntu-security _and_ Status == In Progress _and_ patch attached

 * Road blocks in the security sponsorship process
  * do you have a PoC? this is too daunting
  * testing requirements

 * Proposed process
  * use the standard sponsorship process, except use "ubuntu-security-sponsors"
  * perhaps require SRU-like justification outlining why a contributor thinks the fix is good.
  * low confidence updates
   * put in -proposed (via security-proposed) depending on sponsor's confidence of the level of testing and intrusiveness of the patch (this is a risk versus benefit decision). Talk to SRU team
   * ubuntu-security-sponsors does the review and ack to upload
   * upload to security-proposed to build, then copy to -proposed
   * once in -proposed, subscribe motu-sru for verification-needed
    * who does this? pitti? ubuntu-security?
    * once verification-done, then pocket copy to -security and -updates

 * Actions
  * put information about security sponsorship into the main SponsorshipProcess document
  * create a new team "ubuntu-security-sponsors" and use that as primary indicator for sponsorship

