Review sponsorship process and compare to security-sponsorship (Security)

Registered by Nicolas Valcarcel on 2009-11-09

Review Ubuntu sponsorship process and compare to Ubuntu Security team sponsorship process to improve it.

Blueprint information

Status: Complete
Approver: Robbie Williamson
Priority: Essential
Drafter: Nicolas Valcarcel
Direction: Needs approval
Assignee: Jamie Strandboge
Definition: Approved
Series goal: Accepted for lucid
Implementation: Implemented
Milestone target: lucid-alpha-2
Started by: Jamie Strandboge on 2009-12-11
Completed by: Jamie Strandboge on 2010-01-15

Related branches

Sprints

Whiteboard

Work items:
create ubuntu-security-sponsors team: DONE
clarify policy on sending stuff to -proposed: DONE
put security update info into main SponsorshipProcess document: DONE
modify security team wiki pages to reflect new procedures: DONE
create wiki page for processing the security sponsors queue: DONE
announce changes to community: DONE
create report-todo-sponsoring script: DONE

Gobby text:
= Compare Universe and Security Sponsorship Processes =

 * Standard Sponsorship http://wiki.ubuntu.com/SponsorshipProcess
  * overview: http://people.canonical.com/~dholbach/sponsoring/
  * Subscription indicates need for sponsorship
   * ubuntu-main-sponsors team is subscribed for main packages
   * ubuntu-universe-sponsors team is subscribed for universe packages
   * unsub team if needed work remains outstanding for too long
  * Is a way to educate/promote new Ubuntu members
   * name in changelog (for first try or two and gradually get pickier), regardless of how much of their work is still in it

 * Security Sponsorship
  * subscribed ubuntu-security _and_ Status == In Progress _and_ patch attached

 * Road blocks in the security sponsorship process
  * do you have a PoC? this is too daunting
  * testing requirements

 * Proposed process
  * use the standard sponsorship process, except use "ubuntu-security-sponsors"
  * perhaps require SRU-like justification outlining why a contributor thinks the fix is good.
  * low confidence updates
   * put in -proposed (via security-proposed) depending on the sponsor's confidence in the level of testing and the intrusiveness of the patch (this is a risk versus benefit decision). Talk to the SRU team
   * ubuntu-security-sponsors does the review and ack to upload
   * upload to security-proposed to build, then copy to -proposed
   * once in -proposed, subscribe motu-sru for verification-needed
    * who does this? pitti? ubuntu-security?
    * once verification-done, then pocket copy to -security and -updates

 * Actions
  * put information about security sponsorship into the main SponsorshipProcess document
  * create a new team "ubuntu-security-sponsors" and use that as primary indicator for sponsorship
