Easy way to determine security support status

Registered by Marc Deslauriers on 2010-04-28

Investigate:
- Providing an early notification of EOL in update-manager
- Creating a GUI front end for ubuntu-support-status
- Investigate linking tool to CVE tracker to get a risk evaluation

Blueprint information

Status: Not started
Approver: Kees Cook
Priority: Medium
Drafter: Marc Deslauriers
Direction: Needs approval
Assignee: Marc Deslauriers
Definition: Approved
Series goal: Accepted for natty
Implementation: Not started
Milestone target: ubuntu-11.04

Whiteboard

Work items:
[mvo] add nag to update-manager when a release is EOL: DONE
[mvo] add nag to motd/update-manager-core when a release is EOL: DONE
[mvo] add info dialog to update-manager when a release is EOL with no upgrade path (part of the normal upgrade process, but a special EOL release announcement that explains it): DONE
[mvo] create logic that determines if a package is risky and needs to be uninstalled: POSTPONED
[mvo] add cleaning out insecure packages capabilities to computer janitor: POSTPONED

Maverick work items:
[mdeslaur] add wiki page with information on how to backup and reinstall that is linked from update-manager: WONTIMPLEMENT
[mdeslaur] prepare script to convert UCT pickle info into appropriate database for computer janitor: WONTIMPLEMENT

Gobby notes:
- Do a post-mortem on the support-status work done for lucid.
community supported packages don't have as many fixes

how to best alert people to demotions and EOL

EOL currently:
 * update manager shows a message box to user stating that release is EOL
 * shows up only once, unless they open update-manager (there is no nag)
 * flag is available in the server side

Ideas going forward:
 * nag weekly or daily or something
 * upload new version of update-manager with the nag feature
 * needs new code to use flag
 * part of EOL checklist is to flip the flag and upload to -security
 * nag feature should be smart about suggesting to reinstall vs upgrade
 * on server -- update motd or whatever the new notifier will be

Demotions currently:
 * synaptic
 * ubuntu-support-status
 * computer-janitor suggests to remove stuff for space

Ideas going forward:
 * possibly software center (not great experience)
 * computer janitor could suggest stuff for support
   - could export UCT by package information in a format for someone to use to
     make decisions on suggestions for removal in computer-janitor
   - medium or higher
   - have a grace period of 1 month
   - gives added incentive for package maintainers to update their packages
