PackageMaintainednessPresentation

Revision 5 as of 2008-08-06 16:15:56

Summary

How to represent the level of security and critical-fix support for the various applications in Ubuntu.

Release note

None necessary.

Rationale

Canonical maintains packages in the Ubuntu archive for different periods, and “maintains” means different things depending on whether the package is Free Software (as currently represented by Main vs. Restricted). Ubuntu’s package management tools do not make it clear how long each package is maintained for, and what this means.

Scope

Canonical maintains:

  • packages that are part of Ubuntu Server for five years in LTS releases, and three years in non-LTS releases.
  • other packages in the Main repository for three years in LTS releases, and 18 months in non-LTS releases.

“Maintains”, in this sense, means:

  • If Canonical is able to modify and redistribute modified versions of the package (currently represented by the package being in “Main”), it provides fixes for security problems and other critical defects.
  • If Canonical does not have the source code and permission to redistribute modified versions (currently represented by the package being in “restricted”), it seeks fixes from the vendor for security problems and other critical defects.

“Maintains” should not be confused with “supports”, which is about paid assistance from Canonical’s support team or from other support providers. It is possible that we may advertise supportedness of software in package management tools in future, but for now we will not.

Use cases

  • Some server administrators want to be sure that all packages they install are maintained by Canonical. These admins use apt-get or aptitude, not Synaptic or Add/Remove Programs.

We have no other known use cases. However, we currently present maintainedness ambiguously in Synaptic and Add/Remove Programs, and we should present it unambiguously.

Design

Add/Remove Applications

In the “Show” menu, “Supported applications” should be renamed to “Canonical-maintained applications”. Like the rest of the items in the menu, it should not have a tooltip.

An application’s maintenance status should be presented in small grey print at the end of its description.

Text shown for each maintenance type:

  • Canonical-maintained (Free Software)
      • If expires in the future: Canonical provides any critical updates for FontForge in Ubuntu 8.04 until 28 April 2011.
      • If expires today or in the past: Canonical provided updates for FontForge in Ubuntu 8.04 until 28 April 2011. Further updates may be available in a newer version of Ubuntu.
  • Canonical-maintained (non-Free)
      • If expires in the future: Canonical will seek any critical updates for Hypothetical Restricted Application from the vendor until 28 April 2011.
      • If expires today or in the past: Canonical provided updates for Hypothetical Restricted Application until 28 April 2011. Further updates may be available in a newer version of Ubuntu.
  • Community (Free Software): Updates for 3D Chess are provided by the Ubuntu community.
  • Community (non-Free): The Ubuntu community seeks updates for Userful from the vendor.

(These maintenance types are currently represented by Main, Restricted, Universe, and Multiverse respectively.)

Synaptic

apt-cache

“apt-cache show package-name” should include information about how long Canonical will provide critical updates for the package. For example:

> apt-cache show fontforge
Package: fontforge
Priority: optional
Section: x11
Installed-Size: 12004
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Kęstutis Biliūnas <kebil@kaunas.init.lt>
Canonical provides critical updates until: 2011-04-28
Architecture: i386
Version: 0.0.20071110-1build2
Depends:...

aptitude

“aptitude show package-name” should include information about how long Canonical will provide critical updates for the package. For example:

> aptitude show fontforge
Package: fontforge
State: not installed
Version: 0.0.20071110-1build2
Priority: optional
Section: x11
Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Canonical provides critical updates until: 2011-04-28
Uncompressed Size: 12.3M
Depends:...

Implementation

Package infrastructure

The implementation should be done with debtags. We add a debtag "Facet" that does not use the word "support", and add tags like "canonical-5years" or "canonical-3years".

For the support status based on the installed version of Ubuntu, we add tags that match the meta-packages, e.g. "part-of::ubuntu-desktop", "part-of::ubuntu-studio-desktop" etc. The packaging tools can then check for the installed meta-packages and work out the support status from that information. They can also rank packages that are part of this group higher, e.g. in searches.

The Synaptic lp:~mvo/synaptic/ept branch has some support for debtags, and with "debtags::getItemsHavingTag()" and "getItemsHavingTags()" it should be straightforward to implement the required views and emblems. The tag information needs to be added to the debtags package; this includes the new facet in the vocabulary and the new tags.

For the Python-based applications, the emblems can be displayed based on the information that is available via the python-debian debtags interface.

For the CLI tools, we should modify apt-ftparchive so that it adds the support time to the package record.
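The following is an added example, not part of the original specification or of any Ubuntu tool: a sketch of how a server administrator's script could read the proposed record field and report which packages are still maintained. The field name is taken from the apt-cache example above; the function names and the sample records are constructed for illustration.

```python
from datetime import date

# Field name as proposed in the spec's apt-cache example.
FIELD = "Canonical provides critical updates until"

# Constructed sample records in the proposed format (not real archive data).
SAMPLE = """\
Package: fontforge
Version: 0.0.20071110-1build2
Canonical provides critical updates until: 2011-04-28
Description: font editor
 Multi-line descriptions continue on indented lines.

Package: chess3d
Version: 1.0-1
Description: constructed record with no maintenance field

Package: hypothetical-restricted-app
Version: 2.1-0ubuntu1
Canonical provides critical updates until: not-a-date
"""

def parse_records(text):
    """Split control-file style text into one dict per package stanza."""
    records = []
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            records.append(fields)
    return records

def maintenance_status(record, today):
    """Return 'maintained', 'expired' or 'unknown' for one package record."""
    raw = record.get(FIELD)
    if raw is None:
        return "unknown"          # record carries no maintenance field
    try:
        until = date.fromisoformat(raw)
    except ValueError:
        return "unknown"          # a malformed date is never treated as maintained
    # The Design section groups "expires today" with "in the past".
    return "maintained" if until > today else "expired"

def audit(text, today):
    """Map each package name in the text to its maintenance status."""
    return {r["Package"]: maintenance_status(r, today) for r in parse_records(text)}
```

Treating a missing or unparseable field as "unknown" rather than "maintained" keeps the report conservative for administrators who only want maintained packages installed.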

Test/Demo Plan

It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release.

This need not be added or completed until the specification is nearing beta.

Unresolved issues

  • We need to get the list of supported packages for the various support levels for each release. It needs to be discussed if this should be done via germinate or via a different method.
  • Where will “critical” be defined?
