In general, the Ubuntu Security team is ok with snapd going into main in
14.04.

We trust that the snapd upstream developers will be responsive in fixing
security issues and there's a documented history of them performing SRUs
to stable Ubuntu releases. We can depend on them to prepare any
necessary security updates and perform QA prior to the updates being
published.

@mvo please confirm that what I said above is true.

As for the question of bundling, as long as the upstream project has a
close relationship with the Ubuntu Security team, there's a demonstrable
history of regular SRUs, and the dependency does not exist in the stable
Ubuntu release, I'm reluctant but ok with bundling of new dependencies
in stable Ubuntu releases.

There are some open questions about how much help the Ubuntu Security
team can actually provide in tracking security issues in snapd's bundled
dependencies. We currently have no convenient way of determining
existing bundled dependencies in snapd and have no notification
mechanism when upstream adds a new bundled dependency. I'll discuss this
more in bug 1658181.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660550

Title:
  [MIR] snapd in trusty


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
