With my security hat on: I think it is best to have the archive components actually reflect our commitment to support a given package. Since we now have an ability to show support lengths in binary packages (thanks mvo!) I would be happier with this in main, marked for 18mon of support, if it is intended to be supported.
With my MIR hat on: I haven't seen the MIR requirement list yet, but I can't imagine it will be favorable. It has had significant numbers of CVEs assigned to in a very short time: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=chromium It uses webkit internally, which is a CVE disaster (and I'm already disappointed to have webkit in main): http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=webkit How they will do stable support is not known, and we have no long-term commitment from upstream for anything in particular. Based on this, I cannot recommend it for main. It is young software with a poor security record, unknown supportability that hasn't been packaged before Lucid. This should stay in universe, and I can't recommend anything depending on it yet. If it were to stay in universe, the security team doesn't need to be involved in its support for Ubuntu to see how updates will work for it. I just think it's a gamble for a product to depend on chromium at this point. -- [MIR] chromium-browser https://bugs.launchpad.net/bugs/522645 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
