Rick, I have double-checked with Jamie and Tyler from the Security Team. You are doing the right thing by build-depending on those modules that are available as separate packages in xenial, thank you for this. However, this does not mean that these packages you build-depend on can go into main without going through the MIR process. To the contrary, adding the build-dependency is the trigger that lets us know that the packages *need* to go through the MIR process (and in particular, the security review of these modules). Otherwise, the juju team could in theory add new bundled modules indefinitely to the source without ever getting Security Team visibility on that code.
This will not block the feature freeze exception for juju-core 2.0, we will continue moving ahead with that in parallel, but we do need the juju team to start that MIR process for these new universe build-deps so that they can be properly reviewed prior to 16.04 release.

--
https://bugs.launchpad.net/bugs/1545913
Title: [FFe] juju-core 2.0
