My thoughts on this are that it may be acceptable to bundle dependencies
in SRUs when the stable Ubuntu release doesn't already have the given
dependency packaged. This would be acceptable to me in snapd's case
since upstream has a very close relationship with Ubuntu Security, we
trust that they'll be helpful in performing any necessary security
updates, and they regularly SRU new upstream releases.

However, I'd like to see dependencies not be bundled in the current
development release of Ubuntu. I think there will be overlap between
dependencies of projects such as snapd, lxd, juju, etc., and I'd prefer
that those dependencies be packaged up and re-used to ease the
maintenance burden.

This also makes it possible for the Ubuntu Security team to more
accurately track security issues in dependencies of snapd. Our current
CVE triage process is more effective when archive packages exist for
projects affected by CVEs. Note that this will likely change in the
future as we see an increased need to identify and assist in the
tracking of security issues in Canonical supported snaps.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658181

Title:
  snapd bundles golang dependencies despite being in main

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1658181/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs