[12:25] <sidi> Is there a document somewhere that describes the security checks done on packages in the Ubuntu repositories? And specifically, is there any difference in how main and community packages are checked/validated?
[12:31] <rbasak> sidi: try asking in #ubuntu-hardened. You may want to expand on what you mean by "security checks".
[12:37] <sidi> rbasak, thanks, will ask there.
[12:37] <sidi> rbasak, i'm doing studies with Ubuntu users, part of which covers their perceptions of security and where they deem it safe to download software
[12:38] <sidi> i want to know if any form of security check / process is in place to ensure that packages on main / universe are deemed secure and/or safe
[12:39] <sidi> whether testing, static analysis, dynamic analysis, refusing packages with known vulns, verifying the identity of developers and using third-party assessments to ensure that the developers' products are not malicious, etc.
[12:45] <persia> sidi: Be prepared for a lack of clear answers there: many of the packages in Ubuntu are derived unchanged (and unchecked) from Debian, many of which are code-identical to upstream.
[12:45]  * persia is not authoritative on security practices in Ubuntu
[13:09] <sidi> persia, i sort of expect that, yes :-)