diff options
Diffstat (limited to 'zarb-ml/mageia-dev/2011-August/007521.html')
| -rw-r--r-- | zarb-ml/mageia-dev/2011-August/007521.html | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2011-August/007521.html b/zarb-ml/mageia-dev/2011-August/007521.html new file mode 100644 index 000000000..3ed76fcd3 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-August/007521.html @@ -0,0 +1,120 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201108251912.26274.stormi%40laposte.net%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="007514.html"> + <LINK REL="Next" HREF="007540.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers</H1> + <B>Samuel Verschelde</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201108251912.26274.stormi%40laposte.net%3E" + TITLE="[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers">stormi at laposte.net + </A><BR> + <I>Thu Aug 25 19:12:26 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="007514.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI>Next message: <A HREF="007540.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7521">[ date ]</a> + <a href="thread.html#7521">[ thread ]</a> + <a href="subject.html#7521">[ subject ]</a> + <a href="author.html#7521">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Le jeudi 25 août 2011 14:09:26, Stew Benedict a écrit : +><i> On 08/24/2011 08:50 PM, Samuel Verschelde wrote: +</I>><i> > Hi, +</I>><i> > +</I>><i> > I was told that QA Team's work's visibility needs to be improved, so as a +</I>><i> > team member I'll try to give you some sort of status report. +</I>><i> > +</I>><i> > - 1 has been validated by QA one month ago, but was assigned to security +</I>><i> > team following updates policy for security fixes, and got not answer. We +</I>><i> > have to improve either the policy or the security team here (or both). +</I>><i> +</I>><i> Do you have a pointer to this bug? I'm not finding it in bugzilla. I'm +</I>><i> not sure what I can do with it once assigned back to secteam, aside from +</I>><i> write an advisory text. I don't have admin rights to release it, etc. +</I>><i> (afaik). It was basically my understanding that the secteam role is to +</I>><i> initiate the bug, provide patches, POC, and advisory text and the +</I>><i> maintainer do the update and pass it on to QA. I've stopped even +</I>><i> intiating because they are just sitting there in the new/unassigned +</I>><i> state. some for 2 months or more now. While a shiny new KDE is nice, not +</I>><i> pushing updates for published vulnerabilities makes us look bad, imho. +</I> +It's <A HREF="https://bugs.mageia.org/show_bug.cgi?id=2239">https://bugs.mageia.org/show_bug.cgi?id=2239</A> + +I think the initial idea in the updates policy is that security fixes have to +be tested by secteam to ensure that the security problem is not there anymore, +because sometimes the upstream or the packager fixes it in a wrong way or does +a mistake, so we need to ensure the security problems are really fixed. +Otherwise we risk saying that a security issue is fixed when it's not. +Obviously, this can't happen if the security team doesn't grow. Maybe some +kind of joint effort from security and QA could help ? + +I already know updates that have been pushed without the security fixes being +tested. + +Also, the security bugs being open in bugzilla and not adressed by the +packagers is a really big issue, that we have to find a way to fix as soon as +possible. Can you give us a link to the list of pending security issues ? + +Best regards + +Samuel Verschelde +</PRE> + + + + + + + + + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="007514.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI>Next message: <A HREF="007540.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7521">[ date ]</a> + <a href="thread.html#7521">[ thread ]</a> + <a href="subject.html#7521">[ subject ]</a> + <a href="author.html#7521">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |