Diffstat (limited to 'zarb-ml/mageia-dev/2011-August/007522.html')
-rw-r--r-- | zarb-ml/mageia-dev/2011-August/007522.html | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2011-August/007522.html b/zarb-ml/mageia-dev/2011-August/007522.html new file mode 100644 index 000000000..6e3dcf14a --- /dev/null +++ b/zarb-ml/mageia-dev/2011-August/007522.html 
@@ -0,0 +1,138 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%20and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3CE/.aV4%40r78.nl%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="007547.html"> + <LINK REL="Next" HREF="007525.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers</H1> + <B>Remco Rijnders</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%20and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3CE/.aV4%40r78.nl%3E" + TITLE="[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers">remco at webconquest.com + </A><BR> + <I>Thu Aug 25 20:14:45 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="007547.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI>Next message: <A HREF="007525.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7522">[ date ]</a> + <a href="thread.html#7522">[ thread ]</a> + <a href="subject.html#7522">[ subject ]</a> + <a href="author.html#7522">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Thu, Aug 25, 2011 at 08:09:26AM -0400, Stew wrote in +<<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">4E563B76.7080300 at gmail.com</A>>: +><i>On 08/24/2011 08:50 PM, Samuel Verschelde wrote: +</I>>><i>Hi, +</I>>><i> 
+</I>>><i>I was told that QA Team's work's visibility needs to be improved, so as a team +</I>>><i>member I'll try to give you some sort of status report. +</I>><i> +</I>>><i>- 1 has been validated by QA one month ago, but was assigned to security team +</I>>><i>following updates policy for security fixes, and got not answer. We have to +</I>>><i>improve either the policy or the security team here (or both). +</I>><i>Do you have a pointer to this bug? I'm not finding it in bugzilla. +</I>><i>I'm not sure what I can do with it once assigned back to secteam, +</I>><i>aside from write an advisory text. I don't have admin rights to +</I>><i>release it, etc. (afaik). It was basically my understanding that the +</I>><i>secteam role is to initiate the bug, provide patches, POC, and +</I>><i>advisory text and the maintainer do the update and pass it on to QA. +</I>><i>I've stopped even intiating because they are just sitting there in +</I>><i>the new/unassigned state. some for 2 months or more now. While a +</I>><i>shiny new KDE is nice, not pushing updates for published +</I>><i>vulnerabilities makes us look bad, imho. +</I> +I think what we need is a trinity of triage, secteam, and QA to work on +security related things. Triage team will assign or cc the security team +on security related bugs as efficiently as possible, from there security +team will work with the maintainer on the fix and hands it to qa for +(expedited) testing and release. + +My personal feeling is that security is too important a thing to leave up +to an individual maintainer or last committer to fix, especially when it +is remotely exploitable. Perhaps make a distinction on the severity of the +security issue? + +- If it needs an authenticated user for an exploit to work, assign it to + the maintainer, Cc security team. If there is no response from the + maintainer after x days (say 10 or so), security team takes over + responsibility. 
+ +- If it is remotely exploitable and leads to a DoS or take over, security + team is instantly responsible and Cc's the maintainer on the bug and + works on a quick update. + +In my opinion it is more important to be concerned with the safety of our +users machines than with perhaps stepping on a sour maintainers toes. + +Perhaps in the next packagers meeting something like this can be agreed +on? The security team needs to have the needed privileges to quickly +handle security issues the best way it sees fit. + +Remmy +-------------- next part -------------- +A non-text attachment was scrubbed... +Name: not available +Type: application/pgp-signature +Size: 836 bytes +Desc: Digital signature +URL: </pipermail/mageia-dev/attachments/20110825/2bc2651f/attachment.asc> +</PRE> + + + + + + + + + + + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="007547.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI>Next message: <A HREF="007525.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7522">[ date ]</a> + <a href="thread.html#7522">[ thread ]</a> + <a href="subject.html#7522">[ subject ]</a> + <a href="author.html#7522">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
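Review bot: inside the `<PRE>` block, the literal angle brackets around the scrubbed-attachment URL (`URL: </pipermail/mageia-dev/attachments/20110825/2bc2651f/attachment.asc>`) are not escaped; because the text starts with `</` followed by a letter, an HTML parser reads the whole URL as a bogus end tag and drops it from the rendered page, so the link to the PGP signature is effectively lost. Escape them as `URL: &lt;/pipermail/...&gt;`, and do the same for the `<` and `>` wrapped around the `<A HREF=...>4E563B76.7080300 at gmail.com</A>` message-id link for consistency (that pair happens to render, since `<` before another `<` is emitted as text, but relying on that is fragile). Separately, the run of roughly 27 empty `+` lines between `</PRE>` and `<!--endarticle-->` carries no content and could be dropped if these archive pages are regenerated.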