diff options
Diffstat (limited to 'zarb-ml/mageia-dev/2011-August/007525.html')
| -rw-r--r-- | zarb-ml/mageia-dev/2011-August/007525.html | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2011-August/007525.html b/zarb-ml/mageia-dev/2011-August/007525.html new file mode 100644 index 000000000..6b27cc81b --- /dev/null +++ b/zarb-ml/mageia-dev/2011-August/007525.html @@ -0,0 +1,135 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201108252041.27743.maarten.vanraes%40gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="007522.html"> + <LINK REL="Next" HREF="007545.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers</H1> + <B>Maarten Vanraes</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201108252041.27743.maarten.vanraes%40gmail.com%3E" + TITLE="[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers">maarten.vanraes at gmail.com + </A><BR> + <I>Thu Aug 25 20:41:27 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="007522.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI>Next message: <A HREF="007545.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7525">[ date ]</a> + <a href="thread.html#7525">[ thread ]</a> + <a href="subject.html#7525">[ subject ]</a> + <a href="author.html#7525">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Op donderdag 25 augustus 2011 20:14:45 schreef Remco Rijnders: +><i> On Thu, Aug 25, 2011 at 08:09:26AM -0400, Stew wrote in +</I>><i> +</I>><i> <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">4E563B76.7080300 at gmail.com</A>>: +</I>><i> >On 08/24/2011 08:50 PM, Samuel Verschelde wrote: +</I>><i> >>Hi, +</I>><i> >> +</I>><i> >>I was told that QA Team's work's visibility needs to be improved, so as a +</I>><i> >>team member I'll try to give you some sort of status report. +</I>><i> >> +</I>><i> >>- 1 has been validated by QA one month ago, but was assigned to security +</I>><i> >>team following updates policy for security fixes, and got not answer. We +</I>><i> >>have to improve either the policy or the security team here (or both). +</I>><i> > +</I>><i> >Do you have a pointer to this bug? I'm not finding it in bugzilla. +</I>><i> >I'm not sure what I can do with it once assigned back to secteam, +</I>><i> >aside from write an advisory text. I don't have admin rights to +</I>><i> >release it, etc. (afaik). It was basically my understanding that the +</I>><i> >secteam role is to initiate the bug, provide patches, POC, and +</I>><i> >advisory text and the maintainer do the update and pass it on to QA. +</I>><i> >I've stopped even intiating because they are just sitting there in +</I>><i> >the new/unassigned state. some for 2 months or more now. While a +</I>><i> >shiny new KDE is nice, not pushing updates for published +</I>><i> >vulnerabilities makes us look bad, imho. +</I>><i> +</I>><i> I think what we need is a trinity of triage, secteam, and QA to work on +</I>><i> security related things. Triage team will assign or cc the security team +</I>><i> on security related bugs as efficiently as possible, from there security +</I>><i> team will work with the maintainer on the fix and hands it to qa for +</I>><i> (expedited) testing and release. +</I>><i> +</I>><i> My personal feeling is that security is too important a thing to leave up +</I>><i> to an individual maintainer or last committer to fix, especially when it +</I>><i> is remotely exploitable. Perhaps make a distinction on the severity of the +</I>><i> security issue? +</I>><i> +</I>><i> - If it needs an authenticated user for an exploit to work, assign it to +</I>><i> the maintainer, Cc security team. If there is no response from the +</I>><i> maintainer after x days (say 10 or so), security team takes over +</I>><i> responsibility. +</I>><i> +</I>><i> - If it is remotely exploitable and leads to a DoS or take over, security +</I>><i> team is instantly responsible and Cc's the maintainer on the bug and +</I>><i> works on a quick update. +</I>><i> +</I>><i> In my opinion it is more important to be concerned with the safety of our +</I>><i> users machines than with perhaps stepping on a sour maintainers toes. +</I>><i> +</I>><i> Perhaps in the next packagers meeting something like this can be agreed +</I>><i> on? The security team needs to have the needed privileges to quickly +</I>><i> handle security issues the best way it sees fit. +</I>><i> +</I>><i> Remmy +</I> ++1 +</PRE> + + + + + + + + + + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="007522.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI>Next message: <A HREF="007545.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7525">[ date ]</a> + <a href="thread.html#7525">[ thread ]</a> + <a href="subject.html#7525">[ subject ]</a> + <a href="author.html#7525">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |