Diffstat (limited to 'zarb-ml/mageia-dev/2011-August/007540.html')
-rw-r--r-- | zarb-ml/mageia-dev/2011-August/007540.html | 140 |
1 files changed, 140 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2011-August/007540.html b/zarb-ml/mageia-dev/2011-August/007540.html new file mode 100644 index 000000000..48586c869 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-August/007540.html 
@@ -0,0 +1,140 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%20and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C4E56C323.40500%40gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="007521.html"> + <LINK REL="Next" HREF="007541.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers</H1> + <B>Stew Benedict</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%20and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C4E56C323.40500%40gmail.com%3E" + TITLE="[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers">stewbintn at gmail.com + </A><BR> + <I>Thu Aug 25 23:48:19 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="007521.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI>Next message: <A HREF="007541.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7540">[ date ]</a> + <a href="thread.html#7540">[ thread ]</a> + <a href="subject.html#7540">[ subject ]</a> + <a href="author.html#7540">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On 08/25/2011 01:12 PM, Samuel Verschelde wrote: +><i> Le jeudi 25 août 2011 14:09:26, Stew Benedict a écrit : +</I>>><i> On 08/24/2011 08:50 PM, Samuel Verschelde wrote: +</I>>>><i> Hi, +</I>>>><i> +</I>>>><i> I was told 
that QA Team's work's visibility needs to be improved, so as a +</I>>>><i> team member I'll try to give you some sort of status report. +</I>>>><i> +</I>>>><i> - 1 has been validated by QA one month ago, but was assigned to security +</I>>>><i> team following updates policy for security fixes, and got not answer. We +</I>>>><i> have to improve either the policy or the security team here (or both). +</I>>><i> Do you have a pointer to this bug? I'm not finding it in bugzilla. I'm +</I>>><i> not sure what I can do with it once assigned back to secteam, aside from +</I>>><i> write an advisory text. I don't have admin rights to release it, etc. +</I>>><i> (afaik). It was basically my understanding that the secteam role is to +</I>>><i> initiate the bug, provide patches, POC, and advisory text and the +</I>>><i> maintainer do the update and pass it on to QA. I've stopped even +</I>>><i> intiating because they are just sitting there in the new/unassigned +</I>>><i> state. some for 2 months or more now. While a shiny new KDE is nice, not +</I>>><i> pushing updates for published vulnerabilities makes us look bad, imho. +</I>><i> It's <A HREF="https://bugs.mageia.org/show_bug.cgi?id=2239">https://bugs.mageia.org/show_bug.cgi?id=2239</A> +</I>><i> +</I>><i> I think the initial idea in the updates policy is that security fixes have to +</I>><i> be tested by secteam to ensure that the security problem is not there anymore, +</I>><i> because sometimes the upstream or the packager fixes it in a wrong way or does +</I>><i> a mistake, so we need to ensure the security problems are really fixed. +</I>><i> Otherwise we risk saying that a security issue is fixed when it's not. +</I>><i> Obviously, this can't happen if the security team doesn't grow. Maybe some +</I>><i> kind of joint effort from security and QA could help ? +</I>><i> +</I>><i> I already know updates that have been pushed without the security fixes being +</I>><i> tested. 
+</I>><i> +</I>><i> Also, the security bugs being open in bugzilla and not adressed by the +</I>><i> packagers is a really big issue, that we have to find a way to fix as soon as +</I>><i> possible. Can you give us a link to the list of pending security issues ? +</I>><i> +</I>While I don't disagree with the theory, it's not workable with the +current state, as I don't have enough free cycles to think about +actually updating any packages an/or doing the testing. One has to keep +in mind that in the past life this was nearly a full time job for 2 +people to identify, fix build, test, release updates for the supported +releases. The people that have inquired about helping with security +issues quickly go away when they find out how inglorious(sic) it is. + +Well, for instance, this is my "my bugs" list: + +<A HREF="https://bugs.mageia.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&email1=stewbintn%40gmail.com&field0-0-0=bug_status&type0-0-0=notequals&value0-0-0=UNCONFIRMED&field0-0-1=reporter&type0-0-1=equals&value0-0-1=stewbintn%40gmail.com">https://bugs.mageia.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&email1=stewbintn%40gmail.com&field0-0-0=bug_status&type0-0-0=notequals&value0-0-0=UNCONFIRMED&field0-0-1=reporter&type0-0-1=equals&value0-0-1=stewbintn%40gmail.com</A> + +and here's my "open security issues" list (if it works for others): + +<A HREF="https://bugs.mageia.org/buglist.cgi?cmdtype=runnamed&namedcmd=Open%20security%20issues">https://bugs.mageia.org/buglist.cgi?cmdtype=runnamed&namedcmd=Open%20security%20issues</A> + +First list is 8 bugs, 2nd is 25. 8 bugs wouldn't be an issue if they +were 1 week or 2 old, but 2 months for a known issue with a published +fix that everyone else has released is unacceptable. 
+ +I think other have done things with tags etc. + +-- + +Stew Benedict + + +</PRE> + + + + + + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="007521.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI>Next message: <A HREF="007541.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7540">[ date ]</a> + <a href="thread.html#7540">[ thread ]</a> + <a href="subject.html#7540">[ subject ]</a> + <a href="author.html#7540">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
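Review bot: the archived page declares `<META http-equiv="Content-Type" content="text/html; charset=us-ascii">` in the HEAD, but the quoted attribution line in the PRE body (`Le jeudi 25 août 2011 14:09:26, Stew Benedict a écrit :`) contains non-ASCII characters, so the declared charset does not match the bytes actually served and the line will render as mojibake in browsers that honour the header; either declare the encoding the file is really written in (e.g. `charset=utf-8`) or entity-encode those characters as the rest of the archive does. In the same hunk, the two long bugzilla URLs in the `<A HREF=...>` attributes and link text contain raw `&` between query parameters (`bug_status=NEW&bug_status=ASSIGNED&...`, `cmdtype=runnamed&namedcmd=...`); in HTML these should be `&amp;` so the document validates and the parameters are not misread as entity references. Minor style point: the list items open with `<LI>` and close with `</li>`, so the tag case is inconsistent within the same element.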