Diffstat (limited to 'zarb-ml/mageia-dev/2011-September/007734.html')
-rw-r--r-- | zarb-ml/mageia-dev/2011-September/007734.html | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2011-September/007734.html b/zarb-ml/mageia-dev/2011-September/007734.html new file mode 100644 index 000000000..b778f426a --- /dev/null +++ b/zarb-ml/mageia-dev/2011-September/007734.html 
@@ -0,0 +1,133 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201109011216.19806.stormi%40laposte.net%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="007801.html"> + <LINK REL="Next" HREF="007738.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers</H1> + <B>Samuel Verschelde</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201109011216.19806.stormi%40laposte.net%3E" + TITLE="[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers">stormi at laposte.net + </A><BR> + <I>Thu Sep 1 12:16:19 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="007801.html">[Mageia-dev] Copying dependencies to Updates (Testing), or changing mgaapplet to use urpmi --auto-update instead of urpmi --update. 
+</A></li> + <LI>Next message: <A HREF="007738.html">[Mageia-dev] [RPM] cauldron core/release bluedevil-1.2-0.rc2.1.mga2 +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7734">[ date ]</a> + <a href="thread.html#7734">[ thread ]</a> + <a href="subject.html#7734">[ subject ]</a> + <a href="author.html#7734">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Le jeudi 25 août 2011 23:48:19, Stew Benedict a écrit : +><i> On 08/25/2011 01:12 PM, Samuel Verschelde wrote: +</I>><i> > Le jeudi 25 août 2011 14:09:26, Stew Benedict a écrit : +</I>><i> >> On 08/24/2011 08:50 PM, Samuel Verschelde wrote: +</I>><i> >>> Hi, +</I>><i> >>> +</I>><i> >>> I was told that QA Team's work's visibility needs to be improved, so as +</I>><i> >>> a team member I'll try to give you some sort of status report. +</I>><i> >>> +</I>><i> >>> - 1 has been validated by QA one month ago, but was assigned to +</I>><i> >>> security team following updates policy for security fixes, and got not +</I>><i> >>> answer. We have to improve either the policy or the security team here +</I>><i> >>> (or both). +</I>><i> >> +</I>><i> >> Do you have a pointer to this bug? I'm not finding it in bugzilla. I'm +</I>><i> >> not sure what I can do with it once assigned back to secteam, aside from +</I>><i> >> write an advisory text. I don't have admin rights to release it, etc. +</I>><i> >> (afaik). It was basically my understanding that the secteam role is to +</I>><i> >> initiate the bug, provide patches, POC, and advisory text and the +</I>><i> >> maintainer do the update and pass it on to QA. I've stopped even +</I>><i> >> intiating because they are just sitting there in the new/unassigned +</I>><i> >> state. some for 2 months or more now. While a shiny new KDE is nice, not +</I>><i> >> pushing updates for published vulnerabilities makes us look bad, imho. 
+</I>><i> > +</I>><i> > It's <A HREF="https://bugs.mageia.org/show_bug.cgi?id=2239">https://bugs.mageia.org/show_bug.cgi?id=2239</A> +</I>><i> > +</I>><i> > I think the initial idea in the updates policy is that security fixes +</I>><i> > have to be tested by secteam to ensure that the security problem is not +</I>><i> > there anymore, because sometimes the upstream or the packager fixes it +</I>><i> > in a wrong way or does a mistake, so we need to ensure the security +</I>><i> > problems are really fixed. Otherwise we risk saying that a security +</I>><i> > issue is fixed when it's not. Obviously, this can't happen if the +</I>><i> > security team doesn't grow. Maybe some kind of joint effort from +</I>><i> > security and QA could help ? +</I>><i> > +</I>><i> > I already know updates that have been pushed without the security fixes +</I>><i> > being tested. +</I>><i> > +</I>><i> > Also, the security bugs being open in bugzilla and not adressed by the +</I>><i> > packagers is a really big issue, that we have to find a way to fix as +</I>><i> > soon as possible. Can you give us a link to the list of pending security +</I>><i> > issues ? +</I>><i> +</I>><i> While I don't disagree with the theory, it's not workable with the +</I>><i> current state, as I don't have enough free cycles to think about +</I>><i> actually updating any packages an/or doing the testing. One has to keep +</I>><i> in mind that in the past life this was nearly a full time job for 2 +</I>><i> people to identify, fix build, test, release updates for the supported +</I>><i> releases. The people that have inquired about helping with security +</I>><i> issues quickly go away when they find out how inglorious(sic) it is. 
+</I>><i> +</I> +What has been decided during latest packager meeting is that it's the QA team +who will try to check that the security bugs are really fixed during QA testing +(when it's possible), so that the security team doesn't need to do it and can +concentrate on monitoring and finding about existing issues. + +So the procedure is : +- security team identifies issues and creates bug reports +- packagers fix bugs +- QA team validates + +This way I hope the security team work becomes doable with our current +ressources. It means also that we need a real commitment from packagers. QA +team is already ready and testing. + +Best regards + +Samuel Verschelde +</PRE> + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="007801.html">[Mageia-dev] Copying dependencies to Updates (Testing), or changing mgaapplet to use urpmi --auto-update instead of urpmi --update. +</A></li> + <LI>Next message: <A HREF="007738.html">[Mageia-dev] [RPM] cauldron core/release bluedevil-1.2-0.rc2.1.mga2 +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7734">[ date ]</a> + <a href="thread.html#7734">[ thread ]</a> + <a href="subject.html#7734">[ subject ]</a> + <a href="author.html#7734">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
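Review bot: the declared charset does not match the body: the HEAD declares `<META http-equiv="Content-Type" content="text/html; charset=us-ascii">`, yet the article text in the PRE block contains non-ASCII characters ("Le jeudi 25 août 2011 23:48:19, Stew Benedict a écrit :"), so a browser honouring the header will misrender those bytes. Either declare the charset the file is actually written in, or encode the non-ASCII characters as HTML entities so the us-ascii declaration becomes true.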