Diffstat (limited to 'zarb-ml/mageia-dev/20110415/004003.html')
-rw-r--r-- | zarb-ml/mageia-dev/20110415/004003.html | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/20110415/004003.html b/zarb-ml/mageia-dev/20110415/004003.html new file mode 100644 index 000000000..e2327e5f7 --- /dev/null +++ b/zarb-ml/mageia-dev/20110415/004003.html 
@@ -0,0 +1,109 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] Meeting for secteam start + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Meeting%20for%20secteam%20start&In-Reply-To=%3CBANLkTikVjxTGZrHrvXS42Zusvyb0_-2v3Q%40mail.gmail.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="003999.html"> + <LINK REL="Next" HREF="004004.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] Meeting for secteam start</H1> + <B>Pascal Terjan</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Meeting%20for%20secteam%20start&In-Reply-To=%3CBANLkTikVjxTGZrHrvXS42Zusvyb0_-2v3Q%40mail.gmail.com%3E" + TITLE="[Mageia-dev] Meeting for secteam start">pterjan at gmail.com + </A><BR> + <I>Fri Apr 15 18:16:43 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="003999.html">[Mageia-dev] Meeting for secteam start +</A></li> + <LI>Next message: <A HREF="004004.html">[Mageia-dev] Meeting for secteam start +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#4003">[ date ]</a> + <a href="thread.html#4003">[ thread ]</a> + <a href="subject.html#4003">[ subject ]</a> + <a href="author.html#4003">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Fri, Apr 15, 2011 at 13:35, Stew Benedict <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">stewbintn at gmail.com</A>> wrote: +><i> Sorry if I break the thread, just signed back up to the list. +</I>><i> Just to kick things off for secteam, I thought I'd list the process as I +</I>><i> remember it from when I worked with Vincent for a couple of years. 
+</I>><i> Not to say Mageia needs to follow any of this, and as we're a volunteer +</I>><i> organization, I suspect things will be structured a bit differently from +</I>><i> a staffing POV than "2 guys mostly dedicated to updates" +</I>><i> +</I>><i> Old Process: +</I>><i> +</I>><i> * monitor vendor-sec, discuss vulns, patches, negotiate release schedule, +</I>><i>   also watch other distro updates, for things we may have missed +</I> +I think we need to add them to a list at that point (some tickets somewhere) + +><i> * check our srpm database (Vincent later reworked this) for all the +</I>><i> places the affected source code +</I>><i>   may be buried (many packages embed copies of other source) +</I> +And add that info in the tickets as a list of needed actions, or maybe +have some blocking tickets + +><i> * apply/adapt patches for all supported releases/architectures (may have +</I>><i> been published on vendor-sec, +</I>><i>   or from another distro package, or extracted from upstream) +</I>><i> +</I>><i>   ** when we we supporting several releases, with Enterprise stuff +</I>><i> being quite old, reworking the patches at times was difficult +</I>><i>   ** policy changed over time and these days many things bump up to a +</I>><i> new release, rather than patching +</I>><i> +</I>><i> * build in chroot to preserve the original build env (moved to iurt +</I>><i> around the time I left) +</I>><i> +</I>><i>   ** if we had trouble building the package, contact the maintainer for +</I>><i> help +</I>><i> +</I>><i> * acquire or write a POC (proof of concept) to test that the vuln is +</I>><i> corrected, if not, re-patch/re-test +</I>><i> +</I>><i> * test the app for basic functionality, that we haven't introduced +</I>><i> regressions +</I>><i> +</I>><i>   ** bugfix updates went to QA for testing, this was a big +</I>><i> blocker/delay at times +</I>><i> +</I>><i> * write advisory text (usually copied from the CVE if there is one, or +</I>><i> bugzilla from a bugfix) 
+</I>><i> +</I>><i> * upload packages to main mirror, wait a few hours and release the +</I>><i> announcement (we had several scripts +</I>><i>   that facilitated getting packages in the right place, signing them, +</I>><i> uploading, etc.) +</I></PRE> + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="003999.html">[Mageia-dev] Meeting for secteam start +</A></li> + <LI>Next message: <A HREF="004004.html">[Mageia-dev] Meeting for secteam start +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#4003">[ date ]</a> + <a href="thread.html#4003">[ thread ]</a> + <a href="subject.html#4003">[ subject ]</a> + <a href="author.html#4003">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
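Review bot: the head of the new file sets `<META NAME="robots" CONTENT="index,nofollow">`, which leaves the page indexable while the body carries two personal addresses in the easily reversed "name at domain" form ("pterjan at gmail.com" and "stewbintn at gmail.com"). If the imported archive is meant to be served publicly, decide whether those addresses should be masked further or the page marked noindex before it lands. Separately, the navigation links are all relative (`index.html`, `003999.html`, `004004.html`, `date.html#4003` and the other sort pages), so they resolve only if those files are present in the same directory. This view is limited to the one file, so that is worth confirming against the rest of the commit.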