Diffstat (limited to 'zarb-ml/mageia-dev/20110524/004937.html')
-rw-r--r-- | zarb-ml/mageia-dev/20110524/004937.html | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/20110524/004937.html b/zarb-ml/mageia-dev/20110524/004937.html new file mode 100644 index 000000000..5e89a3757 --- /dev/null +++ b/zarb-ml/mageia-dev/20110524/004937.html 
@@ -0,0 +1,134 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] slight security improvement: should we update aria2 to 1.11.2? + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20slight%20security%20improvement%3A%20should%20we%0A%09update%09aria2%20to%201.11.2%3F&In-Reply-To=%3C1306237969.3942.38.camel%40akroma.ephaone.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="004935.html"> + <LINK REL="Next" HREF="004939.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?</H1> + <B>Michael Scherer</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20slight%20security%20improvement%3A%20should%20we%0A%09update%09aria2%20to%201.11.2%3F&In-Reply-To=%3C1306237969.3942.38.camel%40akroma.ephaone.org%3E" + TITLE="[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?">misc at zarb.org + </A><BR> + <I>Tue May 24 13:52:48 CEST 2011</I> + <P><UL> + <LI>Previous message: <A HREF="004935.html">[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2? +</A></li> + <LI>Next message: <A HREF="004939.html">[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2? 
+</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#4937">[ date ]</a> + <a href="thread.html#4937">[ thread ]</a> + <a href="subject.html#4937">[ subject ]</a> + <a href="author.html#4937">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Le mardi 24 mai 2011 à 12:45 +0200, nicolas vigier a écrit : +><i> On Tue, 24 May 2011, Christiaan Welvaart wrote: +</I>><i> +</I>><i> > On Tue, 24 May 2011, Michael Scherer wrote: +</I>><i> > +</I>><i> >> I would keep this as a update after the release is out ( like they 4 +</I>><i> >> ruby cve, libzip one ( CVE-2011-0421 )) and others that came out since +</I>><i> >> yesterday. +</I>><i> >> +</I>><i> >> So maybe we could open bugs for this ? +</I>><i> > +</I>><i> >> There is 2 proposal : +</I>><i> >> - filling them on security, and have a saved search +</I>><i> > +</I>><i> > What do you mean by that, a security product? +</I>><i> +</I>><i> There is a component "Security" on bugzilla. +</I>><i> +</I>><i> > +</I>><i> >> - creating a tracker bug +</I>><i> >> +</I>><i> >> I would be in favor of the tracker bug : +</I>><i> >> - you can subscribe to it +</I>><i> >> - it will be clearer ( as bugfixes are not security so we may miss some +</I>><i> >> update to do ) +</I>><i> >> - it doesn't pollute the list of saved search +</I>><i> >> +</I>><i> >> But as pascal said, a tracker bug requires that each bug to be linked to +</I>><i> >> it, which is manual and error prone. +</I>><i> > +</I>><i> > I don't know much about bugzilla, but: +</I>><i> > - Add a keyword 'security' to all security bugs. +</I>><i> > (also manual and error prone?) +</I>><i> +</I>><i> We already have a security component. Would a keyword instead of a +</I>><i> component be better for this ? +</I> +What when we have more than 1 release ? + +I really think the security component is wrongly named. 
The bug is +against a rpm package, be it a security or non security fix, and +treating security fix differently than non security fixes add IMHO +unneeded complexity to the process. + +><i> It is also manual, but a keywork is easier to remember than a tracker +</I>><i> bug number. +</I> +That's a good point, I guess we can either place the link on bugzilla +main page, or use named bugs, or something like that ? + +><i> Maybe we can also think about a mailing list to receive all security +</I>><i> bugs. +</I> +It doesn't take non security related fix in account. + +Given the fact that there is no difference between the way we treat them +( ie, it is updates ), and given the fact than even later the difference +will be between embargoed updates and the rest, I guess that a generic +list for issue affecting a stable release would be better suited. + +But I am not sure it will help much, we need to think to the problem we +try to solve, and the way I see it, it is twofold : + +- we need to have a list of thing to update ( security or not, doesn't +matter now ) +- we need a way to be aware of changes to the aformentioned list + +The solutions must : +- be extensible with possibility of having a embargo in the future +- be as automated as possible +- be open to people that want to help +- take in account that we will have more than 1 release, maybe more than +1 project + +Anybody see others constraints ? +-- +Michael Scherer + +</PRE> + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="004935.html">[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2? +</A></li> + <LI>Next message: <A HREF="004939.html">[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2? 
+</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#4937">[ date ]</a> + <a href="thread.html#4937">[ thread ]</a> + <a href="subject.html#4937">[ subject ]</a> + <a href="author.html#4937">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
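Review bot: the encoding declared in the HEAD does not match the message body. The META line says `content="text/html; charset=us-ascii"`, but the attribution line at the top of the PRE block ("Le mardi 24 mai 2011 à 12:45 +0200, nicolas vigier a écrit :") contains non-ASCII characters. If these are stored in the file as raw bytes rather than as character references, a browser that honours the declared charset will render them as garbage. Either write them as numeric character references or declare the encoding the file is actually saved in. A smaller point in the same hunk: both navigation blocks open with `<P><UL>` and never close the `<P>`, and the document opens with `<HTML>`/`<BODY>` but closes with lowercase `</body></html>`. Parsers tolerate this, but if the archive is generated from a template, it is better fixed there than committed file by file.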