path: root/zarb-ml/mageia-dev/2012-July/017319.html
Diffstat (limited to 'zarb-ml/mageia-dev/2012-July/017319.html')
-rw-r--r-- zarb-ml/mageia-dev/2012-July/017319.html 118
1 files changed, 118 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2012-July/017319.html b/zarb-ml/mageia-dev/2012-July/017319.html
new file mode 100644
index 000000000..d184648aa
--- /dev/null
+++ b/zarb-ml/mageia-dev/2012-July/017319.html
@@ -0,0 +1,118 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+ <TITLE> [Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)
+ </TITLE>
+ <LINK REL="Index" HREF="index.html" >
+ <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Security%20updates%20-%20Help%20needed%20%28also%20forgot%0A%09avidemux%20and%20gstreamer0.10-ffmpeg%29&In-Reply-To=%3C3209681.5aHCvYlDaG%40tiger.ranger.dnsalias.com%3E">
+ <META NAME="robots" CONTENT="index,nofollow">
+ <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+ <LINK REL="Previous" HREF="017187.html">
+ <LINK REL="Next" HREF="017321.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+ <H1>[Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)</H1>
+ <B>Buchan Milne</B>
+ <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Security%20updates%20-%20Help%20needed%20%28also%20forgot%0A%09avidemux%20and%20gstreamer0.10-ffmpeg%29&In-Reply-To=%3C3209681.5aHCvYlDaG%40tiger.ranger.dnsalias.com%3E"
+ TITLE="[Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)">bgmilne at zarb.org
+ </A><BR>
+ <I>Fri Jul 13 16:27:02 CEST 2012</I>
+ <P><UL>
+ <LI>Previous message: <A HREF="017187.html">[Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)
+</A></li>
+ <LI>Next message: <A HREF="017321.html">[Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#17319">[ date ]</a>
+ <a href="thread.html#17319">[ thread ]</a>
+ <a href="subject.html#17319">[ subject ]</a>
+ <a href="author.html#17319">[ author ]</a>
+ </LI>
+ </UL>
+ <HR>
+<!--beginarticle-->
+<PRE>On Thursday, 5 July 2012 20:34:02 David Walser wrote:
+&gt;<i> Guillaume Rousse wrote:
+</I>&gt;<i> &gt; So, before any further contribution from my side, I'd like the people in
+</I>&gt;<i> &gt; charge of security updates to find some internal agreement about what
+</I>&gt;<i> &gt; kind of help they expect from other people exactly. If that's just to
+</I>&gt;<i> &gt; push a non-discussable list of changes into spec files, they could as
+</I>&gt;<i> &gt; well ask for SVN commit and package submission rights, to do it
+</I>&gt;<i> &gt; directly. This would avoid a large amount of anger and frustration for
+</I>&gt;<i> &gt; everyone.
+</I>&gt;<i>
+</I>&gt;<i> Nobody is in charge, which is part of the problem. I think a lot of us
+</I>&gt;<i> packagers come from Mandriva where we were used to Oden being in charge of
+</I>&gt;<i> updates for stable distros, and therefore not having to worry about it.
+</I>
+While Mandriva had a security team (before Oden, Stew, and before that Stew
+and Vince). However, that doesn't mean you never had to worry about anything.
+
+&gt;<i> We
+</I>&gt;<i> are a community distro, we have no paid security manager. It is all of our
+</I>&gt;<i> responsibility to do security updates for stable distros.
+</I>&gt;<i>
+</I>&gt;<i> As far as what kind of help is expected, it varies per bug really. Some of
+</I>&gt;<i> them have maintainers that might want to give input. Some I would like to
+</I>&gt;<i> know from someone else more experienced or who has more at stake in a
+</I>&gt;<i> package how to handle an update when there are choices. Sometimes other
+</I>&gt;<i> distros have pushed an updated (bugfix-only) version, or patched other bugs
+</I>&gt;<i> as well, rather than just patched the security bug.
+</I>
+IMHO, for a security, the priority is to get the patched binaries out to
+vulnerable users as soon as possible.
+
+If there is a pre-existing minor issue with the originally released package
+which an experienced user of the software in question can get around without
+any problems, a separate bug should be filed, but the minor issue should
+*NEVER* delay the update.
+
+If the software doesn't start with the default config, the user isn't
+vulnerable, and we can take more time to fix their problem.
+
+If the admin has fixed the default config issue, then THEY ARE VULNERABLE. For
+*SECURITY* bugs, addressing their vulnerability is the priority.
+
+Otherwise, we may as well not distinguish between bugfix and security updates.
+
+My expectation is that:
+1)Old security fixes should have the highest priority
+2)Any new security fix should have higher priority than any bugfix
+3)Security updates should be provided within 1 week max
+
+Yes, QA team doesn't have enough resources. Guess what, neither do other
+teams. But, for me, it was frustrating to dedicate time (when I really didn't
+have it) to provide packages within 48 hours (24 for Mageia 2), and then have
+a 3-4 week delay in validation, mainly because of some minor pre-existing
+issues with the Mageia 1 package (which had been solved in the Mageia 2 relase
+package).
+
+Regards,
+Buchan
+-------------- next part --------------
+An HTML attachment was scrubbed...
+URL: &lt;/pipermail/mageia-dev/attachments/20120713/c9b894d2/attachment-0001.html&gt;
+</PRE>
+
+
+
+<!--endarticle-->
+ <HR>
+ <P><UL>
+ <!--threads-->
+ <LI>Previous message: <A HREF="017187.html">[Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)
+</A></li>
+ <LI>Next message: <A HREF="017321.html">[Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#17319">[ date ]</a>
+ <a href="thread.html#17319">[ thread ]</a>
+ <a href="subject.html#17319">[ subject ]</a>
+ <a href="author.html#17319">[ author ]</a>
+ </LI>
+ </UL>
+
+<hr>
+<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
+mailing list</a><br>
+</body></html>
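Review bot: both mailto HREFs (the LINK REL="made" in HEAD and the author anchor under the H1) carry `%0A%09` inside the Subject value, between "forgot" and "avidemux". That is the folded header line encoded verbatim, so a mail client following the link gets a percent-encoded newline and tab in a header field; the TITLE and H1 show the same subject with a plain space, and the links should use `%20` there too. Separately, the scrubbed-attachment line near the end of the PRE points at the root-relative `/pipermail/mageia-dev/attachments/20120713/c9b894d2/attachment-0001.html`, while this file is added under `zarb-ml/mageia-dev/2012-July/`; check that the attachment is either imported alongside it or the reference is adjusted, otherwise the archived page points outside the tree being committed.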