From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2011-August/007522.html | 138 +++++++++++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 zarb-ml/mageia-dev/2011-August/007522.html (limited to 'zarb-ml/mageia-dev/2011-August/007522.html') diff --git a/zarb-ml/mageia-dev/2011-August/007522.html b/zarb-ml/mageia-dev/2011-August/007522.html new file mode 100644 index 000000000..6e3dcf14a --- /dev/null +++ b/zarb-ml/mageia-dev/2011-August/007522.html @@ -0,0 +1,138 @@ + + + + [Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers + + + + + + + + + +

[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers

+ Remco Rijnders + remco at webconquest.com +
+ Thu Aug 25 20:14:45 CEST 2011 +

+
+ +
On Thu, Aug 25, 2011 at 08:09:26AM -0400, Stew wrote in
+<4E563B76.7080300 at gmail.com>:
+>On 08/24/2011 08:50 PM, Samuel Verschelde wrote:
+>>Hi,
+>>
+>>I was told that QA Team's work's visibility needs to be improved, so as a team
+>>member I'll try to give you some sort of status report.
+>
+>>- 1 has been validated by QA one month ago, but was assigned to security team
+>>following updates policy for security fixes, and got not answer. We have to
+>>improve either the policy or the security team here (or both).
+>Do you have a pointer to this bug? I'm not finding it in bugzilla. 
+>I'm not sure what I can do with it once assigned back to secteam, 
+>aside from write an advisory text. I don't have admin rights to 
+>release it, etc. (afaik). It was basically my understanding that the 
+>secteam role is to initiate the bug, provide patches, POC, and 
+>advisory text and the maintainer do the update and pass it on to QA. 
+>I've stopped even intiating because they are just sitting there in 
+>the new/unassigned state. some for 2 months or more now. While a 
+>shiny new KDE is nice, not pushing updates for published 
+>vulnerabilities makes us look bad, imho.
+
+I think what we need is a trinity of triage, secteam, and QA to work on 
+security related things. Triage team will assign or cc the security team 
+on security related bugs as efficiently as possible, from there security 
+team will work with the maintainer on the fix and hands it to qa for 
+(expedited) testing and release.
+
+My personal feeling is that security is too important a thing to leave up 
+to an individual maintainer or last committer to fix, especially when it 
+is remotely exploitable. Perhaps make a distinction on the severity of the 
+security issue?
+
+- If it needs an authenticated user for an exploit to work, assign it to 
+   the maintainer, Cc security team. If there is no response from the 
+   maintainer after x days (say 10 or so), security team takes over 
+   responsibility.
+
+- If it is remotely exploitable and leads to a DoS or take over, security 
+   team is instantly responsible and Cc's the maintainer on the bug and 
+   works on a quick update.
+
+In my opinion it is more important to be concerned with the safety of our 
+users machines than with perhaps stepping on a sour maintainers toes.
+
+Perhaps in the next packagers meeting something like this can be agreed 
+on? The security team needs to have the needed privileges to quickly 
+handle security issues the best way it sees fit.
+
+Remmy
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: not available
+Type: application/pgp-signature
+Size: 836 bytes
+Desc: Digital signature
+URL: </pipermail/mageia-dev/attachments/20110825/2bc2651f/attachment.asc>
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
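Review bot: the archived message links its PGP signature with a root-relative URL, `URL: </pipermail/mageia-dev/attachments/20110825/2bc2651f/attachment.asc>`, but this commit only creates `zarb-ml/mageia-dev/2011-August/007522.html` and does not import the `attachments/` tree, so the signature is unreachable from the archive as committed and the "Digital signature" note in the scrubbed-attachment footer points at nothing. Either import the corresponding `attachments/20110825/` directory alongside the HTML (so the signature that vouches for the message body is preserved with it), or rewrite the link to a path relative to the archive root so it resolves wherever `zarb-ml/` is served from; as it stands, anyone reading this archive cannot verify the message against its signature.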