From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2011-August/007525.html | 135 +++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 zarb-ml/mageia-dev/2011-August/007525.html (limited to 'zarb-ml/mageia-dev/2011-August/007525.html') diff --git a/zarb-ml/mageia-dev/2011-August/007525.html b/zarb-ml/mageia-dev/2011-August/007525.html new file mode 100644 index 000000000..6b27cc81b --- /dev/null +++ b/zarb-ml/mageia-dev/2011-August/007525.html @@ -0,0 +1,135 @@ + + + + [Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers + + + + + + + + + +

[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers

+ Maarten Vanraes + maarten.vanraes at gmail.com +
+ Thu Aug 25 20:41:27 CEST 2011 +

+
+ +
Op donderdag 25 augustus 2011 20:14:45 schreef Remco Rijnders:
+> On Thu, Aug 25, 2011 at 08:09:26AM -0400, Stew wrote in
+> 
+> <4E563B76.7080300 at gmail.com>:
+> >On 08/24/2011 08:50 PM, Samuel Verschelde wrote:
+> >>Hi,
+> >>
+> >>I was told that QA Team's work's visibility needs to be improved, so as a
+> >>team member I'll try to give you some sort of status report.
+> >>
+> >>- 1 has been validated by QA one month ago, but was assigned to security
+> >>team following updates policy for security fixes, and got not answer. We
+> >>have to improve either the policy or the security team here (or both).
+> >
+> >Do you have a pointer to this bug? I'm not finding it in bugzilla.
+> >I'm not sure what I can do with it once assigned back to secteam,
+> >aside from write an advisory text. I don't have admin rights to
+> >release it, etc. (afaik). It was basically my understanding that the
+> >secteam role is to initiate the bug, provide patches, POC, and
+> >advisory text and the maintainer do the update and pass it on to QA.
+> >I've stopped even intiating because they are just sitting there in
+> >the new/unassigned state. some for 2 months or more now. While a
+> >shiny new KDE is nice, not pushing updates for published
+> >vulnerabilities makes us look bad, imho.
+> 
+> I think what we need is a trinity of triage, secteam, and QA to work on
+> security related things. Triage team will assign or cc the security team
+> on security related bugs as efficiently as possible, from there security
+> team will work with the maintainer on the fix and hands it to qa for
+> (expedited) testing and release.
+> 
+> My personal feeling is that security is too important a thing to leave up
+> to an individual maintainer or last committer to fix, especially when it
+> is remotely exploitable. Perhaps make a distinction on the severity of the
+> security issue?
+> 
+> - If it needs an authenticated user for an exploit to work, assign it to
+>    the maintainer, Cc security team. If there is no response from the
+>    maintainer after x days (say 10 or so), security team takes over
+>    responsibility.
+> 
+> - If it is remotely exploitable and leads to a DoS or take over, security
+>    team is instantly responsible and Cc's the maintainer on the bug and
+>    works on a quick update.
+> 
+> In my opinion it is more important to be concerned with the safety of our
+> users machines than with perhaps stepping on a sour maintainers toes.
+> 
+> Perhaps in the next packagers meeting something like this can be agreed
+> on? The security team needs to have the needed privileges to quickly
+> handle security issues the best way it sees fit.
+> 
+> Remmy
+
++1
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1