From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2011-August/007540.html | 140 +++++++++++++++++++++++++++++ 1 file changed, 140 insertions(+) create mode 100644 zarb-ml/mageia-dev/2011-August/007540.html (limited to 'zarb-ml/mageia-dev/2011-August/007540.html') diff --git a/zarb-ml/mageia-dev/2011-August/007540.html b/zarb-ml/mageia-dev/2011-August/007540.html new file mode 100644 index 000000000..48586c869 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-August/007540.html @@ -0,0 +1,140 @@ + + + + [Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers + + + + + + + + + +

[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers

+ Stew Benedict + stewbintn at gmail.com +
+ Thu Aug 25 23:48:19 CEST 2011 +

+
+ +
On 08/25/2011 01:12 PM, Samuel Verschelde wrote:
+> Le jeudi 25 août 2011 14:09:26, Stew Benedict a écrit :
+>> On 08/24/2011 08:50 PM, Samuel Verschelde wrote:
+>>> Hi,
+>>>
+>>> I was told that QA Team's work's visibility needs to be improved, so as a
+>>> team member I'll try to give you some sort of status report.
+>>>
+>>> - 1 has been validated by QA one month ago, but was assigned to security
+>>> team following updates policy for security fixes, and got not answer. We
+>>> have to improve either the policy or the security team here (or both).
+>> Do you have a pointer to this bug? I'm not finding it in bugzilla. I'm
+>> not sure what I can do with it once assigned back to secteam, aside from
+>> write an advisory text. I don't have admin rights to release it, etc.
+>> (afaik). It was basically my understanding that the secteam role is to
+>> initiate the bug, provide patches, POC, and advisory text and the
+>> maintainer do the update and pass it on to QA. I've stopped even
+>> intiating because they are just sitting there in the new/unassigned
+>> state. some for 2 months or more now. While a shiny new KDE is nice, not
+>> pushing updates for published vulnerabilities makes us look bad, imho.
+> It's https://bugs.mageia.org/show_bug.cgi?id=2239
+>
+> I think the initial idea in the updates policy is that security fixes have to
+> be tested by secteam to ensure that the security problem is not there anymore,
+> because sometimes the upstream or the packager fixes it in a wrong way or does
+> a mistake, so we need to ensure the security problems are really fixed.
+> Otherwise we risk saying that a security issue is fixed when it's not.
+> Obviously, this can't happen if the security team doesn't grow. Maybe some
+> kind of joint effort from security and QA could help ?
+>
+> I already know updates that have been pushed without the security fixes being
+> tested.
+>
+> Also, the security bugs being open in bugzilla and not adressed by the
+> packagers is a really big issue, that we have to find a way to fix as soon as
+> possible. Can you give us a link to the list of pending security issues ?
+>
+While I don't disagree with the theory, it's not workable with the 
+current state, as I don't have enough free cycles to think about 
+actually updating any packages an/or doing the testing. One has to keep 
+in mind that in the past life this was nearly a full time job for 2 
+people to identify, fix build, test, release updates for the supported 
+releases. The people that have inquired about helping with security 
+issues quickly go away when they find out how inglorious(sic) it is.
+
+Well, for instance, this is my "my bugs" list:
+
+https://bugs.mageia.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&email1=stewbintn%40gmail.com&field0-0-0=bug_status&type0-0-0=notequals&value0-0-0=UNCONFIRMED&field0-0-1=reporter&type0-0-1=equals&value0-0-1=stewbintn%40gmail.com
+
+and here's my "open security issues" list (if it works for others):
+
+https://bugs.mageia.org/buglist.cgi?cmdtype=runnamed&namedcmd=Open%20security%20issues
+
+First list is 8 bugs, 2nd is 25. 8 bugs wouldn't be an issue if they 
+were 1 week or 2 old, but 2 months for a known issue with a published 
+fix that everyone else has released is unacceptable.
+
+I think other have done things with tags etc.
+
+-- 
+
+Stew Benedict
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
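Review bot: the archived message obfuscates the poster's address in the header block ("stewbintn at gmail.com") but the first `buglist.cgi` URL in the body carries the same address verbatim twice (`email1=stewbintn%40gmail.com` and `value0-0-1=stewbintn%40gmail.com`), so the " at " rewriting offers no protection against harvesting from this page; if the archive generator is meant to obfuscate addresses, it should apply the same treatment to addresses embedded in URLs and query strings, or the rewriting should be dropped as misleading. A smaller point on the same hunk: the second link is a Bugzilla named query (`cmdtype=runnamed&namedcmd=Open%20security%20issues`), which is tied to the saved searches of the logged-in account, so readers of the archive will generally not be able to open it; that is the content of the original mail and not something this import should alter, but it is worth knowing that the "open security issues" list referenced here is not reproducible from the archive alone.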