[Mageia-dev] Status report for Mageia 1 updates, and call for?help from you packagers

Fri Aug 26 12:49:40 CEST 2011

Le vendredi 26 août 2011 12:33:34, nicolas vigier a écrit :
+> On Fri, 26 Aug 2011, Maarten Vanraes wrote:
+> > Op vrijdag 26 augustus 2011 00:57:26 schreef nicolas vigier:
+> > > On Thu, 25 Aug 2011, Maarten Vanraes wrote:
+> > > > Sure, i'm packaging as fast as my RL (and mga2 dev TODO list) allows
+> > > > me. I guess you should ask Anssi if i'm ready or not. I must say
+> > > > that i'm not sure if security bugs are actually my thing though. I
+> > > > never hacked servers, so i don't really know much about it. But in
+> > > > any case, i'm packaging, and i suppose
+> > > 
+> > > Doing security updates has nothing to do with hacking servers, it's
+> > > looking for the right patch to fix the issue, and updating the package
+> > > with the patch applied.
+> > 
+> > but don't you have to test it that it actually works?
+> 
+> And you don't know how to run an exploit ?
+> 
+> It's interesting that when there is some work to be done, you never know
+> how to do anything, but it's never a problem to talk about anything like
+> an expert, give your opinion about everything, say what should be done,
+> how it should be done, etc ...
+
+Well, AL13N is just saying what the current policy is, see  
+http://www.mageia.org/wiki/doku.php?id=updates_policy#roles
+
+"Security team" : "Design POC (Proof Of Concept) if necessary/possible to test 
+whether updated build is immune to issue"
+
+Now, if the policy needs to be changed and security fixes no more need to be 
+verified when they can be, it will be less work for everybody, but also a lower 
+security level (people make mistakes).
+
+Best regards
+
+Samuel Verschelde
+