[Mageia-dev] Status report for Mageia 1 updates, and call for?help from you packagers

Fri Aug 26 17:50:54 CEST 2011

Op vrijdag 26 augustus 2011 12:49:40 schreef Samuel Verschelde:
+> Le vendredi 26 août 2011 12:33:34, nicolas vigier a écrit :
+> > On Fri, 26 Aug 2011, Maarten Vanraes wrote:
+> > > but don't you have to test it that it actually works?
+> > 
+> > And you don't know how to run an exploit ?
+
+I have never done this before, perhaps secteam needs training for such?
+
+> > It's interesting that when there is some work to be done, you never know
+> > how to do anything, but it's never a problem to talk about anything like
+> > an expert, give your opinion about everything, say what should be done,
+> > how it should be done, etc ...
+
+Yes, that is interesting.
+
+I think it's only natural for people to have an opinion, and i know you do 
+alot of work on Mageia, but not everyone can do as much as you, and it's not 
+because i sometimes say a few things on IRC that i'm not doing anything.
+
+boklm: I must say that i feel like i have to defend myself, to your post:
+1. i don't think i speak "like an expert", but if you attribute this to me, i 
+can only think of this as a compliment, as people who speak like experts are 
+imho people who evidently know what they are talking about.
+
+2. none the less, even if i'm not planning on putting any time in somethign, 
+that doesn't refrain me from speaking my opinions, and i think i can determine 
+which solution is a quick & dirty fix, and which is a good one, IMHO. i supply 
+it, you're free to ignore it.
+
+3. as everyone, i too have priorities, even though mageia is high on it, it's 
+still below RL with wife and kids. as an estimate, except for IRC time, during 
+day and the meetings, as a reference, i think i can spend about 10-15hours on 
+mageia per week.
+
+4. even though my dayjob is in IT Security, i have never done penetration 
+testing or hacked someone. My priorities or on development and server 
+maintenance. None the less, as a "sysadmin" (dayjob), i am very interested 
+about stable systems, updates & security patches.
+
+5. i'm sure you know it'm a still a novice packager, but being a novice 
+packager doesn't refrain me to "package", and i "maintain" my packages as far 
+as i'm able to in the best of my abilities. Maybe Anssi is a stricter mentor 
+than others, but i see no issue with that.
+
+6. this may be a bad comparison, but it was my understanding that any 
+contribution, how small though it may be, is still valued. If you think my 
+contribution is not enough, or if you feel that i should just shut up if i 
+don't plan to spend some time on that, then i guess it's tough luck for you. 
+at least i'm contributing to something, i'm sure there's people reacting which 
+don't contribute at all. but as i said, you're free to ignore my advice.
+
+I hadn't planned on reacting to such posts, to not fill up the mailing list 
+with unecessary stuff as you so pointed out to me, but too much is too much, if 
+there are accusations (i perceive your post as such, though maybe i'm wrong, 
+please tell me if i am), i WILL defend myself.
+
+(imho, accusations shouldn't be on public mailing lists though)
+
+> Well, AL13N is just saying what the current policy is, see
+> http://www.mageia.org/wiki/doku.php?id=updates_policy#roles
+> 
+> "Security team" : "Design POC (Proof Of Concept) if necessary/possible to
+> test whether updated build is immune to issue"
+
+indeed, it's a requirement that i think is wanted.
+
+> Now, if the policy needs to be changed and security fixes no more need to
+> be verified when they can be, it will be less work for everybody, but also
+> a lower security level (people make mistakes).
+> 
+> Best regards
+> 
+> Samuel Verschelde
+
+