From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2011-June/005208.html | 151 +++++++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 zarb-ml/mageia-dev/2011-June/005208.html (limited to 'zarb-ml/mageia-dev/2011-June/005208.html') diff --git a/zarb-ml/mageia-dev/2011-June/005208.html b/zarb-ml/mageia-dev/2011-June/005208.html new file mode 100644 index 000000000..aa06867b3 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-June/005208.html @@ -0,0 +1,151 @@ + + + + [Mageia-dev] Finalizing update process + + + + + + + + + +

[Mageia-dev] Finalizing update process

+ Ahmad Samir + ahmadsamir3891 at gmail.com +
+ Wed Jun 8 19:39:55 CEST 2011 +

+
+ +
On 8 June 2011 18:57, Christiaan Welvaart <cjw at daneel.dyndns.org> wrote:
+> On Wed, 8 Jun 2011, Michael Scherer wrote:
+>
+>> Le mercredi 08 juin 2011 à 10:40 +0200, Anne nicolas a écrit :
+>>>
+>>> Hi there
+>>>
+>>> We have some stuff to complete here:
+>>> http://mageia.org/wiki/doku.php?id=security
+>>>
+>>> <http://mageia.org/wiki/doku.php?id=security>Can we spend the 2 or 3
+>>> coming
+>>> days to finalize it and start updates submits?
+>>
+>> Pascal is working on this.
+>>
+>> So here is a proposal :
+>> - anybody can submit a package to updates_testing.
+>> - once submitted to testing, it should ask to QA to test, along with :
+>>  - a reason for the update ( likely bug number )
+>>  - potentially a priority ( ie, if this is just a translation update or
+>> a urgent 0 day exploit )
+>>  - a way to test the bug and see it is fixed
+>>  - text for the update
+>
+>> - qa validate the update ( with process to define )
+>
+>> - someone move the package from updates_testing to testing
+>
+> Someone from security (stable updates) team I guess?
+>
+>> - the bug is closed
+>> - a announce is sent ( on various medias to be defined ), with the text
+>> of update
+>
+> So who decides to reject an update and at what point? According to your
+> proposal, either QA people decide this or they waste time on updates that
+> later get rejected.
+>
+
+IMHO, rejection reasons:
+- The sec team doesn't think the update fixes a serious security
+vulnerability; so it's not updates but backports
+- The QA team couldn't validate, i.e. using the test case in the bug
+report, their test results didn't show that the bug is fixed
+
+>> So the points are :
+>> - no update can be uploaded without QA validation
+>
+> What does 'QA validation' mean exactly, can only certain people do it...?
+>
+
+IIUC, QA validation is that they use the test case given in the
+report; an example of a test case:
+- install package foo-1mga1 from */release
+- do foo bar, notice the app crashes
+- install the fixed package foo-1.1mga1 from */updates_testing
+- test again, the bug should be fixed
+
+if any of these steps fail, then it's not gonna get pushed as an
+update. And it should be the QA team doing the validation, i.e.
+experienced devs/packagers in the that team.
+
+>> - QA manage the checks, and so will requires help ( hence the security
+>> team or any packager can help, provided they know how to do QA )
+>
+> So a packager wants to fix a bug in package that is not very visible, sends
+> it to QA, then has to test it anyway? I'm not sure what you're saying here.
+>
+
+Not the packager committing the fix, (if he doesn't think it's fixed
+he won't ask for an update to begin with). But the QA team, this team
+could/should have packagers in it.
+
+>
+>    Christiaan
+>
+
+
+
+-- 
+Ahmad Samir
+
+ + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
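Review bot: The sender line and the "On 8 June 2011 ... wrote:" attribution in this new file carry contributor addresses protected only by the " at " substitution, which is trivial to reverse and becomes permanent once the file is in git history; consider masking the local part or the domain during import. The commit message "Add zarb MLs html archives" also does not say where the archives were exported from or which tool generated the HTML, so a sentence on the source would help anyone who later needs to regenerate or audit these files.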