From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2011-June/005209.html | 163 +++++++++++++++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 zarb-ml/mageia-dev/2011-June/005209.html (limited to 'zarb-ml/mageia-dev/2011-June/005209.html') diff --git a/zarb-ml/mageia-dev/2011-June/005209.html b/zarb-ml/mageia-dev/2011-June/005209.html new file mode 100644 index 000000000..dfe5b8cf2 --- /dev/null +++ b/zarb-ml/mageia-dev/2011-June/005209.html @@ -0,0 +1,163 @@ + + + + [Mageia-dev] Finalizing update process + + + + + + + + + +

[Mageia-dev] Finalizing update process

+ Ahmad Samir + ahmadsamir3891 at gmail.com +
+ Wed Jun 8 19:41:13 CEST 2011 +

+
+ +
On 8 June 2011 19:39, Ahmad Samir <ahmadsamir3891 at gmail.com> wrote:
+> On 8 June 2011 18:57, Christiaan Welvaart <cjw at daneel.dyndns.org> wrote:
+>> On Wed, 8 Jun 2011, Michael Scherer wrote:
+>>
+>>> Le mercredi 08 juin 2011 à 10:40 +0200, Anne nicolas a écrit :
+>>>>
+>>>> Hi there
+>>>>
+>>>> We have some stuff to complete here:
+>>>> http://mageia.org/wiki/doku.php?id=security
+>>>>
+>>>> <http://mageia.org/wiki/doku.php?id=security>Can we spend the 2 or 3
+>>>> coming
+>>>> days to finalize it and start updates submits?
+>>>
+>>> Pascal is working on this.
+>>>
+>>> So here is a proposal :
+>>> - anybody can submit a package to updates_testing.
+>>> - once submitted to testing, it should ask to QA to test, along with :
+>>>  - a reason for the update ( likely bug number )
+>>>  - potentially a priority ( ie, if this is just a translation update or
+>>> a urgent 0 day exploit )
+>>>  - a way to test the bug and see it is fixed
+>>>  - text for the update
+>>
+>>> - qa validate the update ( with process to define )
+>>
+>>> - someone move the package from updates_testing to testing
+>>
+>> Someone from security (stable updates) team I guess?
+>>
+>>> - the bug is closed
+>>> - a announce is sent ( on various medias to be defined ), with the text
+>>> of update
+>>
+>> So who decides to reject an update and at what point? According to your
+>> proposal, either QA people decide this or they waste time on updates that
+>> later get rejected.
+>>
+>
+> IMHO, rejection reasons:
+> - The sec team doesn't think the update fixes a serious security
+> vulnerability; so it's not updates but backports
+> - The QA team couldn't validate, i.e. using the test case in the bug
+> report, their test results didn't show that the bug is fixed
+>
+
+Adding to this:
+- the bug is fixed, but it caused regressions somewhere else in the
+package itself, or in packages depending on it.
+
+>>> So the points are :
+>>> - no update can be uploaded without QA validation
+>>
+>> What does 'QA validation' mean exactly, can only certain people do it...?
+>>
+>
+> IIUC, QA validation is that they use the test case given in the
+> report; an example of a test case:
+> - install package foo-1mga1 from */release
+> - do foo bar, notice the app crashes
+> - install the fixed package foo-1.1mga1 from */updates_testing
+> - test again, the bug should be fixed
+>
+> if any of these steps fail, then it's not gonna get pushed as an
+> update. And it should be the QA team doing the validation, i.e.
+> experienced devs/packagers in the that team.
+>
+>>> - QA manage the checks, and so will requires help ( hence the security
+>>> team or any packager can help, provided they know how to do QA )
+>>
+>> So a packager wants to fix a bug in package that is not very visible, sends
+>> it to QA, then has to test it anyway? I'm not sure what you're saying here.
+>>
+>
+> Not the packager committing the fix, (if he doesn't think it's fixed
+> he won't ask for an update to begin with). But the QA team, this team
+> could/should have packagers in it.
+>
+>>
+>>    Christiaan
+>>
+>
+>
+>
+> --
+> Ahmad Samir
+>
+
+
+
+-- 
+Ahmad Samir
+
+ + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
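Review bot: the added file keeps posters' e-mail addresses in the "user at domain" form, both in the message header at the top of the hunk and in the quoted "wrote:" attribution lines, and that obfuscation is trivially reversed by address harvesters. Since the archive is now stored in a repository that is published through a web front end, consider masking the domain part or dropping the addresses at import time. The commit message ("Add zarb MLs html archives") also does not say where the HTML was exported from or how it was generated, so a short body naming the source would make the 163 added lines easier to verify against the original list archive later.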