From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier
Date: Sun, 14 Apr 2013 13:46:12 +0000
Subject: Add zarb MLs html archives (zarb-ml/mageia-dev/2011-September/007734.html)

[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers

Samuel Verschelde (stormi at laposte.net)
Thu Sep 1 12:16:19 CEST 2011

On Thursday 25 August 2011 23:48:19, Stew Benedict wrote:
> On 08/25/2011 01:12 PM, Samuel Verschelde wrote:
> > On Thursday 25 August 2011 14:09:26, Stew Benedict wrote:
> >> On 08/24/2011 08:50 PM, Samuel Verschelde wrote:
> >>> Hi,
> >>> 
> >>> I was told that the visibility of the QA Team's work needs to be improved, so as
> >>> a team member I'll try to give you some sort of status report.
> >>> 
> >>> - 1 has been validated by QA one month ago, but was assigned to
> >>> security team following updates policy for security fixes, and got no
> >>> answer. We have to improve either the policy or the security team here
> >>> (or both).
> >> 
> >> Do you have a pointer to this bug? I'm not finding it in bugzilla. I'm
> >> not sure what I can do with it once assigned back to secteam, aside from
> >> write an advisory text. I don't have admin rights to release it, etc.
> >> (afaik). It was basically my understanding that the secteam role is to
> >> initiate the bug, provide patches, POC, and advisory text and the
> >> maintainer does the update and passes it on to QA. I've stopped even
> >> initiating because they are just sitting there in the new/unassigned
> >> state, some for 2 months or more now. While a shiny new KDE is nice, not
> >> pushing updates for published vulnerabilities makes us look bad, imho.
> > 
> > It's https://bugs.mageia.org/show_bug.cgi?id=2239
> > 
> > I think the initial idea in the updates policy is that security fixes
> > have to be tested by secteam to ensure that the security problem is not
> > there anymore, because sometimes the upstream or the packager fixes it
> > in a wrong way or makes a mistake, so we need to ensure the security
> > problems are really fixed. Otherwise we risk saying that a security
> > issue is fixed when it's not. Obviously, this can't happen if the
> > security team doesn't grow. Maybe some kind of joint effort from
> > security and QA could help?
> > 
> > I already know of updates that have been pushed without the security fixes
> > being tested.
> > 
> > Also, the security bugs being open in bugzilla and not addressed by the
> > packagers is a really big issue, that we have to find a way to fix as
> > soon as possible. Can you give us a link to the list of pending security
> > issues?
> 
> While I don't disagree with the theory, it's not workable with the
> current state, as I don't have enough free cycles to think about
> actually updating any packages and/or doing the testing. One has to keep
> in mind that in the past life this was nearly a full time job for 2
> people to identify, fix, build, test, release updates for the supported
> releases. The people that have inquired about helping with security
> issues quickly go away when they find out how inglorious(sic) it is.
> 

What has been decided during the latest packager meeting is that it's the QA team
who will try to check that the security bugs are really fixed during QA testing
(when it's possible), so that the security team doesn't need to do it and can
concentrate on monitoring and finding out about existing issues.

So the procedure is:
- security team identifies issues and creates bug reports
- packagers fix bugs
- QA team validates

This way I hope the security team's work becomes doable with our current
resources. It also means that we need a real commitment from packagers. The QA
team is already ready and testing.

Best regards

Samuel Verschelde
