[Mageia-dev] Meeting for secteam start

Fri Apr 15 14:35:40 CEST 2011

Sorry if I break the thread, just signed back up to the list.
+Just to kick things off for secteam, I thought I'd list the process as I
+remember it from when I worked with Vincent for a couple of years.
+Not to say Mageia needs to follow any of this, and as we're a volunteer
+organization, I suspect things will be structured a bit differently from
+a staffing POV than "2 guys mostly dedicated to updates"
+
+Old Process:
+
+* monitor vendor-sec, discuss vulns, patches, negotiate release schedule,
+   also watch other distro updates, for things we may have missed
+
+* check our srpm database (Vincent later reworked this) for all the
+places the affected source code
+   may be buried (many packages embed copies of other source)
+
+* apply/adapt patches for all supported releases/architectures (may have
+been published on vendor-sec,
+   or from another distro package, or extracted from upstream)
+
+   ** when we we supporting several releases, with Enterprise stuff
+being quite old, reworking the patches at times was difficult
+   ** policy changed over time and these days many things bump up to a
+new release, rather than patching
+
+* build in chroot to preserve the original build env (moved to iurt
+around the time I left)
+
+   ** if we had trouble building the package, contact the maintainer for
+help
+
+* acquire or write a POC (proof of concept) to test that the vuln is
+corrected, if not, re-patch/re-test
+
+* test the app for basic functionality, that we haven't introduced
+regressions
+
+   ** bugfix updates went to QA for testing, this was a big
+blocker/delay at times
+
+* write advisory text (usually copied from the CVE if there is one, or
+bugzilla from a bugfix)
+
+* upload packages to main mirror, wait a few hours and release the
+announcement (we had several scripts
+   that facilitated getting packages in the right place, signing them,
+uploading, etc.)
+
+-- 
+Stew Benedict
+New Tazewell, TN
+
+
+