[Mageia-dev] Security Update Process

Mon May 16 16:45:43 CEST 2011

OK,
+
+Mageia 1 is approaching quickly and we need to get our process in place
+for security updates. We talked a bit about it a few weeks ago, and I
+started a wiki page, but it needs more detail. Anne and I chatted on IRC
+and it looks like we'll want to cutoff the "on the iso " updates at the
+end of this week, so we need a process in place to release post-iso updates.
+
+ref: http://mageia.org/wiki/doku.php?id=security
+
+As I see it, initially we need, in no particular order:
+
+1) a means to build updates for the release (iurt setup for mga1?)
+2) a means to publish updates (mail list, web page)
+3) a means to manage/track the updates (bugzilla?)
+4) work out/publish the process so we all know how it works
+
+And then of course we need people to be aware of vulnerabilities as they
+are exposed. For now, we'll have be be slightly trailing until we can
+show a history of releasing updates and hopefully gain access to the
+closed list to get access to embargoed issues. Once that happens we will
+possibly need additional infrastructure changes to keep the work
+non-public before the embargo date.
+
+osvdb has a nice email aggregator that sends all the distro update
+announcements, and the oss-security list has many of the CVE requests.
+Unfortunately, my personal time hasn't allowed much more than a quick
+read as they go by :/ I know many of you have been doing security
+related bug reports and updates, which is great, thank-you. If anyone
+wants to take a larger role in managing the process I'm more than happy
+to let that happen. While I have experience, the time I'm able to commit
+is less than helpful.
+
+Comments, volunteers?
+
+
+
+-- 
+Stew Benedict
+New Tazewell, TN
+
+
+