[Mageia-dev] Security Update Process

Wed May 18 22:37:14 CEST 2011

Le lundi 16 mai 2011 à 18:08 +0200, Thierry Vignaud a écrit :
+> On 16 May 2011 18:05, Ahmad Samir <ahmadsamir3891 at gmail.com> wrote:
+> >>> Mageia 1 is approaching quickly and we need to get our process in place
+> >>> for security updates. We talked a bit about it a few weeks ago, and I
+> >>> started a wiki page, but it needs more detail. Anne and I chatted on IRC
+> >>> and it looks like we'll want to cutoff the "on the iso " updates at the
+> >>> end of this week, so we need a process in place to release post-iso updates.
+> >>>
+> >>> ref: http://mageia.org/wiki/doku.php?id=security
+> >>>
+> >>> As I see it, initially we need, in no particular order:
+> >>>
+> >>> 1) a means to build updates for the release (iurt setup for mga1?)
+> >>
+> >> A iurt setup for mga1 will exist anyway, what is missing is a way to
+> >> later upload to non public place.
+> >> Initially, we can just setup youri to restrict submitting a build to
+> >> updates_testing or updates to the secteam and it should be enough.
+> >>
+> >
+> > Ideally packagers should be able to submit to update_testing when they
+> > want to push a fixed package to ask for testing. So restricting
+> > submitting to updates sounds more logical?
+> 
+> What's more that matches what we were doing back @mdv.
+> The process was:
+> - trusted packagers upload into main/testing,
+> - all packager can upload into contrib/testing,
+> - ticket (for main/*) is opened & assigned to qa
+> - people || qa test
+> - if tests succeed, ticket is assigned to secteam
+> - secteam rebuild with its own sig & push the package
+
+I would propose the following :
+- packagers can upload to */updates_testing ( with some limitation and
+specific check )
+- ticket are opened for everything, assigned to QA
+- people || qa test 
+- if tests are ok, package is moved to */updates
+
+I see no need to rebuild again on a different system, as we do not have
+the ressources. 
+
+-- 
+Michael Scherer
+
+