zarb-ml/mageia-dev/2011-August/007521.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] Status report for Mageia 1 updates,	and call for help from you packagers
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201108251912.26274.stormi%40laposte.net%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="007514.html">
   <LINK REL="Next"  HREF="007540.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] Status report for Mageia 1 updates,	and call for help from you packagers</H1>
    <B>Samuel Verschelde</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201108251912.26274.stormi%40laposte.net%3E"
       TITLE="[Mageia-dev] Status report for Mageia 1 updates,	and call for help from you packagers">stormi at laposte.net
       </A><BR>
    <I>Thu Aug 25 19:12:26 CEST 2011</I>
    <P><UL>
        <LI>Previous message: <A HREF="007514.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers
</A></li>
        <LI>Next message: <A HREF="007540.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#7521">[ date ]</a>
              <a href="thread.html#7521">[ thread ]</a>
              <a href="subject.html#7521">[ subject ]</a>
              <a href="author.html#7521">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Le jeudi 25 ao&#251;t 2011 14:09:26, Stew Benedict a &#233;crit :
&gt;<i> On 08/24/2011 08:50 PM, Samuel Verschelde wrote:
</I>&gt;<i> &gt; Hi,
</I>&gt;<i> &gt; 
</I>&gt;<i> &gt; I was told that QA Team's work's visibility needs to be improved, so as a
</I>&gt;<i> &gt; team member I'll try to give you some sort of status report.
</I>&gt;<i> &gt; 
</I>&gt;<i> &gt; - 1 has been validated by QA one month ago, but was assigned to security
</I>&gt;<i> &gt; team following updates policy for security fixes, and got not answer. We
</I>&gt;<i> &gt; have to improve either the policy or the security team here (or both).
</I>&gt;<i> 
</I>&gt;<i> Do you have a pointer to this bug? I'm not finding it in bugzilla. I'm
</I>&gt;<i> not sure what I can do with it once assigned back to secteam, aside from
</I>&gt;<i> write an advisory text. I don't have admin rights to release it, etc.
</I>&gt;<i> (afaik). It was basically my understanding that the secteam role is to
</I>&gt;<i> initiate the bug, provide patches, POC, and advisory text and the
</I>&gt;<i> maintainer do the update and pass it on to QA. I've stopped even
</I>&gt;<i> intiating because they are just sitting there in the new/unassigned
</I>&gt;<i> state. some for 2 months or more now. While a shiny new KDE is nice, not
</I>&gt;<i> pushing updates for published vulnerabilities makes us look bad, imho.
</I>
It's <A HREF="https://bugs.mageia.org/show_bug.cgi?id=2239">https://bugs.mageia.org/show_bug.cgi?id=2239</A>

I think the initial idea in the updates policy is that security fixes have to 
be tested by secteam to ensure that the security problem is not there anymore, 
because sometimes the upstream or the packager fixes it in a wrong way or does 
a mistake, so we need to ensure the security problems are really fixed. 
Otherwise we risk saying that a security issue is fixed when it's not. 
Obviously, this can't happen if the security team doesn't grow. Maybe some 
kind of joint effort from security and QA could help ?

I already know updates that have been pushed without the security fixes being 
tested.

Also, the security bugs being open in bugzilla and not adressed by the 
packagers is a really big issue, that we have to find a way to fix as soon as 
possible. Can you give us a link to the list of pending security issues ?

Best regards

Samuel Verschelde
</PRE>


<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="007514.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers
</A></li>
	<LI>Next message: <A HREF="007540.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#7521">[ date ]</a>
              <a href="thread.html#7521">[ thread ]</a>
              <a href="subject.html#7521">[ subject ]</a>
              <a href="author.html#7521">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>