<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201108252041.27743.maarten.vanraes%40gmail.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="007522.html">
<LINK REL="Next" HREF="007545.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers</H1>
<B>Maarten Vanraes</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Status%20report%20for%20Mageia%201%20updates%2C%0A%09and%20call%20for%20help%20from%20you%20packagers&In-Reply-To=%3C201108252041.27743.maarten.vanraes%40gmail.com%3E"
TITLE="[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers">maarten.vanraes at gmail.com
</A><BR>
<I>Thu Aug 25 20:41:27 CEST 2011</I>
<P><UL>
<LI>Previous message: <A HREF="007522.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers
</A></li>
<LI>Next message: <A HREF="007545.html">[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#7525">[ date ]</a>
<a href="thread.html#7525">[ thread ]</a>
<a href="subject.html#7525">[ subject ]</a>
<a href="author.html#7525">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Thursday 25 August 2011 20:14:45, Remco Rijnders wrote:
><i> On Thu, Aug 25, 2011 at 08:09:26AM -0400, Stew wrote in
</I>><i>
</I>><i> <<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">4E563B76.7080300 at gmail.com</A>>:
</I>><i> >On 08/24/2011 08:50 PM, Samuel Verschelde wrote:
</I>><i> >>Hi,
</I>><i> >>
</I>><i> >>I was told that QA Team's work's visibility needs to be improved, so as a
</I>><i> >>team member I'll try to give you some sort of status report.
</I>><i> >>
</I>><i> >>- 1 has been validated by QA one month ago, but was assigned to security
</I>><i> >>team following updates policy for security fixes, and got no answer. We
</I>><i> >>have to improve either the policy or the security team here (or both).
</I>><i> >
</I>><i> >Do you have a pointer to this bug? I'm not finding it in bugzilla.
</I>><i> >I'm not sure what I can do with it once assigned back to secteam,
</I>><i> >aside from write an advisory text. I don't have admin rights to
</I>><i> >release it, etc. (afaik). It was basically my understanding that the
</I>><i> >secteam role is to initiate the bug, provide patches, POC, and
</I>><i> >advisory text and the maintainer do the update and pass it on to QA.
</I>><i> >I've stopped even initiating because they are just sitting there in
</I>><i> >the new/unassigned state. some for 2 months or more now. While a
</I>><i> >shiny new KDE is nice, not pushing updates for published
</I>><i> >vulnerabilities makes us look bad, imho.
</I>><i>
</I>><i> I think what we need is a trinity of triage, secteam, and QA to work on
</I>><i> security related things. Triage team will assign or cc the security team
</I>><i> on security related bugs as efficiently as possible, from there security
</I>><i> team will work with the maintainer on the fix and hand it to QA for
</I>><i> (expedited) testing and release.
</I>><i>
</I>><i> My personal feeling is that security is too important a thing to leave up
</I>><i> to an individual maintainer or last committer to fix, especially when it
</I>><i> is remotely exploitable. Perhaps make a distinction on the severity of the
</I>><i> security issue?
</I>><i>
</I>><i> - If it needs an authenticated user for an exploit to work, assign it to
</I>><i> the maintainer, Cc security team. If there is no response from the
</I>><i> maintainer after x days (say 10 or so), security team takes over
</I>><i> responsibility.
</I>><i>
</I>><i> - If it is remotely exploitable and leads to a DoS or take over, security
</I>><i> team is instantly responsible and Cc's the maintainer on the bug and
</I>><i> works on a quick update.
</I>><i>
</I>><i> In my opinion it is more important to be concerned with the safety of our
</I>><i> users' machines than with perhaps stepping on a sour maintainer's toes.
</I>><i>
</I>><i> Perhaps in the next packagers meeting something like this can be agreed
</I>><i> on? The security team needs to have the needed privileges to quickly
</I>><i> handle security issues the best way it sees fit.
</I>><i>
</I>><i> Remmy
</I>
+1
</PRE>
<!--endarticle-->
<HR>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>