path: root/zarb-ml/mageia-dev/2011-June/005225.html
blob: 06497ac9a0c4812e8bc68044315cfe5ee45f61af (plain)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] Finalizing update process
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Finalizing%20update%20process&In-Reply-To=%3C1307575517.26948.62.camel%40akroma.ephaone.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="005221.html">
   <LINK REL="Next"  HREF="005226.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] Finalizing update process</H1>
    <B>Michael Scherer</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Finalizing%20update%20process&In-Reply-To=%3C1307575517.26948.62.camel%40akroma.ephaone.org%3E"
       TITLE="[Mageia-dev] Finalizing update process">misc at zarb.org
       </A><BR>
    <I>Thu Jun  9 01:25:16 CEST 2011</I>
    <P><UL>
        <LI>Previous message: <A HREF="005221.html">[Mageia-dev] Finalizing update process
</A></li>
        <LI>Next message: <A HREF="005226.html">[Mageia-dev] Finalizing update process
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#5225">[ date ]</a>
              <a href="thread.html#5225">[ thread ]</a>
              <a href="subject.html#5225">[ subject ]</a>
              <a href="author.html#5225">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>On Thursday 09 June 2011 at 00:53 +0300, Ahmad Samir wrote:
&gt;<i> On 8 June 2011 23:40, Anssi Hannula &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">anssi.hannula at iki.fi</A>&gt; wrote:
</I>&gt;<i> &gt; On 08.06.2011 23:23, Ahmad Samir wrote:
</I>&gt;<i> &gt;&gt; On 8 June 2011 21:45, Samuel Verschelde &lt;<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">stormi at laposte.net</A>&gt; wrote:
</I>&gt;<i> &gt;&gt;&gt; On Wednesday 8 June 2011 19:39:55, Ahmad Samir wrote:
</I>&gt;<i> &gt;&gt;&gt;
</I>&gt;<i> &gt;&gt;&gt;&gt; IMHO, rejection reasons:
</I>&gt;<i> &gt;&gt;&gt;
</I>&gt;<i> &gt;&gt;&gt;&gt; - The sec team doesn't think the update fixes a serious security
</I>&gt;<i> &gt;&gt;&gt;
</I>&gt;<i> &gt;&gt;&gt;&gt; vulnerability; so it's not updates but backports
</I>&gt;<i> &gt;&gt;&gt;
</I>&gt;<i> &gt;&gt;&gt; What about bugfix updates ? I guess fixing a bug is a valid reason for an
</I>&gt;<i> &gt;&gt;&gt; update, like it was in Mandriva's updates.
</I>&gt;<i> &gt;&gt;&gt;
</I>&gt;<i> &gt;&gt;&gt; Regards
</I>&gt;<i> &gt;&gt;&gt;
</I>&gt;<i> &gt;&gt;&gt; Samuel
</I>&gt;<i> &gt;&gt;
</I>&gt;<i> &gt;&gt; Right, I probably phrased that one wrongly; I meant:
</I>&gt;<i> &gt;&gt; fixes a serious bug, e.g. crashing, segfaulting
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; I don't think we should exclude non-serious bugs :)
</I>&gt;<i> &gt;
</I>&gt;<i> 
</I>&gt;<i> Depends, overworking the sec team doesn't look like a good aspect...
</I>&gt;<i> (that's why I liked contrib in mdv, I could push an update any time,
</I>&gt;<i> without having to go through the bug report -&gt; QA -&gt; Sec team loop).
</I>
Well, I didn't ask the secteam to do anything except manage the
security aspect:
- finding CVE
- finding patch ( with the help of maintainer )
- finding test and fixes

But the building and updating should be done by the maintainer, as this
would scale better. Let the security team focus on the security aspect,
and be there as a help for maintainers and vice versa. We shouldn't
overload the secteam, while maintainers are here for that :)
 
One of the problems at Mandriva was that security and stable updates were
quite disconnected from maintainers, and so it didn't scale well.

It didn't scale because people didn't know the security procedure ( it was
not part of the expected curriculum of a packager, and often was done
without them being involved ), it didn't scale because security was only for a
restricted set of salaried employees taking care of everything on separate
systems.

I think we should focus on having:
- a system using already known procedures ( i.e. the regular build system )
- make sure that taking care of updates is something done regularly as
part of packager duty ( after all, that's the whole part of being a
maintainer )

&gt;<i> &gt; (or version updates in some cases, like firefox/opera/flash or updating
</I>&gt;<i> &gt; an rc/beta version to a stable one, and maybe some online games that are
</I>&gt;<i> &gt; useless unless on latest version)
</I>&gt;<i> &gt;
</I>&gt;<i> 
</I>&gt;<i> I agree, (except for the games part, nowadays if it's less than 4GB
</I>&gt;<i> it's not really a &quot;game&quot;).
</I>
I guess we can start with a list of exceptions:

- stuff that should be updated to latest version, because the security
support for older releases ( firefox, chrome ) is too hard
-&gt; we update to latest version if there is no regression and a strong
reason to upgrade ( severe bugfixes, security issue, breakages ). 
Exceptions of this category should be very exceptional

- stuff where there are strict bugfix-only releases
( postgresql ), or an update to a stable version ( which should be a bugfix
only release when compared to beta/rc :) )
-&gt; we upgrade to stable ( for rc/beta )
-&gt; we do version update if it is bug fixes and if the packager is ok
with it ( and if the rules of the bugfix branches are clearly documented
) 

- everything else 
-&gt; only minimal patches

The question of games is still open, i.e., should they go in the 1st category, or
should we have different rules to see what should be there or not?

I guess this would only be for networked games?

&gt;<i> Maybe the sec team should only work on sec fixes, and there should be
</I>&gt;<i> a sub-group of the sec team that handle the not
</I>&gt;<i> CVE|crash|segfaulting|buffer-overflow updates.
</I>
Segfaults and crashes are the duty of the packager, as well as wrong requires or
anything.
-- 
Michael Scherer

</PRE>











<!--endarticle-->
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>