<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20slight%20security%20improvement%3A%20should%20we%0A%09update%09aria2%20to%201.11.2%3F&In-Reply-To=%3C1306237969.3942.38.camel%40akroma.ephaone.org%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="004935.html">
<LINK REL="Next" HREF="004939.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?</H1>
<B>Michael Scherer</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20slight%20security%20improvement%3A%20should%20we%0A%09update%09aria2%20to%201.11.2%3F&In-Reply-To=%3C1306237969.3942.38.camel%40akroma.ephaone.org%3E"
TITLE="[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?">misc at zarb.org
</A><BR>
<I>Tue May 24 13:52:48 CEST 2011</I>
<P><UL>
<LI>Previous message: <A HREF="004935.html">[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?
</A></li>
<LI>Next message: <A HREF="004939.html">[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#4937">[ date ]</a>
<a href="thread.html#4937">[ thread ]</a>
<a href="subject.html#4937">[ subject ]</a>
<a href="author.html#4937">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Tuesday 24 May 2011 at 12:45 +0200, nicolas vigier wrote:
><i> On Tue, 24 May 2011, Christiaan Welvaart wrote:
</I>><i>
</I>><i> > On Tue, 24 May 2011, Michael Scherer wrote:
</I>><i> >
</I>><i> >> I would keep this as an update after the release is out ( like the 4
</I>><i> >> ruby CVEs, the libzip one ( CVE-2011-0421 )) and others that came out since
</I>><i> >> yesterday.
</I>><i> >>
</I>><i> >> So maybe we could open bugs for this ?
</I>><i> >
</I>><i> >> There are 2 proposals :
</I>><i> >> - filing them on security, and having a saved search
</I>><i> >
</I>><i> > What do you mean by that, a security product?
</I>><i>
</I>><i> There is a component "Security" on bugzilla.
</I>><i>
</I>><i> >
</I>><i> >> - creating a tracker bug
</I>><i> >>
</I>><i> >> I would be in favor of the tracker bug :
</I>><i> >> - you can subscribe to it
</I>><i> >> - it will be clearer ( as bugfixes are not security so we may miss some
</I>><i> >> update to do )
</I>><i> >> - it doesn't pollute the list of saved search
</I>><i> >>
</I>><i> >> But as pascal said, a tracker bug requires that each bug be linked to
</I>><i> >> it, which is manual and error prone.
</I>><i> >
</I>><i> > I don't know much about bugzilla, but:
</I>><i> > - Add a keyword 'security' to all security bugs.
</I>><i> > (also manual and error prone?)
</I>><i>
</I>><i> We already have a security component. Would a keyword instead of a
</I>><i> component be better for this ?
</I>
What about when we have more than 1 release?
I really think the security component is wrongly named. The bug is
against an rpm package, be it a security or non security fix, and
treating security fixes differently than non security fixes adds IMHO
unneeded complexity to the process.
><i> It is also manual, but a keyword is easier to remember than a tracker
</I>><i> bug number.
</I>
That's a good point, I guess we can either place the link on the bugzilla
main page, or use named bugs, or something like that?
><i> Maybe we can also think about a mailing list to receive all security
</I>><i> bugs.
</I>
It doesn't take non security related fixes into account.
Given the fact that there is no difference between the way we treat them
( ie, they are updates ), and given the fact that even later the difference
will be between embargoed updates and the rest, I guess that a generic
list for issues affecting a stable release would be better suited.
But I am not sure it will help much, we need to think about the problem we
are trying to solve, and the way I see it, it is twofold :
- we need to have a list of things to update ( security or not, doesn't
matter now )
- we need a way to be aware of changes to the aforementioned list
The solutions must :
- be extensible with the possibility of having an embargo in the future
- be as automated as possible
- be open to people that want to help
- take into account that we will have more than 1 release, maybe more than
1 project
Anybody see other constraints?
--
Michael Scherer
</PRE>
<!--endarticle-->
<HR>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>