<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20slight%20security%20improvement%3A%20should%20we%20update%0A%20aria2%20to%201.11.2%3F&In-Reply-To=%3Calpine.LMD.2.02.1105241358001.26733%40zem.cjw.nep%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="004937.html">
<LINK REL="Next" HREF="004931.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?</H1>
<B>Christiaan Welvaart</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20slight%20security%20improvement%3A%20should%20we%20update%0A%20aria2%20to%201.11.2%3F&In-Reply-To=%3Calpine.LMD.2.02.1105241358001.26733%40zem.cjw.nep%3E"
TITLE="[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?">cjw at daneel.dyndns.org
</A><BR>
<I>Tue May 24 14:47:47 CEST 2011</I>
<P><UL>
<LI>Previous message: <A HREF="004937.html">[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?
</A></li>
<LI>Next message: <A HREF="004931.html">[Mageia-dev] Push request
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#4939">[ date ]</a>
<a href="thread.html#4939">[ thread ]</a>
<a href="subject.html#4939">[ subject ]</a>
<a href="author.html#4939">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Tue, 24 May 2011, Michael Scherer wrote:
><i> On Tuesday 24 May 2011 at 12:45 +0200, nicolas vigier wrote:
</I>>><i> On Tue, 24 May 2011, Christiaan Welvaart wrote:
</I>>><i>
</I>>>><i> On Tue, 24 May 2011, Michael Scherer wrote:
</I>
>>>><i> There are 2 proposals:
</I>>>>><i> - filing them on security, and have a saved search
</I>>>>><i> - creating a tracker bug
</I>>>>><i>
</I>>>>><i> I would be in favor of the tracker bug :
</I>>>>><i> - you can subscribe to it
</I>>>>><i> - it will be clearer ( as bugfixes are not security so we may miss some
</I>>>>><i> update to do )
</I>>>>><i> - it doesn't pollute the list of saved search
</I>>>>><i>
</I>>>>><i> But as pascal said, a tracker bug requires each bug to be linked to
</I>>>>><i> it, which is manual and error prone.
</I>>>><i>
</I>>>><i> I don't know much about bugzilla, but:
</I>>>><i> - Add a keyword 'security' to all security bugs.
</I>>>><i> (also manual and error prone?)
</I>>><i>
</I>>><i> We already have a security component. Would a keyword instead of a
</I>>><i> component be better for this ?
</I>
><i> What about when we have more than 1 release?
</I>><i>
</I>><i> I really think the security component is wrongly named. The bug is
</I>><i> against a rpm package, be it a security or non security fix, and
</I>><i> treating security fixes differently than non security fixes adds IMHO
</I>><i> unneeded complexity to the process.
</I>
I agree with Michael: security is not a component: a security issue in a
package is still a bug in that package. (And I still consider each source
rpm a component like originally configured in the mandrake bugzilla).

>><i> It is also manual, but a keyword is easier to remember than a tracker
</I>>><i> bug number.
</I>><i>
</I>><i> That's a good point, I guess we can either place the link on bugzilla
</I>><i> main page, or use named bugs, or something like that ?
</I>
There is a 'version' in bugzilla, with only 'Cauldron' in it currently,
maybe that should be used. Setting this (or a target milestone) for a bug
is easy, just choose 'Mageia 1' from the list. So if you want to see all
updates in the list, make a search for bugs with version (or target
milestone) Mageia 1. A link on the main page would be fine with me. It's a
trivial search, however (:

>><i> Maybe we can also think about a mailing list to receive all security
</I>>><i> bugs.
</I>><i>
</I>><i> It doesn't take non security related fixes into account.
</I>><i>
</I>><i> Given the fact that there is no difference between the way we treat them
</I>><i> ( ie, it is updates ), and given the fact that even later the difference
</I>><i> will be between embargoed updates and the rest, I guess that a generic
</I>><i> list for issues affecting a stable release would be better suited.
</I>><i>
</I>><i> But I am not sure it will help much, we need to think about the problem we
</I>><i> try to solve, and the way I see it, it is twofold :
</I>><i>
</I>><i> - we need to have a list of things to update ( security or not, doesn't
</I>><i> matter now )
</I>><i> - we need a way to be aware of changes to the aforementioned list
</I>
Maybe there can be a trigger in bugzilla on all bugs that are newly
targeted or retargeted at a stable release?

><i> The solutions must :
</I>><i> - be extensible with possibility of having an embargo in the future
</I>
AFAIK bugzilla supports access restrictions on individual bugs.

><i> - be as automated as possible
</I>><i> - be open to people that want to help
</I>><i> - take into account that we will have more than 1 release, maybe more than
</I>><i> 1 project
</I>
Products and releases are already supported in the current bugzilla
configuration.

Christiaan
</PRE>
<!--endarticle-->
<HR>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>