[Mageia-dev] Finalizing update process

Ahmad Samir ahmadsamir3891 at gmail.com
Wed Jun 8 19:39:55 CEST 2011


On 8 June 2011 18:57, Christiaan Welvaart <cjw at daneel.dyndns.org> wrote:
> On Wed, 8 Jun 2011, Michael Scherer wrote:
>
>> On Wednesday 08 June 2011 at 10:40 +0200, Anne nicolas wrote:
>>>
>>> Hi there
>>>
>>> We have some stuff to complete here:
>>> http://mageia.org/wiki/doku.php?id=security
>>>
>>> Can we spend the 2 or 3 coming days to finalize it and start updates
>>> submits?
>>
>> Pascal is working on this.
>>
>> So here is a proposal :
>> - anybody can submit a package to updates_testing.
>> - once submitted to testing, it should ask to QA to test, along with :
>>  - a reason for the update ( likely bug number )
>>  - potentially a priority ( ie, if this is just a translation update or
>> an urgent 0 day exploit )
>>  - a way to test the bug and see it is fixed
>>  - text for the update
>
>> - qa validate the update ( with process to define )
>
>> - someone move the package from updates_testing to testing
>
> Someone from security (stable updates) team I guess?
>
>> - the bug is closed
>> - an announcement is sent ( on various media to be defined ), with the text
>> of update
>
> So who decides to reject an update and at what point? According to your
> proposal, either QA people decide this or they waste time on updates that
> later get rejected.
>

IMHO, rejection reasons:
- The sec team doesn't think the update fixes a serious security
vulnerability; so it's not updates but backports
- The QA team couldn't validate, i.e. using the test case in the bug
report, their test results didn't show that the bug is fixed

>> So the points are :
>> - no update can be uploaded without QA validation
>
> What does 'QA validation' mean exactly, can only certain people do it...?
>

IIUC, QA validation is that they use the test case given in the
report; an example of a test case:
- install package foo-1mga1 from */release
- do foo bar, notice the app crashes
- install the fixed package foo-1.1mga1 from */updates_testing
- test again, the bug should be fixed

If any of these steps fail, then it's not gonna get pushed as an
update. And it should be the QA team doing the validation, i.e.
experienced devs/packagers in that team.

>> - QA manages the checks, and so will require help ( hence the security
>> team or any packager can help, provided they know how to do QA )
>
> So a packager wants to fix a bug in package that is not very visible, sends
> it to QA, then has to test it anyway? I'm not sure what you're saying here.
>

Not the packager committing the fix, (if he doesn't think it's fixed
he won't ask for an update to begin with). But the QA team, this team
could/should have packagers in it.

>
>    Christiaan
>



-- 
Ahmad Samir

