[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers

Samuel Verschelde stormi at laposte.net
Thu Sep 1 12:16:19 CEST 2011 

Le jeudi 25 août 2011 23:48:19, Stew Benedict a écrit :
> On 08/25/2011 01:12 PM, Samuel Verschelde wrote:
> > Le jeudi 25 août 2011 14:09:26, Stew Benedict a écrit :
> >> On 08/24/2011 08:50 PM, Samuel Verschelde wrote:
> >>> Hi,
> >>> 
> >>> I was told that QA Team's work's visibility needs to be improved, so as
> >>> a team member I'll try to give you some sort of status report.
> >>> 
> >>> - 1 has been validated by QA one month ago, but was assigned to
> >>> security team following updates policy for security fixes, and got not
> >>> answer. We have to improve either the policy or the security team here
> >>> (or both).
> >> 
> >> Do you have a pointer to this bug? I'm not finding it in bugzilla. I'm
> >> not sure what I can do with it once assigned back to secteam, aside from
> >> write an advisory text. I don't have admin rights to release it, etc.
> >> (afaik). It was basically my understanding that the secteam role is to
> >> initiate the bug, provide patches, POC, and advisory text and the
> >> maintainer do the update and pass it on to QA. I've stopped even
> >> intiating because they are just sitting there in the new/unassigned
> >> state. some for 2 months or more now. While a shiny new KDE is nice, not
> >> pushing updates for published vulnerabilities makes us look bad, imho.
> > 
> > It's https://bugs.mageia.org/show_bug.cgi?id=2239
> > 
> > I think the initial idea in the updates policy is that security fixes
> > have to be tested by secteam to ensure that the security problem is not
> > there anymore, because sometimes the upstream or the packager fixes it
> > in a wrong way or does a mistake, so we need to ensure the security
> > problems are really fixed. Otherwise we risk saying that a security
> > issue is fixed when it's not. Obviously, this can't happen if the
> > security team doesn't grow. Maybe some kind of joint effort from
> > security and QA could help ?
> > 
> > I already know updates that have been pushed without the security fixes
> > being tested.
> > 
> > Also, the security bugs being open in bugzilla and not adressed by the
> > packagers is a really big issue, that we have to find a way to fix as
> > soon as possible. Can you give us a link to the list of pending security
> > issues ?
> 
> While I don't disagree with the theory, it's not workable with the
> current state, as I don't have enough free cycles to think about
> actually updating any packages an/or doing the testing. One has to keep
> in mind that in the past life this was nearly a full time job for 2
> people to identify, fix build, test, release updates for the supported
> releases. The people that have inquired about helping with security
> issues quickly go away when they find out how inglorious(sic) it is.
> 

What has been decided during latest packager meeting is that it's the QA team 
who will try to check that the security bugs are really fixed during QA testing 
(when it's possible), so that the security team doesn't need to do it and can 
concentrate on monitoring and finding about existing issues.

So the procedure is :
- security team identifies issues and creates bug reports
- packagers fix bugs
- QA team validates

This way I hope the security team work becomes doable with our current 
ressources. It means also that we need a real commitment from packagers. QA 
team is already ready and testing.

Best regards

Samuel Verschelde

More information about the Mageia-dev mailing list