[Mageia-dev] slight security improvement: should we update aria2 to 1.11.2?
Michael Scherer
misc at zarb.org
Tue May 24 13:52:48 CEST 2011
Le mardi 24 mai 2011 à 12:45 +0200, nicolas vigier a écrit :
> On Tue, 24 May 2011, Christiaan Welvaart wrote:
>
> > On Tue, 24 May 2011, Michael Scherer wrote:
> >
> >> I would keep this as a update after the release is out ( like they 4
> >> ruby cve, libzip one ( CVE-2011-0421 )) and others that came out since
> >> yesterday.
> >>
> >> So maybe we could open bugs for this ?
> >
> >> There is 2 proposal :
> >> - filling them on security, and have a saved search
> >
> > What do you mean by that, a security product?
>
> There is a component "Security" on bugzilla.
>
> >
> >> - creating a tracker bug
> >>
> >> I would be in favor of the tracker bug :
> >> - you can subscribe to it
> >> - it will be clearer ( as bugfixes are not security so we may miss some
> >> update to do )
> >> - it doesn't pollute the list of saved search
> >>
> >> But as pascal said, a tracker bug requires that each bug to be linked to
> >> it, which is manual and error prone.
> >
> > I don't know much about bugzilla, but:
> > - Add a keyword 'security' to all security bugs.
> > (also manual and error prone?)
>
> We already have a security component. Would a keyword instead of a
> component be better for this ?
What when we have more than 1 release ?
I really think the security component is wrongly named. The bug is
against a rpm package, be it a security or non security fix, and
treating security fix differently than non security fixes add IMHO
unneeded complexity to the process.
> It is also manual, but a keywork is easier to remember than a tracker
> bug number.
That's a good point, I guess we can either place the link on bugzilla
main page, or use named bugs, or something like that ?
> Maybe we can also think about a mailing list to receive all security
> bugs.
It doesn't take non security related fix in account.
Given the fact that there is no difference between the way we treat them
( ie, it is updates ), and given the fact than even later the difference
will be between embargoed updates and the rest, I guess that a generic
list for issue affecting a stable release would be better suited.
But I am not sure it will help much, we need to think to the problem we
try to solve, and the way I see it, it is twofold :
- we need to have a list of thing to update ( security or not, doesn't
matter now )
- we need a way to be aware of changes to the aformentioned list
The solutions must :
- be extensible with possibility of having a embargo in the future
- be as automated as possible
- be open to people that want to help
- take in account that we will have more than 1 release, maybe more than
1 project
Anybody see others constraints ?
--
Michael Scherer
More information about the Mageia-dev
mailing list