[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers
stormi at laposte.net
Thu Aug 25 19:12:26 CEST 2011
Le jeudi 25 août 2011 14:09:26, Stew Benedict a écrit :
> On 08/24/2011 08:50 PM, Samuel Verschelde wrote:
> > Hi,
> > I was told that QA Team's work's visibility needs to be improved, so as a
> > team member I'll try to give you some sort of status report.
> > - 1 has been validated by QA one month ago, but was assigned to security
> > team following updates policy for security fixes, and got not answer. We
> > have to improve either the policy or the security team here (or both).
> Do you have a pointer to this bug? I'm not finding it in bugzilla. I'm
> not sure what I can do with it once assigned back to secteam, aside from
> write an advisory text. I don't have admin rights to release it, etc.
> (afaik). It was basically my understanding that the secteam role is to
> initiate the bug, provide patches, POC, and advisory text and the
> maintainer do the update and pass it on to QA. I've stopped even
> intiating because they are just sitting there in the new/unassigned
> state. some for 2 months or more now. While a shiny new KDE is nice, not
> pushing updates for published vulnerabilities makes us look bad, imho.
I think the initial idea in the updates policy is that security fixes have to
be tested by secteam to ensure that the security problem is not there anymore,
because sometimes the upstream or the packager fixes it in a wrong way or does
a mistake, so we need to ensure the security problems are really fixed.
Otherwise we risk saying that a security issue is fixed when it's not.
Obviously, this can't happen if the security team doesn't grow. Maybe some
kind of joint effort from security and QA could help ?
I already know updates that have been pushed without the security fixes being
Also, the security bugs being open in bugzilla and not adressed by the
packagers is a really big issue, that we have to find a way to fix as soon as
possible. Can you give us a link to the list of pending security issues ?
More information about the Mageia-dev