[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers

Samuel Verschelde stormi at laposte.net
Fri Aug 26 12:49:40 CEST 2011


On Friday 26 August 2011 12:33:34, nicolas vigier wrote:
> On Fri, 26 Aug 2011, Maarten Vanraes wrote:
> > On Friday 26 August 2011 00:57:26, nicolas vigier wrote:
> > > On Thu, 25 Aug 2011, Maarten Vanraes wrote:
> > > > Sure, I'm packaging as fast as my RL (and mga2 dev TODO list) allows
> > > > me. I guess you should ask Anssi if I'm ready or not. I must say
> > > > that I'm not sure if security bugs are actually my thing though. I
> > > > never hacked servers, so I don't really know much about it. But in
> > > > any case, I'm packaging, and I suppose
> > > 
> > > Doing security updates has nothing to do with hacking servers, it's
> > > looking for the right patch to fix the issue, and updating the package
> > > with the patch applied.
> > 
> > but don't you have to test it that it actually works?
> 
> And you don't know how to run an exploit?
> 
> It's interesting that when there is some work to be done, you never know
> how to do anything, but it's never a problem to talk about anything like
> an expert, give your opinion about everything, say what should be done,
> how it should be done, etc ...

Well, AL13N is just saying what the current policy is, see  
http://www.mageia.org/wiki/doku.php?id=updates_policy#roles

"Security team" : "Design POC (Proof Of Concept) if necessary/possible to test 
whether updated build is immune to issue"

Now, if the policy needs to be changed and security fixes no longer need to be 
verified when they can be, it will be less work for everybody, but also a lower 
security level (people make mistakes).

Best regards

Samuel Verschelde

