[Mageia-dev] Status report for Mageia 1 updates, and call for help from you packagers
Maarten Vanraes
maarten.vanraes at gmail.com
Fri Aug 26 17:50:54 CEST 2011
On Friday 26 August 2011 12:49:40, Samuel Verschelde wrote:
> On Friday 26 August 2011 12:33:34, nicolas vigier wrote:
> > On Fri, 26 Aug 2011, Maarten Vanraes wrote:
> > > but don't you have to test it that it actually works?
> >
> > And you don't know how to run an exploit ?
I have never done this before, perhaps secteam needs training for such?
> > It's interesting that when there is some work to be done, you never know
> > how to do anything, but it's never a problem to talk about anything like
> > an expert, give your opinion about everything, say what should be done,
> > how it should be done, etc ...
Yes, that is interesting.
I think it's only natural for people to have an opinion, and i know you do
a lot of work on Mageia, but not everyone can do as much as you, and it's not
because i sometimes say a few things on IRC that i'm not doing anything.
boklm: I must say that i feel like i have to defend myself, to your post:
1. i don't think i speak "like an expert", but if you attribute this to me, i
can only think of this as a compliment, as people who speak like experts are
imho people who evidently know what they are talking about.
2. none the less, even if i'm not planning on putting any time in something,
that doesn't refrain me from speaking my opinions, and i think i can determine
which solution is a quick & dirty fix, and which is a good one, IMHO. i supply
it, you're free to ignore it.
3. as everyone, i too have priorities, even though mageia is high on it, it's
still below RL with wife and kids. as an estimate, except for IRC time, during
day and the meetings, as a reference, i think i can spend about 10-15hours on
mageia per week.
4. even though my dayjob is in IT Security, i have never done penetration
testing or hacked someone. My priorities are on development and server
maintenance. None the less, as a "sysadmin" (dayjob), i am very interested
about stable systems, updates & security patches.
5. i'm sure you know i'm still a novice packager, but being a novice
packager doesn't refrain me to "package", and i "maintain" my packages as far
as i'm able to in the best of my abilities. Maybe Anssi is a stricter mentor
than others, but i see no issue with that.
6. this may be a bad comparison, but it was my understanding that any
contribution, how small though it may be, is still valued. If you think my
contribution is not enough, or if you feel that i should just shut up if i
don't plan to spend some time on that, then i guess it's tough luck for you.
at least i'm contributing to something, i'm sure there's people reacting which
don't contribute at all. but as i said, you're free to ignore my advice.
I hadn't planned on reacting to such posts, to not fill up the mailing list
with unnecessary stuff as you so pointed out to me, but too much is too much, if
there are accusations (i perceive your post as such, though maybe i'm wrong,
please tell me if i am), i WILL defend myself.
(imho, accusations shouldn't be on public mailing lists though)
> Well, AL13N is just saying what the current policy is, see
> http://www.mageia.org/wiki/doku.php?id=updates_policy#roles
>
> "Security team" : "Design POC (Proof Of Concept) if necessary/possible to
> test whether updated build is immune to issue"
indeed, it's a requirement that i think is wanted.
> Now, if the policy needs to be changed and security fixes no more need to
> be verified when they can be, it will be less work for everybody, but also
> a lower security level (people make mistakes).
>
> Best regards
>
> Samuel Verschelde