[Mageia-dev] Finalizing update process

Ahmad Samir ahmadsamir3891 at gmail.com
Wed Jun 8 19:41:13 CEST 2011


On 8 June 2011 19:39, Ahmad Samir <ahmadsamir3891 at gmail.com> wrote:
> On 8 June 2011 18:57, Christiaan Welvaart <cjw at daneel.dyndns.org> wrote:
>> On Wed, 8 Jun 2011, Michael Scherer wrote:
>>
>>> On Wednesday 08 June 2011 at 10:40 +0200, Anne nicolas wrote:
>>>>
>>>> Hi there
>>>>
>>>> We have some stuff to complete here:
>>>> http://mageia.org/wiki/doku.php?id=security
>>>>
>>>> Can we spend the 2 or 3 coming
>>>> days to finalize it and start updates submits?
>>>
>>> Pascal is working on this.
>>>
>>> So here is a proposal :
>>> - anybody can submit a package to updates_testing.
>>> - once submitted to testing, it should ask QA to test, along with:
>>>  - a reason for the update (likely bug number)
>>>  - potentially a priority (i.e., if this is just a translation update or
>>> an urgent 0-day exploit)
>>>  - a way to test the bug and see it is fixed
>>>  - text for the update
>>
>>> - QA validates the update (with process to define)
>>
>>> - someone moves the package from updates_testing to testing
>>
>> Someone from security (stable updates) team I guess?
>>
>>> - the bug is closed
>>> - an announcement is sent (on various media to be defined), with the text
>>> of update
>>
>> So who decides to reject an update and at what point? According to your
>> proposal, either QA people decide this or they waste time on updates that
>> later get rejected.
>>
>
> IMHO, rejection reasons:
> - The sec team doesn't think the update fixes a serious security
> vulnerability; so it's not updates but backports
> - The QA team couldn't validate, i.e. using the test case in the bug
> report, their test results didn't show that the bug is fixed
>

Adding to this:
- the bug is fixed, but it caused regressions somewhere else in the
package itself, or in packages depending on it.

>>> So the points are :
>>> - no update can be uploaded without QA validation
>>
>> What does 'QA validation' mean exactly, can only certain people do it...?
>>
>
> IIUC, QA validation is that they use the test case given in the
> report; an example of a test case:
> - install package foo-1mga1 from */release
> - do foo bar, notice the app crashes
> - install the fixed package foo-1.1mga1 from */updates_testing
> - test again, the bug should be fixed
>
> if any of these steps fail, then it's not gonna get pushed as an
> update. And it should be the QA team doing the validation, i.e.
> experienced devs/packagers in that team.
>
>>> - QA manages the checks, and so will require help (hence the security
>>> team or any packager can help, provided they know how to do QA)
>>
>> So a packager wants to fix a bug in package that is not very visible, sends
>> it to QA, then has to test it anyway? I'm not sure what you're saying here.
>>
>
> Not the packager committing the fix, (if he doesn't think it's fixed
> he won't ask for an update to begin with). But the QA team, this team
> could/should have packagers in it.
>
>>
>>    Christiaan
>>
>
>
>
> --
> Ahmad Samir
>



-- 
Ahmad Samir

