[Mageia-dev] Security Update Process

[Stew Benedict]

OK,

Mageia 1 is approaching quickly and we need to get our process in place
for security updates. We talked a bit about it a few weeks ago, and I
started a wiki page, but it needs more detail. Anne and I chatted on IRC
and it looks like we'll want to cutoff the "on the iso " updates at the
end of this week, so we need a process in place to release post-iso updates.

ref: http://mageia.org/wiki/doku.php?id=security

As I see it, initially we need, in no particular order:

1) a means to build updates for the release (iurt setup for mga1?)
2) a means to publish updates (mail list, web page)
3) a means to manage/track the updates (bugzilla?)
4) work out/publish the process so we all know how it works

And then of course we need people to be aware of vulnerabilities as they
are exposed. For now, we'll have be be slightly trailing until we can
show a history of releasing updates and hopefully gain access to the
closed list to get access to embargoed issues. Once that happens we will
possibly need additional infrastructure changes to keep the work
non-public before the embargo date.

osvdb has a nice email aggregator that sends all the distro update
announcements, and the oss-security list has many of the CVE requests.
Unfortunately, my personal time hasn't allowed much more than a quick
read as they go by :/ I know many of you have been doing security
related bug reports and updates, which is great, thank-you. If anyone
wants to take a larger role in managing the process I'm more than happy
to let that happen. While I have experience, the time I'm able to commit
is less than helpful.

Comments, volunteers?



-- 
Stew Benedict
New Tazewell, TN