[Mageia-dev] Security Update Process

Pascal Terjan pterjan at gmail.com
Mon May 16 16:57:25 CEST 2011


On Mon, May 16, 2011 at 15:45, Stew Benedict <stewbintn at gmail.com> wrote:
> OK,
>
> Mageia 1 is approaching quickly and we need to get our process in place
> for security updates. We talked a bit about it a few weeks ago, and I
> started a wiki page, but it needs more detail. Anne and I chatted on IRC
> and it looks like we'll want to cutoff the "on the iso " updates at the
> end of this week, so we need a process in place to release post-iso updates.
>
> ref: http://mageia.org/wiki/doku.php?id=security
>
> As I see it, initially we need, in no particular order:
>
> 1) a means to build updates for the release (iurt setup for mga1?)

A iurt setup for mga1 will exist anyway, what is missing is a way to
later upload to non public place.
Initially, we can just setup youri to restrict submitting a build to
updates_testing or updates to the secteam and it should be enough.

> 2) a means to publish updates (mail list, web page)
> 3) a means to manage/track the updates (bugzilla?)
> 4) work out/publish the process so we all know how it works
>
> And then of course we need people to be aware of vulnerabilities as they
> are exposed. For now, we'll have be be slightly trailing until we can
> show a history of releasing updates and hopefully gain access to the
> closed list to get access to embargoed issues. Once that happens we will
> possibly need additional infrastructure changes to keep the work
> non-public before the embargo date.
>
> osvdb has a nice email aggregator that sends all the distro update
> announcements, and the oss-security list has many of the CVE requests.
> Unfortunately, my personal time hasn't allowed much more than a quick
> read as they go by :/ I know many of you have been doing security
> related bug reports and updates, which is great, thank-you. If anyone
> wants to take a larger role in managing the process I'm more than happy
> to let that happen. While I have experience, the time I'm able to commit
> is less than helpful.
>
> Comments, volunteers?


More information about the Mageia-dev mailing list