[Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)

Claire Robinson eeeemail at gmail.com
Thu Jul 5 23:43:21 CEST 2012


> I spent some time today to help the QA team to manage those pending
> security updates. And for the second time in a week, I've been facing
> rather unpleasant attitude from someone else from the same team:
> https://bugs.mageia.org/show_bug.cgi?id=5939
>
> I wonder how we're supposed to work together when expressing an opinion
> about issues prioritization exposes you to harsh comments from someone
> unable to express his disagreement without aggressivity. There's not much
> point resorting to "we're all in the same boat" kind of metaphor during
> IRC meeting to thereafter suggest to leave the board to people
> expressing concerns about the boat heading...
>
> So, before any further contribution from my side, I'd like the people in
> charge of security updates to find some internal agreement about what
> kind of help they expect from other people exactly. If that's just to
> push a non-discussable list of changes into spec files, they could as
> well ask for SVN commit and package submission rights, to do it
> directly. This would avoid a large amount of anger and frustration for
> everyone.
>

You seem to be frustrated by a false assumption. The assumption that 
something has changed over the past year of performing QA on security 
updates.

It hasn't. We haven't begun doing anything differently and we haven't 
started to ask for any more than we have done before, during all that time.

The reason we now have a backlog, which seems to be the cause of the 
frustration, is simply because we don't have enough volunteers. That is 
not really a reason to begin taking shortcuts, or cut out common sense, 
but it is something you can help with.

Our QA workload doubled overnight when Mageia 2 was released. At the 
time there were mainly only two of us to perform the task, as there had 
been throughout the lifespan of Mageia 1 until that point. One tested 
every update x86_64 and one tested every update i586.

As I'm sure you realise, that is nowhere near enough people to perform 
QA adequately on two live releases, especially just after release when 
many packaging bugs are being fixed. This is on top of having to work 
around bug 2317 which is only now beginning to receive attention.

I fully sympathise with the need to concentrate on security updates and 
the need to handle them efficiently. Nothing has changed in that regard. 
We handle them now the same as we have been doing since last August and 
it has never been a problem for anybody. Believe it or not, it is 
actually appreciated by most.

We have been trying to recruit new members and with some limited 
success. Those new members will hardly be inspired though to volunteer 
their time by this type of bullying. I myself would also like to think I 
didn't have to purposely avoid certain packagers' update requests because 
of their aggressive behaviour. That situation would be of no benefit to 
anybody.

We always have and will continue to do our best to prioritise security 
updates. Unfortunately that has to happen at the expense of bugfix 
updates so there are a number of those waiting for our attention. David 
has also been pushing for maintainers to get various security bugs fixed 
so there has been a bit of an influx for QA to deal with.

This whole issue is being blown wildly out of proportion and it is 
really demoralising for those of us who already spend far too many hours 
a day actually doing the job.

If you really want to speed things up then please spend some time 
helping to shorten the list and lighten the load. We did request help 
two weeks ago in the packagers meeting.

You can find the validation procedure here: http://bit.ly/Ne2lPP

and the list of bugs awaiting QA here: http://bit.ly/LZMNhr

Throughout the life of Mageia 1 the QA list was usually between 20 and 
40 bugs long; it is now between 40 and 50 bugs long and is hovering 
around that point.

These recent attacks are causing even more work for us, which again 
helps nobody, and diverts our attention away from where it is really 
needed. Also I would point out that having to validate the same package 
several times obviously lessens the amount of time we can spend 
elsewhere, which compounds the problem.

If the current situation is indeed such an intolerable issue then 
perhaps we should think seriously if we currently have the resources to 
maintain two active releases or rethink our ability to open backports, 
instead of bullying those who are already stretched too thinly.

Regards
Claire





