[Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)

David Walser luigiwalser at yahoo.com
Sun Jul 15 03:20:23 CEST 2012


Buchan Milne wrote:
> On Thursday, 5 July 2012 20:34:02 David Walser wrote:
>> Guillaume Rousse wrote:
>> > So, before any further contribution from my side, I'd like the people in
>> > charge of security updates to find some internal agreement about what
>> > kind of help they expect from other people exactly. If that's just to
>> > push a non-discussable list of changes into spec files, they could as
>> > well ask for SVN commit and package submission rights, to do it
>> > directly. This would avoid a large amount of anger and frustration for
>> > everyone.
>> 
>> Nobody is in charge, which is part of the problem.  I think a lot of us
>> packagers come from Mandriva where we were used to Oden being in charge of
>> updates for stable distros, and therefore not having to worry about it.
> 
> While Mandriva had a security team (before Oden, Stew, and before that Stew 
> and Vince). However, that doesn't mean you never had to worry about anything.

Sure, maybe the security manager would ask a maintainer for help with something sometimes, but they still had ultimate responsibility for 
the updates.  My point is that responsibility falls on all of us packagers now, and it's a perspective shift that needs to be made.

Also, I don't want anyone to get the idea that I'm in charge of security updates, even though I've kind of taken charge of it in a way, 
because when I finally started using Mageia at the end of last year, I noticed a lot of updates had been missed and nobody had taken charge 
of keeping track of such things.  So I try my best to keep track of it now and do my best to help get the needed updates out.  Please keep in 
mind that I do not have the level of experience of Vince or Oden and I have a full-time job which is not "make security updates for Mageia."  
I am doing my best, as is the QA team.

Mageia may not be the first to market with security updates (we're usually later than many other distros), but for highly critical zero-days 
and things being actively exploited, we've done well with packagers, QA, and sysadmins working together to get these updates out in a timely 
manner.  For other security updates, the important thing is that we get them out, not that we're first to market.

Finally Buchan, I have no complaints about the job you've done contributing to security updates for packages you maintain.  So if I ever 
sound like I'm complaining, it's not directed at you.


