OK, Mageia 1 is approaching quickly and we need to get our process in place for security updates. We talked a bit about it a few weeks ago, and I started a wiki page, but it needs more detail. Anne and I chatted on IRC and it looks like we'll want to cut off the "on the iso" updates at the end of this week, so we need a process in place to release post-iso updates.

ref: http://mageia.org/wiki/doku.php?id=security

As I see it, initially we need, in no particular order:

1) a means to build updates for the release (iurt setup for mga1?)
2) a means to publish updates (mail list, web page)
3) a means to manage/track the updates (bugzilla?)
4) work out/publish the process so we all know how it works

And then of course we need people to be aware of vulnerabilities as they are exposed. For now, we'll have to be slightly trailing until we can show a history of releasing updates and hopefully gain access to the closed list to get access to embargoed issues. Once that happens we will possibly need additional infrastructure changes to keep the work non-public before the embargo date.

osvdb has a nice email aggregator that sends all the distro update announcements, and the oss-security list has many of the CVE requests. Unfortunately, my personal time hasn't allowed much more than a quick read as they go by :/

I know many of you have been doing security-related bug reports and updates, which is great, thank you. If anyone wants to take a larger role in managing the process I'm more than happy to let that happen. While I have experience, the time I'm able to commit is less than helpful.

Comments, volunteers?

--
Stew Benedict
New Tazewell, TN