On 08/25/2011 01:12 PM, Samuel Verschelde wrote:
On Thursday, 25 August 2011 14:09:26, Samuel Verschelde wrote:
On 08/24/2011 08:50 PM, Samuel Verschelde wrote:
Hi,

I was told that QA Team's work's visibility needs to be improved, so as a
team member I'll try to give you some sort of status report.

- 1 has been validated by QA one month ago, but was assigned to security
team following updates policy for security fixes, and got no answer. We
have to improve either the policy or the security team here (or both).
Do you have a pointer to this bug? I'm not finding it in bugzilla. I'm
not sure what I can do with it once assigned back to secteam, aside from
write an advisory text. I don't have admin rights to release it, etc.
(afaik). It was basically my understanding that the secteam role is to
initiate the bug, provide patches, POC, and advisory text and the
maintainer do the update and pass it on to QA. I've stopped even
initiating because they are just sitting there in the new/unassigned
state, some for 2 months or more now. While a shiny new KDE is nice, not
pushing updates for published vulnerabilities makes us look bad, imho.
It's https://bugs.mageia.org/show_bug.cgi?id=2239

I think the initial idea in the updates policy is that security fixes have to
be tested by secteam to ensure that the security problem is not there anymore,
because sometimes the upstream or the packager fixes it in a wrong way or does
a mistake, so we need to ensure the security problems are really fixed.
Otherwise we risk saying that a security issue is fixed when it's not.
Obviously, this can't happen if the security team doesn't grow. Maybe some
kind of joint effort from security and QA could help ?

I already know updates that have been pushed without the security fixes being
tested.

Also, the security bugs being open in bugzilla and not addressed by the
packagers is a really big issue, that we have to find a way to fix as soon as
possible. Can you give us a link to the list of pending security issues ?

While I don't disagree with the theory, it's not workable with the current state, as I don't have enough free cycles to think about actually updating any packages and/or doing the testing. One has to keep in mind that in a past life this was nearly a full time job for 2 people to identify, fix, build, test, and release updates for the supported releases. The people that have inquired about helping with security issues quickly go away when they find out how inglorious(sic) it is.

Well, for instance, this is my "my bugs" list:

https://bugs.mageia.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&email1=stewbintn%40gmail.com&field0-0-0=bug_status&type0-0-0=notequals&value0-0-0=UNCONFIRMED&field0-0-1=reporter&type0-0-1=equals&value0-0-1=stewbintn%40gmail.com

and here's my "open security issues" list (if it works for others):

https://bugs.mageia.org/buglist.cgi?cmdtype=runnamed&namedcmd=Open%20security%20issues

First list is 8 bugs, 2nd is 25. 8 bugs wouldn't be an issue if they were 1 week or 2 old, but 2 months for a known issue with a published fix that everyone else has released is unacceptable.

I think others have done things with tags etc.

--

Stew Benedict
