On Tue, Apr 11, 2006 at 08:52:47PM +0200, VMiklos wrote:
> i would say the infrastructure is mostly ready for testing. the security
> support is a more complex question, but without a good infrastructure it
> isn't possible at all. at the moment fdb2db, rf, syncd need to be
> improved for -stable, the new version of pacman and pacman-tools (the
> latter fixes only some warnings) is not yet released

First of all, thanks for adding these features :) I love rf, so I won't start the SEC support without that :)

Just an idea about it: we should add a file called RELEASE or so to the darcs tree. In that case rf would be able to handle these things automatically, so when I make changes in the -stable repo it should upload to -stable. IMO it reduces the opportunity for mistakes. What do you think?

Having syncd is also good. We should handle it manually too, but it's always cool to have things done automatically. And please add mail support on failure too, so we can keep track of what is really done.

> so it allows us, but i would not say start heavily using it, first it
> needs to be discussed. maybe start sec support from 0.5? the main
> questions:
> 1) who? only one person is not enough for this imho, but only a few
> devels (2-3 or 3-4) should do it, else the development will not be
> active enough

IMO for reporting these SEC things one developer is enough most of the time. Of course when I'm on holiday somebody should do it instead of me :) So having 2 guys for this is enough. But we have to have 2 devs in case someone quits or so.

In the case of Frugalware the fixes are done by the maintainers. For example, in Debian the sec fixes are done by the security team. I don't know why it is good for them, so I don't want to follow this method. So the SEC guys just report the bug and the m8r fixes it. In extraordinary cases (orphan package, m8r on holiday, etc.) we'll find out what to do. I think in this case the SEC team should handle it.

> 2) how? maybe voroskoi can tell us how he reports those [SEC] bugs to the
> bts

The current method is quite good IMO. The SEC team should give as much information as it can. I mean links. Not novels :) We can discuss the problems in the BTS if something isn't clear. Is it possible to create a SEC group in the BTS and add it to the notification list for every [SEC] bug?

> 3) when? maybe if everything is discussed then we could start a "testing"
> (to ensure that everything works well) support from pre2 or rc1

I agree. We have to start a testing support before the stable release to see and solve the problems that occur.

> 4) if we really start then more infrastructure: mailing lists, a common
> form to post advisories, etc

Yes, a mailing list is a must-have. Here we can report the *fixed* issues. So I don't want to report the problem itself on this mailing list, just the Frugalware-specific fixes. A report should look something like this:

1: Affected package with version number
2: Maybe a CVE or Secunia link
3: Link for the fixed packages, both for -current and -stable
4: My bank account :)

> to be clear, i help anybody with infrastructure development, but myself
> i really hate reading such sec mailing lists, and probably i'm not
> alone. that's why we would need a few people who can do this. if the
> infrastructure is ok, then after creating a patch (you should decide to
> do a version bump or extract the patch from the cvs, etc) it should not
> take more time than a normal version bump (regarding that a secfix
> provided by upstream needs less testing than a version bump imho)

Backporting the patch seems to be more difficult, but especially in -stable we have to take care with bumps. The good news is that our situation is much better than Debian's, as they have to backport to the ice age :)

-- 
voroskoi

_______________________________________________
Frugalware-devel mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-devel
