On Wed, Apr 12, 2006 at 08:44:37AM +0200, VOROSKOI Andras <[EMAIL PROTECTED]> wrote:
> I love rf, so i won't start the SEC support without that :) Just an idea
> about it: We should add a file called RELEASE or so to the darcs tree.
> In that case rf would be able to handle these things automatically. So
> when i make changes in -stable repo it should upload to -stable. IMO it
> reduces the opportunity of mistakes. What do you think?

that's not too big a problem even without a RELEASE file. i mean to
determine if we're in -current or -stable. the stable->0.4 conversion is
the best if it's based on the symlink at /pub/frugalware (if necessary, i
can add a repoman option for this so that rf can use it)

> Having syncd is also good. We should handle it manually too, but it's
> always cool to have things done automatically. And please add mail
> support on fail too so we can keep track what is really done.

hmm, do we have a task for this?

> In case of Frugalware the fixes are done by the maintainers. For example
> in debian the sec fixes are done by the security team. I don't know why
> is it good for them, so i don't want to follow this method. So SEC guys
> just report the bug and the m8r fixes it. In extraordinary cases (orphan
> package, m8r on holiday, etc) we'll find out what to do. I think in this
> case the SEC team should handle it.

let's see. basically i don't know how much work it is to backport changes
with our release cycle (6 months). for example when a newer version
requires a newer lib, then we should extract the security fix - this kind
of work is very different from the work which is done in -current. doing
both in parallel is a nice idea - let's hope it's possible

btw Gentoo has a separate sec team for this, too. so maybe we should
consider this idea. something like:

1) SEC team notifies the m8r
2) m8r fixes the problem in -current
3) SEC team backports the fix to -stable

or this would be too much for the SEC team?

> The current method is quite good IMO. The SEC team should give as much
> information as it can. I mean links. Not novels :)
> We can discuss the problems in the BTS if something isn't clear.
> Is it possible to create a SEC group in BTS and add it to the
> notification list for every [SEC] bug?

ironiq?

if not, then we can still create an alias, for example [EMAIL PROTECTED]
which points to the necessary people :)

> > 4) if we really start then more infrastructure: mailing lists, a common
> > form to post advisories, etc
>
> Yes, a mailing list is a must-have. Here we can report the *fixed* issues.
> So i don't want to report the problem itself on this mailing list, just
> the frugalware specific fixes.
> A report should look similar:
> 1: Affected package with version number
> 2: Maybe a CVE or Secunia link
> 3: Link for the fixed packages both for -current and -stable
> 4: My bank account :)

probably after a few advisories we can make a script for this (less time,
less typos). and maybe here we should consider signing these mails with
gpg -> another question: a common key for the sec devels or one for each
dev? i'm not sure about this (at Slack this is not a question, only Pat
does such updates ;) )

udv / greetings,
VMiklos

-- 
Developer of Frugalware Linux, to make things frugal - http://frugalware.org
_______________________________________________
Frugalware-devel mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-devel
