On Mon, May 16, 2011 at 15:45, Stew Benedict <stewbi...@gmail.com> wrote:
> OK,
>
> Mageia 1 is approaching quickly and we need to get our process in place
> for security updates. We talked a bit about it a few weeks ago, and I
> started a wiki page, but it needs more detail. Anne and I chatted on IRC
> and it looks like we'll want to cut off the "on the iso" updates at the
> end of this week, so we need a process in place to release post-iso updates.
>
> ref: http://mageia.org/wiki/doku.php?id=security
>
> As I see it, initially we need, in no particular order:
>
> 1) a means to build updates for the release (iurt setup for mga1?)

An iurt setup for mga1 will exist anyway; what is missing is a way to later upload to a non-public place. Initially, we can just set up youri to restrict submitting a build to updates_testing or updates to the secteam, and it should be enough.

> 2) a means to publish updates (mail list, web page)
> 3) a means to manage/track the updates (bugzilla?)
> 4) work out/publish the process so we all know how it works
>
> And then of course we need people to be aware of vulnerabilities as they
> are exposed. For now, we'll have to be slightly trailing until we can
> show a history of releasing updates and hopefully gain access to the
> closed list to get access to embargoed issues. Once that happens we will
> possibly need additional infrastructure changes to keep the work
> non-public before the embargo date.
>
> osvdb has a nice email aggregator that sends all the distro update
> announcements, and the oss-security list has many of the CVE requests.
> Unfortunately, my personal time hasn't allowed much more than a quick
> read as they go by :/ I know many of you have been doing security-related
> bug reports and updates, which is great, thank you. If anyone
> wants to take a larger role in managing the process I'm more than happy
> to let that happen. While I have experience, the time I'm able to commit
> is less than helpful.
>
> Comments, volunteers?