On 8 June 2011 19:39, Ahmad Samir <ahmadsamir3...@gmail.com> wrote:
> On 8 June 2011 18:57, Christiaan Welvaart <c...@daneel.dyndns.org> wrote:
>> On Wed, 8 Jun 2011, Michael Scherer wrote:
>>
>>> On Wednesday 08 June 2011 at 10:40 +0200, Anne nicolas wrote:
>>>>
>>>> Hi there
>>>>
>>>> We have some stuff to complete here:
>>>> http://mageia.org/wiki/doku.php?id=security
>>>>
>>>> Can we spend the 2 or 3 coming days to finalize it and start updates
>>>> submits?
>>>
>>> Pascal is working on this.
>>>
>>> So here is a proposal:
>>> - anybody can submit a package to updates_testing.
>>> - once submitted to testing, it should ask QA to test, along with:
>>>   - a reason for the update (likely bug number)
>>>   - potentially a priority (i.e. if this is just a translation update or
>>>     an urgent 0-day exploit)
>>>   - a way to test the bug and see it is fixed
>>>   - text for the update
>>> - QA validates the update (with process to define)
>>> - someone moves the package from updates_testing to testing
>>
>> Someone from the security (stable updates) team I guess?
>>
>>> - the bug is closed
>>> - an announce is sent (on various media to be defined), with the text
>>>   of the update
>>
>> So who decides to reject an update and at what point? According to your
>> proposal, either QA people decide this or they waste time on updates that
>> later get rejected.
>>
>
> IMHO, rejection reasons:
> - The sec team doesn't think the update fixes a serious security
>   vulnerability; so it's not updates but backports
> - The QA team couldn't validate, i.e. using the test case in the bug
>   report, their test results didn't show that the bug is fixed
>

Adding to this:
- the bug is fixed, but it caused regressions somewhere else in the package
  itself, or in packages depending on it.

>>> So the points are:
>>> - no update can be uploaded without QA validation
>>
>> What does 'QA validation' mean exactly, can only certain people do it...?
>>
>
> IIUC, QA validation is that they use the test case given in the
> report; an example of a test case:
> - install package foo-1mga1 from */release
> - do foo bar, notice the app crashes
> - install the fixed package foo-1.1mga1 from */updates_testing
> - test again, the bug should be fixed
>
> If any of these steps fail, then it's not gonna get pushed as an
> update. And it should be the QA team doing the validation, i.e.
> experienced devs/packagers in that team.
>
>>> - QA manages the checks, and so will require help (hence the security
>>>   team or any packager can help, provided they know how to do QA)
>>
>> So a packager wants to fix a bug in a package that is not very visible,
>> sends it to QA, then has to test it anyway? I'm not sure what you're
>> saying here.
>>
>
> Not the packager committing the fix (if he doesn't think it's fixed
> he won't ask for an update to begin with), but the QA team; this team
> could/should have packagers in it.
>
>>
>> Christiaan
>>
>
> --
> Ahmad Samir

--
Ahmad Samir