[Mageia-dev] Security Update Process

2011-05-20 Thread Stew Benedict
OK,

Mageia 1 is approaching quickly and we need to get our process in place
for security updates. We talked a bit about it a few weeks ago, and I
started a wiki page, but it needs more detail. Anne and I chatted on IRC
and it looks like we'll want to cut off the on-the-iso updates at the
end of this week, so we need a process in place to release post-iso updates.

ref: http://mageia.org/wiki/doku.php?id=security

As I see it, initially we need, in no particular order:

1) a means to build updates for the release (iurt setup for mga1?)
2) a means to publish updates (mail list, web page)
3) a means to manage/track the updates (bugzilla?)
4) work out/publish the process so we all know how it works

And then of course we need people to be aware of vulnerabilities as they
are exposed. For now, we'll have to be slightly trailing until we can
show a history of releasing updates and hopefully gain access to the
closed list to get access to embargoed issues. Once that happens we will
possibly need additional infrastructure changes to keep the work
non-public before the embargo date.

osvdb has a nice email aggregator that sends all the distro update
announcements, and the oss-security list has many of the CVE requests.
Unfortunately, my personal time hasn't allowed much more than a quick
read as they go by :/ I know many of you have been doing security
related bug reports and updates, which is great, thank-you. If anyone
wants to take a larger role in managing the process I'm more than happy
to let that happen. While I have experience, the time I'm able to commit
is less than helpful.

Comments, volunteers?

-- 
Stew Benedict
New Tazewell, TN




Re: [Mageia-dev] Security Update Process

2011-05-19 Thread Anne Nicolas
2011/5/19 Dexter Morgan dmorga...@gmail.com:
 2011/5/18 Jérôme (saispo) Soyer sai...@gmail.com:
 On Mon, May 16, 2011 at 4:45 PM, Stew Benedict stewbi...@gmail.com wrote:
 OK,

 Mageia 1 is approaching quickly and we need to get our process in place
 for security updates. We talked a bit about it a few weeks ago, and I
 started a wiki page, but it needs more detail. Anne and I chatted on IRC
 and it looks like we'll want to cut off the on-the-iso updates at the
 end of this week, so we need a process in place to release post-iso updates.

 ref: http://mageia.org/wiki/doku.php?id=security

 As I see it, initially we need, in no particular order:

 1) a means to build updates for the release (iurt setup for mga1?)
 2) a means to publish updates (mail list, web page)
 3) a means to manage/track the updates (bugzilla?)
 4) work out/publish the process so we all know how it works

 And then of course we need people to be aware of vulnerabilities as they
 are exposed. For now, we'll have to be slightly trailing until we can
 show a history of releasing updates and hopefully gain access to the
 closed list to get access to embargoed issues. Once that happens we will
 possibly need additional infrastructure changes to keep the work
 non-public before the embargo date.

 osvdb has a nice email aggregator that sends all the distro update
 announcements, and the oss-security list has many of the CVE requests.
 Unfortunately, my personal time hasn't allowed much more than a quick
 read as they go by :/ I know many of you have been doing security
 related bug reports and updates, which is great, thank-you. If anyone
 wants to take a larger role in managing the process I'm more than happy
 to let that happen. While I have experience, the time I'm able to commit
 is less than helpful.

 Comments, volunteers?



 --
 Stew Benedict
 New Tazewell, TN




 Ok for me to integrate the team, reporting CVE, fixing them quickly as
 I can, and enhancing security in the distro :)


 You can count me in.


I guess you should use
http://mageia.org/wiki/doku.php?id=security#members to register

-- 
Anne
http://www.mageia.org


Re: [Mageia-dev] Security Update Process

2011-05-18 Thread saispo
On Mon, May 16, 2011 at 4:45 PM, Stew Benedict stewbi...@gmail.com wrote:
 OK,

 Mageia 1 is approaching quickly and we need to get our process in place
 for security updates. We talked a bit about it a few weeks ago, and I
 started a wiki page, but it needs more detail. Anne and I chatted on IRC
 and it looks like we'll want to cut off the on-the-iso updates at the
 end of this week, so we need a process in place to release post-iso updates.

 ref: http://mageia.org/wiki/doku.php?id=security

 As I see it, initially we need, in no particular order:

 1) a means to build updates for the release (iurt setup for mga1?)
 2) a means to publish updates (mail list, web page)
 3) a means to manage/track the updates (bugzilla?)
 4) work out/publish the process so we all know how it works

 And then of course we need people to be aware of vulnerabilities as they
 are exposed. For now, we'll have to be slightly trailing until we can
 show a history of releasing updates and hopefully gain access to the
 closed list to get access to embargoed issues. Once that happens we will
 possibly need additional infrastructure changes to keep the work
 non-public before the embargo date.

 osvdb has a nice email aggregator that sends all the distro update
 announcements, and the oss-security list has many of the CVE requests.
 Unfortunately, my personal time hasn't allowed much more than a quick
 read as they go by :/ I know many of you have been doing security
 related bug reports and updates, which is great, thank-you. If anyone
 wants to take a larger role in managing the process I'm more than happy
 to let that happen. While I have experience, the time I'm able to commit
 is less than helpful.

 Comments, volunteers?



 --
 Stew Benedict
 New Tazewell, TN




Ok for me to integrate the team, reporting CVE, fixing them quickly as
I can, and enhancing security in the distro :)


Re: [Mageia-dev] Security Update Process

2011-05-18 Thread Michael Scherer
On Monday 16 May 2011 at 18:08 +0200, Thierry Vignaud wrote:
 On 16 May 2011 18:05, Ahmad Samir ahmadsamir3...@gmail.com wrote:
  Mageia 1 is approaching quickly and we need to get our process in place
  for security updates. We talked a bit about it a few weeks ago, and I
  started a wiki page, but it needs more detail. Anne and I chatted on IRC
  and it looks like we'll want to cut off the on-the-iso updates at the
  end of this week, so we need a process in place to release post-iso
  updates.
 
  ref: http://mageia.org/wiki/doku.php?id=security
 
  As I see it, initially we need, in no particular order:
 
  1) a means to build updates for the release (iurt setup for mga1?)
 
  An iurt setup for mga1 will exist anyway; what is missing is a way to
  later upload to a non-public place.
  Initially, we can just setup youri to restrict submitting a build to
  updates_testing or updates to the secteam and it should be enough.
 
 
  Ideally packagers should be able to submit to update_testing when they
  want to push a fixed package to ask for testing. So restricting
  submitting to updates sounds more logical?
 
 What's more that matches what we were doing back @mdv.
 The process was:
 - trusted packagers upload into main/testing,
 - all packager can upload into contrib/testing,
 - ticket (for main/*) is opened & assigned to qa
 - people || qa test
 - if tests succeed, ticket is assigned to secteam
 - secteam rebuilds with its own sig & pushes the package

I would propose the following :
- packagers can upload to */updates_testing (with some limitations and
specific checks)
- tickets are opened for everything, assigned to QA
- people || qa test 
- if tests are ok, package is moved to */updates

I see no need to rebuild again on a different system, as we do not have
the resources.

-- 
Michael Scherer
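A toy model of the submission policy Michael proposes above, written as an added example for this thread; it is not Mageia's youri or iurt code and not part of any message here. It enforces the three rules the proposal contains: any packager may submit to `<media>/updates_testing`, a ticket is opened and assigned to QA for every submission, and a build is moved to `<media>/updates` only after QA has marked the ticket as tested and the move is requested by QA or the security team. The role names, media names, user names and the package name are assumptions chosen for illustration.

```python
"""Model of an update-submission policy: packagers -> updates_testing, QA ticket,
QA/secteam -> updates. Added example, not Mageia's youri/iurt code."""
from dataclasses import dataclass, field

# Assumed role names (the thread only speaks of packagers, QA and the secteam).
PACKAGER, QA, SECTEAM = "packager", "qa", "secteam"
# Assumed media names; the thread writes the targets as "*/updates_testing".
KNOWN_MEDIA = {"core", "nonfree", "tainted"}


@dataclass
class Ticket:
    package: str
    state: str = "open"       # open -> tested -> pushed
    assigned_to: str = QA     # every ticket starts with QA


@dataclass
class UpdatePolicy:
    roles: dict                                   # user -> set of role names
    testing: set = field(default_factory=set)     # builds in */updates_testing
    updates: set = field(default_factory=set)     # builds in */updates
    tickets: dict = field(default_factory=dict)   # package -> Ticket
    audit: list = field(default_factory=list)     # (user, action, package, verdict)

    def _decide(self, user, action, package, ok, reason):
        # Every allow/deny decision is logged so the trail can be reviewed later.
        self.audit.append((user, action, package, "allow" if ok else f"deny: {reason}"))
        return ok, reason

    def _has_role(self, user, *wanted):
        return bool(self.roles.get(user, set()) & set(wanted))

    def submit(self, user, package, target):
        """A packager submits a build; only <media>/updates_testing is allowed."""
        media, _, section = target.partition("/")
        if media not in KNOWN_MEDIA or section != "updates_testing":
            return self._decide(user, "submit", package, False,
                                f"{target} is not <media>/updates_testing")
        if not self._has_role(user, PACKAGER, SECTEAM):
            return self._decide(user, "submit", package, False, "not a packager")
        if package in self.tickets and self.tickets[package].state != "pushed":
            return self._decide(user, "submit", package, False, "update already in flight")
        self.testing.add(package)
        self.tickets[package] = Ticket(package)   # opened for everything, assigned to QA
        return self._decide(user, "submit", package, True, "queued for QA")

    def mark_tested(self, user, package):
        """QA records a successful test on the open ticket."""
        ticket = self.tickets.get(package)
        if ticket is None or ticket.state != "open":
            return self._decide(user, "test", package, False, "no open ticket")
        if not self._has_role(user, QA):
            return self._decide(user, "test", package, False, "only QA closes tickets")
        ticket.state = "tested"
        return self._decide(user, "test", package, True, "ticket marked tested")

    def push(self, user, package):
        """Move a build from updates_testing to updates; needs a tested ticket."""
        ticket = self.tickets.get(package)
        if ticket is None or ticket.state != "tested":
            return self._decide(user, "push", package, False, "ticket not tested")
        if not self._has_role(user, QA, SECTEAM):
            return self._decide(user, "push", package, False, "only QA/secteam push")
        self.testing.discard(package)
        self.updates.add(package)
        ticket.state = "pushed"
        return self._decide(user, "push", package, True, "published to updates")


def run_demo():
    """Walk one constructed update through the policy and return the policy state."""
    policy = UpdatePolicy(roles={"pkgr": {PACKAGER}, "qa1": {QA}, "sec1": {SECTEAM}})
    pkg = "foo-1.0-2.mga1"                            # constructed package name
    policy.submit("pkgr", pkg, "core/updates")          # denied: wrong target
    policy.submit("pkgr", pkg, "core/updates_testing")  # allowed, ticket opened
    policy.push("pkgr", pkg)                            # denied: not tested yet
    policy.mark_tested("qa1", pkg)                      # QA signs off
    policy.push("pkgr", pkg)                            # denied: packager cannot push
    policy.push("sec1", pkg)                            # allowed: secteam publishes
    return policy


if __name__ == "__main__":
    for entry in run_demo().audit:
        print(*entry)
```

The point of checking the ticket state before the caller's role in `push` is that a tested ticket is the precondition for publication regardless of who asks; the role check then decides who may perform the move. The audit list is what a reviewer would read to confirm that no build reached `updates` without passing through QA.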



Re: [Mageia-dev] Security Update Process

2011-05-18 Thread Cazzaniga Sandro
On 18/05/2011 22:38, Jérôme (saispo) Soyer wrote:
 On Mon, May 16, 2011 at 4:45 PM, Stew Benedict stewbi...@gmail.com wrote:
 OK,

 Mageia 1 is approaching quickly and we need to get our process in place
 for security updates. We talked a bit about it a few weeks ago, and I
 started a wiki page, but it needs more detail. Anne and I chatted on IRC
 and it looks like we'll want to cut off the on-the-iso updates at the
 end of this week, so we need a process in place to release post-iso updates.

 ref: http://mageia.org/wiki/doku.php?id=security

 As I see it, initially we need, in no particular order:

 1) a means to build updates for the release (iurt setup for mga1?)
 2) a means to publish updates (mail list, web page)
 3) a means to manage/track the updates (bugzilla?)
 4) work out/publish the process so we all know how it works

 And then of course we need people to be aware of vulnerabilities as they
 are exposed. For now, we'll have to be slightly trailing until we can
 show a history of releasing updates and hopefully gain access to the
 closed list to get access to embargoed issues. Once that happens we will
 possibly need additional infrastructure changes to keep the work
 non-public before the embargo date.

 osvdb has a nice email aggregator that sends all the distro update
 announcements, and the oss-security list has many of the CVE requests.
 Unfortunately, my personal time hasn't allowed much more than a quick
 read as they go by :/ I know many of you have been doing security
 related bug reports and updates, which is great, thank-you. If anyone
 wants to take a larger role in managing the process I'm more than happy
 to let that happen. While I have experience, the time I'm able to commit
 is less than helpful.

 Comments, volunteers?



 --
 Stew Benedict
 New Tazewell, TN



 
 Ok for me to integrate the team, reporting CVE, fixing them quickly as
 I can, and enhancing security in the distro :)
Ok for me too, integrate the team and work at reporting and fixing CVE,
and/or enhancing security of mga!

-- 
Sandro Cazzaniga - https://lederniercoupdarchet.wordpress.com
IRC: Kharec (irc.freenode.net)
Software/Hardware geek
Conceptor
Magnum's Coordinator/editor (http://wiki.mandriva.com/fr/Magnum)
Mageia and Mandriva contributor


Re: [Mageia-dev] Security Update Process

2011-05-16 Thread Pascal Terjan
On Mon, May 16, 2011 at 15:45, Stew Benedict stewbi...@gmail.com wrote:
 OK,

 Mageia 1 is approaching quickly and we need to get our process in place
 for security updates. We talked a bit about it a few weeks ago, and I
 started a wiki page, but it needs more detail. Anne and I chatted on IRC
 and it looks like we'll want to cut off the on-the-iso updates at the
 end of this week, so we need a process in place to release post-iso updates.

 ref: http://mageia.org/wiki/doku.php?id=security

 As I see it, initially we need, in no particular order:

 1) a means to build updates for the release (iurt setup for mga1?)

An iurt setup for mga1 will exist anyway; what is missing is a way to
later upload to a non-public place.
Initially, we can just setup youri to restrict submitting a build to
updates_testing or updates to the secteam and it should be enough.

 2) a means to publish updates (mail list, web page)
 3) a means to manage/track the updates (bugzilla?)
 4) work out/publish the process so we all know how it works

 And then of course we need people to be aware of vulnerabilities as they
 are exposed. For now, we'll have to be slightly trailing until we can
 show a history of releasing updates and hopefully gain access to the
 closed list to get access to embargoed issues. Once that happens we will
 possibly need additional infrastructure changes to keep the work
 non-public before the embargo date.

 osvdb has a nice email aggregator that sends all the distro update
 announcements, and the oss-security list has many of the CVE requests.
 Unfortunately, my personal time hasn't allowed much more than a quick
 read as they go by :/ I know many of you have been doing security
 related bug reports and updates, which is great, thank-you. If anyone
 wants to take a larger role in managing the process I'm more than happy
 to let that happen. While I have experience, the time I'm able to commit
 is less than helpful.

 Comments, volunteers?


Re: [Mageia-dev] Security Update Process

2011-05-16 Thread Ahmad Samir
On 16 May 2011 16:57, Pascal Terjan pter...@gmail.com wrote:
 On Mon, May 16, 2011 at 15:45, Stew Benedict stewbi...@gmail.com wrote:
 OK,

 Mageia 1 is approaching quickly and we need to get our process in place
 for security updates. We talked a bit about it a few weeks ago, and I
 started a wiki page, but it needs more detail. Anne and I chatted on IRC
 and it looks like we'll want to cut off the on-the-iso updates at the
 end of this week, so we need a process in place to release post-iso updates.

 ref: http://mageia.org/wiki/doku.php?id=security

 As I see it, initially we need, in no particular order:

 1) a means to build updates for the release (iurt setup for mga1?)

 An iurt setup for mga1 will exist anyway; what is missing is a way to
 later upload to a non-public place.
 Initially, we can just setup youri to restrict submitting a build to
 updates_testing or updates to the secteam and it should be enough.


Ideally packagers should be able to submit to update_testing when they
want to push a fixed package to ask for testing. So restricting
submitting to updates sounds more logical?

[...]

-- 
Ahmad Samir


Re: [Mageia-dev] Security Update Process

2011-05-16 Thread Ahmad Samir
On 16 May 2011 18:08, Thierry Vignaud thierry.vign...@gmail.com wrote:
 On 16 May 2011 18:05, Ahmad Samir ahmadsamir3...@gmail.com wrote:
 Mageia 1 is approaching quickly and we need to get our process in place
 for security updates. We talked a bit about it a few weeks ago, and I
 started a wiki page, but it needs more detail. Anne and I chatted on IRC
 and it looks like we'll want to cut off the on-the-iso updates at the
 end of this week, so we need a process in place to release post-iso
 updates.

 ref: http://mageia.org/wiki/doku.php?id=security

 As I see it, initially we need, in no particular order:

 1) a means to build updates for the release (iurt setup for mga1?)

 An iurt setup for mga1 will exist anyway; what is missing is a way to
 later upload to a non-public place.
 Initially, we can just setup youri to restrict submitting a build to
 updates_testing or updates to the secteam and it should be enough.


 Ideally packagers should be able to submit to update_testing when they
 want to push a fixed package to ask for testing. So restricting
 submitting to updates sounds more logical?

 What's more that matches what we were doing back @mdv.
 The process was:
 - trusted packagers upload into main/testing,
 - all packager can upload into contrib/testing,

(Off-topic: I am not sure this was the case in mdv in the past
2-3 years at least; all packagers could submit into main/testing).

 - ticket (for main/*) is opened & assigned to qa
 - people || qa test
 - if tests succeed, ticket is assigned to secteam
 - secteam rebuilds with its own sig & pushes the package




-- 
Ahmad Samir