Missing update advisories

Bernd Bartmann Bernd.Bartmann at sohanet.de
Mon Nov 29 15:03:43 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff Spaleta wrote:
| On Mon, 29 Nov 2004 12:43:15 +0100, Bernd Bartmann
| <bernd.bartmann at sohanet.de> wrote:
|
|>As such script doesn't seem to exist yet what do think of just opening
|>something like the tracker bug for FC3 where we add all the missing
|>update announcements. This means adding a separate bug to each package
|>without update announcement and using this as an blocker for the tracker
|>bug. If this looks ok to you I can volunteer and add these bugs.
|
|
| Getting individual bug reports against each component is the goal...
| but security issues
| makes the use of a tracking bug tricky.  There will be circumstances
| that will require bugs to be marked as private. Having a tracking bug
| for missing annoucements could very well mean the tracking bug itself
| will have to be marked private....defeating the point of the trackiing
| bug.  Individual bug reports to components, aren't as tricky... the
| package maintainer can mark individual reports as private if need be
| without impacting other components.
|
|
|>Also I think there should be a central instance (person) that sends out
|>all update announcement. Another thing that I already suggested over a
|>year ago is that all announcements should be GPG signed using a global
|>Fedora or Red Hat key.
|
|
| This requires automation in the build process and how maintainers
| interact with the build system and how you define a build master
| individual or automated signing.  I think there has been great
| reluctance to work on this part of the build system until after Fedora
| Extras officially launches.. in order to prevent having to redo this
| again once contributor updates start flowing.  I'm pretty sure other
| people recognize something along these lines has to be done.. but the
| focus has been on getting the build system opened up for non Red Hat
| contributors. Once this happens... I hope internal efforts can be
| refocused on identifying several rougher aspects of the red hat and
| contributor build process including annoucement generation that need
| some automation love.
|
| I personally see the only garunteed solution for annoucements is to
| demand annoucement text be in the system when a package maintain
| submits a build to be an update.  And such an annoucement requirement
| will have to be flexible enough to take into account security embargos
| so that an annoucement text can be requested to show up on a certain
| date...after the package is in the update tree if need be.  This is
| the only way to prevent packagers from forgetting about annoucement
| text generation. Right now, its not so tough to find a red hat
| employee to beat up on another red hat employee if you have access to
| any red hat people on a daily basis. But in the future... for fedora
| extras.. its going to be much harder to get access to far flung
| contributors who are using the same build process as Core maintainers.
| And i think people realize the problem exists and I hope they realize
| it will get worse once contributors can start spinning up packages
| into extras from the same build system. But any real process solution,
| is going to have to fit inside the details of the contributor build
| process.. which isn't finalized.  Its just one of those situations
| where  the problem is obvious, and the potential solution space is
| very wide.. but all specific constraints aren't in place yet to build
| a workable implementation that fits the larger process.

Jeff, this is all nice and your broader view for future things to come
is good too, but right now I only care about all the updates that were
already released and haven't seen any announcement yet.

Best regards.

- --
Dipl.-Ing. (FH) Bernd Bartmann <Bernd.Bartmann at sohanet.de>
I.S. Security and Network Engineer
SoHaNet Technology GmbH / Kaiserin-Augusta-Allee 10-11 / 10553 Berlin
Fon: +49 30 214783-44 / Fax: +49 30 214783-46
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBqzpPkQuIaHu84cIRArXtAJsHuyWNXV85tTV3S8lDJfar/MTmrQCdEUiZ
Uk6DKRPkKmgcfDCYzIflcmU=
=vS6s
-----END PGP SIGNATURE-----




More information about the fedora-devel-list mailing list