
Re: Problems with bodhi and security updates

Kevin Kofler wrote:
> One thing you could try:
> * change the type to Bugfix,
> * request push to stable,
> * change it back to Security.
> Unless they fixed that, it'll bypass the security team approval process. ;-)
>
> I accidentally discovered that because when I pushed the qimageblitz execstack fix, I requested a push to stable as a regular update, then realized it has security implications, so I set the security flag; the result is that they're now sitting in stable and have "Security team approval: False".

That's a rather ironic breakdown in the process, I would think; a security fix should get out as rapidly as possible, but it should also be verified to actually fix the security flaw... holding up the release of the fix to try it while other seemingly innocuous updates go out is just steeped in 'brokenness'.

A change in process to have the security team verify that fixes actually close the bugs they are supposed to close after the update is released sounds (to a guy outside the security review process) like a better idea:
1. package that fixes security flaw is built
2. push fix to testing (does it install? does it break other stuff?)
3. push fix to stable
4. security team checks that the security hole is really fixed, mark it so
5. otherwise tell maintainer to go back and do it again

It's only an increase in bandwidth for people who get the update (which might get replaced soon, and maybe doesn't fix the flaw). I'd rather have a maybe-fix than a definitely-not-fixed-yet, as long as some basic testing is still done.

Andrew Farris <lordmorgul gmail com> www.lordmorgul.net
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----
