how to improve the efficiency [Re: Round-up, 2004-11-28]
Pekka Savola
pekkas at netcore.fi
Fri Dec 3 10:00:58 UTC 2004
On Mon, 29 Nov 2004, Marc Deslauriers wrote:
> On Mon, 2004-11-29 at 09:02 +0200, Pekka Savola wrote:
>> accounts). Is there any chance of making the update creation and
>> verification a bit simpler, so that it wouldn't take so damned huge
>> amount of work to get an update out..?
>
> It would be nice to simplify the process so more users can contribute.
> Do you have any suggestions?
OK, let me try to see if I could improve this a bit.
Use of Bugzilla:
- having to register a fedora.us bugzilla account, it would be better
to use RH's bugzilla if possible/reasonable.
- bugzilla being too user-unfriedly; for example, the GUI at
http://bugzilla.fedora.us/query.cgi has _way_ too many options and
scares people away. You'll definitely want something simpler, like
the interface Red Hat is using.
Use of PGP signatures:
- Is it necessary to use PGP signatures when reporting at bugzilla?
Bugzilla already provides user authentication, so this only gives
relatively little additional protection. It's much simpler if you
would not need to hassle with PGP at all if you just want to report
whether a package works or not. It's (more) OK to require the use of
PGP for those who submit the actual packages, etc., though.
Documenting the process very clearly and providing tools to help in
the process:
- the QA Testing process needs to be much more explicit on what
_exactly_ should be done at each step of the process:
1) REQUIRED to do
2) RECOMMENDED to do
- For example: updates-testing says:
1. Download the binary RPM package from the updates-testing channel.
2. Verify the integrity of the downloaded package (see
http://www.fedoralegacy.org/about/security.php).
3. Install the package, and note any installation problems.
4. Use the package (as appropriate for the package), and note any
problems found.
These must be more explicit. What exactly must be verified at "2"?
How do you report being successful after "4"?
The same applies to the rest. We'll need a (hopefully short and
concise) list which we can point people to, and say "follow these 3
steps and you're done." If it's a lot of steps (more than, say, 5),
we'll want to create scripts to help in the process -- e.g., one which
compares the original SRPM and the updated SRPM and shows the results
(recursing through tarballs etc.); one that does the same for
binaries; etc. -- I think these have already circulated on a list half
a year ago or so.
There should also be more documentation at least on following:
1) documenting new vulnerabilities (I think Jesse has mostly been
doing this) -- in bugzilla?
2) how you proceed if there is new vulnerability in the same package
which is already in the process but not released to updates yet.
3) how do you go about from proposing an updated package (in response
to 1), and how that gets into the build system.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
More information about the fedora-legacy-list
mailing list