1-2-3 out, time for FC2?

Eric Rostetter rostetter at mail.utexas.edu
Mon Apr 10 18:28:27 UTC 2006


Quoting Mike McCarty <Mike.McCarty at sbcglobal.net>:

> Eric Rostetter wrote:
>> Quoting Mike McCarty <Mike.McCarty at sbcglobal.net>:
>>
>>> I have volunteered some time for test if
>>
>> I will assume you mean the second part of QA, the "verify" step.
>
> Well, perhaps I used the word "test" in a technical sense.
> In my background, test means "verification of proper operation".

That is only part of testing.  For example, you don't want to release code
which operates properly, but isn't secure (contains a trojan, etc).

>> Now, here is the real kicker:
>>
>> You can do the first step of QA (publish votes rather than verify votes)
>> on ANY system and without compromising the system at all.  It only involves
>> comparing the files to other known files, etc.  You don't have to install
>> anything on the system.  So, you can help, within your constraints, if
>> you choose, by doing the first QA step rather than the second.
>
> Ok, if you can give me more information, I'll be glad to donate some
> time.

See http://www.fedoraproject.org/wiki/Legacy/QAPublish and follow the
info there.  Do the mandatory steps, but skip any optional steps which
you can't do because of disk space, installation, etc.

My own "checklist" reads:

* Download the old (original) package.
* Download the new package.
* Download the original upstream source of the patches, if needed.

* Compare the changelogs:
         rpm -qp --changelog old.rpm > old.changes
         rpm -qp --changelog new.rpm > new.changes
         diff -u old.changes new.changes | grep "^+"
* Compare the file lists:
         rpmdiff old.rpm new.rpm
* Compare the files:
         mkdir old; (cd old; rpm2cpio ../old.rpm | cpio -i --make-directories)
         mkdir new; ( cd new; rpm2cpio ../new.rpm | cpio -i --make-directories)
         diff -uNr old new | more
* Compare the patches in the new package to the upstream patch sources.

* If exploit is available:
         * test exploit to see if it works.
         * build and install new package.
         * test exploit to see if it fails.

You don't have to follow the same procedure though...

> Mike

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
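
The checklist step "Compare the patches in the new package to the upstream patch sources" comes with no command. One way to do it, as an added example that is not part of the original message: compare only the added and removed lines of each hunk, so a patch that was merely rediffed still matches. It assumes unified diffs; the file names and sample patches are constructed.

```shell
#!/bin/sh
# Print only the added/removed lines of each hunk. File headers, hunk offsets
# and context lines are skipped, since they change when a patch is rediffed.
patch_changes() {
    awk '
    /^@@ / && old == 0 && new == 0 {   # hunk header: @@ -s,count +s,count @@
        split($2, o, ","); split($3, n, ",")
        old = (o[2] == "") ? 1 : o[2] + 0
        new = (n[2] == "") ? 1 : n[2] + 0
        next
    }
    old > 0 || new > 0 {               # inside a hunk: consume exactly its lines
        c = substr($0, 1, 1)
        if (c == "-") { old--; print }
        else if (c == "+") { new--; print }
        else if (c != "\\") { old--; new-- }   # context; "\ No newline" is skipped
        next
    }' "$1"
}

# Succeed only if both files carry the same, non-empty set of changes.
same_patch() {
    a=$(patch_changes "$1"); b=$(patch_changes "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample data: an upstream fix, a rediffed copy, an altered copy.
make_samples() {
    cat > "$1/upstream.patch" <<'EOF'
--- a/src/name.c
+++ b/src/name.c
@@ -10,3 +10,4 @@
 int copy_name(char *buf, const char *p)
 {
-    strcpy(buf, p);
+    strncpy(buf, p, BUFSZ - 1);
+    buf[BUFSZ - 1] = 0;
EOF
    sed -e 's|a/src/name.c|pkg-1.0/src/name.c.orig|' \
        -e 's|b/src/name.c|pkg-1.0/src/name.c|' \
        -e 's|-10,3 +10,4|-14,3 +14,4|' "$1/upstream.patch" > "$1/packaged.patch"
    sed 's|BUFSZ - 1);|BUFSZ);|' "$1/packaged.patch" > "$1/altered.patch"
}

tmp=$(mktemp -d); make_samples "$tmp"
for p in packaged altered; do
    if same_patch "$tmp/upstream.patch" "$tmp/$p.patch"
    then echo "$p.patch: same changes as upstream"
    else echo "$p.patch: DIFFERS from upstream, review by hand"
    fi
done
rm -rf "$tmp"
```

A mismatch is not proof of tampering, since backports are often adjusted to fit older code; it marks the patches that need a line-by-line read.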



