[Frugalware-devel] security support

VMiklos vmiklos at frugalware.org
Sun Aug 20 20:08:24 CEST 2006


On Sat, Aug 19, 2006 at 05:00:45PM +0200, VOROSKOI Andras <voroskoi at frugalware.org> wrote:
> > 1) wait till the packages are on the server
> > 2) in a dedicated repo (or it can be homepage-ng if we would like) the
> > FSAs would be stored in a similar form as the current news (just with
> > the structure you've proposed) and after the push the mail would be
> > generated (sha1sums, gpg signing)
> 
> Sounds good.

Alex, then could you please design an xml for this under
homepage-ng/frugalware/xml?

> 
> > hmm, technically that would mean database structure changes, do we
> > really need it? we could just append a "-stable affected, too". (ok, not
> > the best solution, but as long as we don't have a dedicated bts engine
> > maintainer it's a problem)
> 
> Well, ok. But then you can not search for not fixed SEC bugs in -stable. Well, does not really matter.

what about adding a new "Fixed in -current" status? and all the bugs
that are already fixed in -current but not yet in -stable would have
that status

a new question: what should be the whole procedure? i mean something
like this:
1) you/the sec team open(s) a [SEC] bug
2) the maintainer fixes the issue in -current and decides if the issue
needs fixing in -stable or not. if yes, then changes its status to
"Fixed in -current" otherwise closes the task
3) the sec team regularly searches for "Fixed in -current" bugs, fixes
the issue in -stable and releases an FSA

is this approach ok?

udv / greetings,
VMiklos

-- 
Developer of Frugalware Linux, to make things frugal - http://frugalware.org

