On Wed, 10 Dec 2008 01:22:12 +0100 kevin.kofler@xxxxxxxxx (Kevin Kofler) wrote: > Colin Walters wrote: > > Just to be clear, the direct push into stable is my fault; not Red > > Hat's or other DBus developers or anyone else's. I had originally > > listed it for updates-testing, but then changed the update to > > security and in a moment of total stupidity also changed the > > listing for stable. > > Are you sure you were the one who requested the push to stable and > not the security team (when they gave their approval for the security > update)? The security team doesn't change where the update is set to go to. > I'm asking because the way Bodhi is set up, I think the security team > does not see where you actually intend security updates to be pushed > to, they all show up as requests for testing until they get approval, > and somehow they automatically get queued for stable on approval > unless explicitly canceled. That may be the case, but it's bodhi doing that, not the security team. We should confirm this behavior/fix it. > All this was so much simpler and more obvious before that useless > security team approval step was introduced (without really consulting > packagers outside of the security team). :-( What benefit does that > approval step bring us? It's obviously not QA or this update wouldn't > have ended up in stable! Security team checks the update for correctness with respect to CVE(s) fixed, that there is a tracking bug filed against the update, that it has some information about what the vulnerability is either in the update text or in the bug, that it points to upstream info about the bug, etc. There has been some talk of removing this step, but I think it's usefull for the above reasons. I have seen security updates come in with no bug attached, no CVE, and text of 'security update'. This is not usefull to our users, IMHO. I might be in a minority here tho, so perhaps the step should be removed. > > Kevin Kofler > kevin
Attachment:
signature.asc
Description: PGP signature
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
