Missing update advisories

Bernd Bartmann Bernd.Bartmann at sohanet.de
Mon Nov 29 11:43:15 UTC 2004


Jeff Spaleta wrote:
| On Mon, 22 Nov 2004 23:14:54 +0100, Bernd Bartmann wrote:
|
|>After FC3 final has been released several updates have been pushed out
|>to the mirrors and yet again we haven't seen any announcement for some
|>of them. Some announcements for FC2 and even FC1 are still missing too:
|
|
| As this list points out, this is a continuing process problem. The
| only guaranteed engineered solution to prevent this from happening is
| to make filing an announcement text a blocking requirement for
| submitting a package as an update. But that will require a level of
| automation and red tape that I don't think anyone inside the fenceline
| really wants to or has time to implement.
|
| It's my understanding that the primary reason these announcements
| aren't making it out the door is that individual maintainers are
| simply forgetting to create an announcement text and submit it to the
| announce list.
|
| As a compromise, I would like to suggest that an autobug filer script
| be created that would file a bug report against a component if an
| update goes unannounced for 3+ days in an effort to make the
| individual package maintainer aware of the problem in a timely
| fashion. While the summary reports to the public lists are somewhat
| useful... finding a way to poke the individual package maintainers
| more directly seems to be needed. All the information needed should
| be available from the master mirror... maybe just parsing the
| repository metadata would be enough.
|
| And I realize the existence of security issues greatly complicates
| when and how information is released. I'm trying to come up with
| a discreet solution that makes sure announcements don't fall through the
| cracks and are completely forgotten.
|
| Thoughts? Is a script designed to automate filing missing update
| announcement bugs a realistic and useful way forward?

As such a script doesn't seem to exist yet, what do you think of just opening
something like the tracker bug for FC3 where we add all the missing
update announcements? This means adding a separate bug to each package
without an update announcement and using this as a blocker for the tracker
bug. If this looks OK to you, I can volunteer and add these bugs.

Also, I think there should be a central instance (person) that sends out
all update announcements. Another thing that I already suggested over a
year ago is that all announcements should be GPG signed using a global
Fedora or Red Hat key.

Best regards.

--
Dipl.-Ing. (FH) Bernd Bartmann <Bernd.Bartmann at sohanet.de>
I.S. Security and Network Engineer
SoHaNet Technology GmbH / Kaiserin-Augusta-Allee 10-11 / 10553 Berlin
Fon: +49 30 214783-44 / Fax: +49 30 214783-46