How can we make security updates faster?

Michael Scherer misc at zarb.org
Mon May 28 21:49:55 UTC 2012


On Monday 28 May 2012 at 12:57 -0400, Paul Wouters wrote:
> Hi,
> 
> I've recently had release updates to two packages with CVE issues in
> them. A few weeks ago, pidgin-otr needed a lot of me prodding people
> to try it and give karma to get the security update out. Right now, my
> socat CVE security releases sit in all four branches with no karma after
> four days.
> 
> Is there something we can do to make these security updates move faster?
> 
> Perhaps a new mailing list that just announces the security releases, to
> remind people to test them and give karma.
> 
> Perhaps a gui app for people running post latest full release fedora
> installs that checks if some software you are using is in need of karma?

I would take this road.

In fact, one issue I have with updates is that to see if there is
something interesting to test, I go to:
https://admin.fedoraproject.org/updates/F17/testing

The first page is usually useless for this task: packages are not signed and
not on the mirrors either, and I prefer to take the easiest road of using
yum.
The 2nd page usually has the same problem, so I need to start looking
at the 3rd page to see testable packages, but sometimes not.

Then I need to look at every package to see if there is one that I can
test, either because it sounds interesting or because I use it.

If the package is new, I click on it to see the update, and then click
again on the package name to get to a page where I click to see a list
of updates and a list of links, one of them to the description of the package
in either pkgdb or community. And if I want to see the website of the
package, I need to google.

That's too many clicks just to see something to test. And I still haven't
installed it yet, and due to various mirror lags it sometimes doesn't
work, and so I forget.

The same goes for any notification list or for bugzilla. When I receive a
notification, the package is not yet installable, so I forget.

So yes, there needs to be a way to connect people who care about a piece of
software up to the point of testing it and giving karma. Being able to say
"warn me if there is a new package to test of $FOO", and having a
notification (popup, email, whatever) would surely help. And a
reminder to give karma (again, a popup after 1 day, saying "have you
tested this, does it work [yes] [ask me later] [do not ask me again]",
something like fedora-easy-karma would be enough).

Taking only into account packages in the updates-testing indexes, this would
remove the mirror lag issue.

-- 
Michael Scherer
