* [gentoo-dev] Testing instructions for security bugs
From: Lars Weiler @ 2004-08-22 2:24 UTC
To: gentoo-dev

Hi devs,

I would like to ask if it is possible to add testing
instructions for security bugs on packages that need some
stable love?

I am not the only one who has several times had the problem
of finding out whether a package really works on a given
architecture besides compiling fine. The package maintainer
could better add a note on how to test a package than the
arch-devs, who first have to find out how a special package
works.

Regards, Lars

* Re: [gentoo-dev] Testing instructions for security bugs
From: Joshua J. Berry @ 2004-08-22 3:30 UTC
To: gentoo-dev; +Cc: Lars Weiler

On Saturday 21 August 2004 19:24, Lars Weiler wrote:
> Hi devs,
>
> I would like to ask if it is possible to add testing
> instructions for security bugs on packages that need some
> stable love?
By "security bugs", what do you mean? Testing FOR security bugs, or general
testing after security@ has requested a bump? Or something completely
different?
-----------------------------------------
Joshua J. Berry
"I haven't lost my mind -- it's backed up on tape somewhere."
-- /usr/games/fortune
NOTE: Please do not submit this email address to any mailing
lists or websites without prior permission. Thank you.

* Re: [gentoo-dev] Testing instructions for security bugs
From: Lars Weiler @ 2004-08-22 4:25 UTC
To: gentoo-dev

* Joshua J. Berry <condordes@gentoo.org> [04/08/21 20:30 -0700]:
> By "security bugs", what do you mean? Testing FOR
> security bugs, or general testing after security@ has
> requested a bump? Or something completely different?
When security requested a bump. And to extend this, also
packages where the maintainer requests a bump without a
security-reason.
Regards, Lars

* Re: [gentoo-dev] Testing instructions for security bugs
From: Jason Wever @ 2004-08-22 4:55 UTC
To: Gentoo Dev Mailing List

On Sun, 22 Aug 2004, Lars Weiler wrote:
> When security requested a bump. And to extend this, also
> packages where the maintainer requests a bump without a
> security-reason.
I'll second this motion. I've asked this a few times before but the
general consensus is that people do not want to do work that, while it
inconveniences them, saves time for a lot more people. However there are
some folks who are kind enough to provide test cases, and to them I am
very grateful :)

If and when QA becomes a more serious force than it is now, I think this
should be something to be considered to be added to the list of "stuff you
need to do as a Gentoo package maintainer".
--
Jason Wever
Gentoo/Sparc Co-Team Lead
--
gentoo-dev@gentoo.org mailing list

* Re: [gentoo-dev] Testing instructions for security bugs
From: Jason Huebel @ 2004-08-23 20:45 UTC
To: gentoo-dev

On Saturday 21 August 2004 11:55 pm, Jason Wever wrote:
> I'll second this motion. I've asked this a few times before but the
> general consensus is that people do not want to do work that, while it
> inconveniences them, saves time for a lot more people. However there are
> some folks who are kind enough to provide test cases, and to them I am
> very grateful :)
>
> If and when QA becomes a more serious force than it is now, I think this
> should be something to be considered to be added to the list of "stuff you
> need to do as a Gentoo package maintainer".
>
> --
> Jason Wever
> Gentoo/Sparc Co-Team Lead
I like this too. A request for a bump for security reasons should include a
test case so that the arch maintainer can verify the fix worked.
--
Jason Huebel
Gentoo/amd64 Strategic Lead
Gentoo Developer Relations/Recruiter
GPG Public Key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9BA9E230
"Do not weep; do not wax indignant. Understand."
Baruch Spinoza (1632 - 1677)

* Re: [gentoo-dev] Testing instructions for security bugs
From: Kurt Lieber @ 2004-08-23 23:49 UTC
To: gentoo-dev

On Mon, Aug 23, 2004 at 03:45:49PM -0500 or thereabouts, Jason Huebel wrote:
> I like this too. A request for a bump for security reasons should include a
> test case so that the arch maintainer can verify the fix worked.
While I am not opposed to the idea, the security team isn't in a position
to take on this responsibility. We don't have the staffing (or, quite
frankly, the interest) to figure out how to use every single package in our
tree.

If folks want this to be implemented, it needs to be the responsibility of
the package maintainers. (and, if we decide to do this, I will be willing
to write test cases for the packages I maintain.)
--kurt

* Re: [gentoo-dev] Testing instructions for security bugs
From: Jason Wever @ 2004-08-24 3:58 UTC
To: Gentoo Dev Mailing List

On Mon, 23 Aug 2004, Kurt Lieber wrote:
> While I am not opposed to the idea, the security team isn't in a position
> to take on this responsibility. We don't have the staffing (or, quite
> frankly, the interest) to figure out how to use every single package in our
> tree.
I agree. Having security come up with these test cases is almost a
replica of what is trying to be avoided. As package maintainers are
normally involved in the security bugs for said package, I don't think
this should be a big stretch.

Plus coming up with a test case for a security bug eases the pain when you
start slapping us arch people around to bump your package to a new stable
rev :)
--
Jason Wever
Gentoo/Sparc Co-Team Lead

* Re: [gentoo-dev] Testing instructions for security bugs
From: Lars Weiler @ 2004-08-24 4:03 UTC
To: Gentoo Dev Mailing List

* Jason Wever <weeve@gentoo.org> [04/08/23 21:58 -0600]:
> I agree. Having security come up with these test cases is almost a
> replica of what is trying to be avoided. As package maintainers are
> normally involved in the security bugs for said package, I don't think
> this should be a big stretch.
Yes, that was also my intention to ask the
package-maintainer for a test-case.

The question now is, if the security-team is able to ask for
the test-case and would also do it?
Regards, Lars

* Re: [gentoo-dev] Testing instructions for security bugs
From: Kurt Lieber @ 2004-08-24 9:16 UTC
To: Gentoo Dev Mailing List

On Tue, Aug 24, 2004 at 06:03:23AM +0200 or thereabouts, Lars Weiler wrote:
> The question now is, if the security-team is able to ask for
> the test-case and would also do it?
If we want test cases for our ebuilds, doesn't it make more sense to
require that as part of the ebuild process in the first place?

As others have pointed out, having test cases is useful not only for
security bugs, but for arch stable bumping, etc.
--kurt