21:01:30 <misc> #startmeeting
21:01:30 <Inigo_Montoya> Meeting started Wed Jan  4 21:01:30 2012 UTC.  The chair is misc. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:01:30 <Inigo_Montoya> Useful Commands: #action #agreed #help #info #idea #link #topic.
21:01:31 <erzulie> [ MeetBot - Debian Wiki ]
21:03:14 <misc> so besides me, who is here for the meeting ?
21:03:20 <rindolf> misc: I am.
21:03:32 <rindolf> misc: though I may go to sleep soon.
21:03:38 <leuhmanu> o/
21:03:51 * doktor5000_ raises arm
21:04:10 <ryoshu> I'm listening to you
21:04:11 <misc> rindolf: yep, sorry about mixed up time
21:04:32 <bkor> me
21:04:49 <misc> ok
21:04:55 <misc> #topic alpha 3
21:05:12 <misc> so the only thing to announce is that we are near alpha 3
21:05:29 * Stormi here too
21:05:47 <rindolf> Bye all.
21:05:49 <rindolf> Good night.
21:05:58 <misc> https://wiki.mageia.org/en/Mageia_2_development
21:05:59 <erzulie> [ Mageia 2 development - Mageia wiki ]
21:06:37 <misc> the publication is planned on 12/01/12
21:06:53 <misc> #info alpha 3 is still planned for 12/01
21:07:33 <misc> as usual, we do a freeze before, and we ask people to postpone heavy changes until after the alpha 3 release
21:08:45 <misc> anne has more info than me, but she is not here tonight
21:09:58 <misc> anyway, i do not have more to add on the topic :/, so if people have questions, try to direct them on the ml
21:10:27 <misc> leuhmanu: bug triage ?
21:10:38 <misc> or Stormi, coincoin, qa ?
21:10:56 <leuhmanu> nothing to add for the bugsquad
21:11:04 <Stormi> about QA, the number of update candidates has risen recently
21:11:07 <misc> #topic bugsquad
21:11:13 <misc> #info nothing to say
21:11:16 <misc> #topic QA
21:11:48 <Stormi> maybe because of a lot of recent security updates
21:11:53 <leuhmanu> yep thanks to a lot of missing security bugs
21:12:28 <Stormi> so any help is welcome to reduce the number to a more sustainable one
21:12:41 <Stormi> otherwise there can be some delay in security updates
21:13:04 <misc> #info help is needed to cope with numerous security updates
21:13:14 <misc> what kind of help, to be precise ?
21:13:20 <leuhmanu> #url for the buglist https://bugs.mageia.org/buglist.cgi?cmdtype=dorem&remaction=run&namedcmd=waiting%20for%20QA%20test&sharer_id=22
21:13:22 <erzulie> [ Log in to Bugzilla ]
21:13:41 <Stormi> testing update candidates
21:13:48 <Stormi> following https://wiki.mageia.org/en/QA_process_for_validating_updates
21:13:49 <erzulie> [ QA process for validating updates - Mageia wiki ]
21:15:40 <misc> ok
21:15:42 <doktor5000> if we're at it, is there any progress/change about security team?
21:15:58 <leuhmanu> I guess no
21:16:49 <misc> nothing to add for QA team ?
21:17:20 <Stormi> The other topic would be the alpha
21:17:31 <misc> yep, but i guess that's the same as usual ?
21:17:36 <Stormi> I think so
21:17:45 <misc> so you can explain :)
21:18:27 <Stormi> Well, I haven't participated in the alpha 2 tests, but globally a limited number of people are given links to the ISOs in advance and test them in a timely manner
21:18:35 <Stormi> and report blocking bugs
21:19:05 <Stormi> the qa-discuss mailing list is used for discussion
21:19:10 <Stormi> as well as #mageia-qa
21:19:31 <Stormi> so anyone really wanting to test before release of alpha3 can hang there and show their interest
21:20:45 <misc> #info same process as usual for alpha 3, tester for iso before the release, irc on #mageia-qa, ml on qa-discuss
21:20:46 <Stormi> for those kinds of tests, what's really needed is a few people available for a few days, rather than lots of testers with only minutes to spare
21:21:32 <doktor5000> out of curiosity, wouldn't it be generally better for more widespread testing in the same timeframe to make them directly available to the public?
21:21:35 <misc> ( for those, there is security update )
21:22:03 <Stormi> doktor5000: it makes the pre-release testing phase hard to handle
21:22:11 <misc> doktor5000: well, I would be in favor, but people must not think that's the real alpha
21:22:31 <misc> and as Stormi says, this forces people to contact the team
21:23:09 <Stormi> yep, someone who wants to test can come in and join, usually they'll be given access to the isos
21:24:01 <stblack> could be useful to say what to test, I mean only the install process or other or all.
21:24:36 <misc> I didn't participate but that's explained, I think
21:24:49 <Stormi> there's a wiki page : https://wiki.mageia.org/en/QA_process_for_testing_installations
21:24:50 <erzulie> [ QA process for testing installations - Mageia wiki ]
21:26:25 <Stormi> and there's usually a collaborative pad where people report their testing results (qa-discuss ML is good for that too)
21:29:00 <Stormi> I think that's all for QA
21:29:47 <misc> ok
21:29:54 <misc> no one for mentoring ?
21:29:56 <AL13N> about alpha3, i'll still submit the fixes for mariadb, but i'm just correctly trying to get readline to become GPLv2 + GPLv3
21:30:39 <Stormi> For mentoring I think what we can infer from the mailing list is that there are still candidates coming, and need mentors for them
21:31:31 <Stormi> one of them having been waiting for one month and having packaging background
21:31:45 <leuhmanu> speaking about mentoring
21:31:59 <leuhmanu> is there a plan to fix some bugs https://wiki.mageia.org/en/Packagers_Howto_start#Work_suggestions_for_apprentices ?
21:32:02 <erzulie> [ Packagers Howto start - Mageia wiki ]
21:33:25 <misc> leuhmanu: ie ?
21:33:45 <leuhmanu> resolving bugs with a patch :)
21:33:51 <leuhmanu> or easy to fix
21:34:32 <leuhmanu> we have keyword in the bugzilla
21:35:31 <misc> just add them, and notify mentor
21:35:39 <leuhmanu> but know people/padawan that there are some nice jobs ?
21:36:04 <leuhmanu> ok I will ping andre then
21:38:20 <misc> #topic mentoring
21:38:42 <misc> #action leuhmanu remind mentors to use the junior job keyword bugs for apprentice
21:44:50 <doktor5000> about security team, IMHO we need someone who is dedicated to opening security bugreports, links to CVEs, maybe gives links to POCs, and maybe even gives a link to upstream commits for that, and checks which distro version is susceptible to a given security issue
21:45:16 <doktor5000> like what stewb did
21:45:19 <misc> doktor5000: that was the point
21:45:28 <misc> but nothing prevents anyone from doing it now
21:46:04 <doktor5000> misc: well, if anyone can do it, usually that translates to nobody does it regularly
21:46:08 <pterjan> I do it every few months for a few bugs
21:46:23 <misc> doktor5000: yes, but I mean we just need to ask someone to do it
21:46:36 <pterjan> I think we need several people
21:47:00 <pterjan> there are several to investigate everyday
21:47:15 <doktor5000> misc: pterjan: well at least one dedicated person only for this, maybe two would be better
21:47:18 <pterjan> I had started looking at ways to script it
21:47:27 <pterjan> (checking versions)
21:47:33 <pterjan> but did not progress much
21:47:59 <doktor5000> pterjan: i think that's what fedora is doing, they usually get the cve's directly into their bugzilla, IINM
21:48:30 <doktor5000> maybe someone can ask vdanen about that? anyone still in contact with him?
21:48:41 <misc> I think vdanen is rather busy
21:48:50 <pterjan> no but ask if they have scripts
21:49:07 <misc> I guess I can ask, I think vdanen still remembers me
21:49:17 <pterjan> I am sure he remembers me :]
21:49:50 <misc> pterjan: that's the problem I think, he still remembers you
21:50:12 <misc> #topic security
21:50:33 <ryoshu> is cjw alive?
21:50:51 <misc> #action misc try to contact vdanen to see if there is script for pushing cve to bugzilla
21:51:01 <ryoshu> he is mentoring kicer86... and the apprentice has no contact with the mentor
21:51:06 <Maeztro> Stormi: I have four or five apprentices from blogdrake, but they have been very busy lately and our mentoring process is kinda stalled with most of them right now, so I'll take him :)
21:51:06 <misc> #info someone is needed to take care of sec bug
21:51:19 <Stormi> Maeztro: great
21:51:51 <misc> ok so can i close the meeting ?
21:52:19 <pterjan> http://web.archiveorange.com/archive/v/lEZ53Zdetx1VBBDGM8fC
21:52:19 <erzulie> [ fedora-security/tools/scripts add-cve-bug, 1.1.2.1, 1.1.2.2 - Commit messages about changes in fedora-security module - ArchiveOrange ]
21:52:21 <Maeztro> Stormi: :)
21:53:26 <pterjan> http://jur-linux.org/git/?p=cvs-fedora-security.git;a=summary
21:53:27 <erzulie> [ jur-linux - cvs-fedora-security.git/summary ]
21:54:36 <bkor> urgh, perl
21:55:41 <pterjan> but anyway adding to bugzilla is not the difficult part
21:56:01 <misc> http://git.fedorahosted.org/git/?p=fedora-security.git;a=summary is the canonical url
21:56:03 <erzulie> [ Fedora Hosted Git Repositories - fedora-security.git/summary ]
21:56:09 <pterjan> checking if we have a package from that software, and which versions, and if they are impacted is the interesting one
21:56:35 <misc> ( http://osvdb.org/ is interesting too )
21:56:36 <erzulie> [ OSVDB: The Open Source Vulnerability Database ]
21:56:44 <leuhmanu> nice
21:56:57 <pterjan> misc: yes I started looking at it
21:57:25 <pterjan> having a file similar to http://git.fedorahosted.org/git/?p=fedora-security.git;a=blob;f=audit/f11;h=0c2188a1594b146e3d7c65889b42ca99821259d7;hb=HEAD would be a good start actually
21:57:26 <erzulie> [ Fedora Hosted Git Repositories - fedora-security.git/blob - audit/f11 ]
21:58:24 <doktor5000> pterjan: boils down to someone dedicated auditing all packages, no?
21:58:46 <pterjan> doktor5000: no because anyone can add to this file when they have time
21:58:59 <pterjan> and the not yet looked at ones are tracked
21:59:54 <pterjan> and we can see later how to analyse some to fill part of it automatically, and create bugs from the VULNERABLE lines
22:00:05 <Stormi> better tools, less work :)
22:00:29 <misc> there is also this : http://www.awe.com/mark/blog/20110518.html
22:00:30 <erzulie> [ Mark J Cox : Red Hat Security Advisories in CVRF ]
22:01:05 <pterjan> yeah we can probably also steal from their updates and/or debian ones :)
22:01:08 <misc> in fact, I guess we should try to propose a discussion about this at fosdem, or ask other distros how they do it
22:02:50 <pterjan> I can have a look again and see the available parsable sources
22:03:12 <leuhmanu> does Oden only read the dedicated ml ?
22:03:33 <leuhmanu> (if somebody knows :) )
22:03:58 <misc> pterjan: maybe put this in youri :)
22:04:02 <misc> leuhmanu: ?
22:05:04 <pterjan> yes that could be a check
22:05:20 <pterjan> "this package has a listed cve which was not reviewed and put in the file"
22:05:52 <doktor5000> pterjan: that sounds nice
22:06:12 <AL13N> that's a good one!
22:06:47 <AL13N> blocking cauldron, until the fix for mga1 is done
22:07:53 <AL13N> i mean submissions of course
22:11:50 <misc> ok so can we close the meeting ?
22:12:01 <leuhmanu> yep
22:12:13 <misc> #endmeeting