
Re: [oss-security] Contributing Back

Hi Joe, hi Anthony -

I'll over-quote a bit since it's an old thread:

On Mon, Jul 15, 2019 at 09:28:01PM +0200, Solar Designer wrote:
> On Mon, Jul 15, 2019 at 11:54:23AM -0700, Anthony Liguori wrote:
> > On Mon, Jul 15, 2019 at 11:47 AM Joe McManus <joe.mcmanus AT canonical.com> wrote:
> > > > On Tue, Jul 09, 2019 at 07:00:36PM -0600, Joe McManus wrote:
> > > > > Hey All - The Ubuntu Security Team would like to sign up for items 3,4
> > > > > & 5 from the technical list <
> > > > > https://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back
> > > > > >:
> > > > >
> > > > > 3 - Review and/or test the proposed patches and point out potential issues
> > > > >   with them [...]
> > > > > 4 - Check if related issues exist in the same piece of software [...]
> > > > > 5 - Check if related issues exist in implementations of similar
> > > > >   functionality in other software [...]
> [...]
> > > Yes, this will be taken care of by Ubuntu Security Team members who
> > > are already on the list, however if after some time we need to cycle
> > > someone in or out I might come asking. I know you don't want to add
> > > anyone so we will do our best to prevent this from happening.
> > >
> > > For 3 we can be either primary or backup, just let me know your
> > > preference and we'll do the work.
> > 
> > I would be happy for y'all to be primary.  We don't ship as many
> > packages as Ubuntu does so there will be more things that you are
> > likely to test compared to what we do.
> 
> OK, I've just listed Ubuntu as primary for 3, 4, 5.  Amazon is now
> backup for 3.
> 
> Please note that these items include "and inform the list of the work
> done even if no issues were encountered" (item 3), "and inform the list
> either way" (items 4, 5), so we'll expect replies to the list as per
> these items for each and every issue reported to there.

I am not seeing this "inform the list either way" stuff actually
happening.  Without it, no other distro has a way to know the work is
actually being done.  Once I had pointed this need out a while before,
Amazon briefly started making those mandatory postings for task 3, until
they were replaced by Ubuntu as primary.  In fact, given the lack of
such postings by Ubuntu, I would still expect Amazon to take over for
task 3, which they're the backup for, and it looks like they did that
exactly once:

As far as I can see, the last time Amazon handled task 3 was on July 25,
which is 10 days after Ubuntu became primary for that task.  This was
much appreciated.  Unfortunately, as far as I can see, neither distro
(visibly) handled these tasks ever since, with one exception:

Ubuntu did point out that a patch didn't have a corresponding testsuite
change, and thus tests failed, in a posting on October 10.  So hopefully
they were doing the work, except for the "inform the list either way"
part - but that's an important part!

It is possible that I missed or don't recall some other occasions, but I
think I got the overall picture right.

Joe, Anthony - can you please have your distros start handling these
tasks fully, as described?

Thanks in advance,

Alexander