[gentoo-dev] Testing instructions for security bugs

Posted: 08-22-2004, 03:30 AM
Hi devs,

I would like to ask if it is possible to add testing
instructions for security bugs on packages that need some
stable love?

Not only I have had, several times, the problem of finding out
whether a package really works on a given architecture besides
compiling fine. The package maintainer could better add a
note on how to test a package than the arch-devs, who first
have to find out how a special package works.

Regards, Lars


Responses to "[gentoo-dev] Testing instructions for security bugs"

Joshua J. Berry
Re: [gentoo-dev] Testing instructions for security bugs
Posted: 08-22-2004, 04:40 AM
On Saturday 21 August 2004 19:24, Lars Weiler wrote:
> Hi devs,
>
> I would like to ask if it is possible to add testing
> instructions for security bugs on packages that need some
> stable love?
By "security bugs", what do you mean? Testing FOR security bugs, or general
testing after security@ has requested a bump? Or something completely
different?

-----------------------------------------
Joshua J. Berry

"I haven't lost my mind -- it's backed up on tape somewhere."
-- /usr/games/fortune

NOTE: Please do not submit this email address to any mailing
lists or websites without prior permission. Thank you.

Lars Weiler
Re: [gentoo-dev] Testing instructions for security bugs
Posted: 08-22-2004, 05:30 AM
* Joshua J. Berry <condordes@gentoo.org> [04/08/21 20:30 -0700]:
> By "security bugs", what do you mean? Testing FOR
> security bugs, or general testing after security@ has
> requested a bump? Or something completely different?
When security requested a bump. And to extend this, also
packages where the maintainer requests a bump without a
security-reason.

Regards, Lars

Jason Wever
Re: [gentoo-dev] Testing instructions for security bugs
Posted: 08-22-2004, 06:00 AM
On Sun, 22 Aug 2004, Lars Weiler wrote:
> When security requested a bump. And to extend this, also
> packages where the maintainer requests a bump without a
> security-reason.
I'll second this motion. I've asked this a few times before but the
general consensus is that people do not want to do work that while
inconveniences them, saves time for a lot more people. However there are
some folks who are kind enough to provide test cases, and to them I am
very grateful :)

If and when QA becomes a more serious force than it is now, I think this
should be something to be considered to be added to the list of "stuff you
need to do as a Gentoo package maintainer".

--
Jason Wever
Gentoo/Sparc Co-Team Lead

--
gentoo-dev@gentoo.org mailing list
Jason Huebel
Re: [gentoo-dev] Testing instructions for security bugs
Posted: 08-23-2004, 09:50 PM
On Saturday 21 August 2004 11:55 pm, Jason Wever wrote:
> I'll second this motion. I've asked this a few times before but the
> general consensus is that people do not want to do work that while
> inconveniences them, saves time for a lot more people. However there are
> some folks who are kind enough to provide test cases, and to them I am
> very grateful :)
>
> If and when QA becomes a more serious force than it is now, I think this
> should be something to be considered to be added to the list of "stuff you
> need to do as a Gentoo package maintainer".
>
> --
> Jason Wever
> Gentoo/Sparc Co-Team Lead
I like this too. A request for a bump for security reasons should include a
test case so that the arch maintainer can verify the fix worked.

--
Jason Huebel
Gentoo/amd64 Strategic Lead
Gentoo Developer Relations/Recruiter

GPG Public Key:
http://pgp.mit.edu:11371/pks/lookup?...rch=0x9BA9E230

"Do not weep; do not wax indignant. Understand."
Baruch Spinoza (1632 - 1677)

Kurt Lieber
Re: [gentoo-dev] Testing instructions for security bugs
Posted: 08-24-2004, 12:50 AM
On Mon, Aug 23, 2004 at 03:45:49PM -0500 or thereabouts, Jason Huebel wrote:
> I like this too. A request for a bump for security reasons should include a
> test case so that the arch maintainer can verify the fix worked.
While I am not opposed to the idea, the security team isn't in a position
to take on this responsibility. We don't have the staffing (or, quite
frankly, the interest) to figure out how to use every single package in our
tree.

If folks want this to be implemented, it needs to be the responsibility of
the package maintainers. (and, if we decide to do this, I will be willing
to write test cases for the packages I maintain.)

--kurt

Jason Wever
Re: [gentoo-dev] Testing instructions for security bugs
Posted: 08-24-2004, 05:00 AM
On Mon, 23 Aug 2004, Kurt Lieber wrote:
> While I am not opposed to the idea, the security team isn't in a position
> to take on this responsibility. We don't have the staffing (or, quite
> frankly, the interest) to figure out how to use every single package in our
> tree.
I agree. Having security come up with these test cases is almost a
replica of what is trying to be avoided. As package maintainers are
normally involved in the security bugs for said package, I don't think
this should be a big stretch.

Plus coming up with a test case for a security bug eases the pain when you
start slapping us arch people around to bump your package to a new stable
rev :)

--
Jason Wever
Gentoo/Sparc Co-Team Lead
Lars Weiler
Re: [gentoo-dev] Testing instructions for security bugs
Posted: 08-24-2004, 05:10 AM
* Jason Wever <weeve@gentoo.org> [04/08/23 21:58 -0600]:
> I agree. Having security come up with these test cases is almost a
> replica of what is trying to be avoided. As package maintainers are
> normally involved in the security bugs for said package, I don't think
> this should be a big stretch.
Yes, that was also my intention to ask the
package-maintainer for a test-case.

The question now is, if the security-team is able to ask for
the test-case and would also do it?

Regards, Lars

Kurt Lieber
Re: [gentoo-dev] Testing instructions for security bugs
Posted: 08-24-2004, 10:20 AM
On Tue, Aug 24, 2004 at 06:03:23AM +0200 or thereabouts, Lars Weiler wrote:
> The question now is, if the security-team is able to ask for
> the test-case and would also do it?
If we want test cases for our ebuilds, doesn't it make more sense to
require that as part of the ebuild process in the first place?

As others have pointed out, having test cases is useful not only for
security bugs, but for arch stable bumping, etc.

--kurt
