Re: Contributing Back

[Anthony Liguori <anthony () codemonkey ws>]

On Tue, Nov 5, 2019 at 10:45 AM Solar Designer <solar () openwall com> wrote:
> Hi Joe, hi Anthony -
>
> I'll over-quote a bit since it's an old thread:
>
> On Mon, Jul 15, 2019 at 09:28:01PM +0200, Solar Designer wrote:
> > On Mon, Jul 15, 2019 at 11:54:23AM -0700, Anthony Liguori wrote:
> > > On Mon, Jul 15, 2019 at 11:47 AM Joe McManus <joe.mcmanus () canonical com> wrote:
> > > > > On Tue, Jul 09, 2019 at 07:00:36PM -0600, Joe McManus wrote:
> > > > > > Hey All - The Ubuntu Security Team would like to sign up for items 3,4
> > > > > > & 5 from the technical list <
> > > > > > https://oss-security.openwall.org/wiki/mailing-lists/distros#contributing-back
> > > > > > > :
> > > > > >
> > > > > > 3 - Review and/or test the proposed patches and point out potential issues
> > > > > >   with them [...]
> > > > > > 4 - Check if related issues exist in the same piece of software [...]
> > > > > > 5 - Check if related issues exist in implementations of similar
> > > > > >   functionality in other software [...]
> > [...]
> > > > Yes, this will be taken care of by Ubuntu Security Team members who
> > > > are already on the list, however if after some time we need to cycle
> > > > someone in or out I might come asking. I know you don't want to add
> > > > anyone so we will do our best to prevent this from happening.
> > > >
> > > > For 3 we can be either primary or backup, just let me know your
> > > > preference and we'll do the work.
> > >
> > > I would be happy for y'all to be primary.  We don't ship as many
> > > packages as Ubuntu does so there will be more things that you are
> > > likely to test compared to what we do.
> >
> > OK, I've just listed Ubuntu as primary for 3, 4, 5.  Amazon is now
> > backup for 3.
> >
> > Please note that these items include "and inform the list of the work
> > done even if no issues were encountered" (item 3), "and inform the list
> > either way" (items 4, 5), so we'll expect replies to the list as per
> > these items for each and every issue reported to there.
>
> I am not seeing this "inform the list either way" stuff actually
> happening.  Without it, no other distro has a way to know the work is
> actually being done.  Once I had pointed this need out a while before,
> Amazon briefly started making those mandatory postings for task 3, until
> they were replaced by Ubuntu as primary.  In fact, given the lack of
> such postings by Ubuntu, I would still expect Amazon to take over for
> task 3, which they're the backup for, and it looks like they did that
> exactly once:
>
> As far as I can see, the last time Amazon handled task 3 was on July 25,
> which is 10 days after Ubuntu became primary for that task.  This was
> much appreciated.  Unfortunately, as far as I can see, neither distro
> (visibly) handled these tasks ever since, with one exception:
>
> Ubuntu did point out that a patch didn't have a corresponding testsuite
> change, and thus tests failed, in a posting on October 10.  So hopefully
> they were doing the work, except for the "inform the list either way"
> part - but that's an important part!
>
> It is possible that I missed or don't recall some other occasions, but I
> think I got the overall picture right.
>
> Joe, Anthony - can you please have your distros start handling these
> tasks fully, as described?

Ack.

Regards,

Anthony Liguori

> Thanks in advance,
>
> Alexander