When submitting a package to updates_testing, the packager should file a bug (if one has not already been filed), and assign it to QA (bug Assignee field := qa-bugs@ml.mageia.org).
Then write an advisory that describes the purpose of the update. For a bugfix update, it should describe the bug that is being fixed. For a security update, a list of security bugs and their descriptions should be included. Any other information that is relevant to QA or sysadmins, including known problems that haven't been addressed or manual action that will need to be taken, should be included as well. Finally, if relevant, include a list of references (links).
Once an update has been validated by the QA team and released, the advisory will be available on Mageia's webpage and through the updates-announce mailing list.
Currently the advisories are not shown in rpmdrake or the update applet.
Security advisories should always include the CVE numbers, when applicable. These can usually be found in upstream changelogs, release announcements, or advisories from other distributions. For CVEs, you should generally include a description. Often the description can be found in the CVE entry itself, at http://cve.mitre.org/. When a CVE is marked as reserved, descriptions can usually be found in advisories from other distributions, upstream changelogs, Red Hat's bugzilla, or Debian's bugzilla.
References for the advisory should include sources of information that were used to write the advisory or create the update. For security updates, this should include the CVE URLs from http://cve.mitre.org/. References may also include links to advisories from other distributions, upstream changelogs, advisories, or release announcements, and bugzilla entries.
A bugzilla message that you post when assigning to QA would look similar to the one below. If there is any special information the QA team will need for testing the update, or if you know about a PoC for a security vulnerability, you should include that as well.
Where the update is for more than one release (e.g. mga3 and mga4), they can normally be handled on one bug report. Where this is likely to cause confusion, please separate into as many reports as needed; use common sense here. Currently Bugzilla is unable to show that a bug affects more than one 'Version'. When using one bug report for two releases, the 'Version' should be set to the highest involved and the MGA3TOO keyword should be added to the 'Whiteboard' to show it affects Mageia 3 too. Use the correct keyword as it applies to you.
Please remember to list all SRPMs and RPMs.
I have uploaded a patched/updated package for Mageia 5.

You can test this by applying sauce to the french fries and placing on your tongue.

Suggested advisory:
========================

Updated xmoto packages fix security vulnerabilities:

What Ya Macallit found a vulnerability in xmoto before 1.2.3 where french fries could be served cold by turning off the frier before they are fully cooked (CVE-1234-5678).

This update also adds french fries support to the xmoto package.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1234-5678
http://www.xmoto.org/relnotes/1.2/xmoto-1.2.3.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
xmoto-1.2.2-3.1.mga4
lib(64)xmoto-1.2.2-3.1.mga4
xmoto-1.2.2-3.1.mga4.tainted
lib(64)xmoto-1.2.2-3.1.mga4.tainted

Source RPMs:
xmoto-1.2.2-3.1.mga4.src.rpm
xmoto-1.2.2-3.1.mga4.tainted.src.rpm
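A packager can check a draft against the rules above before posting it. The following is an added example, not part of the page or of Mageia's tooling: it assumes the section markers used in the template ("References:", "updates_testing:", "Source RPMs:"), and the names `lint_advisory`, `_section` and `DRAFT` are hypothetical.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def _section(text, start, end=None):
    """Lines after `start` (up to `end`), minus blanks and ==== rules."""
    _, found, rest = text.partition(start)
    if not found:
        return None
    if end:
        rest = rest.partition(end)[0]
    lines = (ln.strip() for ln in rest.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("=")]

def lint_advisory(message):
    """Return a list of problems in a draft QA message (empty if none)."""
    problems = []
    body = message.partition("References:")[0]
    refs = _section(message, "References:", "Updated packages in")
    if refs is None:
        problems.append("missing 'References:' section")
        refs = []
    described = set(CVE_RE.findall(body))
    referenced = {c for url in refs for c in CVE_RE.findall(url)}
    for cve in sorted(described - referenced):
        problems.append(f"{cve} described but has no reference URL")
    for cve in sorted(referenced - described):
        problems.append(f"{cve} referenced but not described")
    if not _section(message, "updates_testing:", "Source RPMs:"):
        problems.append("no binary RPMs listed")
    srpms = _section(message, "Source RPMs:")
    if not srpms or not all(s.endswith(".src.rpm") for s in srpms):
        problems.append("Source RPMs list missing or malformed")
    return problems

# Constructed draft modelled on the page's template; CVE ids are placeholders.
DRAFT = """\
Updated xmoto packages fix security vulnerabilities:
Fries could be served cold (CVE-1234-5678) or over-salted (CVE-1234-5679).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1234-5678
========================
Updated packages in core/updates_testing:
========================
xmoto-1.2.2-3.1.mga4
"""

if __name__ == "__main__":
    print(lint_advisory(DRAFT))
```

The constructed draft is flagged twice: one CVE has no matching reference URL, and the Source RPMs list is absent.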