[development] Think there's a security problem in your module? Here's what to do.

Derek Wright drupal at dwwright.net
Fri Jan 18 09:08:11 UTC 2008


On Jan 17, 2008, at 1:07 PM, DragonWize wrote:

> if they are watching the logs (which they most likely are, to what  
> extent is debatable) then they know when the security hole is  
> committed which is long before the fix is committed. I cannot make  
> it any clearer that, IMHO, that reason is full of false hope.


There's a *huge* volume of existing code.  New hackers are coming  
around all the time, but I doubt they're going to be able to  
immediately audit everything all at once.  I suspect (but have no  
proof) that many are looking at changes, and starting to methodically  
search for problems, but haven't yet completely grokked the entire  
existing codebase.  Maybe I'm just being overly optimistic about this  
bit of security by obscurity. ;)  I'm guessing that in the cost/benefit  
analysis of a hacker, it's better to really focus on the most  
popular contribs first, since exploits you might find will have a  
better "payoff".  It does far more good to watch views, cck,  
pathauto, etc, with everything you've got, than to wade through the  
vast swamp of modules that are only used by dozens, not thousands of  
sites.

Either way, I maintain it still does *not* hurt to avoid calling any  
public attention at all to a known vulnerability, until there's an  
official release that fixes it which all of your users could  
immediately upgrade to as soon as they're notified.  The "good" users  
can't upgrade anyway, and if nothing else, it means sites are only  
vulnerable to the sophisticated, rich hackers, not the "half-wit"  
script-kiddies that are trying to exploit lower hanging fruit as it  
streams by their RSS readers.

If the security team had many more resources and a lot more  
automated/streamlined process (which I think webchick's proposal gets us much  
closer to), we could potentially move to a weekly rhythm for security  
updates.  Every Wednesday would become security day, and anything  
fixed in the previous week would be disclosed and released.  Drupal  
site maintainers would get used to running "drush pm update"[1] for  
all their sites a few times near the end of the day on  
Wednesday. :) Most people could just set up cron jobs to do that, if  
they really wanted (though module maintainers would have to become  
even more aware and careful about how they handle release management  
for their contributions, and conquer the (in the end, relatively  
simple) art of making sure you commit the right patches to the right  
branch(es) at the right time in the right order).

-Derek (dww)
