On Jan 18, 2008 5:49 AM, Angela Byron <drupal-devel@webchick.net> wrote:
Not only is it all technically feasible, it wouldn't even be *that* much work to set up the initial proposal you described, and at least the automated simpletests for the core repo on cvs.sec.d.o.
Oh, wow! That was totally not the "ARE YOU ON *CRACK*??" response I was expecting. :)
Ok, so. New and improved workflow!
1. Security hole found! OMG!
2. Head to security.drupal.org and login (same as d.o credentials)
3. Post an issue informing the security team about the bug (they're emailed automatically on new issues). This issue is private to only you and the security team members.
4. Work with the Security Team in the issue to come up with/test a patch that fixes the bug.
I like the process up to here. It helps the contrib maintainers to understand the process. It would need serious testing to make sure that we don't accidentally leak more information than necessary.
5. Once a consensus is reached, commit it to your module on cvs.security.drupal.org. Run through your normal testing procedures and make sure things look good.
I don't see how this adds much more value over:

wget http://example.com/path_to_patch
patch -p0 < security_patch_revision_3.patch

But, if you and dww both really like this and want to work on it I certainly won't stand in the way. It seems lower value to me but I am not in charge of your schedules.
6. Follow the Security Team's instructions on how to go about creating/announcing the release.
Yes, please.

Regards,
Greg

--
Greg Knaddison
Denver, CO | http://knaddison.com
World Spanish Tour | http://wanderlusting.org/user/greg