I've noticed that more and more security advisories are reported by module maintainers. In the past, if I noticed a security problem, I would fix it and commit the change without saying anything. It was sort of embarrassing to me to have an SA filed. However, that didn't mean that users would pick up the fixed version.
Are maintainers now flagging their own issues as a way to "force" people to update to the newest code?
Nancy
It's irresponsible NOT to have an SA issued for security updates. Everybody makes mistakes; there's no reason to be embarrassed for that. You should be embarrassed for leaving your users vulnerable by not informing them of the situation. IMO, you'll win more respect by correcting those mistakes promptly when you realize them, and going the extra mile to inform your users. Put another way, wouldn't you rather be the one to report your own issue than to have someone else report it? I can assure you that the Drupal Security team is a bunch of nice people who are eager to help. We won't bite your head off. :-)
All the Best,
Matt Chapman
"Occasional Maker of Mistakes and Recently Recruited Member of the Drupal Security Team"
In reply to nan wich <nan_wich@bellsouth.net>, Fri, Aug 6, 2010 at 11:10 AM (message above).
Hi, one caveat.
The Drupal security team only releases security announcements and releases for certain types of releases. See "Which Releases Get Security Advisory?" in http://drupal.org/security-advisory-policy
So if you are in your development branch and you find a security issue you just introduced, just go ahead and fix it yourself with a security tag. If you discover a vulnerability that's in a release type that is covered, report it to the security team.
If anyone else on the security team wants to clarify further, go ahead.
Cheers,
Kieran
--
Get a free, hosted Drupal 7 site: http://www.drupalgardens.com
415-992-8124
In reply to nan wich <nan_wich@bellsouth.net>, Fri, Aug 6, 2010 at 11:10 AM (message above).
I wouldn't get interested if it was on the dev branch. This is on the official release, so I guess I'll write it up and send it in.
Nancy
Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
From: Kieran Lal <kieran@acquia.com>
To: development <development@drupal.org>
Sent: Fri, August 6, 2010 2:35:12 PM
Subject: Re: [development] Security Updates
(Kieran's message, and Nancy's original question, are quoted in full above.)
I'd also like to point out, Nancy, that oftentimes a site will run for 6 months to a year or even longer without updating a module, as long as that module is a stable release and does not have any security releases. I've personally seen webmasters make the conscious decision to leave a module (and even core) alone rather than test the improved, updated release to make sure it still works the way their current one does. It's the old adage "PHP doesn't wear out". ;)
I encourage everyone to report any potential security flaw they find in released open source code. In this manner, and as you've described below, we will all help to make FOSS safer and more enjoyable. Yay! :)
--
Joel Farris
"An intellectual snob is someone who can listen to the William Tell Overture and not think of The Lone Ranger." ~ Dan Rather
In reply to nan wich, Aug 6, 2010, at 11:49 AM (message above, together with Kieran's reply and Nancy's original question).
While we are all reading this thread, can the module contributors take a few minutes and familiarize themselves with the process ...
Writing Secure Code: http://drupal.org/writing-secure-code
How to report a security issue: http://drupal.org/node/101494
Contacted by the security team, now what?: http://drupal.org/node/101497
The above are the important ones to read now. There is more info for those who are interested on this page and its sub book pages: http://drupal.org/security-team
--
Khalid M. Baheyeldin
2bits.com, Inc. http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci
participants (7): Andrew Schulman, Brian Vuyk, Khalid Baheyeldin, Kieran Lal, Matt Chapman, nan wich, Senpai