[development] backporting sec patches

Ivan Sergio Borgonovo mail at webthatworks.it
Tue Apr 29 11:48:48 UTC 2008 

Since I will need a longer life cycle... I know I'll have to support
security patches for at least one more older release starting
from 5.X.

I know that patching your own 3, 4 web sites that lag behind is one
thing, providing patches for a whole community is another thing.
Providing security support for older modules it is even a larger task.

Making proactive security assessment for older versions is absolutely
out of my reach.

As a minimum I could provide svn patches for security problems that
have been discovered in newer versions and that apply to older
versions.

To make this effective I'd be informed in advance of the security
problems that have been signaled to the sec team before they get
public.

I could start to take care of this in a *very* informal way. That
means that I'll make aware people that they CAN'T relay on this
service and see how it goes.

Depending on how things go, it could be worth to learn something
about the Drupal release mechanism, see if other people can help...
etc... I don't know.

What I think I can handle is:
- getting informed in advance of DN and D(N-1) security problems in
core
- see if they need to be fixed in D(N-2) and publish a svn diff
somewhere concurrently to the DN/D(N-1) public security announcement.
- try my best to see if a module security problem can be fixed in
older core and provide a patch

What I know I won't be able to handle is assisting in fixing security
problems in older modules or providing a full tar of an older patched
version or manage DB update path.

That in the hope that:
- I could gain access to early warnings
- someone will reach me in the task so that if one is busy/ill/etc...
the other can still provide some support to the community, me
included.

If anyone is willing I could reach the sec team to get used to the
way they operate now, make some enemies, call some names, help a bit
fixing 5.X sec problems till 5.X will be obsoleted and evaluate in
the light of my new experience if and how I can sustain what I
proposed.

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it

More information about the development mailing list