[development] Think there's a security problem in your module? Here's what to do.

DragonWize dragonwize at gmail.com
Wed Jan 16 18:40:39 UTC 2008


I guess I am less than a halfwit even though I have a good amount of
PHP knowledge.

If I commit code, let's say I commit 10 files in my commit and one of
those files fixes a security flaw, whether the flaw was known to me or
not, I say "upgrades and fixes to v5" as usual. I don't see how I am
going to put a red sign on it distinguishing it from any other of the
thousands of commits made.

In addition, if anyone wanted to do harm they would actively seek out
security flaws. You would find them much faster than waiting and
hoping that someone slips up in a commit message.

And lastly, it doesn't change the situation when you wait and commit
it later. That commit is made and no site is upgraded still.

So I believe I am still missing the point. I think it would be very
helpful if someone could give me a concrete realistic example of the
problem not committing will fix.

Thank you,
Alan


On 1/16/08, Gerhard Killesreiter <gerhard at killesreiter.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> DragonWize schrieb:
> > 1. non-upgraded sites are at risk otherwise there would be need to change.
> >
> > 2. making a commit doesn't advertise anything unless you put a
> > description saying what the security flaw is and how to exploit it.
> > hopefully it is obvious to not ever do that, no matter when you commit
> > it.
>
> Every halfwit with a bit of php knowledge can see why a particular
> commit with a strange commit message would be a security fix.
>
>
> Cheers,
>         Gerhard
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFHjkzIfg6TFvELooQRAq6GAJ9lweU+hyy5PbAOuEVRWSiySuFvogCbBjjf
> Qk6mnYthpxCg9SykEg3xVNM=
> =a596
> -----END PGP SIGNATURE-----
>


-- 
Alan Doucette
Koi Technology, LLC
www.KoiTech.net
