[development] Think there's a security problem in your module? Here's what to do.

Earl Miles merlin at logrus.com
Wed Jan 16 19:07:50 UTC 2008

DragonWize wrote:
> 2. Making a commit doesn't advertise anything unless you put a
>  description saying what the security flaw is and how to exploit it.
>  Hopefully it is obvious to not ever do that, no matter when you commit
>  it.
> Even after the SA has been released you should never commit a message
> saying you fixed a security hole. That would be like putting the line
> number of the hole in the SA. You don't say what the hole is, where it is,
> or how to exploit it. This holds true for any commit you ever do.
> Because then they have to find it, which they had to find anyway, so
> there is no difference between committing and not committing. In fact,
> if you coordinate the commit with the SA you are just making it that
> much easier for them to find it.

Security through obscurity does not work. It just makes it harder to 
tell when it doesn't work.

If the author fixed a security bug, and black hat hackers are monitoring 
this, they *are* reading the code, and they *know* what they're looking 
for, and they are NOT going to share that data. It doesn't matter if the 
author annotated the fix in the CVS log or not.
