[development] Think there's a security problem in your module? Here's what to do.

andrew morton drewish at katherinehouse.com
Thu Jan 17 10:37:28 UTC 2008

On Jan 16, 2008 9:08 PM, David Metzler <metzlerd at metzlerd.com> wrote:
> 2. It seems to take the RTBC decision out of the contrib module
> owner's hands. When is the patch tested enough? Who decides this?
> All of the handshaking and discussion regarding this with the
> security team adds to the time that the vulnerability is in circulation.

Not at all: they don't write the patch for you; you and your
co-maintainers come up with the fix. You RTBC it... As for any
secondary reviews by the security team extending the vulnerability
window, they've been very prompt when I've dealt with them and I
appreciated the second set of eyes. I'd feel really dumb posting a
security fix that didn't actually fix the bug but brought it to
everyone's attention.

> When I discovered a vulnerability in my CAS module, I was in
> discussion with other maintainers, off-line of course, and not with
> the security team who had other more productive tasks to be engaged
> in. We were the best people to make the decision about when the code
> was RTBC, and whether other bug fixes should be included in the
> release for the purposes of stability. Other bug fixes were included
> with the release that we made.

You seem concerned about losing control of your module to the
security team. I can tell you that this fear is unfounded. The
security team is here to help, not tie your hands. And as for more
productive tasks... this is exactly what they're here for.

I don't have the energy to get into a discussion on mixing security
and bug fixes in a release so I'll just say that I think it's a bad
idea. The best practice would be to get the minimum patch out to fix
the security hole and then follow it up with additional fixes in
a later release.
