[development] Think there's a security problem in your module? Here's what to do.

Daniel F. Kudwien news at unleashedmind.com
Thu Jan 17 12:56:53 UTC 2008


> > When I discovered a vulnerability in my CAS module, I was in
> > discussion with other maintainers, off-line of course, and not with
> > the security team who had other more productive tasks to be engaged
> > in.  We were the best people to make the decision about when the code
> > was RTBC.  And whether other bug fixes should be included in the
> > release for the purposes of stability. Other bug fixes were included
> > with the release that we made.
> 
> I don't have the energy to get into a discussion on mixing
> security and bug fixes in a release so I'll just say that I
> think it's a bad idea. The best practice would be to get the
> minimum patch out to fix the security hole and then
> follow it up with additional fixes in a later release.
> 
> andrew

Regarding mixing irrelevant bug fixes with security fixes: please bear in mind
that there might also be users of your module who needed to make
customizations. If they are not able to understand and fix the security
issue only, they perhaps won't fix it at all.

Daniel


