[development] Think there's a security problem in your module? Here's what to do.

Thu Jan 17 20:36:09 UTC 2008

@DragonWize: as I said before, your input on this thread is very  
welcome.

I still disagree that reviewing and further improving the patches for  
security issues should be done directly under public version  
control.  Seems like there's a little bit of an impasse here, and I'm  
not sure what to do to further convince you why I think it's a bad  
idea.  I think I've been pretty clear about what I'm sure of and what  
we can't possibly know.  All you've done in reply is assert that you  
don't think our concerns are valid (without evidence, which neither  
side has) and assert that you think maintainers would feel more  
comfortable doing it your way (which doesn't address the security  
team's concerns and just further adds to the list of things we don't  
know -- are maintainers actually more comfortable doing it your way  
or not?).

I'll make my own assertion to add to the mix: the reason so many  
developers aren't following this process isn't because it's so  
burdensome and difficult for them that they willingly chose to ignore  
it, it's because so few people actually know this is the process the  
security team wants people to follow, given a basically complete lack  
of detailed documentation or awareness about it.

That said, there have definitely been some good ideas about possible  
changes to the procedure here.  Furthermore, this thread has sparked  
a big discussion about the process and generated a lot more  
awareness, which already made the thread incredibly valuable.

On Jan 17, 2008, at 11:00 AM, DragonWize wrote:

> This will always be a challenge but helps if you have a marketable  
> version of the information you are trying to get out to everyone.

I was *not* trying to "market" the process. ;)  I was trying to  
explain it, step by step, in developer-speak, not "marketing-speak".   
In starting this thread, I acted on my own, not as an official  
representative of the security team (or the "education group" within  
the security team).  This was not meant to be the final word, nor the  
only documented version of the process.  There *is no* documented  
version of this process in as much detail, so I just wanted to write  
a first draft to spark discussion and raise awareness.  I have  
succeeded on both counts.

Now, the point is to either a) get everyone to agree this is the  
right process and carefully document it in the d.o handbooks (which  
anyone who wants to contribute could do, not necessarily the over- 
taxed security team itself), or b) make whatever modifications to the  
process we all think are worth making for the overall goal of a more  
secure Drupal ecosystem, and write up *that* process in the same way.

Cheers,
-Derek (dww)

p.s. The security team is also discussing creating a mandatory  
announcement-only list for all users with a CVS account, so that we  
can more effectively "get developers on board" about this and other  
topics, without relying on the devel list.