[development] Think there's a security problem in your module? Here's what to do.
Derek Wright
drupal at dwwright.net
Thu Jan 17 20:36:09 UTC 2008
@DragonWize: as I said before, your input on this thread is very
welcome.
I still disagree that reviewing and further improving the patches for
security issues should be done directly under public version
control. Seems like there's a little bit of an impasse here, and I'm
not sure what to do to further convince you why I think it's a bad
idea. I think I've been pretty clear about what I'm sure of and what
we can't possibly know. All you've done in reply is assert that you
don't think our concerns are valid (without evidence, which neither
side has) and assert that you think maintainers would feel more
comfortable doing it your way (which doesn't address the security
team's concerns and just further adds to the list of things we don't
know -- are maintainers actually more comfortable doing it your way
or not?).
I'll make my own assertion to add to the mix: the reason so many
developers aren't following this process isn't because it's so
burdensome and difficult for them that they willingly choose to ignore
it; it's because so few people actually know this is the process the
security team wants people to follow, given a basically complete lack
of detailed documentation or awareness about it.
That said, there have definitely been some good ideas about possible
changes to the procedure here. Furthermore, this thread has sparked
a big discussion about the process and generated a lot more
awareness, which has already made the thread incredibly valuable.
On Jan 17, 2008, at 11:00 AM, DragonWize wrote:
> This will always be a challenge but helps if you have a marketable
> version of the information you are trying to get out to everyone.
I was *not* trying to "market" the process. ;) I was trying to
explain it, step by step, in developer-speak, not "marketing-speak".
In starting this thread, I acted on my own, not as an official
representative of the security team (or the "education group" within
the security team). This was not meant to be the final word, nor the
only documented version of the process. There *is no* documented
version of this process in as much detail, so I just wanted to write
a first draft to spark discussion and raise awareness. I have
succeeded on both counts.
Now, the point is to either a) get everyone to agree this is the
right process and carefully document it in the d.o handbooks (which
anyone who wants to contribute could do, not necessarily the
overtaxed security team itself), or b) make whatever modifications to the
process we all think are worth making for the overall goal of a more
secure Drupal ecosystem, and write up *that* process in the same way.
Cheers,
-Derek (dww)
p.s. The security team is also discussing creating a mandatory
announcement-only list for all users with a CVS account, so that we
can more effectively "get developers on board" about this and other
topics, without relying on the devel list.