[development] Think there's a security problem in your module? Here's what to do.
David Metzler
metzlerd at metzlerd.com
Fri Jan 18 02:51:39 UTC 2008
On Jan 17, 2008, at 2:37 AM, andrew morton wrote:
> On Jan 16, 2008 9:08 PM, David Metzler <metzlerd at metzlerd.com> wrote:
>> 2. It seems to take the RTBC decision out of the contrib module...
>>
>
> Not at all, they don't write the patch for you, you and your
> co-maintainers come up with the fix. You RTBC it... As for any
> secondary reviews by the security team extending the vulnerability
> window, they've been very prompt when I've dealt with them and I
> appreciated the second set of eyes. I'd feel really dumb posting a
> security fix that didn't actually fix the bug but brought it to
> everyone's attention.
I'm not doubting the intentions of the security team, nor the need
for quality code review, just the assumption that the fastest way to
get a release into the hands of the users is always done by single
threading this through the security team.
FYI: I also got a quick answer when I asked them the best way to
patch my bug (I did consult with them after all), and I was
appreciative of the info. but they didn't offer to review my code,
and they didn't try to manage my patch process at the time. Maybe
the next time it will be different....
>
>> When I discovered a vulnerability in my CAS module,....
>>
> You seem concerned about loosing control of your module to the
> security team. I can tell you that this fear is unfounded. The
> security team is here to help, not tie your hands. And as for more
> productive tasks... this is exactly what they're here for.
>
> I don't have the energy to get into a discussion on mixing security
> and bug fixes in a release so I'll just say that I think it's a bad
> idea. The best practice would be to get the minimum patch out to fix
> the security hole and then then follow it up with additional fixes in
> a later release.
I don't either, so lets just agree that I don't run releases the way
the security team wants me to. Oh well. I'd love to debate that
over a beer sometime :)
I'm not worried that the security team will take over my module. But
I am concerned that if I am authoring a module that deals with a
single sign-on protocol that the security team is not versed in and
isn't really used by that many of the drupal users (which I am), that
when it comes down to it, my modules "audit" as derek describes it,
will not (and I believe rightly so) be at the top of the priority
list of the security team. Meanwhile, I'm instructed to not commit or
release the fix. This is again predicated on the fact that someone
might be able to recognize the vulnerability based on the source code
that expresses the fix. I can't verify the patch/commit process, or
independently install and verify the vulnerability is fixed in a dev
or beta release until the security team puts out an announcement
saying the patch is ready for download. Doing testing of committed
code is my practice regardless of whether its a security related
patch or not.
Given our distro system, if we're really worried about hackers
sniffing commit logs, I would rather remove anonymous CVS access.
That way you stop the vulnerability sniffing all together. Like I
said I know I'm in the minority here and don't really expect to
change your mind on this one.
I been involved with enough volunteer organizations to know that it's
always an uphill battle to manage workload. I don't begrudge that,
but I try and keep my expectations tempered.
I really hope no-one on the security team is offended. I mean no
such offense. I really do respect and appreciate the service that
they provide and yes, I do consult with them when I do my security
related fixes.
>
> andrew
>
> andrew
More information about the development
mailing list