[development] Think there's a security problem in your module? Here's what to do.

Neil Drumm drumm at delocalizedham.com
Fri Jan 18 03:08:14 UTC 2008


On Jan 17, 2008 6:51 PM, David Metzler <metzlerd at metzlerd.com> wrote:
>
> On Jan 17, 2008, at 2:37 AM, andrew morton wrote:
>
> > On Jan 16, 2008 9:08 PM, David Metzler <metzlerd at metzlerd.com> wrote:
> >> 2.  It seems to take the RTBC decision out of the contrib module...
> >>
> >
> > Not at all, they don't write the patch for you, you and your
> > co-maintainers come up with the fix. You RTBC it... As for any
> > secondary reviews by the security team extending the vulnerability
> > window, they've been very prompt when I've dealt with them and I
> > appreciated the second set of eyes. I'd feel really dumb posting a
> > security fix that didn't actually fix the bug but brought it to
> > everyone's attention.
>
> I'm not doubting the intentions of the security team, nor the need
> for quality code review, just the assumption that the fastest way to
> get a release into the hands of the users is always done by single
> threading this through the security team.

We simultaneously send a security announcement (SA) to the 13k
subscribers. We can't give module maintainers permission to do that;
mailing lists of that size have to be treated with care.

It does add extra time to the module's release cycle; we do a batch of
security releases twice a month. We do our best to make sure everyone,
from black hats to non-technical webmasters, knows about the
vulnerability at the same time.

-- 
Neil Drumm
http://delocalizedham.com

