[development] Think there's a security problem in your module? Here's what to do.

Khalid Baheyeldin kb at 2bits.com
Fri Jan 18 07:27:41 UTC 2008


> 3. Security team takes a copy of the currently vulnerable code and
> checks it into cvs-security.drupal.org at modules/foobar. Creates a CVS
> account for developer and gives them access to their module's directory
> only.


This is the part that is of concern to me.

First, is it scalable? It requires significant manpower from the security team.

Second, a snapshot can get stale vs. the code at cvs.d.o, and all sorts of
interesting stuff can happen.

Third, back synching the cvs-security.d.o to cvs.d.o after the SA process
is done is a lot of work, and could introduce errors.

Sorry, I don't want to sound too negative, but the security team is
overloaded as it is. The rest of your proposal makes sense, and does have
lots of benefits.
-- 
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.