[development] Think there's a security problem in your module? Here's what to do.

Khalid Baheyeldin kb at 2bits.com
Fri Jan 18 07:27:41 UTC 2008

> 3. Security team takes a copy of the currently vulnerable code and
> checks it into cvs-security.drupal.org at modules/foobar. Creates a CVS
> account for developer and gives them access to their module's directory
> only.

This is the part that is of concern to me.

First, is it scalable? It requires significant manpower from the security team.

Second, a snapshot can get stale vs. the code at cvs.d.o, and all sorts of
interesting stuff can happen.

Third, back synching the cvs-security.d.o to cvs.d.o after the SA process
is done is a lot of work, and could introduce errors.

Sorry, I don't want to sound too negative, but the security team is
as it is. The rest of your proposal makes sense, and does have lots of

Khalid M. Baheyeldin
2bits.com, Inc.
Drupal optimization, development, customization and consulting.