[development] Think there's a security problem in your module? Here's what to do.

Angela Byron drupal-devel at webchick.net
Fri Jan 18 07:49:16 UTC 2008

 > Not only is it all technically feasible, it wouldn't even be *that* much
 > work to setup the initial proposal you described, and at least the
 > automated simpletests for the core repo on cvs.sec.d.o.

Oh, wow! That was totally not the "ARE YOU ON *CRACK*??" response I was 
expecting. :)

Ok, so. New and improved workflow!

1. Security hole found! OMG!
2. Head to security.drupal.org and login (same as d.o credentials)
3. Post an issue informing the security team about the bug (they're 
emailed automatically on new issues). This issue is private to only you 
and the security team members.
4. Work with the Security Team in the issue to come up with/test a patch 
that fixes the bug.
5. Once a consensus is reached, commit it to your module on 
cvs.security.drupal.org. Run through your normal testing procedures and 
make sure things look good.
6. Follow the Security Team's instructions on how to go about 
creating/announcing the release.

Sound about right?

Looks like, implementation-wise, we need:

1. Script to sync up non-security team, CVS account-holding d.o users 
and make them s.d.o users with only basic privileges (create 
issues/access own issues)
2. Script (or something) to sync CVS / CVS users between cvs.drupal.org 
and cvs.security.drupal.org.
3. Script to sync d.o projects / owners / maintainers with s.d.o 
projects / owners / maintainers.

So.. lots of synching. But in the end, I think this actually *saves* the 
Security Team tons of time, both at the outset (the developer is the one 
who initiates the process) and also in ongoing education (the team is no 
longer a "black box" where the developer is waiting for information but 
instead feeding out useful information to developers as the reviewing 
process is happening).

Huge +1 to the automated testing stuff too, but probably best to start 
simple first. :)

> Any objections?  Any volunteers?

I'm willing to work with you (or someone) to do this synching stuff. I 
don't think I have the time/knowledge to do it alone.


More information about the development mailing list