[development] Think there's a security problem in your module? Here's what to do.
Angela Byron
drupal-devel at webchick.net
Fri Jan 18 07:49:16 UTC 2008
> Not only is it all technically feasible, it wouldn't even be *that* much
> work to set up the initial proposal you described, and at least the
> automated simpletests for the core repo on cvs.sec.d.o.
Oh, wow! That was totally not the "ARE YOU ON *CRACK*??" response I was
expecting. :)
Ok, so. New and improved workflow!
1. Security hole found! OMG!
2. Head to security.drupal.org and log in (same as d.o credentials)
3. Post an issue informing the security team about the bug (they're
emailed automatically on new issues). This issue is private to only you
and the security team members.
4. Work with the Security Team in the issue to come up with/test a patch
that fixes the bug.
5. Once a consensus is reached, commit it to your module on
cvs.security.drupal.org. Run through your normal testing procedures and
make sure things look good.
6. Follow the Security Team's instructions on how to go about
creating/announcing the release.
Sound about right?
Looks like, implementation-wise, we need:
1. Script to sync up non-security team, CVS account-holding d.o users
and make them s.d.o users with only basic privileges (create
issues/access own issues)
2. Script (or something) to sync CVS / CVS users between cvs.drupal.org
and cvs.security.drupal.org.
3. Script to sync d.o projects / owners / maintainers with s.d.o
projects / owners / maintainers.
So... lots of synching. But in the end, I think this actually *saves* the
Security Team tons of time, both at the outset (the developer is the one
who initiates the process) and also in ongoing education (the team is no
longer a "black box" where the developer is waiting for information but
instead feeding out useful information to developers as the reviewing
process is happening).
Huge +1 to the automated testing stuff too, but probably best to start
simple first. :)
> Any objections? Any volunteers?
I'm willing to work with you (or someone) to do this synching stuff. I
don't think I have the time/knowledge to do it alone.
-Angie