[development] Think there's a security problem in your module? Here's what to do.
Derek Wright
drupal at dwwright.net
Fri Jan 18 09:08:11 UTC 2008
On Jan 17, 2008, at 1:07 PM, DragonWize wrote:
> if they are watching the logs (which they most likely are, to what
> extent is debatable) then they know when the security hole is
> committed which is long before the fix is committed. I cannot make
> it any clearer that, IMHO, that reason is full of false hope.
There's a *huge* volume of existing code. New hackers are coming
around all the time, but I doubt they're going to be able to
immediately audit everything all at once. I suspect (but have no
proof) that many are looking at changes, and starting to methodically
search for problems, but haven't yet completely grokked the entire
existing codebase. Maybe I'm just being overly optimistic about this
bit of security by obscurity. ;) I'm guessing that in the cost/benefit
analysis of a hacker, it's better to really focus on the most
popular contribs first, since exploits you might find will have a
better "payoff". It does far more good to watch views, cck,
pathauto, etc, with everything you've got, than to wade through the
vast swamp of modules that are only used by dozens, not thousands of
sites.
Either way, I maintain it still does *not* hurt to avoid calling any
public attention at all to a known vulnerability, until there's an
official release that fixes it which all of your users could
immediately upgrade to as soon as they're notified. The "good" users
can't upgrade anyway, and if nothing else, it means sites are only
vulnerable to the sophisticated, rich hackers, not the "half-wit"
script-kiddies that are trying to exploit lower hanging fruit as it
streams by their RSS readers.
If the security team had many more resources and a lot more
automated/streamlined process (which I think webchick's proposal gets us much
closer to), we could potentially move to a weekly rhythm for security
updates. Every Wednesday would become security day, and anything
fixed in the previous week would be disclosed and released. Drupal
site maintainers would get used to running "drush pm update"[1] for
all their sites a few times near the end of the day on
Wednesday. :) Most people could just set up cron jobs to do that, if
they really wanted (though module maintainers would have to become
even more aware and careful about how they handle release management
for their contributions, and conquer the (in the end, relatively
simple) art of making sure you commit the right patches to the right
branch(es) at the right time in the right order).
-Derek (dww)