[development] Think there's a security problem in your module? Here's what to do.

Derek Wright drupal at dwwright.net
Fri Jan 18 09:08:31 UTC 2008

On Jan 17, 2008, at 11:49 PM, Angela Byron wrote:

> New and improved workflow!
> ...
> Sound about right?

Yes, sounds great.  Almost incorporates all of fgm's concerns/input  
about using the same tools for a maintainer's usual workflow, without  
it all happening publicly.  Seems like it should satisfy DragonWize  
and David Metzler's concerns about easy collaboration with other  
project maintainers, transparency, using revision control, beta  
testers, and having familiar tools.  Certainly satisfies me, and I'm  
pretty sure the rest of the security team would agree.

> Looks like, implementation-wise, we need:
> 1. Script to sync up non-security team, CVS account-holding d.o  
> users and make them s.d.o users with only basic privileges (create  
> issues/access own issues)

Right.  New role on sec.d.o, and a script to sync all users in the  
"CVS users" role on d.o over to sec.d.o.

> 2. Script (or something) to sync CVS / CVS users between  
> cvs.drupal.org and cvs.security.drupal.org.

The script to sync CVS could just be a fine grained, manually  
triggered, 1 way rsync from different directories in cvs.d.o to the  
different private repos on cvs.sec.d.o.

Users would just be to dump the CVS access tab for each project on  
sec.d.o into the CVSROOT/passwd file for that project's private repo  
on cvs.sec.d.o.

> 3. Script to sync d.o projects / owners / maintainers with s.d.o  
> projects / owners / maintainers.

Seems like pretty trivial stuff here.  I don't even care about all  
the fields.  Title, shortname,  owner, cvs access tab, and perhaps  
body would do.  The rest is fluff as far as sec.d.o is concerned.

> So.. lots of synching. But in the end, I think this actually  
> *saves* the Security Team tons of time, both at the outset (the  
> developer is the one who initiates the process) and also in ongoing  
> education (the team is no longer a "black box" where the developer  
> is waiting for information but instead feeding out useful  
> information to developers as the reviewing process is happening).

Yes.  After the initial work to setup the new system, I think this  
will hugely ease the job of the sec team, and will significantly aid  
in the education aspects of our work.  We can even try to get the  
module maintainers to write the first drafts of the SAs for a change,  
and be more directly involved in editing/reviewing those, too. ;)

> Huge +1 to the automated testing stuff too, but probably best to  
> start simple first. :)

Agreed.  One step at a time, but that's definitely low hanging fruit  
as soon as the basics are up, working, and documented.

>> I'm willing to work with you (or someone) to do this synching  
>> stuff. I don't think I have the time/knowledge to do it alone.

As always, webchick, I'd love to work with you on this.  I'd just be  
thrilled to see some other hands show up.  You and I end up working  
together on a lot of improvements to Drupal on our own (in spite of  
our nearly constant efforts to try to get others involved)...

-Derek (dww)

More information about the development mailing list