[development] Think there's a security problem in your module? Here's what to do.
Derek Wright
drupal at dwwright.net
Fri Jan 18 09:08:42 UTC 2008
On Jan 17, 2008, at 11:27 PM, Khalid Baheyeldin wrote:
> First, is it scalable?
Very. In fact, it's VASTLY more scalable than the existing process/
workflow.
> It requires significant security team's manpower.
Not at all. Only to get the initial sync stuff working.
> Second, a snapshot can get stale vs. the code at cvs.d.o , and all
> sorts of interesting stuff can happen.
That's why we'll still try to use patches in the (sec.d.o) issue
queue, and if we have to, we just re-rsync the CVS dir on cvs.d.o to
that project's private repo on cvs.sec.d.o again while we're working
on something, re-apply the patches, etc.
Alternately, we could consider using vendor branches on these private
repos to help merge local changes.
If we wanted to get really crazy, we could start to experiment with
distributed revision control (e.g. git.sec.d.o) to help manage
private repos for _some_ of the projects on sec.d.o. I know people
who've have great luck importing a CVS checkout, "CVS" directory and
all, into other revision control systems. They make local
modifications and commit to the other RCS. Then, they run "cvs up"
in the checkout, the CVS directory kicks in, CVS tries to merge in
upstream changes, you resolve conflicts, and commit that again
locally to the alternate RCS. Could work great, at least for
projects where the maintainer is already familiar and would rather
work with another tool for this task, but that would depend at the
very least on people helping to complete the to-do list here:
http://groups.drupal.org/node/8102
and then implementing other versioncontrol API backend modules for
whatever tool(s) they wanted to be able to use for this.
> Third, back synching the cvs-security.d.o to cvs.d.o after the SA
> process
> is done is a lot of work, and could introduce errors.
Not at all. It's just the identical workflow for maintainers to
commit an RTBC patch from an issue to their official cvs.d.o
directory. Even if we got crazy with other RCSs, you just update
your workspace to the latest copy in $RCS, which is itself a "Locally
modified" CVS workspace from CVS's perspective. You run "cvs diff -
up" and you've got a perfectly synced, clean patch to apply upstream.
-Derek (dww)
More information about the development
mailing list