[development] Think there's a security problem in your module? Here's what to do.
Derek Wright
drupal at dwwright.net
Fri Jan 18 09:08:59 UTC 2008
On Jan 17, 2008, at 11:52 PM, DragonWize wrote:
> My two main concerns are:
>
> 1. The process has to be simple (ie not like U.S. Tax laws :))
Basically, think of it as the "security" subdomain of d.o. You have
a CVS repo, a project node, an issue queue, automated simpletesting,
everything you're used to on d.o, but only you, your co-maintainers,
your inner circle of alpha/beta testers, and the security team get
to see it. Is that simple enough?
> 2. Don't stop me from developing my module. As drupal becomes more
> a part of my business and my livelihood, taking 2 weeks off is not
> an option.
Ah ha, another miscommunication has been uncovered, yay! I never
said nor meant to imply "halt all development and stop committing any
changes to your module until further notice." Feel free to keep
developing your module, working on patches in the issue queue, fixing
bugs, working on new features in your new feature branches, whatever
you want. Just please try not to touch the vulnerable code at all,
try to keep your stable branches stable (as always), and definitely
try not to disclose the vulnerability in any way. Ideally, if you
can hold off for those 0-3 weeks from modifying the vulnerable code
at all in the public repo, that'd be best, but we're not going to
call you irresponsible or a careless traitor to the security of the
project if you end up refactoring code that touches the vulnerability
or something. We're all reasonable people here, and we're operating
on the basic assumption that d.o CVS account holders are willing and
trying to Do The Right Thing(tm), given enough information and help.
We just ask a similar degree of goodwill and trust that the security
team isn't trying to impede your livelihood as a Drupal
developer. Everyone profits and benefits tremendously from our
work. In fact, I doubt many people could make a living with Drupal
at all if we didn't have as kick-ass a security team as we do (and
that's directed at the giants on whose shoulders I'm standing).
> If your proposals fulfill these objectives then count me in.
I believe they do. Welcome aboard. :)
-Derek (dww)