[development] Think there's a security problem in your module? Here's what to do.

Derek Wright drupal at dwwright.net
Fri Jan 18 09:08:59 UTC 2008

On Jan 17, 2008, at 11:52 PM, DragonWize wrote:
> My two main concerns are:
> 1. The process has to be simple (ie not like U.S. Tax laws :))

Basically, think of it as the "security" subdomain of d.o.  You have  
a CVS repo, a project node, an issue queue, automated simpletesting,  
everything you're used to on d.o, but only you, your co-maintainers,  
your inner circle of alpha/beta testers, and the security team, get  
to see it.  Is that simple enough?

> 2. Don't stop me from developing my module. As drupal becomes more  
> a part of my business and my livelihood, taking 2 weeks off is not  
> an option.

Ah ha, another miscommunication has been uncovered, yay!  I never  
said nor meant to imply "halt all development and stop committing any  
changes to your module until further notice."  Feel free to keep  
developing your module, working on patches in the issue queue, fixing  
bugs, working on new features in your new feature branches, whatever  
you want.  Just please try not to touch the vulnerable code at all,  
try to keep your stable branches stable (as always), and definitely  
try not to disclose the vulnerability in any way.  Ideally, if you  
can hold off for those 0-3 weeks from modifying the vulnerable code  
at all in the public repo, that'd be best, but we're not going to  
call you irresponsible or a careless traitor to the security of the  
project if you end up refactoring code that touches the vulnerability  
or something.  We're all reasonable people here, and we're operating  
on the basic assumption that d.o CVS account holders are willing and  
trying to Do The Right Thing(tm), given enough information and help.   
We just ask a similar degree of goodwill and trust that the security  
team isn't trying to impede on your livelihood as a Drupal  
developer.  Everyone profits and benefits tremendously from our  
work.  In fact, I doubt many people could make a living with Drupal  
at all if we didn't have as kick-ass a security team as we do (and  
that's directed at the giants on whose shoulders I'm standing).

> If your proposals fulfill these objectives then count me in.

I believe they do.  Welcome aboard. :)

-Derek (dww)
