[development] Think there's a security problem in your module? Here's what to do.

Greg Knaddison - GVS Greg at GrowingVentureSolutions.com
Fri Jan 18 17:16:51 UTC 2008


On Jan 18, 2008 5:49 AM, Angela Byron <drupal-devel at webchick.net> wrote:
>  > Not only is it all technically feasible, it wouldn't even be *that* much
>  > work to set up the initial proposal you described, and at least the
>  > automated simpletests for the core repo on cvs.sec.d.o.
>
> Oh, wow! That was totally not the "ARE YOU ON *CRACK*??" response I was
> expecting. :)
>
> Ok, so. New and improved workflow!
>
> 1. Security hole found! OMG!
> 2. Head to security.drupal.org and log in (same as d.o credentials)
> 3. Post an issue informing the security team about the bug (they're
> emailed automatically on new issues). This issue is private to only you
> and the security team members.
> 4. Work with the Security Team in the issue to come up with/test a patch
> that fixes the bug.

I like the process up to here.  It helps the contrib maintainers to
understand the process.  It would need serious testing to make sure
that we don't accidentally leak more information than necessary.


> 5. Once a consensus is reached, commit it to your module on
> cvs.security.drupal.org. Run through your normal testing procedures and
> make sure things look good.

I don't see how this adds much more value over:

# fetch the patch under a known name, then apply it from the module root
wget -O security_patch_revision_3.patch http://example.com/path_to_patch
patch -p0 < security_patch_revision_3.patch

But, if you and dww both really like this and want to work on it I
certainly won't stand in the way.  It seems lower value to me but I am
not in charge of your schedules.

> 6. Follow the Security Team's instructions on how to go about
> creating/announcing the release.

Yes, please.

Regards,
Greg

-- 
Greg Knaddison
Denver, CO | http://knaddison.com
World Spanish Tour | http://wanderlusting.org/user/greg

