[development] Think there's a security problem in your module? Here's what to do.

David Metzler metzlerd at metzlerd.com
Sat Jan 19 04:44:06 UTC 2008

First, Thanks for the willingess to consider changes.  I appreciate  
it.   I'm on board too.

I'd agree in starting small.  Having an issue queue where code could  
be posted shared and tested does go a long way to alleviating my  
concerns.  I could probably get by with the testing of an applied  
patch, or whole module file.

We should factor in some way of bringing in the user that reported  
the problem.  Particularly if they are doing so because they've been  
exploited.  This has never happened to me yet, but seems like the  
prudent thing to do.   I'm sure accommodations for bringing others  
into the issue queue can be made on a case by case basis at the  
security teams discretion.

I think I would probably use the custom CVS repository, but I know  
that I'm different enough in my use of CVS, and deployment  
strategies, that it may not be worth the effort to develop just for  
me.  Let's wait till we here more requests.

Thanks again for listening.


On Jan 18, 2008, at 1:32 PM, Derek Wright wrote:

> On Jan 18, 2008, at 12:14 PM, Angela Byron wrote:
>> I'm +1 to its removal, but defer to dww since he knows a lot  
>> better than me (or probably most of us ;)) what would be involved  
>> here, and how much work it would actually cost/save.

More information about the development mailing list