[development] Think there's a security problem in your module? Here's what to do.
Derek Wright
drupal at dwwright.net
Sat Jan 19 06:43:56 UTC 2008
On Jan 18, 2008, at 8:44 PM, David Metzler wrote:
> Thanks for the willingness to consider changes.
Gladly.
> I'd agree in starting small.
Completely. These grand plan threads always turn into lists of
issues, and often just implementing the first few go a long way in
fixing the problem.
> Having an issue queue where code could be posted, shared and
> tested does go a long way to alleviating my concerns. I could
> probably get by with the testing of an applied patch, or whole
> module file.
Great.
> We should factor in some way of bringing in the user that reported
> the problem. Particularly if they are doing so because they've
> been exploited. This has never happened to me yet, but seems like
> the prudent thing to do. I'm sure accommodations for bringing
> others into the issue queue can be made on a case by case basis at
> the security team's discretion.
Yup, all good. An obvious solution here is to make every project an OG
(closed/invite-only), which would solve *lots* of other problems at
the same time. I can't wait to do that on d.o itself.
> I think I would probably use the custom CVS repository, but I know
> that I'm different enough in my use of CVS, and deployment
> strategies, that it may not be worth the effort to develop just for
> me. Let's wait till we hear more requests.
Sounds good.
> Thanks again for listening.
Agreed. Thanks,
-Derek