[development] Think there's a security problem in your module? Here's what to do.

[Derek Wright]

On Jan 18, 2008, at 8:44 PM, David Metzler wrote:

> Thanks for the willingess to consider changes.

Gladly.

> I'd agree in starting small.

Completely.  These grand plan threads always turn into lists of  
issues, and often just implementing the first few go a long way in  
fixing the problem.

>   Having an issue queue where code could be posted shared and  
> tested does go a long way to alleviating my concerns.  I could  
> probably get by with the testing of an applied patch, or whole  
> module file.

Great.

> We should factor in some way of bringing in the user that reported  
> the problem.  Particularly if they are doing so because they've  
> been exploited.  This has never happened to me yet, but seems like  
> the prudent thing to do.   I'm sure accommodations for bringing  
> others into the issue queue can be made on a case by case basis at  
> the security teams discretion.

Yup, all good.  An obvious solution here is make every project an OG  
(closed/invite-only), which would solve *lots* of other problems at  
the same time.  I can't wait to do that on d.o itself.

> I think I would probably use the custom CVS repository, but I know  
> that I'm different enough in my use of CVS, and deployment  
> strategies, that it may not be worth the effort to develop just for  
> me.  Let's wait till we here more requests.

Sounds good.

> Thanks again for listening.

Agreed.  Thanks,
-Derek