Avoiding Future Security Bug Regressions
Max Kanat-Alexander
mkanat at bugzilla.org
Wed Feb 4 23:21:49 UTC 2009
On Thu, 05 Feb 2009 00:09:07 +0100 "Frédéric Buclin"
<lpsolit at gmail.com> wrote:
> The number of security bugs has nothing to do here. We could have
> checked in only one and still triggered the problems reported.
Well, for example, calling srand() at compile time happened
because of the process_bug CSRF patch, but it was particularly bad
because we were using tokens to protect private attachments.
> What you suggest wouldn't have prevented the regressions from
> occurring,
It absolutely would have. We did a release within 9 hours--24
hours would have caught the most important problem. If we said "24
hours without a major regression from the security patches" it would
have caught all regressions that we've found so far.
> and bmo is probably not going to be upgraded all the time to
> test a security patch.
I don't know if you're just being argumentative on purpose, or
if there is a communication problem, but what I wrote above was clearly
that the policy would be limited to invasive patches.
> Also, I think this kind of discussion should first take place
> elsewhere before being posted here.
I figured that you would reply along with everybody else here,
and I wanted to write it as an email, and I felt it was something that
the community should be exposed to the discussion on. I also didn't
think it was that controversial.
-Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
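Max's remark above about srand() being called at compile time is the kind of regression that is hard to see in a diff and easy to see in a running pre-forking server. The following is an added illustration, not Bugzilla's code and not a reconstruction of the process_bug patch: weak_token() and strong_token() are hypothetical stand-ins for a rand()-based token and a kernel-CSPRNG-based one, and the script assumes a Unix system with fork() and /dev/urandom. It seeds the generator in a BEGIN block, which is what a top-level srand() in a module does when Apache/mod_perl loads it in the parent, then forks children the way a prefork server does and compares the tokens they produce.

```perl
#!/usr/bin/perl
# Added example: why a compile-time srand() undermines rand()-based tokens in a
# pre-forking server (prefork Apache with mod_perl). Illustrative code only; it is
# not Bugzilla's token code and the helper names below are hypothetical.
use strict;
use warnings;

# The mistake: seeding once while the code is being loaded. In a module a
# top-level srand() or a BEGIN block runs in the parent, before any fork().
BEGIN { srand() }

# Hypothetical token built from rand(), standing in for any rand()-based scheme.
sub weak_token {
    return join '', map { sprintf '%08x', int(rand(2**32)) } 1 .. 4;
}

# Hypothetical token from the kernel CSPRNG. Nothing is inherited across
# fork(), so every child gets fresh bytes no matter when it was started.
sub strong_token {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Fork $n children (one per "request"), let each produce a token with $make,
# and collect the tokens in the parent through a pipe.
sub tokens_from_children {
    my ($make, $n) = @_;
    my @tokens;
    for (1 .. $n) {
        pipe(my $rd, my $wr) or die "pipe: $!";
        my $pid = fork();
        die "fork: $!" unless defined $pid;
        if ($pid == 0) {
            close $rd;
            print {$wr} $make->(), "\n";
            close $wr;
            exit 0;
        }
        close $wr;
        chomp(my $token = <$rd>);
        close $rd;
        waitpid($pid, 0);
        push @tokens, $token;
    }
    return @tokens;
}

sub count_distinct {
    my %seen = map { $_ => 1 } @_;
    return scalar keys %seen;
}

# Every child inherits the parent's PRNG state, so they all emit the same
# "random" token: anyone who has seen one token can predict the others.
my @weak = tokens_from_children(\&weak_token, 3);
printf "rand() seeded at compile time: %d children, %d distinct token(s)\n",
    scalar @weak, count_distinct(@weak);

# Reading the kernel CSPRNG in each child avoids both the shared state and
# the use of a non-cryptographic generator for a security token.
my @strong = tokens_from_children(\&strong_token, 3);
printf "/dev/urandom read per child: %d children, %d distinct token(s)\n",
    scalar @strong, count_distinct(@strong);
```

Two things worth knowing when reading the output. First, the explicit srand() is what creates the problem: perldoc -f srand documents that if srand() is never called, Perl seeds the generator implicitly on the first rand() call, which in a prefork server would happen separately in each child. A compile-time srand() replaces that per-child seeding with one shared seed. Second, calling srand() again in every child (or on every request) only makes the sequences differ; rand() is still not a cryptographic generator, so a token that protects something such as a private attachment should come from a CSPRNG, as strong_token() does here.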