Avoiding Future Security Bug Regressions

David Miller justdave at bugzilla.org
Wed Feb 4 23:50:25 UTC 2009


Max Kanat-Alexander wrote on 2/4/09 6:21 PM:
> 	It absolutely would have. We did a release within 9 hours--24
> hours would have caught the most important problem. If we said "24
> hours without a major regression from the security patches" it would
> have caught all regressions that we've found so far.
> 
>> and bmo is probably not going to be upgraded all the time to
>> test a security patch.
> 
> 	I don't know if you're just being argumentative on purpose, or
> if there is a communication problem, but what I wrote above was clearly
> that the policy would be limited to invasive patches.

This particular patch would have been on bmo about a month earlier if
our management had their way.  It was purposefully withheld from being
deployed on bmo until after the security release was ready to go out
because the nature of the patch made it obvious that the fix had been
applied and would immediately clue in anyone who hadn't already realized
it what would need to be done to exploit other Bugzilla installations
that didn't have it yet.

-- 
Dave Miller                                   http://www.justdave.net/
System Administrator, Mozilla Corporation      http://www.mozilla.com/
Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/
