Avoiding Future Security Bug Regressions

Max Kanat-Alexander mkanat at bugzilla.org
Thu Feb 5 02:11:21 UTC 2009


On Wed, 04 Feb 2009 18:50:25 -0500 David Miller <justdave at bugzilla.org>
wrote:
> This particular patch would have been on bmo about a month earlier if
> our management had their way.  

	Yeah, that's one reason why I think bmo is a good test bed,
because the security posture of Mozilla has stepped up so much recently
that I imagine they would welcome the opportunity to have early fixes
for any Bugzilla security problems (even if just 24 hours early).

> It was purposefully withheld from being
> deployed on bmo until after the security release was ready to go out
> because the nature of the patch made it obvious that the fix had been
> applied and would immediately clue in anyone who hadn't already
> realized it what would need to be done to exploit other Bugzilla
> installations that didn't have it yet.

	Yeah. That's why for things like that, I want to do it when the
release is basically entirely ready to go, and just test it for 24
hours. That would have caught the stuff we've found since the 3.2.1
release.

	-Max
-- 
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
