Avoiding Future Security Bug Regressions

David Miller justdave at bugzilla.org
Thu Feb 5 11:04:16 UTC 2009


SnowyOwl wrote on 2/5/09 5:26 AM:
> This is a question of b.m.o source version control being open OR
> closed (at least at times) to avoid premature disclosure.
> 
> If we manage to keep a "private branch" in future DVCS, namely, commit
> all patches except security sensitive into open branch and run b.m.o
> from private branch -- this may satisfy both sides.

bmo is already on a DVCS branch of its own (that could have been closed
if needed).  The point was that the fix was blatantly obvious (you wound
up on a different domain name), and anyone with a slight knowledge of
web security would probably realize the reason why pretty quickly.

There have actually been several times in the past when we've had security
patches applied on bmo before they were publicly available.  Most of the
time they're not user-visible issues (sanitizing user input, etc).

This particular one just didn't lend itself well to that.

-- 
Dave Miller                                   http://www.justdave.net/
System Administrator, Mozilla Corporation      http://www.mozilla.com/
Project Leader, Bugzilla Bug Tracking System  http://www.bugzilla.org/
