Avoiding Future Security Bug Regressions
Bradley Baetz
bbaetz at acm.org
Thu Feb 5 16:19:59 UTC 2009
On Thu, Feb 5, 2009 at 5:04 AM, David Miller <justdave at bugzilla.org> wrote:
> SnowyOwl wrote on 2/5/09 5:26 AM:
>> This is a question of b.m.o source version control being open OR
>> closed (at least at times) to avoid premature disclosure.
>>
>> If we manage to keep a "private branch" in future DVCS, namely, commit
>> all patches except security sensitive into open branch and run b.m.o
>> from private branch -- this may satisfy both sides.
>
> bmo is already on a DVCS branch of its own (that could have been closed
> if needed). The point was that the fix was blatantly obvious (you wound
> up on a different domain name), and anyone with a slight knowledge of
> web security would probably realize the reason why pretty quickly.
What we could have done is to put out an rc, with the promise that the
only difference to the final would be any regression fixes from the
security patch (and the version number bump). Admins on public
instances could have upgraded and would have been no worse off, while
internal/less critical installations could have waited.
In reality, bmo is our test suite. That's not a good thing (and I don't
think mozilla likes it as much as they used to), but it's the reality.
Bradley