Avoiding Future Security Bug Regressions

Max Kanat-Alexander mkanat at bugzilla.org
Thu Feb 5 18:18:41 UTC 2009


On Thu, 5 Feb 2009 10:19:59 -0600 Bradley Baetz <bbaetz at acm.org> wrote:
> What we could have done is to put out an rc, with the promise that the
> only difference to the final would be any regression fixes from the
> security patch (and the version number bump). 

	I think that would be confusing and difficult, since that would
be two release processes, and we don't have any mechanisms in place to
have RCs of point releases.

> Admins on public
> instances could have upgraded and would have been no worse off, while
> internal/less critical installations could have waited.

	In this particular case public instances would have been much
worse off--private attachments were accessible with a predictable token
when before they were secure. All existing CSRF protection was
defeated. Internal installations were always fine.

	-Max
-- 
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.