Avoiding Future Security Bug Regressions

Reed Loden reed at reedloden.com
Wed Feb 4 22:43:31 UTC 2009


On Wed, 4 Feb 2009 14:23:37 -0800
Max Kanat-Alexander <mkanat at bugzilla.org> wrote:

> 	1) No matter what, no more than one *invasive* security patch
> 	   per release.

That doesn't make sense at all, imho. If there are critical security
bugs that need to get fixed, they should get fixed ASAP and not depend
on waiting until some future release. You shouldn't be risking users
just because you don't want Bugzilla to look bad for having to release
twice within 24 hours. Security problems, especially with a bug
tracking database that contains sensitive testcases, are extremely bad
and shouldn't be treated like they can wait indefinitely.

If this same policy were applied to Firefox, we'd be releasing a new
version multiple times a month, as it's pretty common to have invasive
security patches in order to get bugs fixed. While developers do the
best they can to make branch patches small and contained, sometimes an
invasive patch is necessary.

~reed

-- 
Reed Loden - <reed at reedloden.com>
