Thread: Re: Think there's a security problem in your module? Here's what to do.

Re: Think there's a security problem in your module? Here's what to do.
2008-01-18 22:44:06
First, thanks for the willingness to consider changes. I appreciate it. I'm on board too.

I'd agree in starting small. Having an issue queue where code could be posted, shared and tested does go a long way to alleviating my concerns. I could probably get by with the testing of an applied patch, or whole module file.

We should factor in some way of bringing in the user that reported the problem, particularly if they are doing so because they've been exploited. This has never happened to me yet, but seems like the prudent thing to do. I'm sure accommodations for bringing others into the issue queue can be made on a case by case basis at the security team's discretion.

I think I would probably use the custom CVS repository, but I know that I'm different enough in my use of CVS, and deployment strategies, that it may not be worth the effort to develop just for me. Let's wait till we hear more requests.

Thanks again for listening.

Dave

On Jan 18, 2008, at 1:32 PM, Derek Wright wrote:

>
> On Jan 18, 2008, at 12:14 PM, Angela Byron wrote:
>
>> I'm +1 to its removal, but defer to dww since he knows a lot
>> better than me (or probably most of us ;)) what would be involved
>> here, and how much work it would actually cost/save.
>
>

Re: Think there's a security problem in your module? Here's what to do.
2008-01-19 00:43:56
On Jan 18, 2008, at 8:44 PM, David Metzler wrote:

> Thanks for the willingness to consider changes.

Gladly.

> I'd agree in starting small.

Completely. These grand plan threads always turn into lists of issues, and often just implementing the first few goes a long way in fixing the problem.

> Having an issue queue where code could be posted, shared and
> tested does go a long way to alleviating my concerns. I could
> probably get by with the testing of an applied patch, or whole
> module file.

Great.

> We should factor in some way of bringing in the user that reported
> the problem. Particularly if they are doing so because they've
> been exploited. This has never happened to me yet, but seems like
> the prudent thing to do. I'm sure accommodations for bringing
> others into the issue queue can be made on a case by case basis at
> the security team's discretion.

Yup, all good. An obvious solution here is to make every project an OG (closed/invite-only), which would solve *lots* of other problems at the same time. I can't wait to do that on d.o itself.

> I think I would probably use the custom CVS repository, but I know
> that I'm different enough in my use of CVS, and deployment
> strategies, that it may not be worth the effort to develop just for
> me. Let's wait till we hear more requests.

Sounds good.

> Thanks again for listening.

Agreed.  Thanks,
-Derek


