[asterisk-dev] What happened with the latest round of releases: or, "whoops"

Matthew Jordan mjordan at digium.com
Fri Jun 13 02:12:57 CDT 2014 

Apologies if this e-mail gets a bit rambling; by the time I send this it
will be past 2 AM here in the US and we've been scrambling to fix the
regression caused by r415972 without reintroducing the vulnerability it
fixed for the past 9 hours or so.

Clearly, there are things we should have done better to catch this before
the security releases went out yesterday. The regression was serious enough
that plenty of tests in the Test Suite caught the error - in fact,
development of a test on a local dev machine was how we discovered that the
regression had occurred.

At the same time, this problem exposes a hole in our security issue +
release process: namely, that in order to maintain security, transparency
of the issues and patches is sacrificed. The first instance where a
security issue is made public is when the commit for the issue occurs, and
at that point, a clock starts ticking: we have to get releases made as fast
as possible, as the vulnerabilities are now known. Typically, this means
the following:
(1) Security issues are visible only to bug marshals (those with commit
access) and the issue reporter
(2) Security issues are tagged typically with a "Security" label +
(hopefully) a good summary to aid in filters and searches
(3) Peer review of patches typically occurs on the issue with the reporter.
Often, only the reporter verifies the fixes
(4) Here at Digium, we do peer review all security fixes - but disregarding
communication that occurs on the issue, much of that occurs internally as
public e-mails would result in a disclosure of the vulnerability

So my question to you, fellow developers in the community: how can we
improve this? Can we do something different that would maintain security
for users of Asterisk, while encouraging more participation from the
community in the development, review, and testing of security patches?

Matt

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20140613/f3a8a5c5/attachment-0001.html>

More information about the asterisk-dev mailing list