[OPEN-ILS-DEV] Draft overview of current process for handling security bugs

Bill Erickson berick at esilibrary.com
Thu Dec 27 14:46:21 EST 2012


Re-sending since my previous attempt failed.  -b

On Mon, Dec 17, 2012 at 1:54 PM, Bill Erickson <berick at esilibrary.com> wrote:

>
> On Mon, Dec 17, 2012 at 12:36 PM, Jeff Godin <jgodin at tadl.org> wrote:
>
>> Greetings-
>>
>> In an effort to document some of the process of handling security bugs in
>> Evergreen, I've drafted the following:
>>
>> http://evergreen-ils.org/dokuwiki/doku.php?id=dev:security
>>
>> None of this should be new, but it was decided at the last dev meeting
>> that it would be useful to get the current process written down somewhere,
>> as we consider changes especially with regard to testing of future security
>> releases.
>>
>> I would appreciate any edits or feedback, especially from others with
>> hands-on involvement in this process.
>>
>
> This looks great, Jeff.
>
> There was some talk in IRC a few weeks back about possibly announcing
> fixes to security bugs before they were merged and rolled into a set of
> releases.  In other words, the announcement (complete with code,
> upgrade-in-place instructions, and a call for testers) would be made as
> soon as a viable fix was available.  The idea there was to broaden the pool
> of testers so that when the final releases and/or upgrade-in-place
> instructions were cut, they were as ready as they could be.  Are we still
> considering this as an option or do we want to stick with the way we've
> been doing it?
>
> I'm personally in favor of earlier notification.  Apart from bringing in
> more testers, it allows us to perform the final stages of release cutting
> in public, which is significantly faster and less error-prone than doing it
> all behind closed doors.
>
> -b
>
> --
> Bill Erickson
> | Senior Software Developer
> | phone: 877-OPEN-ILS (673-6457)
> | email: berick at esilibrary.com
> | web: http://esilibrary.com
> | Equinox Software, Inc. / Your Library's Guide to Open Source
>
>
>


-- 
Bill Erickson
| Senior Software Developer
| phone: 877-OPEN-ILS (673-6457)
| email: berick at esilibrary.com
| web: http://esilibrary.com
| Equinox Software, Inc. / Your Library's Guide to Open Source