[TYPO3-dev] security releases and regression issues

Marcus Krause marcus#exp2010 at t3sec.info
Tue Oct 12 13:01:58 CEST 2010


Hi!


You can assume that regressions are considered to be annoying and we try
to reduce them to a minimum or avoid them at all.

Regressions have been internally discussed several times. It's not
something that comes to our attention by this thread for the first time.


Addressing some suggestions:

Jigal van Hemert wrote on 10/12/2010 12:12 PM:
> [...]
> Will more unit tests and a continuous integration server help?

If appropriate, unit tests are created together with security fixes.
The more of the code is covered by tests, the better prepared we are
for regressions. You certainly know that only small parts are covered by
tests.


> Tests by (core) developers with a non-disclosure contract?

This is already done. Currently:
In most cases, security fixes are created by security team members and
put up for review on an internal mailing list. Then, patches are reviewed by
other security team members and core team members.

Usually this is done by some kind of taskforce consisting of core and
security team members.

Just like in the public core mailing list, not all team members have
time or are interested in specific topics. This is not something to
blame anyone for.

I personally don't see the integration (w or w/o NDA) of external
developers (non-core/non-security) in the review process for the near
future.

Improvements to the review process are being discussed and planned.
Of course we're interested in proposals which might be mentioned in this
thread. Any discussion is welcome.


See also
http://www.slideshare.net/oliverklee/everything-you-need-to-know-about-the-typo3-security-team
page 29ff


Marcus.
