[TYPO3-core] Combining security and bugfix releases

Oliver Hader oliver.hader at typo3.org
Mon Dec 19 09:10:06 CET 2011


Hi Christian,

Am 19.12.11 03:37, schrieb Christian Lerrahn:
> Hi guys,
> I've decided to dare to publicly question the choice to make 4.5.9 a
> combined bugfix and security release here. I was rather worried
> when I saw that this was the case because I believe that security
> releases should never take their chances of breaking things unrelated
> to the security problem.
> 
> The bug obviously introduced in version 4.5.9 which was reported at
> http://forge.typo3.org/issues/32625 seems to prove my point. Now, in
> this bug's case, it can just be worked around via suitable
> configuration but what if it had been a total show stopper? There would
> have had to be a new release and people would have had to update again.
> 
> I believe that if the release manager feels like publishing bugfixes
> along with a security related release, two releases should be issued in
> one day. That way, the conservative admin can go for the first one
> which only fixes the security problem and the more daring one can
> take his chances with the second one which adds the bugfixes.
> 
> Well, this is just my five cents worth and I'm happy for people to
> comment and tell me why I'm totally and utterly wrong to hold such an
> opinion. ;)

Thanks for your feedback on this, however the issue you mentioned was
not part of the security bug fixing process - it was committed to Git
earlier without properly checking its functionality - thus the review
process is the thing to be improved.

However, I agree that having separate bug and security releases would
lower the chances of regressions - but it still depends on active
reviewing and testing.

But in this case the security issue was already exploitable and was
found in several webserver logfiles (no damage to the systems, since
there is only a limited number of people having register_globals
enabled). Thus, we had a pre-announcement and the releases the next day
- it just had to be handled urgently.

Since RTE is a basic thing, we will have new releases with the fixes
tomorrow then - prior to the release of TYPO3 4.7 alpha2.

Cheers,
Olly
-- 
Oliver Hader
TYPO3 v4 Core Team Leader

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org
