On Tue, Sep 10, 2019 at 4:55 PM Dave Townsend <dtowns...@mozilla.com> wrote:
> On Mon, Sep 9, 2019 at 6:01 PM Jeff Walden <jwal...@mit.edu> wrote:
>
> > Those of you longer in the tooth may remember Firefox was successfully
> > exploited in Pwn2own 2012...and we didn't have to lift a finger to fix it.
> > We already had -- in the Firefox release shipping days later. 🤦
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=735104 (pwn2own bug)
> > https://bugzilla.mozilla.org/show_bug.cgi?id=720511 (cover bug,
> > discussion only of a spec-compliance issue)
> > https://bugzilla.mozilla.org/show_bug.cgi?id=720079 (sec bug noting the
> > sec issue)
> >
> > We later discussed whether the exploit had been "achieved" by reading our
> > public commits. https://bugzilla.mozilla.org/show_bug.cgi?id=735104#c2
> > The fruit of this discussion was our security approval process, where
> > security patches land only after approval, in relative lockstep close to
> > release, with incriminating tests/comments removed. This is also where
> > sec-approval comment hoop-jumping began.
>
> How often do we go back and land those tests and comments after the fix has
> been in the release builds for a suitable amount of time?

In theory, you should set the in-testsuite? flag when you land without the
test, and then when the bug is opened, land the test, but in practice I don't
think anybody makes sure that happens. I feel like I've seen one or two cases
over the years where we fixed some sec issue, no test landed, then much later
we regressed it.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform