Seems like it ought to be straightforward to do something to cause in-testsuite? flags to send mail occasionally, or show up on some dashboard, or...

Dan

On Tue., 10 Sept. 2019 at 09:11, Andrew McCreight <amccrei...@mozilla.com> wrote:
>
> On Tue, Sep 10, 2019 at 4:55 PM Dave Townsend <dtowns...@mozilla.com> wrote:
>
> > On Mon, Sep 9, 2019 at 6:01 PM Jeff Walden <jwal...@mit.edu> wrote:
> >
> > > Those of you longer in the tooth may remember Firefox was successfully
> > > exploited in Pwn2own 2012...and we didn't have to lift a finger to fix it.
> > > We already had -- in the Firefox release shipping days later. 🤦
> > >
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=735104 (pwn2own bug)
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=720511 (cover bug, discussion only of a spec-compliance issue)
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=720079 (sec bug noting the sec issue)
> > >
> > > We later discussed whether the exploit had been "achieved" by reading our
> > > public commits. https://bugzilla.mozilla.org/show_bug.cgi?id=735104#c2
> > > The fruit of this discussion was our security approval process, where
> > > security patches land only after approval, in relative lockstep close to
> > > release, with incriminating tests/comments removed. This is also where
> > > sec-approval comment hoop-jumping began.
> >
> > How often do we go back and land those tests and comments after the fix has
> > been in the release builds for a suitable amount of time?
>
> In theory, you should set the in-testsuite? flag when you land without the
> test, and then when the bug is opened, land the test, but in practice I
> don't think anybody makes sure that happens. I feel like I've seen one or
> two cases over the years where we fixed some sec issue, no test landed,
> then much later we regressed it.
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform