tl;dr: If you've ever landed a security fix, please check in your public testcases <https://bugzilla.mozilla.org/buglist.cgi?quicksearch=FIX flag%3Ain-testsuite%3F kw%3Asec- -group:security assignee%3A%25user%25&list_id=15143122>.
We've long worried that if we landed tests along with our security fixes, attackers could develop and deploy an "N-day" exploit before we could get the fixes into the hands of our users. This is not paranoia; there are people who do this <https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/>.

We've done a great job preventing this, in part by withholding tests and marking bugs with the *in-testsuite?* flag so that the tests land later, when the bug is public (at which time the flag is changed to *in-testsuite+*). We need to do better at the remembering-to-land part.

If you've fixed a security bug in the past, please check whether you have any hanging *in-testsuite?* bugs for bugs that are now public. You can find this query and other useful information about how to handle security bugs on our Security Bug Life Cycle <https://wiki.mozilla.org/Security/Firefox/Security_Bug_Life_Cycle> page, or click the link in the "tl;dr" above.

-Dan Veditz

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform