Security/Firefox/Security Bug Life Cycle

Testcases for vulnerability fixes should be split into a separate patch for this "sec-approval" process. These testcases should land ''after'' we have shipped the fix in Release, usually by a few weeks, to give users time to apply the update (a landed testcase is effectively a public proof-of-concept for the bug). We '''must''' track the task of landing these patches later. You have two main options, and either is fine. A task bug is more upfront work but more straightforward; the flag is easy to set but requires more follow-up.


# Create a task bug assigned to yourself ("Land tests for bug XXXX") that depends on the vulnerability bug. It must be a hidden security bug like the main vulnerability. Add the keyword '''sec-other'''.
# Or, track it in the original bug using the '''in-testsuite?''' flag. If you go this route you must remember to check for un-landed tests (queries below). Once the tests are landed, change the flag to '''in-testsuite+'''.




[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20sec-approval%3F '''Pending sec-approval requests''']<br>
[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=FIX%20flag%3Ain-testsuite%3F%20kw%3Asec-%20assignee%3A%25user%25 '''"My" security bug testcases that need landing'''] (personalized)<br>
[https://bugzilla.mozilla.org/buglist.cgi?quicksearch=FIX%20flag%3Ain-testsuite%3F%20kw%3Asec-&limit=0&order=cf_last_resolved '''All unlanded testcases for fixed security bugs''']


== Verifying Fixes ==