Edit summaries (previous revision, then new revision):
* sec-approval is not a rating-assigning mechanism
* short explanation why obfuscation isn't always a toxic anti-pattern
Line 71 (identical in both revisions):

If your security patch looks obvious because of the code it contains (e.g. a one-line fix), or if you really need to push to Try servers, '''consider integrating your security-related patch to non-security work in the same area'''.
And/or pretend it is related to something else, like some performance improvement or a correctness fix.

Previous revision:

This will help making the security issue less easily identifiable.

New revision:

This will help making the security issue less easily identifiable. (The absolute ban against "Security through Obscurity" is in relation to cryptographic systems. In other situations you still can't ''rely'' on obscurity but it can sometimes buy you a little time. In this context we need to get the fixes into the hands of our users faster than attackers can weaponize and deploy attacks and a little extra time can help.)
===Landing sec-high and sec-critical bugs===