Security/Firefox security bug fixing: Difference between revisions

(sec-approval+ may not be for immediate landing)
Line 70:


If your security patch looks obvious because of the code it contains (e.g. a one-line fix), or if you really need to push to Try servers, '''consider integrating your security-related patch into non-security work in the same area'''.
And/or pretend it is related to something else, like some performance improvement or a correctness fix. '''Definitely don't include the bug number in the commit message.'''
This will help make the security issue less easily identifiable. (The absolute ban against "Security through Obscurity" is in relation to cryptographic systems. In other situations you still can't ''rely'' on obscurity, but it can sometimes buy you a little time. In this context we need to get the fixes into the hands of our users faster than attackers can weaponize and deploy attacks, and a little extra time can help.)

