Security/Bug Approval Process: Difference between revisions

adding options for remembering to check in tests later
* Separate out tests into a separate commit. '''Do not commit tests when the security bug fix is initially checked in.''' '''Remember we don’t want to 0-day ourselves!'''
** Tests should only be checked in later, after an official Firefox release that contains the fix has gone live, and not for at least four weeks following that release. For example, if Firefox 53 shipped with a security issue that affects the world and the issue is then fixed in 54, tests for this fix should not be checked in until four weeks after 54 goes live. The exception is a security issue that has never shipped in a release build and is being fixed on multiple development branches (such as mozilla-central and beta). Since the security problem was never released to the world, once the bug is fixed in all affected places, tests can be checked in to the various branches.
** There are two main techniques for remembering to check in the tests later:
*** Clone the sec bug into a hidden "task" bug ("land tests for bug xxxxx") and assign it to yourself. It should get the "sec-other" keyword.
*** Or, set the "in-testsuite" flag to "?", and later set it to "+" when the tests get checked in.



