[webkit-dev] rolling out a buggy security patch

Adam Barth abarth at webkit.org
Tue Mar 12 01:48:23 PDT 2013


On Tue, Mar 12, 2013 at 1:36 AM, Osztrogonác Csaba <oszi at inf.u-szeged.hu> wrote:
> But my question is still open about how can we avoid similar
> problems in the future. Why can't we let the EWS bots to
> build and test security patches before commit.

This topic was discussed on the webkit-security mailing list in May
2010.  Unfortunately, the archives of that list are not viewable
publicly.  Maciej's concerns at the time are summaries in his message
below:

On Tue, Oct 19, 2010 at 6:16 PM, Maciej Stachowiak <mjs at apple.com> wrote:
> The commit bot is not a person and therefore can't agree to the security group policy, as required for security group membership.
>
> If a specific person or persons want to take responsibility for an additional email account and bugzilla account having security access, then that's not categorically excluded. But I'd like to understand who currently has access to the commit bot's email account and bugzilla account, what the policies are for more people getting access, and whether there are indirect ways of getting access such as by modifying the commit bot's code, or by uploading a patch that tries to abuse the EWS testers. And I'd like to see at least one person named to take responsibility for ensuring that the commit bot is not used as a means of violating the policy.

Of course, it's entirely possible that his views have changed since then.

Adam


More information about the webkit-dev mailing list