[webkit-dev] rolling out a buggy security patch

Maciej Stachowiak mjs at apple.com
Tue Mar 12 02:26:47 PDT 2013


On Mar 12, 2013, at 1:48 AM, Adam Barth <abarth at webkit.org> wrote:

> On Tue, Mar 12, 2013 at 1:36 AM, Osztrogonác Csaba <oszi at inf.u-szeged.hu> wrote:
>> But my question is still open about how we can avoid similar
>> problems in the future. Why can't we let the EWS bots
>> build and test security patches before commit?
> 
> This topic was discussed on the webkit-security mailing list in May
> 2010.  Unfortunately, the archives of that list are not viewable
> publicly.  Maciej's concerns at the time are summarized in his message
> below:
> 
> On Tue, Oct 19, 2010 at 6:16 PM, Maciej Stachowiak <mjs at apple.com> wrote:
>> The commit bot is not a person and therefore can't agree to the security group policy, as required for security group membership.
>> 
>> If a specific person or persons want to take responsibility for an additional email account and bugzilla account having security access, then that's not categorically excluded. But I'd like to understand who currently has access to the commit bot's email account and bugzilla account, what the policies are for more people getting access, and whether there are indirect ways of getting access such as by modifying the commit bot's code, or by uploading a patch that tries to abuse the EWS testers. And I'd like to see at least one person named to take responsibility for ensuring that the commit bot is not used as a means of violating the policy.
> 
> Of course, it's entirely possible that his views have changed since then.

I am still curious who has access to the commit bot's bugzilla account. Is it a small set of known people, is it a large set, is the password sitting around somewhere that others may get at it? I do not recall this being answered at the time, or perhaps I have forgotten.

If the set with access is a small set of known people who are willing to be identified and be in the security group themselves (or already are), then I am personally fine with it.

Regards,
Maciej
