On 3/9/17 5:53 PM, Ben Kelly wrote:
Right now our security bug process asks about the commit message and if it
"paints a target" on the patch.

It asks this:

  Do comments in the patch, the check-in comment, or tests included
  in the patch paint a bulls-eye on the security problem?

I always interpreted that to mean "does the commit message give clues about how to exploit the pre-patch state?". So a commit message like "Make sure that SVG elements with a 'fill' attribute that are adopted into another document don't leave dangling pointers behind" would probably be a bad idea for a security bug....

I don't think there's anything you can do in the commit message to not make it scream out "security bug" to anyone who's actually trying, if you include the bug# in there....

-Boris