News-Feeds:
Preannouncements - no general use for TYPO3 advisories
The TYPO3 Security Team has decided to not use preannouncements in general. This is an explanation why we stick to the current procedure.
Every once in a while the TYPO3 Security Team is being asked to generally use preannouncements. Such preannouncements, to be published days before the actual TYPO3 Security bulletin, seem to be a nice way to be prepared for a necessary update of the TYPO3 Core, the base platform.
We discussed this suggestions but came to the conclusion that we better stick to the current procedure. Following is a list of points you need to understand.
- Preannouncements for third-party TYPO3 extensions seem to be not necessary. Most time, you won't be affected by extension issues as you aren't using any of the mentioned extensions.
- We believe and know that upgrading (w/o testing) alone of the TYPO3 Core won't take longer than 5 minutes per server.
- We are not aware of any other Open Source project that has preannouncements in general use.
- Preannouncements will become useless again, if we need to late-postpone or pre-release a new TYPO3 Core version. Valid reasons would be regressions or exploits in the wild.
- Your TYPO3 installation might not be vulnerable because of not using an extension in question (recent openid vulnerability etc..) or the exploitability risk is very low (e.g. XSS in the backend with another vulnerability as mandatory prerequisite).
Last but not least, preannouncements would be another task to be done by the TYPO3 Security Team. The creation/review/publication of the bulletin takes hours (not taking any work on the issue itself into account). We're mostly interested in reducing our work load; after all, most of us do this work for free. However, preannouncements would mean the contrary and the overhead does not compensate the to be expected benefits.Nonethless, for critical security issues we will of course proceed with preannouncements which has been done several times in the past.
This posting is a redistribution of the original article.
comments
March 8, 2010
17:48
Preannouncements could cause fear and doubt, because essential information is missing (e.g. affected component).
I am happy with the situation we have now. Security stuff is handled very professional.
March 11, 2010
12:56
Preannouncements are dangerous and therefore I wouldn't do it. If you can not specify what exactly has to be updated, and which constelations are vulnerable the pre announcment will be ignored. If you put all the information in, it's not a pre announcment any more ;-), and can be even more dangerous if there is no patch yet...
But please be carefull with throwing around numbers like '5 minutes'. This can irritate customers very much. Because a clean update, which includes testing, addapting the configuration to use the new features, checking the extensions for compatibility, checking the addaptions (with hooks, TypoScript and sometimes even with XClasses), updating all the extensions, maybe even changing CSS for new HTML output etc. you need much longer to complete an update...
What you could think about are 'Patch Extensions' which integrate important security patches to the core by Hooks or even XClasses, so one just need to install the extension and everything is fine, without updating the whole core with alle the other changes...
Buzz is the official blog resource of the TYPO3 project. You can be part of Buzz too. If you want to blog about the achievements of your team or your personal involvement please check out our HELP section.
Right, updating a server takes only 5 minutes. But if you are in charge of more than one server, it takes a little bit longer. It is absolutely helpful for the users out there to have a 2-3 day preannouncement.
IMHO this is not a good decision.
Apart from this: Keep up the good work! Thanks a lot!