Document results of security audit

Created on 2 October 2024, 3 months ago

Problem/Motivation

The Drupal Association commissioned a security audit of php-tuf and related packages, as well as Rugged. I don't think this audit explicitly included Package Manager and Automatic Updates.

It's my understanding that the audit found some PHP issues, all of which were minor and could be fixed in public, and some Rugged code and workflow issues which could nearly all (or perhaps all) be fixed in public.

However, I am not aware of a way to find out:

1. Which issues were reported against which projects, without reading the full audit.
2. In which issue/MR each of these issues was worked on.
3. Whether those issues/MRs have already been resolved.

If there are still issues being worked on in private that also aren't fixed yet, we can't disclose those publicly, but we could maybe put 'private issue 1, project A, in progress', or alternatively just state when there are no open private issues.

Steps to reproduce

Proposed resolution

Document in this issue or somewhere else the above information.

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Active

Version

3.1

Component

Code

Created by

🇬🇧United Kingdom catch
