Feedback storm

Last week I received a dozen requests related to one of the recent blogposts, and all of those requests contained the same two questions:

  • Why is it password protected?
  • When will it be publicly available?

The short story is: after installing the latest Content Server patches I faced severe compatibility issues, and further research revealed that those compatibility issues are caused by “security enhancements” which do not really look like security fixes. For example, I spent about 6 hours finding out why my application had started failing when running on the latest patchset and how to disable the new weird behaviour, and just 30 minutes writing a new proof of concept which bypasses the new “security enhancements”. After that I performed a deep analysis of the last ten security vulnerabilities which were announced by EMC as remediated and found the same problem: nothing was fixed; moreover, some of them contain such gross mistakes that those mistakes look more like backdoors than mistakes. At present I’m trying to bring together all the information I have, and this blogpost will be publicly available soon.

4 thoughts on “Feedback storm”

  1. I’m glad (but sad) that I’m not the only one who thinks there’s been a lack of quality/tests in patches for a while now. I have also faced several basic things breaking after applying some of the latest patches, and after comparing the files pre and post “fixes” you can clearly see mistakes that are “difficult to understand” (i.e. missing return statements or returning generic code instead of the right code, etc.).


  2. Some things are hardly explainable. If my memory serves me right, three or four years ago BPM was the only product which demonstrated gaps between release notes and real behaviour (for example, some BPM versions introduced caching but this was not mentioned in the release notes, or other BPM versions introduced transactions and this was not mentioned in the release notes either, etc.; however, CRs’ descriptions in release notes were always misleading). And I was never able to understand why such a thing happens, i.e. I have a bug-tracking system where I track all CRs, developers resolve CRs either in a special branch or try not to affect the main functionality until the CR is resolved, and when I want to release a new build I go to the bug-tracking system and pick all CRs which have “resolved” status – these CRs form my release notes. So, when you say something like “there’s been a lack of quality/tests in patches for a while now”, I do think that there is a gap in the development process: some changes are not tracked at all or not tracked properly in the bug-tracking system, so the QA team has no idea what they need to test.


  3. Pingback: CVE-2014-0629 strikes back | Documentum in a (nuts)HELL
