Since I will need a longer life cycle... I know I'll have to support security patches for at least one more older release starting from 5.X. I know that patching your own 3, 4 web sites that lag behind is one thing, providing patches for a whole community is another thing. Providing security support for older modules it is even a larger task. Making proactive security assessment for older versions is absolutely out of my reach. As a minimum I could provide svn patches for security problems that have been discovered in newer versions and that apply to older versions. To make this effective I'd be informed in advance of the security problems that have been signaled to the sec team before they get public. I could start to take care of this in a *very* informal way. That means that I'll make aware people that they CAN'T relay on this service and see how it goes. Depending on how things go, it could be worth to learn something about the Drupal release mechanism, see if other people can help... etc... I don't know. What I think I can handle is: - getting informed in advance of DN and D(N-1) security problems in core - see if they need to be fixed in D(N-2) and publish a svn diff somewhere concurrently to the DN/D(N-1) public security announcement. - try my best to see if a module security problem can be fixed in older core and provide a patch What I know I won't be able to handle is assisting in fixing security problems in older modules or providing a full tar of an older patched version or manage DB update path. That in the hope that: - I could gain access to early warnings - someone will reach me in the task so that if one is busy/ill/etc... the other can still provide some support to the community, me included. If anyone is willing I could reach the sec team to get used to the way they operate now, make some enemies, call some names, help a bit fixing 5.X sec problems till 5.X will be obsoleted and evaluate in the light of my new experience if and how I can sustain what I proposed. -- Ivan Sergio Borgonovo http://www.webthatworks.it