DragonWize: there is an infrastructure to let Drupal maintainers know about security fix releases. So when a module commits a security fix, it does release a security update, which is clearly marked as such, so that Drupal users are informed that they should update their modules. If a commit followed by a security release is not a clear indication of the previous commit being a security fix, then what is it?
That is my point if you do the commit and release at the same time it is even easier.
You advocate not marking updates as security updates, so users would not know whether the latest module version is a security update or not and they would need to update with each new version that comes out?
I advocate not marking cvc commits as security. You are speaking of publishing a node as a security which I totally agree with.
With the current process, the security team coordinates releases, so the same security fix comes out in all supported core releases, and contributed module updates come out at the same time. So you don't need to fear that in any moment, you need to put all your work away, and update, because there was a security update for one of the modules you use. The security team tries to make Drupal site maintainer's life easier by doing coordinated releases, so you can make sure everything is fine all at once.
Agreed but that is for publishing the node not a lines of code. I appreciate everyone trying patiently trying to explain this to me and as everyone thinks that I am the only person to ever question this, I will not continue the thread any further. I was only responding to Derek's ask for unclear parts of the process. For all of our sake's, I hope that no one else has the issue of this being unclear. -- Alan Doucette Koi Technology, LLC www.KoiTech.net