On Thu, 2006-10-19 at 17:25 -0400, Moshe Weitzman wrote:
dopry@bbox:~/public_html/drupal-4-7/public_html/sites/default/modules$ cat */*.module */*.inc | wc
15672 55392 508132
You mean browse through 15K lines of code? It's crazy to expect that of a site administrator. Remember we are developing for non-developers.
And then you demand that the security team review all of contrib and find affected modules and notify those maintainers and track progress? Perhaps you can tell us how many lines of code that is.
I think asking a site administrator to dig through code is completely different than asking a developer who wrote a core patch to dig through code. It's an apples-to-oranges situation. How much review does a patch in the issue queue that changes an API have to go through to get committed? How many related details are brought up on average?

It should be rare that any security update changes an API. If we do change an API it should be done with care. Major versions aren't released without a fair amount of contributed modules being up to date. Should it be any different for a security update? Will Drupal 5 be slammed out without someone seeing which contrib modules have been converted? I seem to remember both in the 4.6 and 4.7 release cycle, more so in 4.7 with FAPI, quite a bit of concern about the state of contrib...

and just to be a total smartypants...

dopry@bbox:~/src/cvs/contrib-4.7/modules$ cat */*.module */*.inc | wc
278307

about 20 times as many lines as on my dev site.. and a quick list of potentially affected modules in my 4-7 checkout...

dopry@bbox:~/src/cvs/contrib-4.7/modules$ grep '<form' */*.module */*.inc
chatbox/chatbox.module -Darren Oh
flashcard/flashcard.module -suuch
flash_filter/flash_filter.module -tomsys
g2/g2.module -fgm
image_pub/image_pub.module -pangloss
imce/imce.module -ufku
mlist/mlist.module -peterjohnhartmann
typecheck/typecheck.module -suuch
userlink/userlink.module -marcp
webform/webform.module -ullgren
weight/weight.module -jjeff
disknode/disknode.info.tpl.inc -elmuerte
family/import.inc -Sam Wilson
securesite/securesite.inc -Darren Oh
webcam/webcam_popup_window.inc -flow@www.my-flow.com

and I took the time to dig up the Drupal usernames of the projects' maintainers.