On Jan 16, 2008 6:13 PM, DragonWize <dragonwize@gmail.com> wrote:
2. Making a commit doesn't advertise anything unless you put in a description saying what the security flaw is and how to exploit it. Hopefully it is obvious never to do that, no matter when you commit it.
DragonWize: there is an infrastructure to let Drupal maintainers know about security fix releases. So when a module commits a security fix, it does release a security update, which is clearly marked as such, so that Drupal users are informed that they should update their modules. If a commit followed by a security release is not a clear indication of the previous commit being a security fix, then what is it? Do you advocate not marking updates as security updates, so that users would not know whether the latest module version is a security update or not and would need to update with each new version that comes out?

With the current process, the security team coordinates releases, so the same security fix comes out in all supported core releases, and contributed module updates come out at the same time. So you don't need to fear that at any moment you will need to put all your work away and update because there was a security update for one of the modules you use. The security team tries to make Drupal site maintainers' lives easier by doing coordinated releases, so you can make sure everything is fine all at once.

That might not be the best solution ever; I am just pointing out the reasons behind the system. The point is that we are trying to make Drupal installs easier to keep secure with the notification on security updates and the coordinated timing of security updates.

Gabor