Security releases and the update status module
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

the update status module has introduced a new mechanism for updating everybody's Drupal site. It tells you when a new version becomes available and warns you when you don't install security releases.

One issue that has so far not been addressed is: What happens if a module has two branches and there is a security release for one of them?

This situation existed with the pathauto module. It has a 5.1 release and a 5.2 development branch with a beta release. There was a security issue found on the 5.2 branch and a security release was created for it. Unfortunately, since the 5.2 branch was made the default branch, every 5.1 user got told to upgrade to the beta release.

This is confusing for less tech savvy users since a beta release is usually perceived to be unstable (even though Greg tells me the 5.1 release is actually quite buggy too).

So, what I am asking for is this: Can we agree that in the absence of a "real" release, a branch should not be made the default branch?

Cheers,
Gerhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHGz35fg6TFvELooQRAow5AJ99PFA8ce2QnCjHuyhTrDcWdZZBsACfVX5S
F3+yud9Gbh0K/C4apzoLLI4=
=pCx+
-----END PGP SIGNATURE-----
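The Python below is an added illustration of the behaviour Gerhard describes; it is not code from Drupal's update status or project modules and was written for this page, not taken from the thread. It models the release data the way the message describes it: a stable 5.x-1 branch, a 5.x-2 branch that has only beta releases, and a security fix published on 5.x-2. The version scheme ("5.x-1.1", "5.x-2.0-beta2"), the release list and both recommendation policies are assumptions. It shows the default-branch policy sending a 5.x-1.1 site to the beta, and a same-branch policy that leaves that site alone while still flagging the missing security release for a site running 5.x-2.0-beta1.

```python
"""Simplified model of a multi-branch update check.

Added illustration for this thread, not code from Drupal's update status or
project modules. The version scheme, the release list and the two
recommendation policies are assumptions chosen to mirror the pathauto
situation described in the message above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pre-release tags order below a final release with the same number.
_PRE_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}
_FINAL_RANK = 4


@dataclass(frozen=True)
class Release:
    version: str    # contrib-style version string, e.g. "5.x-1.1" (assumed format)
    security: bool  # True when the release fixes a security issue


# Constructed data: a stable 5.x-1 branch, a 5.x-2 branch that has only betas,
# and a security fix published only on the 5.x-2 branch.
RELEASES = [
    Release("5.x-1.0", security=False),
    Release("5.x-1.1", security=False),
    Release("5.x-2.0-beta1", security=False),
    Release("5.x-2.0-beta2", security=True),
]


def parse(version: str) -> Tuple[str, Tuple[int, int, int, int]]:
    """Return (branch, sort_key) for a version string.

    "5.x-2.0-beta2" -> ("5.x-2", (2, 0, 2, 2)). The key orders releases
    within and across branches. Unknown formats raise ValueError rather
    than being silently treated as "no update available".
    """
    m = re.fullmatch(r"(\d+\.x)-(\d+)\.(\d+)(?:-([a-z]+)(\d*))?", version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    core, major, minor, tag, num = m.groups()
    if tag is None:
        rank, pre_num = _FINAL_RANK, 0
    elif tag in _PRE_RANK:
        rank, pre_num = _PRE_RANK[tag], int(num or 0)
    else:
        raise ValueError(f"unknown pre-release tag in {version!r}")
    return f"{core}-{major}", (int(major), int(minor), rank, pre_num)


def branch_of(version: str) -> str:
    return parse(version)[0]


def is_stable(version: str) -> bool:
    return parse(version)[1][2] == _FINAL_RANK


def latest_in_branch(branch: str, releases: List[Release]) -> Optional[Release]:
    candidates = [r for r in releases if branch_of(r.version) == branch]
    return max(candidates, key=lambda r: parse(r.version)[1], default=None)


def recommend_by_default_branch(releases: List[Release], default_branch: str) -> Optional[Release]:
    """Policy the thread complains about: point every site at the default
    branch, even when that branch only has a beta."""
    return latest_in_branch(default_branch, releases)


def recommend_same_branch(installed: str, releases: List[Release]) -> Optional[Release]:
    """Alternative policy: stay on the branch the site actually runs."""
    return latest_in_branch(branch_of(installed), releases)


def needs_upgrade(installed: str, recommended: Optional[Release]) -> bool:
    """True when the recommendation is newer than what is installed."""
    return recommended is not None and parse(recommended.version)[1] > parse(installed)[1]


def pending_security_releases(installed: str, releases: List[Release]) -> List[str]:
    """Security releases on the installed branch that are newer than the
    installed version; an empty list means no known fix is being missed."""
    branch, key = parse(installed)
    return [
        r.version for r in releases
        if r.security and branch_of(r.version) == branch and parse(r.version)[1] > key
    ]


if __name__ == "__main__":
    site = "5.x-1.1"
    rec = recommend_by_default_branch(RELEASES, default_branch="5.x-2")
    print("default-branch policy:", rec.version,
          "stable" if is_stable(rec.version) else "pre-release",
          "upgrade?", needs_upgrade(site, rec))
    rec = recommend_same_branch(site, RELEASES)
    print("same-branch policy:   ", rec.version, "upgrade?", needs_upgrade(site, rec))
    print("security fixes missing on", site, ":", pending_security_releases(site, RELEASES))
    print("security fixes missing on 5.x-2.0-beta1:",
          pending_security_releases("5.x-2.0-beta1", RELEASES))
```

Two caveats. Dev snapshots (a "-dev" version without a minor number) are not modelled, and `parse` raises on anything it does not recognise instead of guessing, since a silent "up to date" is the worst failure mode for a security check. More importantly, the same-branch policy can only warn about fixes that exist on the installed branch: whether the 5.x-1 branch is also affected is something only the maintainers know, which is exactly the manual decision the thread is about.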
On 10/21/07, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
> Hi there,
>
> the update status module has introduced a new mechanism for updating everybody's Drupal site. It tells you when a new version becomes available and warns you when you don't install security releases.
>
> One issue that has so far not been addressed is: What happens if a module has two branches and there is a security release for one of them?
It actually has been addressed. Enhancing update status to handle this case has been discussed and "won't fixed" here: http://drupal.org/node/184814
> This situation existed with the pathauto module. It has a 5.1 release and a 5.2 development branch with a beta release. There was a security issue found on the 5.2 branch and a security release was created for it. Unfortunately, since the 5.2 branch was made the default branch, every 5.1 user got told to upgrade to the beta release.
>
> This is confusing for less tech savvy users since a beta release is usually perceived to be unstable (even though Greg tells me the 5.1 release is actually quite buggy too).
>
> So, what I am asking for is this: Can we agree that in the absence of a "real" release, a branch should not be made the default branch?
I believe the rest of the discussion stems from Gerhard's feeling that the "official release" of Pathauto was too buggy. My apologies to anyone else who also feels that way. I've changed it back so the official release is from the (differently-buggy) 5.x-1.x branch.

In general, I don't have a strong feeling about whether or not certain strings like 'beta' in the "official release" should be allowed or prevented. Drupal project page itself does that, but it is a special case. Views did this for a while but I believe that Earl now regrets that.

Greg

--
Greg Knaddison
Denver, CO | http://knaddison.com
World Spanish Tour | http://wanderlusting.org/user/greg
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greg Knaddison - GVS wrote:
> On 10/21/07, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
>> Hi there,
>>
>> the update status module has introduced a new mechanism for updating everybody's Drupal site. It tells you when a new version becomes available and warns you when you don't install security releases.
>>
>> One issue that has so far not been addressed is: What happens if a module has two branches and there is a security release for one of them?
>
> It actually has been addressed. Enhancing update status to handle this case has been discussed and "won't fixed" here: http://drupal.org/node/184814
Yes, I agree that handling this in an automated way would require too many resources.
>> This situation existed with the pathauto module. It has a 5.1 release and a 5.2 development branch with a beta release. There was a security issue found on the 5.2 branch and a security release was created for it. Unfortunately, since the 5.2 branch was made the default branch, every 5.1 user got told to upgrade to the beta release.
>>
>> This is confusing for less tech savvy users since a beta release is usually perceived to be unstable (even though Greg tells me the 5.1 release is actually quite buggy too).
>>
>> So, what I am asking for is this: Can we agree that in the absence of a "real" release, a branch should not be made the default branch?
>
> I believe the rest of the discussion stems from Gerhard's feeling that the "official release" of Pathauto was too buggy. My apologies to
No, actually, it wasn't. I am just trying to install stable releases for modules that I use on clients' sites. For pathauto the 5.1 release is the only one which is there. I don't always have the time to carefully evaluate which release or branch should be preferred. Also, the amount of bugs I encountered with the 5.1 release was low enough to not make me want to search for better options.
> anyone else who also feels that way. I've changed it back so the official release is from the (differently-buggy) 5.x-1.x branch.
Much appreciated.
> In general, I don't have a strong feeling about whether or not certain strings like 'beta' in the "official release" should be allowed or prevented. Drupal project page itself does that, but it is a special case.
Indeed.
> Views did this for a while but I believe that Earl now regrets that.
Well, he changed it at least. ;)

Cheers,
Gerhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHG03kfg6TFvELooQRAkptAJ9SDZK9L02MO5DtwDxLAPLZ2WaknACgsae3
PyWs13dYRFqn8MJK7rgrDPA=
=b+BZ
-----END PGP SIGNATURE-----
Gerhard Killesreiter wrote:
>> Views did this for a while but I believe that Earl now regrets that.
>
> Well, he changed it at least. ;)
I spent a lot of hours working with dww to change project.module and update_status.module to fix this behavior.
Greg Knaddison - GVS wrote:
> In general, I don't have a strong feeling about whether or not certain strings like 'beta' in the "official release" should be allowed or prevented. Drupal project page itself does that, but it is a special case. Views did this for a while but I believe that Earl now regrets that.
What I regret was that -beta showed up as an official release in earlier versions of Update Status due to the way the information was bundled. We've since rectified this, but it took a lot of work. Since this is the second time you've brought this up -- and this time after I corrected you last time -- please stop using this mis-informed example. What you're implying is not the case.
Participants (3): Earl Miles, Gerhard Killesreiter, Greg Knaddison - GVS