Once upon a time security advisories came with a link to: a) new drupal releases b) patches
Direct link to patches was quite useful to evaluate the changes and the security threat quickly.
security emails are in plain text so the increase in risk to trick users to download trojaned software should be minimal.
Could this feature be reintroduced?
thanks
It's still available, but not as directly. The patches were provided with the intent that people could use those to upgrade their site if they are nervous about all the other changes (bugfixes, features) in core. They may have facilitated your use case, but it wasn't a primary purpose.
Now we provide two full releases: one that is the same as the previous core release but with the security patches (6.21) and one that is both security and all the bugfixes that have happened. This is easier for most users because it doesn't require working with patch files.
If you really want to see the specific changes, look at
http://drupalcode.org/project/drupal.git
Click "log" next to the security only release so you see http://drupalcode.org/project/drupal.git/log/refs/tags/6.21
Click commitdiff next to the most recent commit so you see http://drupalcode.org/project/drupal.git/commitdiff/7c4e429b7fa771676a18321a...
Regards, Greg
On Thu, May 26, 2011 at 2:37 AM, Ivan Sergio Borgonovo mail@webthatworks.it wrote:
> Once upon a time security advisories came with a link to: a) new drupal releases b) patches
> Direct link to patches was quite useful to evaluate the changes and the security threat quickly.
> security emails are in plain text so the increase in risk to trick users to download trojaned software should be minimal.
> Could this feature be reintroduced?
> thanks
> -- Ivan Sergio Borgonovo http://www.webthatworks.it
> -- [ Drupal support list | http://lists.drupal.org/ ]
On Thu, 26 May 2011 05:45:11 -0600 Greg Knaddison greg@growingventuresolutions.com wrote:
> It's still available, but not as directly. The patches were provided with the intent that people could use those to upgrade their site if they are nervous about all the other changes (bugfixes, features) in core. They may have facilitated your use case, but it wasn't a primary purpose.
I appreciate the addition of a security only full drupal archive too but as you may have guessed not as much as the diff. Being able to see at a glance what were the changes quickly looks a quite reasonable use case as well.
Since there is no quick path to the right place of the git web interface I think the new security advisory format lost an important feature that shouldn't be hard to resurrect, that would make unnecessary to bet on which format is serving drupal best.
> If you really want to see the specific changes, look at
thanks for the pointer
You're the first to complain the patch is gone ;)
That said, I agree with you and this thread works as a request to the Security Team to add a link to relevant diffs inside the SA.
Regards, Greg
On Thu, May 26, 2011 at 7:06 AM, Ivan Sergio Borgonovo mail@webthatworks.it wrote:
> On Thu, 26 May 2011 05:45:11 -0600 Greg Knaddison greg@growingventuresolutions.com wrote:
> > It's still available, but not as directly. The patches were provided with the intent that people could use those to upgrade their site if they are nervous about all the other changes (bugfixes, features) in core. They may have facilitated your use case, but it wasn't a primary purpose.
> I appreciate the addition of a security only full drupal archive too but as you may have guessed not as much as the diff. Being able to see at a glance what were the changes quickly looks a quite reasonable use case as well.
> Since there is no quick path to the right place of the git web interface I think the new security advisory format lost an important feature that shouldn't be hard to resurrect, that would make unnecessary to bet on which format is serving drupal best.
> > If you really want to see the specific changes, look at
> thanks for the pointer
> -- Ivan Sergio Borgonovo http://www.webthatworks.it
On Thu, 26 May 2011 07:27:13 -0600 Greg Knaddison greg@growingventuresolutions.com wrote:
> You're the first to complain the patch is gone ;)
I've to admit I haven't dug enough in my email archive to be sure of what I'm going to write, so take it conditionally...
It's a pretty long time I don't receive SA-**CORE**. So congratulations to core developers but that may be the reason I'm the first to notice. This may be the first SA-CORE with the new format.
> That said, I agree with you and this thread works as a request to the Security Team to add a link to relevant diffs inside the SA.
Thanks. SA are pretty full of links. I don't think 2 more will affect readability.
Ivan and Greg: I like the new format. I have had customers who didn't want all the other stuff. However, I wonder how the Update Status module is going to handle having 6.22 available if 6.21 is installed. But, I am sure that Derek has it covered already.
From a security standpoint, the omission of the patch is probably better. Hackers may be persistent, but they are also often lazy. If they have to make a few more clicks to find where the exposure is, they may just move on to an easier target.
Nancy
Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
From: Ivan Sergio Borgonovo
> > It's still available, but not as directly.
> I appreciate the addition of a security only full drupal archive too but as you may have guessed not as much as the diff. Being able to see at a glance what were the changes quickly looks a quite reasonable use case as well.