[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code
drupal at dwwright.net
Fri Jul 28 02:46:36 UTC 2006
On Jul 27, 2006, at 4:09 AM, Adrian Rossouw wrote:
> We also need to tackle individual module versioning.
absolutely. i've been talking about this so much, i think i'm in the
"talk is silver, code is gold" stage. shut up already and get it
working, derek. ;)
> Each and every time a drupal.org module distribution package gets
> updated with any change whatsoever, a new version needs to be created.
i mostly agree, i just think the cause/effect ordering is backwards
here. i think developers should be free to change code at whatever
pace they feel like, without *every* commit causing a new "release
version" of their module. however, only once they decide a given set
of changes constitute a new release should they manually "create a
new version", and the existence of the new version causes a new
distribution package to be built (see my last paragraph in
http://drupal.org/node/58066#comment-104663 for more on this).
i can see why some people want to still support nightly snapshot
builds/tarballs, but i don't think a) we should encourage their use
on real sites, b) worry about how to handle those in installers/real
distributions, or c) delay having real version of contrib releases to
get nightly snapshots working. if someone *really* wants the
absolutely most recent code, they're probably a developer/tester, and
therefore, clueful enough to get the code from CVS. otherwise, they
should be perfectly happy with the last real release that was blessed
and tagged by the maintainer on a given branch.