[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code

Derek Wright drupal at dwwright.net
Fri Jul 28 02:46:36 UTC 2006


On Jul 27, 2006, at 4:09 AM, Adrian Rossouw wrote:

> We also need to tackle individual module versioning.

absolutely.  i've been talking about this so much, i think i'm in the  
"talk is silver, code is gold" stage.  shut up already and get it  
working, derek. ;)

> Each and every time a drupal.org module distribution package gets  
> updated with any change whatsoever, a new version needs to be created.

i mostly agree, i just think the cause/effect ordering is backwards  
here.  i think developers should be free to change code at whatever  
pace they feel like, without *every* commit causing a new "release  
version" of their module.  however, only once they decide a given set  
of changes constitute a new release should they manually "create a  
new version", and the existence of the new version causes a new  
distribution package to be built (see my last paragraph in http://drupal.org/node/58066#comment-104663 for more on this).

i can see why some people want to still support nightly snapshot  
builds/tarballs, but i don't think a) we should encourage their use  
on real sites, b) worry about how to handle those in installers/real  
distributions, or c) delay having real version of contrib releases to  
get nightly snapshots working.  if someone *really* wants the  
absolutely most recent code, they're probably a developer/tester, and  
therefore, clueful enough to get the code from CVS.  otherwise, they  
should be perfectly happy with the last real release that was blessed  
and tagged by the maintainer on a given branch.

-dww
