[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code
Adrian Rossouw
adrian at bryght.com
Fri Jul 28 11:03:19 UTC 2006
On 28 Jul 2006, at 4:46 AM, Derek Wright wrote:
>
> i can see why some people want to still support nightly snapshot
> builds/tarballs, but i don't think a) we should encourage their use
> on real sites, b) worry about how to handle those in installers/
> real distributions, or c) delay having real version of contrib
> releases to get nightly snapshots working. if someone *really*
> wants the absolutely most recent code, they're probably a developer/
> tester, and therefore, clueful enough to get the code from CVS.
> otherwise, they should be perfectly happy with the last real
> release that was blessed and tagged by the maintainer on a given branch.
of course. but with a dependency system, a module should be able to
depend on

    modulename > 4.7.34 || modulename >= head.2006.06.17

By not supporting some numbering for stuff in HEAD at the least, you
make it impossible to actually test if the requirements are correctly
met until a release is actually made of all packages in the
dependency tree.
--
Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com