[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code

Adrian Rossouw adrian at bryght.com
Fri Jul 28 11:03:19 UTC 2006

On 28 Jul 2006, at 4:46 AM, Derek Wright wrote:

> i can see why some people want to still support nightly snapshot  
> builds/tarballs, but i don't think a) we should encourage their use  
> on real sites, b) worry about how to handle those in installers/ 
> real distributions, or c) delay having real version of contrib  
> releases to get nightly snapshots working.  if someone *really*  
> wants the absolutely most recent code, they're probably a developer/ 
> tester, and therefore, clueful enough to get the code from CVS.   
> otherwise, they should be perfectly happy with the last real  
> release that was bless and tagged by the maintainer on a given branch.
of course. but with a dependency system, a module should be able to  
depend on
modulename > 4.7.34 || modulename >= head.2006.06.17

By not supporting some numbering for stuff in HEAD at the least, you  
make it impossible to actually test
if the requirements are correctly met until a release is actually  
made of all packages in the dependency tree.

Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com

More information about the development mailing list