[development] Security releases and the update status module

[Greg Knaddison - GVS]

On 10/21/07, Gerhard Killesreiter <gerhard at killesreiter.de> wrote:
> Hi there,
>
> the update status module has introduced a new mechanism for updating
> everybody's Drupal site. It tells you when a new version becomes
> available and warns you when you don't install security releases.
>
> One issue that has so far not been addressed is: What happens if a
> module has two branches and there is a security release for one of
> them?

It actually has been addressed.  Enhancing update status to handle
this case has been discussed and "won't fixed" here:
http://drupal.org/node/184814

> This situation existed with the pathauto module. It has a 5.1 release
> and a 5.2 development branch with a beta release. There was a security
> issue found on the 5.2 branch and a security release was created for
> it. Unfortunately, since the 5.2 branch was made the default branch,
> every 5.1 user got told to upgrade to the beta release.
>
> This is confusing for less tech savvy users since a beta release is
> usually perceived to be unstable (even though Greg tells me the 5.1
> release is actually quite buggy too).
>
> So, what I am asking for is this: Can we agree that in the absence of
> a "real" release, a branch should not be made the default branch?

I believe the rest of the discussion stems from Gerhard's feeling that
the "official release" of Pathauto was too buggy.  My apologies to
anyone else who also feels that way.  I've changed it back so the
official release is from the (differently-buggy) 5.x-1.x branch.

In general, I don't have a strong feeling about whether or not certain
strings like 'beta' in the "official release" should be allowed or
prevented.  Drupal project page itself does that, but it is a special
case.  Views did this for a while but I believe that Earl now regrets
that.

Greg

-- 
Greg Knaddison
Denver, CO | http://knaddison.com
World Spanish Tour | http://wanderlusting.org/user/greg