[development] Security releases and the update status module

Gerhard Killesreiter gerhard at killesreiter.de
Sun Oct 21 13:02:28 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greg Knaddison - GVS schrieb:
> On 10/21/07, Gerhard Killesreiter <gerhard at killesreiter.de> wrote:
>> Hi there,
>>
>> the update status module has introduced a new mechanism for updating
>> everybody's Drupal site. It tells you when a new version becomes
>> available and warns you when you don't install security releases.
>>
>> One issue that has so far not been addressed is: What happens if a
>> module has two branches and there is a security release for one of
>> them?
>
> It actually has been addressed.  Enhancing update status to handle
> this case has been discussed and "won't fixed" here:
> http://drupal.org/node/184814

Yes, I agree that handling this in an automated way would require too
many resources.

>> This situation existed with the pathauto module. It has a 5.1 release
>> and a 5.2 development branch with a beta release. There was a security
>> issue found on the 5.2 branch and a security release was created for
>> it. Unfortunately, since the 5.2 branch was made the default branch,
>> every 5.1 user got told to upgrade to the beta release.
>>
>> This is confusing for less tech savvy users since a beta release is
>> usually perceived to be unstable (even though Greg tells me the 5.1
>> release is actually quite buggy too).
>>
>> So, what I am asking for is this: Can we agree that in the absence of
>> a "real" release, a branch should not be made the default branch?
>
> I believe the rest of the discussion stems from Gerhard's feeling that
> the "official release" of Pathauto was too buggy.  My apologies to

No, actually, it wasn't. I am just trying to install stable releases
for modules that I use on clients' sites. For pathauto the 5.1 release
is the only one which is there.

I don't always have the time to carefully evaluate which release or
branch should be preferred. Also, the number of bugs I encountered
with the 5.1 release was low enough to not make me want to search for
better options.

> anyone else who also feels that way.  I've changed it back so the
> official release is from the (differently-buggy) 5.x-1.x branch.

Much appreciated.

> In general, I don't have a strong feeling about whether or not
> certain strings like 'beta' in the "official release" should be
> allowed or prevented.  Drupal project page itself does that, but it
> is a special case.

Indeed.

> Views did this for a while but I believe that Earl now regrets that.

Well, he changed it at least. ;)

Cheers,
	Gerhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHG03kfg6TFvELooQRAkptAJ9SDZK9L02MO5DtwDxLAPLZ2WaknACgsae3
PyWs13dYRFqn8MJK7rgrDPA=
=b+BZ
-----END PGP SIGNATURE-----

