[development] Please be careful marking release nodes "Security update"
Derek Wright
drupal at dwwright.net
Thu Oct 25 07:16:05 UTC 2007
Dear Drupal developers who manage contributions on drupal.org...
As you've probably noticed, when you create a release node for your
contribution(s), there's a "Release type" vocabulary where you can
select from a few terms:
Security update
Bug fixes
New features
You're supposed to use this to indicate what kind of release your
node represents, to give users of your contribution a sense of if
they want to install it or not. For example, if you're adding new
features, you should say so, since some users might not want to
upgrade something that's potentially unstable and might break their
sites, etc.
However, if you mark a release node a "Security update", that has a
bunch of other side effects and implications, so please only do so if
your release is actually fixing a security problem:
1) The release node will not be published once the packaging script
creates the tarball. This is so that the security team can verify
the release does in fact address a security problem, that the draft
of the security announcement (SA) is ready to be published, etc. See
this issue for more info:
http://drupal.org/node/153973
2) Once a "Security update" release node is published, the Update
status module (now in D6 core) will freak out on every site running
your module, with big nasty red warnings and emails (if so
configured) about the fact that the site is insecure and needs to be
updated immediately.
3) Everyone subscribed to the "Security updates" RSS feed will get
pinged that there's another security release.
...
Therefore, a "Security update" release is a *BIG DEAL*. You need to
coordinate with the security team to make sure an SA goes out with
your release, all of your users are going to get nasty warnings and
scare tactics to try to get them to update ASAP, etc. So, if you
don't mean it, please do *NOT* use this taxonomy term. If you do,
you use up the precious resources of the security team (and/or d.o
infrastructure team) to investigate your release node, clear the
bogus term, manually publish it for you, etc, etc.
Thanks,
-Derek (dww)