[development] Please be careful marking release nodes "Security update"

Derek Wright drupal at dwwright.net
Thu Oct 25 07:16:05 UTC 2007

Dear Drupal developers who manage contributions on drupal.org...

As you've probably noticed, when you create a release node for your  
contribution(s), there's a "Release type" vocabulary where you can  
select from a few terms:

Security update
Bug fixes
New features

You're supposed to use this to indicate what kind of release your  
node represents, to give users of your contribution a sense of if  
they want to install it or not.  For example, if you're adding new  
features, you should say so, since some users might not want to  
upgrade something that's potentially unstable and might break their  
sites, etc.

However, if you mark a release node a "Security update", that has a  
bunch of other side effects and implications, so please only do so if  
your release is actually fixing a security problem:

1) The release node will not be published once the packaging script  
creates the tarball.  This is so that the security team can verify  
the release does in fact address a security problem, that the draft  
of the security announcement (SA) is ready to be published, etc.  See  
this issue for more info:

2) Once a "Security update" release node is published, the Update  
status module (now in D6 core) will freak out on every site running  
your module, with big nasty red warnings and emails (if so  
configured) about the fact that the site is insecure and needs to be  
updated immediately.

3) Everyone subscribed to the "Security updates" RSS feed will get  
pinged that there's another security release.


Therefore, a "Security update" release is a *BIG DEAL*.  You need to  
coordinate with the security team to make sure an SA goes out with  
your release, all of your users are going to get nasty warnings and  
scare tactics to try to get them to update ASAP, etc.  So, if you  
don't mean it, please do *NOT* use this taxonomy term.  If you do,  
you use up the precious resources of the security team (and/or d.o  
infrastructure team) to investigate your release node, clear the  
bogus term, manually publish it for you, etc, etc.

-Derek (dww)

More information about the development mailing list