[development] RFC: drupal as a moving target

Moshe Weitzman weitzman at tejasa.com
Mon Apr 28 15:35:10 UTC 2008


So, now we are getting down to specifics, which is good. The official
security team policy is that we support the current release and the
prior one. If we want to add a release to that list, then we need to
think of a way to fund it. The volunteer fire dept approach of the
security team cannot possibly accept more work as it currently stands.
We already review patches and issue advisories for hundreds of contrib
modules on top of Drupal core.

IMO, it is time to fund the position of "Security Team lead". That
person can then focus on optimizing the volunteers and can then decide
if supporting another version is feasible. If anyone wants to fund
this position, or donate their employees' time toward this, then
please talk to the Drupal Association. We don't really need more
volunteers on the team IMO - coordination costs start to overwhelm the
benefits.

> It's been mentioned a couple of times on IRC, so I can't take credit for the
> idea, but would it be worth discussing an extension of support for older
> core versions? To play devil's advocate this would mean maintaining 5.x until
> 8.x is released (or 6.x until 9.x etc.), even if only for security.
> Obviously contrib support for older (and newer) versions of core remains
> entirely optional per maintainer/project.

