[development] RFC: drupal as a moving target

Neil Drumm drumm at delocalizedham.com
Mon Apr 28 17:36:44 UTC 2008

On Mon, Apr 28, 2008 at 9:05 AM, Alan Pritt <alan at humte.com> wrote:
> On 28 Apr 2008, at 15:57, catch wrote:
> > [...] there's clearly non-trivial resources involved in 12 months
> additional
> >
> > maintenance of a core release.
> >
>  Can anyone estimate what security only (no other bug fixes) support would
> cost
>  in man hours?

It depends on the situation. Personally, I easily spend 10-20 hours on
a 5.x security release. It varies a lot depending on the
straightforwardness of the fixes and who is helping. At least 3
people, two branch maintainers and the security team lead, spend up to
4 hours online to make the release, others are online to help. Various
people review every incoming message and examine potential
vulnerabilities. Various people write and review patches; a good patch
review takes at least 30 minutes. Security releases are not
straightforward, easy, or cheap.

Neil Drumm

More information about the development mailing list