[development] backporting sec patches

Heine Deelstra hdeelstra at gmail.com
Tue Apr 29 21:31:21 UTC 2008


Ivan Sergio Borgonovo wrote:
> Since I will need a longer life cycle... I know I'll have to support
> security patches for at least one more older release starting
> from 5.X.

Thank you for the offer. Openflows is doing something similar for Drupal 4.7 core.

> I could start to take care of this in a *very* informal way. That
> means that I'll make people aware that they CAN'T rely on this
> service and see how it goes.

If people cannot rely on this service, how can they make the choice to skip upgrading for 
two releases?

> What I know I won't be able to handle is assisting in fixing security
> problems in older modules or providing a full tar of an older patched
> version or manage DB update path.

Whether a burglar comes through the door (core) or the window (contrib) doesn't matter
much; you still lose your toys. This is why the sec team also started doing security
announcements for contributed modules.

In exchange for continuing support for 5.x what needs to happen (at least):

- Dropping security support for all alpha, beta and dev releases.
- Buy-in from the rest of the team.

Regards,

Heine

