[development] Think there's a security problem in your module? Here's what to do.

Gábor Hojtsy gabor at hojtsy.hu
Wed Jan 16 19:33:31 UTC 2008


On Jan 16, 2008 6:13 PM, DragonWize <dragonwize at gmail.com> wrote:
> 2. Making a commit doesn't advertise anything unless you put a
> description saying what the security flaw is and how to exploit it.
> Hopefully it is obvious to never do that, no matter when you commit
> it.

DragonWize: there is an infrastructure to let Drupal maintainers know
about security fix releases. So when a module commits a security fix,
it does release a security update, which is clearly marked as such, so
that Drupal users are informed that they should update their modules.
If a commit followed by a security release is not a clear indication
of the previous commit being a security fix, then what is it?

You advocate not marking updates as security updates, so users would
not know whether the latest module version is a security update or not
and they would need to update with each new version that comes out?

With the current process, the security team coordinates releases, so
the same security fix comes out in all supported core releases, and
contributed module updates come out at the same time. So you don't
need to fear that at any moment you will need to put all your work
away and update because there was a security update for one of the
modules you use. The security team tries to make Drupal site
maintainers' lives easier by doing coordinated releases, so you can
make sure everything is fine all at once.

That might not be the best solution ever, I am just pointing out the
reasons behind the system. The point is that we are trying to make
Drupal installs easier to keep secure with the notification on
security updates and the coordinated timing of security updates.

Gabor
