[development] Think there's a security problem in your module? Here's what to do.
DragonWize
dragonwize at gmail.com
Wed Jan 16 19:47:46 UTC 2008
> DragonWize: there is an infrastructure to let Drupal maintainers know
> about security fix releases. So when a module commits a security fix,
> it does release a security update, which is clearly marked as such, so
> that Drupal users are informed that they should update their modules.
> If a commit followed by a security release is not a clear indication
> of the previous commit being a security fix, then what is it?
>
That is my point if you do the commit and release at the same time it
is even easier.
> You advocate not marking updates as security updates, so users would
> not know whether the latest module version is a security update or not
> and they would need to update with each new version that comes out?
>
I advocate not marking cvc commits as security. You are speaking of
publishing a node as a security which I totally agree with.
> With the current process, the security team coordinates releases, so
> the same security fix comes out in all supported core releases, and
> contributed module updates come out at the same time. So you don't
> need to fear that in any moment, you need to put all your work away,
> and update, because there was a security update for one of the modules
> you use. The security team tries to make Drupal site maintainer's life
> easier by doing coordinated releases, so you can make sure everything
> is fine all at once.
>
Agreed but that is for publishing the node not a lines of code.
I appreciate everyone trying patiently trying to explain this to me
and as everyone thinks that I am the only person to ever question
this, I will not continue the thread any further. I was only
responding to Derek's ask for unclear parts of the process. For all of
our sake's, I hope that no one else has the issue of this being
unclear.
--
Alan Doucette
Koi Technology, LLC
www.KoiTech.net
More information about the development
mailing list