[development] Think there's a security problem in your module? Here's what to do.

DragonWize dragonwize at gmail.com
Wed Jan 16 19:47:46 UTC 2008

> DragonWize: there is an infrastructure to let Drupal maintainers know
> about security fix releases. So when a module commits a security fix,
> it does release a security update, which is clearly marked as such, so
> that Drupal users are informed that they should update their modules.
> If a commit followed by a security release is not a clear indication
> of the previous commit being a security fix, then what is it?
That is my point if you do the commit and release at the same time it
is even easier.

> You advocate not marking updates as security updates, so users would
> not know whether the latest module version is a security update or not
> and they would need to update with each new version that comes out?
I advocate not marking cvc commits as security. You are speaking of
publishing a node as a security which I totally agree with.

> With the current process, the security team coordinates releases, so
> the same security fix comes out in all supported core releases, and
> contributed module updates come out at the same time. So you don't
> need to fear that in any moment, you need to put all your work away,
> and update, because there was a security update for one of the modules
> you use. The security team tries to make Drupal site maintainer's life
> easier by doing coordinated releases, so you can make sure everything
> is fine all at once.
Agreed but that is for publishing the node not a lines of code.

I appreciate everyone trying patiently trying to explain this to me
and as everyone thinks that I am the only person to ever question
this, I will not continue the thread any further. I was only
responding to Derek's ask for unclear parts of the process. For all of
our sake's, I hope that no one else has the issue of this being

Alan Doucette
Koi Technology, LLC

More information about the development mailing list