Contrib.social

Should supported releases be shown on downloads table even if it contains insecure modules? If so, how?

Open on Drupal.org β†’
Created on 16 November 2013, over 10 years ago
Updated 18 March 2023, over 1 year ago

Updated: Comment #7

Problem/Motivation

History

The 7.x release of project caused most distributions to disappear, causing this issue to surface #2122795: Unable to download 7.x distributions with linked projects β†’ . With the release of project, its fixed for supported releases, but releases that contain insecure modules are not listed. This is a pretty important issue as distribution maintainers are all going to have difficulty whenever a new module they're dependent on is marked 'insecure'.

Questions

Should insecure releases be shown on the downloads table for a distribution? Should an indicator/legend be present to alert downloaders to a potential issue.

Proposed resolution

Yes: show the releases

  • Removing a release without notification to the maintainer is a new behavior and maintainers would need to be educated to stay aware/active in updating insecure releases.
  • Removing a release will give downloaders the impression that the project has no releases and is effectively dead, this is not the right impression to give them
  • It makes it very difficult, even for actively maintained distributions, to keep their projects on the download list if there is a security release.
  • The need to educate maintainers and downloaders alike should be tackled by visual indicators (red, orange?) and an explanation saying what that visual indicator means (e.g. "This release includes a module or theme that is outdated and a newer version with a security fix. As always, downloaders are encouraged to evaluate the security of code prior to installing it.").

Arguments against (No!)

  • We shouldn't allow people to easily download a distribution with outdated modules.
πŸ“Œ Task
Status

Closed: won't fix

Version

3.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States japerry KVUO

Live updates comments and jobs are added and updated live.
  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024