Contrib.social

The update report does not honor drupal.org's info about what releases are secure or not

Open on Drupal.org β†’
Created on 31 July 2018, about 6 years ago
Updated 4 February 2023, over 1 year ago

Problem/Motivation

Now that the security team can specifically mark releases insecure


The update module could determine if a project is secure even if there is security release in a new release. Even in cases where the latest release of a project is security release it does not automatically mean that all previous releases will be marked as insecure.

For example a hypothetical core scenario:

  1. 8.100.1 - is released, it has no security hole
  2. 8.100.2 - is released, it introduces an undiscovered security hole
  3. 8.100.3 - is a security release that fixes the problem introduced in 8.100.2

8.100.2 would be marked as "insecure" but 8.100.1 might not be marked as insecure because the problem code wasn't in it. For sites running 8.100.1 that would not be required to update to be secure.

Proposed resolution

Depend on XML from drupal.org to determine if a release is insecure and if a security update is required.

Remaining tasks

  1. Determine if "insecure" tag is working for all core and contrib projects and can be relied on.
  2. Patch
  3. Tests

User interface changes

Not seeing a "Security update required!" message if not needed.

API changes

Possibly none, possible changes or removal of dead code related to the old method of determining security status.

Data model changes

Instead of computing if a release is secure or not based on if a newer release includes security fixes, rely on a secure vs. insecure flag in the update status XML data.

πŸ› Bug report
Status

Needs work

Version

10.1 ✨

Component
UpdateΒ  β†’

Last updated 2 days ago

  • Maintained by
  • πŸ‡ΊπŸ‡ΈUnited States @tedbow
  • πŸ‡ΊπŸ‡ΈUnited States @dww
Created by

πŸ‡ΊπŸ‡ΈUnited States tedbow Ithaca, NY, USA

Live updates comments and jobs are added and updated live.
  • Needs usability review

    Used to alert the usability topic maintainer(s) that an issue significantly affects (or has the potential to affect) the usability of Drupal, and their signoff is needed. When adding this tag, make it easy to review the issue. Make sure the issue summary describes the problem and the proposed solution. Screenshots usually help a lot! To get sign-off on issues with the "Needs usability review" tag, post about them in the #ux channel on Drupal Slack, and/or attend a UX meeting to demo the patch and get direct feedback from designers/UX folks/product management on next steps. If an issue represents a significant new feature, UI change, or change to the general "user experience" of Drupal, use Needs product manager review instead. See the scope of responsibilities for product managers.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment over 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request β†’ as a guide.

    Still needs usability review.

    Will post to the slack channel.

    Meantime can MR be updated for 10.1 please.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024