Hardcode security coverage EOL dates for Drupal 10.last-1 and 10.last

Created on 1 August 2023, over 1 year ago

Problem/Motivation

In #2991207: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases β†’ , we implemented messages for the site owner about the security coverage dates for their installed release. The implementation assumes each minor receives security coverage until two minors later. However, the last 1-2 minor versions of the major series need to have specific dates hardcoded, because there is no "two minors later".

This was done for D8 and D9.

Proposed resolution

Add the dates for Drupal 10

Adding appropriately named constants will automatically generate the correct messages (as shown in the test cases).

Remaining tasks

Needs code review.

Manual testing requires faking update module data, because the message is not displayed unless the branch has a stable release.

These instructions needs to be updated.

Alternately, manual testing with the below changes will display the message as if 9.2 and 9.3 were the final releases instead. (This works because Drupal.org already has stable releases for those branches.)

diff --git a/core/modules/update/src/ProjectSecurityData.php b/core/modules/update/src/ProjectSecurityData.php
index 6c927c5e0f..03e6cd3ab6 100644
--- a/core/modules/update/src/ProjectSecurityData.php
+++ b/core/modules/update/src/ProjectSecurityData.php
@@ -39,13 +39,13 @@ final class ProjectSecurityData {
    *
    * @see \Drupal\update\ProjectSecurityRequirement::getDateEndRequirement()
    */
-  const SECURITY_COVERAGE_END_DATE_9_4 = '2023-06-21';
+  const SECURITY_COVERAGE_END_DATE_9_2 = '2023-06-21';
 
-  const SECURITY_COVERAGE_ENDING_WARN_DATE_9_4 = '2022-12-14';
+  const SECURITY_COVERAGE_ENDING_WARN_DATE_9_2 = '2022-12-14';
 
-  const SECURITY_COVERAGE_END_DATE_9_5 = '2023-11';
+  const SECURITY_COVERAGE_END_DATE_9_3 = '2023-11';
 
-  const SECURITY_COVERAGE_ENDING_WARN_DATE_9_5 = '2023-05-14';
+  const SECURITY_COVERAGE_ENDING_WARN_DATE_9_3 = '2023-05-14';
 
   /**
    * The existing (currently installed) version of the project.

User interface changes

Drupal 10.last-1 and Drupal 10.last will properly inform the user of accurate EOL dates.

API changes

Data model changes

None.

Release notes snippet

TBD

πŸ“Œ Task
Status

Postponed

Version

9.4

Component
OtherΒ  β†’

Last updated about 1 hour ago

Created by

πŸ‡³πŸ‡ΏNew Zealand quietone

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @quietone
  • πŸ‡³πŸ‡ΏNew Zealand quietone
  • πŸ‡¬πŸ‡§United Kingdom catch

    With https://www.drupal.org/blog/drupal-10-will-be-supported-until-the-releas... β†’ I am not sure the best release to add these warnings to any more. 10.3 or 10.4 seems too soon given the longer support cycle, maybe 10.5 or 10.6?

  • Status changed to Active 7 months ago
  • πŸ‡ΊπŸ‡ΈUnited States xjm

    Moving to beta2.

    There's another issue somewhere to make this less ooglay, but for D10 we really should just get the EOL dates in there, so de-uglification can happen in D11+.

    Based on an August release of 11.0.0 which is now locked in barring some horrible catastrophe, there are two possible paths forward. Both include:

    • Dec. 2024: 10.4.0 and 11.1.0
    • June 2025: 10.5.0 and 11.2.0
    • Dec. 2025: 10.6.0 and 11.3.0

    If 12.0.0 comes out in June or August, we don't create a 10.7.0 because we don't want to issue releases for three branches at once; we can simply make a best-effort extension of 10.5.0's security coverage through to November 2026 when Symfony 6 goes EOL.

    If we miss the April-May-ish deadline for an August release of 12.0.0, there might be some case for creating a 10.7.0 with backported APIs. However, I think this would be a bad idea since it'd only be supported for six months and would mean managing all of the following branches at once in the spring:

    • 12.0.x
    • 11.5.x
    • 11.4.x
    • 10.7.x
    • 10.6.x
    • 10.5.x

    So, even in a December 12.0.0 release scenario, I think we should avoid issuing a 10.7.0. Besides, it's always better to warn site owners too early over too late.

    So I agree that 10.5 and 10.6 are the branches to deal with here.

  • πŸ‡ΊπŸ‡ΈUnited States xjm

    These changes don't go into 11.x.

  • πŸ‡ΊπŸ‡ΈUnited States xjm

    xjm β†’ changed the visibility of the branch 3378393-d10-minor-eol-dates to hidden.

  • Status changed to Needs review 7 months ago
  • πŸ‡ΊπŸ‡ΈUnited States xjm
  • πŸ‡ΊπŸ‡ΈUnited States xjm
  • Merge request !8184Add EOL and warning dates for 10.5 and 10.6. β†’ (Closed) created by xjm
  • πŸ‡ΊπŸ‡ΈUnited States xjm
  • Status changed to Needs work 7 months ago
  • πŸ‡ΊπŸ‡ΈUnited States xjm

    Right, this is actually tested:

    ---- Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest ----
    Status    Group      Filename          Line Function                            
    --------------------------------------------------------------------------------
    Fail      Other      phpunit-5.xml        0 Drupal\Tests\update\Functional\Upda
        PHPUnit Test failed to complete; Error: PHPUnit 9.6.19 by Sebastian
        Bergmann and contributors.
        
        Testing Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest
        .........FFFFFFFFF.                                               19 / 19
        (100%)
        
        Time: 02:08.966, Memory: 6.00 MB
        
        There were 9 failures:
        
        1)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "9.4.0, supported" ('9.4.0', 'sec.9.5.0', 'Checked', 'Covered
        until 2023-Jun-21 Vis...eases.', '2022-12-13')
        Failed asserting that actual size 0 matches expected size 1.
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:53
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
        
        2)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "9.4.0, supported, 6 months warn" ('9.4.0', 'sec.9.5.0',
        'Warnings found', 'Covered until 2023-Jun-21 Upd...eases.', '2022-12-14')
        Failed asserting that two strings are equal.
        --- Expected
        +++ Actual
        @@ @@
        -'Covered until 2023-Jun-21 Update to a supported minor version soon to
        continue receiving security updates. Visit the release cycle overview for
        more information on supported releases.'
        +'Covered until 9.6.0 Update to 9.5 or higher soon to continue receiving
        security updates. Visit the release cycle overview for more information on
        supported releases.'
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Equality/IsEqual.php:95
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:56
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
        
        3)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "9.4.0, supported, last day warn" ('9.4.0', 'sec.9.5.0',
        'Warnings found', 'Covered until 2023-Jun-21 Upd...eases.', '2023-06-20')
        Failed asserting that two strings are equal.
        --- Expected
        +++ Actual
        @@ @@
        -'Covered until 2023-Jun-21 Update to a supported minor version soon to
        continue receiving security updates. Visit the release cycle overview for
        more information on supported releases.'
        +'Covered until 9.6.0 Update to 9.5 or higher soon to continue receiving
        security updates. Visit the release cycle overview for more information on
        supported releases.'
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Equality/IsEqual.php:95
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:56
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
        
        4)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "9.4.0, support over" ('9.4.0', 'sec.9.5.0', 'Errors found',
        'Coverage has ended Update to ...eases.', '2023-06-22')
        Failed asserting that actual size 0 matches expected size 1.
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:53
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
        
        5)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "9.5.0, supported" ('9.5.0', 'sec.9.5.0', 'Checked', 'Covered
        until 2023-Nov Visit ...eases.', '2023-01-01')
        Failed asserting that two strings are equal.
    --- Expected
    +++ Actual
    @@ @@
    -'Covered until 2023-Nov Visit the release cycle overview for more
    information on supported releases.'
    +'Covered until 9.7.0 Visit the release cycle overview for more information
    on supported releases.'
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Equality/IsEqual.php:95
    /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:56
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
    6)
    Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
    with data set "9.5.0, supported, 6 months warn" ('9.5.0', 'sec.9.5.0',
    'Warnings found', 'Covered until 2023-Nov Update...eases.', '2023-05-15')
    Failed asserting that actual size 0 matches expected size 1.
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
    /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:53
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
    7)
    Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
    with data set "9.5.0, supported, last day warn" ('9.5.0', 'sec.9.5.0',
    'Warnings found', 'Covered until 2023-Nov Update...eases.', '2023-10-31')
    Failed asserting that actual size 0 matches expected size 1.
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
    /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:53
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
    8)
    Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
    with data set "9.5.0, support over" ('9.5.0', 'sec.9.5.0', 'Errors found',
    'Coverage has ended Update to ...eases.', '2023-11-01')
    Failed asserting that actual size 0 matches expected size 1.
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
    /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:53
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
    9)
    Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
    with data set "10.5.0" ('10.5.0', 'sec.10.5.0', 'Checked', 'Covered until
    10.7.0 Visit th...eases.', '')
    Failed asserting that two strings are equal.
    --- Expected
    +++ Actual
    @@ @@
    -'Covered until 10.7.0 Visit the release cycle overview for more
    information on supported releases.'
    +'Covered until 2026-Jun-17 Visit the release cycle overview for more
    information on supported releases.'
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Equality/IsEqual.php:95
    /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:56
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
    FAILURES!
    Tests: 19, Assertions: 212, Failures: 9.
  • πŸ‡ΊπŸ‡ΈUnited States xjm

    Also I realized my dates for 10.6 are actually wrong; we're not constrained by the Symfony 7 EOL at all.

  • Status changed to Needs review 7 months ago
  • πŸ‡ΊπŸ‡ΈUnited States xjm

    Should be fixed now.

  • Status changed to Needs work 7 months ago
  • πŸ‡ΊπŸ‡ΈUnited States xjm

    Still failing for some reason:

    1)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "10.5.0, supported" ('10.5.0', 'sec.10.6.0', 'Checked',
        'Covered until 2026-Jun-17 Vis...eases.', '2024-06-25')
        Failed asserting that actual size 0 matches expected size 1.
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:48
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
        
        2)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "10.5.0, supported, 6 months warn" ('10.5.0', 'sec.10.6.0',
        'Warnings found', 'Covered until 2026-Jun-17 Upd...eases.', '2025-12-10')
        Failed asserting that actual size 0 matches expected size 1.
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:48
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
        
        3)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "10.5.0, supported, last day warn" ('10.5.0', 'sec.10.6.0',
        'Warnings found', 'Covered until 2026-Jun-17 Upd...eases.', '2026-06-17')
        Failed asserting that actual size 0 matches expected size 1.
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:48
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
        
        4)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "10.5.0, support over" ('10.5.0', 'sec.10.6.0', 'Errors
        found', 'Coverage has ended Update to ...eases.', '2026-06-18')
        Failed asserting that actual size 0 matches expected size 1.
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:48
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
        
        5)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "10.6.0, supported" ('10.6.0', 'sec.10.6.0', 'Checked',
        'Covered until 2026-12-09 Visi...eases.', '2026-01-01')
        Failed asserting that actual size 0 matches expected size 1.
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:48
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
        
        6)
        Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
        with data set "10.6.0, supported, 6 months warn" ('10.6.0', 'sec.10.6.0',
        'Warnings found', 'Covered until 2026-12-09 Upda...eases.', '2026-06-10')
        Failed asserting that actual size 0 matches expected size 1.
        
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
        /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:48
        /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
    7)
    Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
    with data set "10.6.0, supported, last day warn" ('10.6.0', 'sec.10.6.0',
    'Warnings found', 'Covered until 2026-12-09 Upda...eases.', '2026-12-09')
    Failed asserting that actual size 0 matches expected size 1.
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
    /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:48
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
    8)
    Drupal\Tests\update\Functional\UpdateSemverCoreSecurityCoverageTest::testSecurityCoverageMessage
    with data set "10.6.0, support over" ('10.6.0', 'sec.10.6.0', 'Errors
    found', 'Coverage has ended Update to ...eases.', '2026-12-10')
    Failed asserting that actual size 0 matches expected size 1.
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:122
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/Constraint/Constraint.php:56
    /builds/project/drupal/core/modules/update/tests/src/Functional/UpdateSemverCoreSecurityCoverageTest.php:48
    /builds/project/drupal/vendor/phpunit/phpunit/src/Framework/TestResult.php:729
    FAILURES!
    Tests: 19, Assertions: 198, Failures: 8.
  • πŸ‡³πŸ‡ΏNew Zealand quietone

    I've spent too much time on this today, partially due to having problems with debugging not working.

    All failing tests are all using the fixture 'sec.10.6.0'. Locally I get a 'No data available' warning. It seems that when getting the data from KeyValueExpirable, the data is already expired so nothing is returned. If I workaround that and run the test, the display shows "Out of date (version 10.6.0 available)" still not the correct message though.

  • πŸ‡³πŸ‡ΏNew Zealand quietone

    It looks like the calculation of the expired time changed in #2991207: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases β†’ . If I revert the changes that commit made to UpdateProcessor.php then the one test case I am testing with passes. That is '10.5.0, supported'

  • Status changed to Needs review 7 months ago
  • πŸ‡³πŸ‡ΏNew Zealand quietone

    This was calculating the date difference using the mock date and the current time. With the mock date in the future the time difference was always great enough for the update data in keyvalueexpirable was always expired. When the test got that data it would return an empty array and thus tests were failing when mock dates were used. The solution here is to add a test version of getCurrentTime that will return the mock date.

    Tests were failing for the test of the messages on the last day of security coverage. According to the test on the last day of security coverage there should be a warning message. I took that as the intention and changed the relevant if statement in \Drupal\update\ProjectSecurityRequirement::getDateEndRequirement to allow that.

  • πŸ‡ΊπŸ‡ΈUnited States xjm

    @quietone Thank you for fixing that silly test.

  • πŸ‡ΊπŸ‡ΈUnited States xjm

    Updated the IS for the reasoning for the dates.

  • πŸ‡ΊπŸ‡ΈUnited States xjm
  • πŸ‡ΊπŸ‡ΈUnited States xjm
  • πŸ‡ΊπŸ‡ΈUnited States xjm

    Confirmed the date expectations with @catch.

  • πŸ‡ΊπŸ‡ΈUnited States smustgrave

    So still not 100% how to test this one

    I applied a script that @xjm was kind enough to share
    php -r "include 'vendor/autoload.php'; \Drupal\Composer\Composer::setDrupalVersion('.', '10.whichever.whatever');"

    And set to 10.5.0

    I altered the variables SECURITY_COVERAGE_END_DATE_10_5 and SECURITY_COVERAGE_ENDING_WARN_DATE_10_5 to go back 1 year.

    But with or without the patch the page on /admin/reports/updates remains the same

  • πŸ‡ΊπŸ‡ΈUnited States xjm

    Sorry, I didn't do a very good job of explaining that there are two different ways of testing this. One involves faking the release data (both in core itself and also what it would get from Drupal.org), the way that the Update module does in its tests. The other method is to install production versions of core, and hack the constants and dates so that those production versions (say, 10.1 and 10.2) are the ones with specific end-of-life dates (rather than 10.5 and 10.6). The messages won't show up if Drupal thinks you're on an unsupported/invalid release; with the current logic, being on an unsupported release supercedes providing any info about security coverage. (I don't agree with this, FWIW, but it is out of scope just as it was the first time around).

    So here's testing it the second way which is probably easier to understand if you haven't worked with the Update module before, the way I suggested in the IS:

    Before patch

    1. git checkout 10.2.7; composer install
    2. php core/scripts/drupal quick-start standard
    3. Navigate to /admin/reports/status.
    4. Observe the following default message:

    With modified patch (pretending 10.2 is what 10.6 will be, and adjusting constants accordingly

    1. git checkout 10.4.x (so that the patch will apply)
    2. php -r "include 'vendor/autoload.php'; \Drupal\Composer\Composer::setDrupalVersion('.', '10.2.7');"
      
    3. curl https://git.drupalcode.org/project/drupal/-/merge_requests/8184.diff | git apply --index -
    4. rm -rf vendor; composer install
    5. Modify the patch with the following diff, to pretend our faux-10.2.7 is behaving as we expect 10.6.7 to (as per the IS suggestion):
      diff --git a/core/modules/update/src/ProjectSecurityData.php b/core/modules/update/src/ProjectSecurityData.php
      index 472e408f2b..e5776ad2c1 100644
      --- a/core/modules/update/src/ProjectSecurityData.php
      +++ b/core/modules/update/src/ProjectSecurityData.php
      @@ -44,9 +44,9 @@ final class ProjectSecurityData {
       
         const SECURITY_COVERAGE_ENDING_WARN_DATE_10_5 = '2025-12-10';
       
      -  const SECURITY_COVERAGE_END_DATE_10_6 = '2026-12-09';
      +  const SECURITY_COVERAGE_END_DATE_10_2 = '2024-12-09';
       
      -  const SECURITY_COVERAGE_ENDING_WARN_DATE_10_6 = '2026-06-17';
      +  const SECURITY_COVERAGE_ENDING_WARN_DATE_10_2 = '2024-06-17';
       
         /**
          * The existing (currently installed) version of the project
      

      With the current date, we now expect a warning about 10.2's encroaching EOL.

    6. php core/scripts/drupal quick-start standard
    7. Navigate to /admin/reports/status.
    8. Observe the following warning:
      Covered until 2024-Dec-09. Update to a supported minor version soon to continue receiving security updates. Visit the release cycle overview for more information on supported releases." />
    9. You can continue to adjust dates and versions from there to see what the messages would look like before the warning date, or after the EOL date. It "just works" with the appropriately named constants and appropriate dates.

  • πŸ‡ΊπŸ‡ΈUnited States xjm

    Oh also note that this has nothing to do with admin/reports/updates. It affects a status report message shown for stable, known core versions.

  • πŸ‡ΊπŸ‡ΈUnited States xjm
  • πŸ‡ΊπŸ‡ΈUnited States xjm
  • πŸ‡ΊπŸ‡ΈUnited States xjm
  • Status changed to Needs work 2 months ago
  • The Needs Review Queue Bot β†’ tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

  • The Needs Review Queue Bot β†’ tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

  • πŸ‡³πŸ‡ΏNew Zealand quietone

    I think the bot is is mistaken. Anyway, I rebased and there were no conflicts.

  • πŸ‡ΊπŸ‡ΈUnited States dww

    Thanks for working on this! These tests and the logic they're testing are pretty confusing and weird. I tried to review as best I could. I think there are some errors in the MR as currently written. Although I'll quickly grant I could be confused myself. πŸ˜… Anyway, I think this needs another look before it's RTBC. Bare minimum there's a faulty comment to remove (nit). But in addition to changing the dates, the MR is also currently changing the behavior of the requirements messages, and I'm not sure it should be doing that. Locally, by fixing a few of the mock dates in UpdateSemverCoreSecurityCoverageTest, everything passes with no logic change in core/modules/update/src/ProjectSecurityRequirement.php...

  • πŸ‡ΊπŸ‡ΈUnited States dww

    After having only looked at the MR, I've now read the issue and comments, and see that my concern about the logic change was explained in #17. I'm on the fence if I agree with it. But I don't want to die on that hill. If we want to start showing the "Coverage has ended" error as soon as you hit the "coverage ends on" date, that seems fairly reasonable, even if it is a bit of scope creep.

    Thanks for #17 also explaining why we're adding TestTime:: getCurrentTime(). I started down the path of re-debugging why that was needed, but got distracted by the other changes and forgot to open a thread about it. πŸ˜… It might be nice to add a comment about it, but I certainly wouldn't require it here. Could always be a follow-up if we're anxious to get this committed ASAP.

    Thanks again,
    -Derek

  • πŸ‡³πŸ‡ΏNew Zealand quietone

    @dww, thanks for the review.

  • The Needs Review Queue Bot β†’ tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

  • Pipeline finished with Running
    28 days ago
    #345740
  • πŸ‡³πŸ‡ΏNew Zealand quietone

    Rebased and no conflicts.

  • The Needs Review Queue Bot β†’ tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

    This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

  • Pipeline finished with Success
    27 days ago
    Total: 2936s
    #346387
  • πŸ‡³πŸ‡ΏNew Zealand quietone

    Again, the bot was incorrect.

  • πŸ‡¬πŸ‡§United Kingdom longwave UK

    I feel like there should be an easier way of doing this, where we just set a constant for "last minor" and the code can calculate everything else by itself from there, which would then be unit testable, but that can wait for next time around I guess.

    Otherwise this looks correct to me for Drupal 10 so let's ship this with 10.4.

    • catch β†’ committed 55d2288b on 10.4.x
      Issue #3378393 by quietone, xjm, dww: Hardcode security coverage EOL...
    • catch β†’ committed 6e4863ff on 10.5.x
      Issue #3378393 by quietone, xjm, dww: Hardcode security coverage EOL...
  • πŸ‡¬πŸ‡§United Kingdom catch

    Committed/pushed to 10.5.x and cherry-picked to 10.4.x, thanks!

  • Automatically closed - issue fixed for 2 weeks with no activity.

Production build 0.71.5 2024