Define security team coverage policy for Drupal CMS and dependencies

Created on 20 December 2024, 3 months ago

Problem/Motivation

Drupal CMS includes some modules that aren't on stable releases yet.

There was a discussion in slack around whether the security team should extend coverage to those modules because they're in a stable release of Drupal CMS - either as a permanent measure, or a temporary one until 🐛 "Alpha stability flag in composer.json allows project_browser to download any alpha stability module" (currently Active) is resolved and everything is on stable releases.

If the security team policy is going to change, it should probably be documented (and there might need to be changes on d.o). That would normally be a security working group issue but seemed easier to discuss it in this project.

If there's no change, then this might also need to be documented - e.g. security support is unchanged regardless of how the module gets installed.

This is really a security team policy issue, but because it's specific to Drupal CMS, it seemed easier to post it here for visibility, and if nothing changes, the documentation may end up on the CMS side rather than the security team side.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Active

Component

General

Created by

🇬🇧 United Kingdom catch


Comments & Activities

  • Issue created by @catch
  • 🇺🇸 United States benjifisher Boston area

    I am linking to some issues that seem to be related.

  • Status changed to Closed: duplicate 21 days ago
  • 🇦🇺 Australia pameeela

    I think this has been addressed for now across other issues referenced as related.

  • 🇺🇸 United States greggles Denver, Colorado, USA

    If there's no change, then this might also need to be documented - e.g. security support is unchanged regardless of how the module gets installed.

    I guess we've gone that route. Which I think is OK.

    There was some special treatment for the AI (Artificial Intelligence) security releases to say:

    The AI module is included in Drupal CMS.

    As I'm reading that now, I guess we could link that to Drupal CMS to explain what it is?

  • 🇦🇺 Australia pameeela

    But the AI module has a stable release, so it's covered like any other module. So do you just mean the special treatment to highlight that it's included in Drupal CMS?

  • 🇺🇸 United States greggles Denver, Colorado, USA

    Yes, that's right.

    i.e. no special treatment other than highlighting to a Drupal CMS site that they need to do an update (in addition to whatever other notifications they might see).
