Problem/Motivation

Today, the colorbox module was marked as unmaintained with over 200,000 active installations. Given that most widely used modules will eventually gain a new maintainer after being marked unsupported, are there any opportunities to avoid widespread disruption?

Proposed resolution

Can we perhaps add a step in the process that reaches out to downstream module maintainers, or other project maintainers that may be indirectly affected before completely removing support, sending out emails to the whole user-base, etc?

Hypothetical Email Template

Hello! We are in the process of degrading the security coverage status of {{ abandoned_module }}, which is an upstream dependency of {{ your_module }}. If you would like to help out by becoming a co-maintainer of your upstream dependency, please follow this process: {{ link_to_process }}.

If we don't hear back in two weeks, then {{ abandoned_module }} will be marked as abandoned.

Thanks!

Comments

Luke.Leber created an issue. See original summary.

damienmckenna’s picture

Thanks for bringing up this discussion.

The first option is a reasonable idea, though it's often difficult to determine this. With something like Colorbox how would you suggest guessing how far to throw out the metaphorical net?

The second idea would be difficult to determine - how do you tell what may be "indirectly affected"?

The third option is a no-go - we don't have any way of knowing who currently uses a module, and just because someone has posted in an issue queue doesn't mean they have any active interest in the module.

In general we leave the process in place because maintainers can always add more maintainers if they so choose, so they have the ability to deal with the problem ahead of time.

luke.leber’s picture

Hi! I don't think that my original issue summary was as clear as it should have been. I'm really only suggesting one idea -- to look to existing maintainers that might have a stake in the fate of an upstream module.

What I meant with the emails part was part of the rationality of implementing an additional step in the process -- just to avoid sending out thousands of emails.

As far as actual implementation, I think that we can look to...

  1. Explicit dependencies in .info.yml files (for direct dependencies)
  2. Explicit dependencies in composer.json files (for direct dependencies)
  3. Explicit dev dependencies in composer.json files (for indirect dependencies)
  4. Trolling on http://grep.xnddx.ru/ for usage of public interfaces that the module exposes (perhaps?)

in order to determine the distance to throw the cast net.

For a concrete example, http://grep.xnddx.ru/search?text=colorbox&filename=.info.yml yields about 23 projects that declare an explicit dependency on the colorbox module.

Thanks!

luke.leber’s picture

Issue summary: View changes
luke.leber’s picture

Issue summary: View changes
luke.leber’s picture

Issue summary: View changes
luke.leber’s picture

Perhaps it would also make sense to also limit the candidates in the pool to those with a vetted role.

I'm pretty much in the dark when it comes to how the drupal.org infrastructure works, so please keep in mind my suggestions may not be bound by technical limitations :-)

joegl’s picture

It might be useful to classify these differently. There were security advisories with fixes implemented in updates mixed in with these "unsupported" module notices. The "critical" status also is equally jarring and confusing when there is no path forward supplied, and I imagine in these cases a lot of users using these modules are in a holding pattern for the next 30 days to see if anyone takes over the project and fixes the vulnerability. I.e., I feel these SA's could have been communicated better and more clearly.

The documentation link supplied also had a broken anchor link, so it didn't take you to the right section of the documentation.

cmlara’s picture

Just to clarify,

Is this being proposed that this process be done before the module is announced as having a security vulnerability or is it being proposed for after the fact a vulnerability is announce (unsupported SA issued) but before the module itself has its releases tagged unsupported and SA coverage is formally removed?

luke.leber’s picture

The idea was that the new process would occur before an SA. The rationality being that it could help to save hundreds of thousands of sites owners from a potential freak-out situation.

The drawback of course is that the new status quo would be less secure than the current process.

This could potentially be offset by unioning the new process with non-security project degrading that we've already seen with D9 readiness. All that the increased circle of trust would know is that the project needs a new maintainer to retain security advisory coverage because the current maintainer(s) are unresponsive. There may or may not be a known security issue with the module.

Does that sort of make sense?

cmlara’s picture

Does that sort of make sense?

Yep perfect sense. I suspected this is what you meant however I just wanted to be sure before commenting.

The drawback of course is that the new status quo would be less secure than the current process.

That is the big part. This would in my mind trigger the following points of concerns (no particular order just numbered for easier reference later):

  1. Increase the number of individuals who are in a position to silently exploit a vulnerability.
  2. Create a process that permits disclosure to (random/select) individuals prior to others sites receiving such notice.
  3. Possibly increase the length of time sites are vulnerable for.

Point 1 isn't really quantifiable on exactly how risky it is considered to be. I would assume it be limited to (as you suggested) maintainers with the vetted role as a minimum. Possibly also add on the impacted project needs to be SA covered as well on the grounds that it shows that particular project views its association as needing to be secure..

Point 3 is going to very based on the vulnerability and timeline of bringing in individuals, however as proposed this could increase the period by 2 weeks that a module is available with a known hidden vulnerability. Personally I think the length of time the security team holds on to issues may actually already be too long in some cases, and this could be an additional 2 weeks that an exploit could be ongoing. Unless Drupal.org has a really good honeypot network to deploy signatures to privately it isn't really known if an exploit is occurring.

Colorbox this past week shown that users may be slow to remove a module since its a core part of their user experience, however after the announcement it was their choice to continue running it while other sites may have chosen to completely remove the module and deal with recovering after the fact.

Point 3 possibly raises the question of should such a policy to perhaps be limited to CVE's of only a certain impact (Below a points score, or excluding specific types of flaws)

Point 2 is where ethics discussions start to occur. It is not unheard of for larger projects to have such information sharing agreements in place, however in my experience usually controlled under previously established non-disclosure agreements (where you know the lawsuits will be filed if you breach and significant monetary damages obtained) and only usually with larger partners(presumption of increased trust/increased need to know.) However in my experience such processes of limited disclosure are often viewed negatively as being denied an equal chance to protect one self.

luke.leber’s picture

I totally agree with the slippery slope that comes with increasing trust circles -- it forms an impossible barrier IMO. It would be best if we didn't have to deal with the "equal chance" dilemma.

I think that there's an important distinction between "this module is unsupported with a known security issue" and "this module is losing security coverage because the maintainer doesn't seem to be around anymore".

Having agreed to work with the security team to coordinate releases, it almost seems like there should be a mandatory maintainer check-in from time to time. If there's a periodic email that asks maintainers to re-affirm that they're still able to maintain their end of the security advisory agreement, I think that could work. The semi-automatic Drupal 8 project degrading that we've seen could be used as an example of a similar process. It also seems a lot more honest.

To conclude, I feel that there needs to be an ambiguous reason for the loss of security advisory coverage if the circles of trust are to increase at all. Otherwise, as you said, it would be pretty unfair to everybody.

cmlara’s picture

it almost seems like there should be a mandatory maintainer check-in from time to time. If there's a periodic email that asks maintainers to re-affirm that they're still able to maintain their end of the security advisory agreement, I think that could work.

+1 to trying to find a way to deal with unresponsive maintainers BEFORE a security flaw is reported.

The semi-automatic Drupal 8 project degrading that we've seen could be used as an example of a similar process. It also seems a lot more honest.

A method based off the private notice and if no response open a public issue actually seems quite good IMHO.

Of course all this is making the assumption that the majority of the time it is a maintainer who doesn't respond at all. Two other scenarios that I'm not sure this will fix are:

  • When a maintainer is responsive but fails to fix the issue because it is on a branch they do not personally work with/do not have the knowledge to work with. (I was recently in this spot to patch a D7 issue while I'm primarily a D9 dev.)
  • Cases where the maintainer is disagreeing with the security team on an issue actually being a vulnerability (I've seen this at least once in a 2012 thread but no clue how common it may be)

Only the security team can opine on if those are frequent enough concerns to render this discussion of limited use (in other words are we suggesting to fix the wrong problem because we do not know all the details)

gaele’s picture

it almost seems like there should be a mandatory maintainer check-in from time to time. If there's a periodic email that asks maintainers to re-affirm that they're still able to maintain their end of the security advisory agreement, I think that could work.

+1

I think this would solve the real problem. Colorbox had five maintainers listed (paulmckibben and jenlampton were only recently added). Apparently all of those five were unresponsive. One of them stated in an issue after the SA: "One of the original maintainers here, I stoped using Drupal a few years ago and handed over all my modules." He's still listed.

Suppose you were using, or wanted to use, colorbox. The project page looked fine, security team coverage, five maintainers. On the surface this appeared to be a safe choice.

cmlara’s picture

Interesting data point:

Two of the modules that went unsupported had the auto-open for adoption issues.
#3234025: media_entity_flickr project open to new maintainer applications on 30 Sep, 2021
#3238081: image_export_import project open to new maintainer applications on 5 Oct, 2021

These are not the only security supported modules that still have these open for adoption issues open. Some have no volunteers, some have only non-vetted volunteers and as such couldn't be transferred.

solideogloria’s picture

Copied from 3280775#16

Maybe there could be a way to have a "frequent contributor" role or something on modules, and give those people the ability to see pending security issues after a certain amount of times passes following a reported security issue, or if the module maintainer can't be reached regarding a security issue. The people given "frequent contributor" or "temporary security issue access" could be automatically or manually determined as desired. I think having more people in the loop would be helpful for arriving at a solution, rather than just marking the module unmaintained (though perhaps in the example situation that would still need to happen).