Problem/Motivation
In #3039120: Create initial feature to display relevant PSA data in Drupal, we built the code to display a PSA. But the live feed and URL aren't known yet. Once that is available, let's update the default config with it.
Proposed resolution
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
Comment | File | Size | Author |
---|---|---|---|
#36 | 3045273-36.patch | 17.59 KB | heddn |
#36 | interdiff_35-36.txt | 3.9 KB | heddn |
Comments
Comment #2
heddn
Comment #3
AaronMcHale
Is there a corresponding issue for implementing the relevant endpoint? If so, we should link it here.
Comment #4
heddn
mlhess is working on it. I'm not sure if he's opened an issue we can link to.
Comment #5
drumm
Where is the desired format documented?
#3039118: Create JSON feed format for PSAs to be consumed by Drupal automatic update doesn’t look like it matches where #3039120: Create initial feature to display relevant PSA data in Drupal landed - https://git.drupalcode.org/project/automatic_updates/commit/bb395cb#8b51...
Comment #6
heddn
Take the PHP arrays in https://git.drupalcode.org/project/automatic_updates/blob/8.x-1.x/tests/... and json_encode them.
```json
[{"title":"Critical Release - PSA-2019-02-19","link":"https:\/\/www.drupal.org\/psa-2019-02-19","project":"core","extensions":[],"type":"module","secure_versions":["7.99","8.10.99","8.9.99","8.8.99","8.7.99","8.6.99","8.5.99"],"pubDate":"Tue, 19 Feb 2019 14:11:01 +0000"},{"title":"Critical Release - PSA-Really Old","link":"https:\/\/www.drupal.org\/psa","project":"core","extensions":[],"type":"module","secure_versions":["7.0","8.4.0"],"pubDate":"Tue, 19 Feb 2019 14:11:01 +0000"},{"title":"Node - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"node","extensions":["node"],"type":"module","secure_versions":["7.x-7.22","8.x-8.2.0"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"},{"title":"Standard - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"Standard Install Profile","extensions":["standard"],"type":"profile","secure_versions":["8.x-8.10.99"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"},{"title":"Seven - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"seven","extensions":["seven"],"type":"theme","secure_versions":["8.x-8.10.99"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"},{"title":"Foobar - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"foobar","extensions":["foobar"],"type":"foobar","secure_versions":["8.x-1.2"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"},{"title":"Token - Moderately critical - Access bypass - SA-CONTRIB-2019","link":"https:\/\/www.drupal.org\/sa-contrib-2019","project":"token","extensions":["token"],"type":"module","secure_versions":["7.x-1.7","8.x-1.5"],"pubDate":"Tue, 19 Mar 2019 12:50:00 +0000"}]
```
Comment #7
heddn
Assigning to Michael to work on this week.
Comment #9
heddn
Apply patch attached here.
Then to test w/ the new dummy end-point:
```php
\Drupal::configFactory()->getEditable('automatic_updates.settings')->set('psa_endpoint', 'https://drupal:drupal@mlhsec-drupal.dev.devdrupal.org/files/release-history/psa.json')->save();
```
Or enable the test_automatic_updates module. If the site isn't set up to use localhost, you might have to change it from the default of
http://localhost/automatic_updates/test-json
Comment #10
heddn
Feedback desired on the wording and messaging if a PSA or SA is published. How would you like to see these things rendered?
They are currently rendered on admin pages and the system status page.
Comment #11
tatarbj
I just rerolled the patch on the latest head.
Comment #12
tatarbj
For all who's gonna test it, this is how you can do it:
- Get the latest version of the code, apply the patch (another reroll might be needed)
- Edit automatic_updates.settings.yml and change psa_endpoint to the dummy one (see #3045273-9: Add real endpoint after drupal.org provides a live feed)
- Enable the module. (If you had it enabled before, uninstall it and enable it again).
- Then navigate to the admin/config/automatic_updates path and see what it looks like.
- Say your words :)
Comment #13
tatarbj
My 2 cents here is to add a link to all PSAs either by making the header a link or under the listed ones say 'For all PSA visit https://www.drupal.org/security/psa' - also about wording, let's follow the Drupal Security Team's standard one and make the P capital everywhere.
Comment #14
tatarbj
The mentioned things are implemented in my patch to get an improved version just in case.
Comment #15
tatarbj
Sorry, the dummy endpoint stayed in my previous patch, here is the correct one.
Comment #16
tatarbj
As @heddn asked in slack, here is the interdiff between 11 and 15 (11 is a reroll on 9).
Comment #17
heddn
Thanks for your review. A couple questions to ponder...
1. Do we want to keep or remove the word "Drupal"? The reason to add it is to distinguish in the inbox or site from other PSAs that might be rendered.
2. Perhaps it would read more clearly, "To see all PSAs, visit..."
Comment #18
tatarbj
About point no. 1: are there any plans to use that twig for rendering other things rather than just on a Drupal site (emails, I might think of)? If not, I wouldn't put the 'Drupal' word there, as everyone gets it :)
Comment #19
tatarbj
Implementing @heddn no2 point in the next patch (with interdiff between #15 and current one attached).
Comment #20
heddn
So, 17.2 is addressed and 17.1 is fine. Any other feedback?
Comment #21
catch
This looks ready to go to me, agreed with removing 'Drupal' from the text.
Comment #23
heddn
Comment #24
heddn
This needs backported to D7.
Comment #25
heddn
Comment #26
drumm
https://updates.drupal.org/psa.json is now live. It is currently hard-coded to just contain `[]`. The implementation of the format will be in #3068539: Add psa.json API endpoint to support automatic updates.
Comment #27
heddn
Small change to test for null on json decoding. But otherwise, pretty simple stuff here.
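
Added example, not from this thread or the automatic_updates module: one way to decode the feed format shown in comment #6 with the null check mentioned in comment #27, so that an unreadable response is not mistaken for the empty feed `[]`. The function name `parse_psa_feed()`, the sample bodies and the restriction of links to www.drupal.org over HTTPS are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decode a PSA feed body and keep only well-formed entries.
 *
 * Hypothetical helper; field names follow the sample feed in comment #6.
 * Returns NULL when the body is not a JSON list, so the caller can tell
 * "feed unreadable" apart from "no PSAs published" ([]).
 */
function parse_psa_feed(string $body): ?array {
  $decoded = json_decode($body, TRUE);
  // json_decode() gives NULL for malformed JSON and for the literal "null";
  // a JSON object or scalar is not a feed either.
  if (!is_array($decoded) || $decoded !== array_values($decoded)) {
    return NULL;
  }
  $entries = [];
  foreach ($decoded as $item) {
    if (!is_array($item) || !is_array($item['secure_versions'] ?? NULL)) {
      continue;
    }
    foreach (['title', 'link', 'project', 'type'] as $key) {
      if (!is_string($item[$key] ?? NULL)) {
        continue 2;
      }
    }
    // Assumption: advisory links always point at www.drupal.org over HTTPS.
    $url = parse_url($item['link']);
    if (!is_array($url) || ($url['scheme'] ?? '') !== 'https'
      || strtolower($url['host'] ?? '') !== 'www.drupal.org') {
      continue;
    }
    $entries[] = $item;
  }
  return $entries;
}

// Constructed sample bodies, not captured from the live endpoint.
$samples = [
  'empty feed' => '[]',
  'literal null' => 'null',
  'truncated body' => '[{"title":"Critical Release',
  'one valid, one off-site link' => '[{"title":"Critical Release - PSA-2019-02-19","link":"https://www.drupal.org/psa-2019-02-19","project":"core","extensions":[],"type":"module","secure_versions":["8.7.99"],"pubDate":"Tue, 19 Feb 2019 14:11:01 +0000"},{"title":"Lookalike","link":"http://example.com/psa","project":"core","type":"module","secure_versions":[]}]',
];
foreach ($samples as $label => $body) {
  $result = parse_psa_feed($body);
  printf("%-30s %s\n", $label, $result === NULL ? 'unreadable' : count($result) . ' PSA(s)');
}
```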
Comment #28
heddn
Comment #29
heddn
Wrong branch
Comment #31
heddn
This seems trivial enough, let's just move to committing. And we will need a patch for 7.x.
Comment #32
heddn
We're also missing all the feedback from earlier in this issue that landed in #22. But let's throw up the easy patch first.
Comment #33
heddn
And since I seem to have missed uploading the patch for #32, doing that now as well as a new one that covers the string changes from #22. Still need to do some manual testing to make sure the test feed works as expected.
Comment #34
heddn
Comment #35
heddn
Comment #36
heddn
Comment #38
heddn