Problem/Motivation

In #2991207: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases, we implemented messages for the site owner about the security coverage dates for their installed release. The implementation assumes each minor receives security coverage until two minors later. However, the last 1-2 minor versions of the major series need to have specific dates hardcoded, because there is no "two minors later".

Proposed resolution

Add the dates for 9.4.x and 9.5.x.

Adding appropriately named constants will automatically generate the correct messages (as shown in the test cases).

Remaining tasks

Needs code review.

Manual testing requires faking update module data, because the message is not displayed unless the branch has a stable release.

Alternately, manual testing with the below changes will display the message as if 9.2 and 9.3 were the final releases instead. (This works because Drupal.org already has stable releases for those branches.)

diff --git a/core/modules/update/src/ProjectSecurityData.php b/core/modules/update/src/ProjectSecurityData.php
index 6c927c5e0f..03e6cd3ab6 100644
--- a/core/modules/update/src/ProjectSecurityData.php
+++ b/core/modules/update/src/ProjectSecurityData.php
@@ -39,13 +39,13 @@ final class ProjectSecurityData {
    *
    * @see \Drupal\update\ProjectSecurityRequirement::getDateEndRequirement()
    */
-  const SECURITY_COVERAGE_END_DATE_9_4 = '2023-06-21';
+  const SECURITY_COVERAGE_END_DATE_9_2 = '2023-06-21';
 
-  const SECURITY_COVERAGE_ENDING_WARN_DATE_9_4 = '2022-12-14';
+  const SECURITY_COVERAGE_ENDING_WARN_DATE_9_2 = '2022-12-14';
 
-  const SECURITY_COVERAGE_END_DATE_9_5 = '2023-11';
+  const SECURITY_COVERAGE_END_DATE_9_3 = '2023-11';
 
-  const SECURITY_COVERAGE_ENDING_WARN_DATE_9_5 = '2023-05-14';
+  const SECURITY_COVERAGE_ENDING_WARN_DATE_9_3 = '2023-05-14';
 
   /**
    * The existing (currently installed) version of the project.

User interface changes

Drupal 9.4 and 9.5 will properly inform the user of accurate EOL dates.

API changes

Data model changes

None.

Release notes snippet

TBD

Issue fork drupal-3272956

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

xjm created an issue. See original summary.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Issue summary: View changes
Issue tags: +Needs change record
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Status: Active » Needs work
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Issue summary: View changes
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Issue summary: View changes

xjm opened merge request !2039

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Related issues: +#2991207: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented

Test failure is a problem in the fixtures; I added release metadata for 9.8.0 and 9.9.0 instead of 9.4.0 and 9.5.0. 🤦‍♀️ Fix incoming.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Status: Needs work » Needs review
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Assigned: xjm » Unassigned
Issue tags: -Needs change record

Added a draft change record for the issue. I was on the fence about whether we even needed one, since the class is internal and the constants are only relevant on the Drupal version in their names, but it's there just in case.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Issue summary: View changes
xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Issue summary: View changes

Added info on manual testing.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented

Known random fail; sent retest.

dww’s picture

dww
we/he/they
CreditAttribution: dww at TEN7 commented
Related issues: +#3115435: Make clear why each XML update.module fixture is created the way it is

Per #3115435: Make clear why each XML update.module fixture is created the way it is, I'd love for us to be adding new update.module test fixtures with comments. E.g. see the top of core/modules/update/tests/fixtures/release-history/bbb_update_test.1_2.xml:

<?xml version="1.0" encoding="utf-8"?>
<!--
This fixture is used by Drupal\Tests\update\Functional\UpdateManagerUpdateTest.

It contains 3 releases:
- 8.x-1.0: The currently installed version in the test scenarios.
- 8.x-1.1: An available update that does not specify '<core_compatibility>'.
- 8.x-1.2: An available update that uses '<core_compatibility>' to require at
    least Drupal core version 8.1.0. Since the currently installed Drupal core
    for the tests is 8.0.0, this release will be flagged as 'Not compatible'.
-->

I know you're copy/pasting existing fixtures that don't have them, but I'd be in favor of adding them (and trying to maintain the "gate" that newly added update fixtures should always have them, as if they were docblock comments on a class).

I have trouble keeping track of our test coverage and fixtures, and I'm one of the subsystem maintainers. It's generally very hard for other folks to contribute to these issues and understand the fixtures and tests.

Otherwise, I don't think I see anything in the MR to complain about. But I'll give it a more thorough look after some belated lunch. 😉

Thanks!
-Derek

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Issue tags: +Needs followup

Tagging for:

I will make an issue soon to remove the legacy attributes and to add supported_branches

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm at Acquia commented
Issue tags: +Needs subsystem maintainer review
dww’s picture

dww
we/he/they
CreditAttribution: dww at TEN7 commented
Assigned: Unassigned » tedbow

Per #2995367: Fix update module test fixture names for 8.2.0-rc2 sample data and many others, I was under the impression that our naming convention for fixtures was that the filename indicates the latest release in that fixture. I don't believe we have this convention documented anywhere, but it's mostly true. 😉 Perhaps we can add a README.md to this directory as part of #3115435: Make clear why each XML update.module fixture is created the way it is or something?

Granted, the previous fixture names touched by this issue don't match that "convention" (such as it is), but if we're renaming them, I think we should move in the direction of this standard. So what's now drupal.sec.9.9.0.xml should be renamed to drupal.sec.9.5.0.xml (since that's the latest release in that fixture after the changes in the MR).

The one being renamed to drupal.sec.10.5.0.xml is already correct (since that fixture indeed ends with a 10.5.0 release).

I haven't chatted w/ Ted about this, so I won't remove the subsystem maintainer review tag. But here's 1/2 of that review. 😉 I'll ping via Slack to see if we agree. Also temporarily assigning to @tedbow for the same.

Thanks and sorry for the confusion!
-Derek

tedbow’s picture

tedbow
he/him
Primary language English
Location Ithaca, NY, USA
CreditAttribution: tedbow at Acquia commented

the fixture renaming @dww suggests in #17 seems right to me

tedbow’s picture

tedbow
he/him
Primary language English
Location Ithaca, NY, USA
CreditAttribution: tedbow at Acquia commented
Assigned: tedbow » xjm
dww’s picture

dww
we/he/they
CreditAttribution: dww at TEN7 commented
Assigned: xjm » Unassigned
Status: Needs review » Needs work
Issue tags: -Needs subsystem maintainer review

I believe these are the metadata changes Ted meant. 😉

Wim Leers made their first commit to this issue’s fork.

Wim Leers’s picture

Wim Leers
Location Ghent 🇧🇪🇪🇺
CreditAttribution: Wim Leers at Acquia commented
Status: Needs work » Needs review
Issue tags: -Needs followup
  1. @xjm's change record looks crystal clear 👍
  2. @dww's feedback in #14 seems relevant and reasonable: explicit docs for rarely touched code understood by few seems wise.
  3. Because this is a 9.4.0 target, I spent hours building a complete understanding of this problem space. Detailed write-up in the pre-existing thread on the merge request: https://git.drupalcode.org/project/drupal/-/merge_requests/2039/diffs#no....
  4. Implemented my conclusion: https://git.drupalcode.org/project/drupal/-/merge_requests/2039/diffs?co... — hopefully @tedbow and @dww will RTBC 🤞😄
  5. For the same reason, created the follow-up issue that @xjm requested in #15 and which was first raised 2.5 years ago in #2991207-120: Drupal core should inform the user of the security coverage for the site's installed minor version including final 8.x LTS releases. That will also help #3115435: Make clear why each XML update.module fixture is created the way it is. Done: #3280679: Remove legacy attributes, add supported_branches and consistently name update.module's XML fixtures
tedbow’s picture

tedbow
he/him
Primary language English
Location Ithaca, NY, USA
CreditAttribution: tedbow at Acquia commented
Status: Needs review » Needs work

Needs Work for needing comments in XML see #14

Wim Leers’s picture

Wim Leers
Location Ghent 🇧🇪🇪🇺
CreditAttribution: Wim Leers at Acquia commented
Status: Needs work » Needs review

All feedback addressed!

tedbow’s picture

tedbow
he/him
Primary language English
Location Ithaca, NY, USA
CreditAttribution: tedbow at Acquia commented
Status: Needs review » Reviewed & tested by the community

Looks. thanks everyone

@Wim Leers for your follow #3280679: Remove legacy attributes, add supported_branches and consistently name update.module's XML fixtures, you might to see if the scope overlaps with #3110917: [meta] Fix update XML fixtures bad data

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Acro Commerce, Thunder commented
Version: 9.5.x-dev » 9.4.x-dev
Status: Reviewed & tested by the community » Fixed

Committed and pushed 96b87dfb70 to 10.0.x and 387143aa73 to 9.5.x and 6b59e9e50f to 9.4.x. Thanks!

  • alexpott committed 96b87df on 10.0.x 
    Issue #3272956 by xjm, Wim Leers, tedbow, dww: Hardcode security...

  • alexpott committed 387143a on 9.5.x 
    Issue #3272956 by xjm, Wim Leers, tedbow, dww: Hardcode security...

  • alexpott committed 6b59e9e on 9.4.x 
    Issue #3272956 by xjm, Wim Leers, tedbow, dww: Hardcode security...

xjm closed merge request !2039

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

smustgrave credited jcnventura.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented

Closed https://www.drupal.org/project/drupal/issues/3186927 as a duplicate of this moving over credit

quietone credited benjifisher.

quietone’s picture

quietone CreditAttribution: quietone at PreviousNext commented

Closed #3107378: Deprecate hard-coded Drupal 8 dates from update logic for the status report once this information is provided by the infrastructure as a duplicate, adding credit.

quietone’s picture

quietone CreditAttribution: quietone at PreviousNext commented
Related issues: +#3107378: Deprecate hard-coded Drupal 8 dates from update logic for the status report once this information is provided by the infrastructure