Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
1. If an issue is in some status that indicates it needs work by maintainers (needs work, needs advisory, needs maintainer response) for more than X weeks then send an email to the project maintainers
2. If an issue is in some status for the team (needs team response, ready for release, code needs review, no maintainer response (unsupported), postponed ) for more than X weeks then send an email to the assigned person
3. Every week send a list of unassigned issues to security-tracker list and cc'd to team coordinators
Comment | File | Size | Author |
---|---|---|---|
#15 | sdo-notifications-1832456-15.patch | 4.92 KB | cashwilliams |
#14 | Screen Shot 2017-04-30 at 4.17.38 PM.png | 50.89 KB | cashwilliams |
#9 | sdo-notifications-1832456-9.patch | 4.62 KB | cashwilliams |
#8 | sdo-notifications-1832456-8.patch | 4.62 KB | cashwilliams |
Comments
Comment #1
mlhess CreditAttribution: mlhess commentedComment #2
helmo CreditAttribution: helmo commentedmlhess in #2348789: Automate reminders on issues
Comment #3
dokumori CreditAttribution: dokumori commentedComment #4
mlhess CreditAttribution: mlhess as a volunteer commentedI have a script that does this now. The text to review:
$body = "Hello " . $account->name . ", \n There are security issues awating your action. Please login into security.drupal.org within 2 weeks and provide an update. \n\n";
Each issue is added with
$list .= $projectname . ' -> ' . 'https://security.drupal.org/node/' . $row->nid . "\n";
The final email reads
Comment #5
helmo CreditAttribution: helmo as a volunteer and at Initfour websolutions for Aegir Cooperative commented'Please login' could start on a new line... But looks good anyway.
Comment #6
hestenetI think this looks good. My suggestion is to provide a little bit more in-context explanation as to why we're asking the maintainer to respond within a particular timeframe. The message should:
We should also link to: https://www.drupal.org/node/101497 for a more detailed explanation.
This is just a rough attempt at doing that, likely needs additional finesse from someone on the security team:
Comment #7
mlhess CreditAttribution: mlhess as a volunteer commentedThis is ready to go.
Comment #8
cashwilliams CreditAttribution: cashwilliams at Acquia commentedHere is a hacky attempt at providing this in an existing drush file.
Output on my local looks like this:
Comment #9
cashwilliams CreditAttribution: cashwilliams at Acquia commentedAdded a line break and posting example without code for wrapping
-----
Comment #10
cashwilliams CreditAttribution: cashwilliams at Acquia commentedActually don't merge this hack, I've got a much better implementation I'm working on.
Comment #11
cashwilliams CreditAttribution: cashwilliams at Acquia commentedI've run into a logic issue with this -
The original idea was a drush script that would itself be run only twice a month. However with that implementation, an issue could be 3 weeks and 6 days old before an email was sent.
So I was moving this to a proper cron hook with a SQL filter to pick issues that haven't been updated in X weeks (2). That way an email would be sent when the issue was actually 2 weeks old.
However I realized that without some sort of marker or change to the issue, the same set of issues would send an email over and over on every subsequent cron run.
Options:
- Put a marker on the issue to indicate a reminder has been sent, or maybe have an automated comment.
- Only run the cron hook once a day, which would send a daily reminder list of all stale issues.
- Only run the actual stale notifications once every 2 weeks.
Comment #12
mlhess CreditAttribution: mlhess as a volunteer commented- Only run the actual stale notifications once every 2 weeks.
Why my thought.
Comment #13
dokumori CreditAttribution: dokumori at Deeson commentedI think putting a marker would be good, but it would be best to have a 'last contacted' field that shows on which date a reminder was sent to the maintainer. That way we would know after what date we would be able to mark the project unsupported.
We can also use automated commenting for the same purpose. The downside of it however is that it generates even more email notifications.
While I was thinking through this (my assumption is that the script only covers #1 "If an issue is in some status that indicates it needs work by maintainers for more than X weeks . . ." ) one question popped up. This may be a 'scope creep', but @cashwilliams does your script re-send the notification if the maintainer initially responds within 2 weeks, but fails to respond afterwards?
Here's what often happens:
1. We receive a report
2. The issue is assigned to the maintainer (issue status: 'Active' -> 'Needs maintainer response')
3. We receive no responses from the maintainer so we send them a notice
4. The maintainer supplies the patch (issue status: 'Needs maintainer response' -> 'Patch (code needs review)')
5. Discussions are held, and the sec team ask the maintainer to respond to our questions or update the patch (issue status: 'Patch (code needs review' -> 'Needs maintainer response' / 'Patch (code needs work)')
6. The maintainer doesn't respond so we send them another notice
7. We mark the module unsupported after not receiving a response from the maintainer for x weeks
If the script sends a notice in the step #2 above, would it re-send another notice at step #6?
Comment #14
cashwilliams CreditAttribution: cashwilliams at Acquia commentedRight now the script would send notice in #2 and #6.
The current select is very simple, and filters on:
- status is in a state that requires maintainer action (ie not closed, not waiting on sec team, etc)
- node changed date is older then 2 week (it looks like adding a comment on s.d.o updates the node changed date, so basically 0 activity for 2 weeks)
for the marker idea, we could actually put a comment into the system AND change the status to "No maintainer response (unsupported)" which would show up in our filters when we're looking for tickets on Wednesdays.
Something like attached mockup.
Comment #15
cashwilliams CreditAttribution: cashwilliams at Acquia commentedDumping completely untested patch just to ensure the work isn't lost or anyone wants to pick up.
This is the different implementation I mentioned in #8.