Unpublish Distributions with Forks of Core < 7.32

IMO these profiles just waste diskspace even if they use a makefile.

@kreynen - Holy crap, thanks for bring this to our attention! I just investigated a few more while looking into the details of #2137095: Should supported releases be shown on downloads table even if it contains insecure modules? If so, how? and this is just the tip of the iceberg. It appears that most distros on d.o have completely subverted the d.o distro packaging system, and just check in whatever they want directly into Git. :( We should either open a separate META about this or turn this issue into that discussion. But this is a big mess. Ugh.

Thanks again for pointing this out!
-Derek

p.s. Agreed, that comment #1 is totally unhelpful. :/

Hi @kreynen & @dww,

We'd appreciate your information and your kind acts of helping maintain Drupal secured. We are taking a close look at this matter and will get back to this discussion asap. This is the first time we encounter such issues hence it might take a while to study and put in practice so please bear with us.

Regarding the relationship between us & WeebPal, we are independent parties, WeebPal just uses our base theme Nucleus and build their own theme. The approach/practice seems similar but we actually have no business connection with WeebPal whatsoever.

Closed #2175983: A list of distributions Doing It Wrong™ (checking in full copies of Drupal core/modules vs. using make files) as a duplicate.

Tim asked me to grep my checkout of Drupal contrib the other day, and I accidentally found the following distros that have checked in full copies of Drupal core / contrib modules vs. using make files properly:

https://drupal.org/node/1087726 (Arabic Installation Profile)
https://drupal.org/project/async_drupal
https://drupal.org/project/b2b_store_solution
https://drupal.org/project/datapublic
https://drupal.org/project/MobileARKickstart
https://drupal.org/project/onepage
https://drupal.org/project/Open_Badging_Installation_Profile
https://drupal.org/project/plato_tipico
https://drupal.org/project/tb_* (already covered above)
https://drupal.org/project/tr_kurulum
https://drupal.org/project/transcribe_distribution

It seems like we ought to build some kind of validation to protect against this in the packaging scripts.

Added tag.

Hm. I wouldn't call this a licensing issue, per se. These projects are all distributed on Drupal.org so they're all compatible with Drupal's license. It's more a factor of not using Drush make properly; these projects are trying to do what the packager will already do for them.

I will work on getting a full list, and then we can figure out how to proceeded from there.

This is a list of repos that are not sandbox repos and have a database.inc file in them that has a security issue.

1087726
commerce_drupalgap_kickstart
dcco
education_profile
fuse
onepage
plato_tipico
rebuild
rebuild
spanish_distribution
spinetta
tb_blog_starter
tb_events_starter
tb_hadelis_starter
tb_methys_starter
tb_mollise_starter
tb_neris_starter
tb_palicico_starter
tb_purity_starter
tb_rave_starter
tb_simply_starter
tb_sirate_starter
timebit
transcribe_distribution
tr_kurulum
xeditor
yandex_metrics
zircon_profile

Hi @mlhess,

I don't remember that yandex_metrics module ever contained database.inc file.
Moreover, it's not a distribution.

Can you give me more information?

Thanks,
Konstantin

yandex_metrics should not be on this list sorry for the extra email.

Okay

I believe the ALL distributions that have committed forks of core should be unpublished/deleted

In general, we want to keep tarballs of releases working, so anything build have built that expects them will keep working consistently. Licensing would be an exception, we need to stay legal. Security could be an exception, but there's no precedent I can think of.

The releases that exist also set up the available versions for project issues.

It seems like we could follow a similar process like unsupported projects, IE: https://www.drupal.org/project/admintools

Some projects are unpublished, which we don't have to do here (Except maybe for licensing?) but this would help remove these dangerous distributions from being used as much, and might even get maintainers to be proactive to fix their projects before allowing them to become supported again.

Here is a draft book page describing the policy that has somewhat existed but isn't cemented anywhere:

https://www.drupal.org/node/2392557

Hi @mlhess,

It's not funny! I've just received an email that says:

The releases for these project(s) will be removed sometime after 2014-12-20. Let us know if you have any questions or need help converting these into makefiles.

I can't even comment on the issue https://security.drupal.org/node/147228 because of the bug:

The referenced entity (node: 147193) is invalid.

Please remove yandex_metrics module from the block list immediately!

For reference #15

Thanks,
Konstantin

@konstantin.komelin,

Not sure why you are unable to comment on the issue. However, I have removed your project from the list.

Thanks. Hope we won't come back to it again.

Per earlier discussion and #26, I haven't seen these site releases unpublished yet. Where are we with this issue?

The tb_* and tr_kurulum projects have been flagged an the releases removed.

TIMEBIT has its releases hosted on bitbucket, so the project page is just a pointer.

I have fixed the tb_sirate_starter issue.

I will create private issues in the s.d.o tracker for the other projects.

I've strikeouts over those that had their releases pulled and maintenance status set to "Unsupported". In addition, it looks like the maintainer has repackaged Plato Típico to use make, so it does no longer belong on the list.

Why is the rest not acted upon?

I have created issues for this in the security.drupal.org tracker, for some projects I emailed the primary contact. In 2 weeks, we will unpublish the releases.

The recommended releases of Education Profile and Zircon Profile still contains insecure forks of core. The changes the maintainer has applied (re. #40) only affects the latest dev snapshots.

Why are those the insecure releases of Education Profile and Zircon Profile allowed to stay online and even be marked as "Recommended Releases"? Why have strikeouts (assumed to mean "fixed") been placed over Education Profile and Zircon Profile?

While it is fine that the maintainer now has started working on this, I think strikeouts should only be used if insecure releases has been replaced by secure ones, or all inssecure releases have been unpublished.

I have removed the releases above and sent the maintainer an email about why.

mlhess wrote:

I have removed the releases

Still, the insecure published release of 7.x-1.0-beta1 of Zircon Profile is still available for download.

The Zircon Profile 8.x-1.0-beta3 release should be removed as well. It may not be insecure, but it violates the Drupal Git Usage Policy by containing a complete fork of core.

The 7.x-1.0-beta1 of Zircon Profile has been removed. The 8.x-1.0-beta3 should be taken care of in another ticket as it is not related to this security issue.

@kreynen & other Security Team members

Hi all,

One of my colleagues and I have been assigned to release new download packages for tb_*_starter projects using make files to prevent forking Drupal core as well as other contributed modules since few days ago. We have successfully released tb_simply_starter 7.x-1.0-beta 4 for the TB Simply Starter project without forking Drupal core or contributed modules. The package has been also upgraded to Drupal 7.38 to prevent security issues. However, this project and other tb_*_starter projects have been marked as Unsupported and assigned to the special user Unsupported Projects or have been removed. Are there any chances for us to get these projects back?

williampham wrote in #52:

One of my colleagues and I have been assigned to release new download packages for tb_*_starter projects using make files to prevent forking Drupal core as well as other contributed modules since few days ago.

It is great that you've moved to using make-files for these. However, note that the majority of the tb_* projects also seem to suffer of a complete disregard of the Drupal Git Repository Usage Policy (by including 3rd party materials in the repo).

Before getting these projects back, I think the licensing violations in the underlying tb_* theme projects (that you include by means of a make file) need to be fixed as well. See: #2553865: Multiple policy violations in projects owned by ThemeBrain for details.

@gisle

Thanks for your feedback. We will review them to solve these licensing violations case by case.

This seems to be taken care of at this point.