Dear views maintainers,
with the recent views update to 7.x-3.8 a security issue was fixed:
In the same release, in addition to the security fix, there were 26 bug fixes and new features added.
We are operating quite a big site and have views deeply integrated into our drupal setup. Upgrading to 7.x-3.8 introduced more changes than our small team of developers could review in time, and the security issue was somewhat urgent. (Who wants to operate a site with known vulnerabilities?)
For future security releases, I would ask you whether it is possible to create a separate release which fixes the security issue only, and to add bug fixes / new features in a separate release on top of this security fix? This would allow us to review new bugfix/feature releases more carefully before going live with them.
Thanks
donSchoe
Comments
Comment #1
dawehner: Sounds like quite a nice idea in general, though this certainly adds additional effort. I wonder whether the security team reads this tag.
In case we want to do that we should use a similar release cycle as core did.
Comment #2
greggles: This is up to the maintainer if they want to do it. The process is outlined in https://drupal.org/node/1177074 although that's for core and some of the details are slightly different for contrib.
And no, the team doesn't pay attention to that tag ;) Best to send an email to security@ or file an issue or ping someone in irc.
Comment #3
donSchoe: Why should that differ for contrib modules?
The core release cycle is very mature and stable. I would welcome applying this to any contrib module.
Comment #4
greggles: re #3: It's up to the maintainer whether they want to do that process or not. The part of that document that is different is around things like the branch naming (7.x -> 7.x-1.x and 7.1 -> 7.x-1.1).
Comment #5
John Pitcairn: Yes please to this. I'm currently trying to figure out why 7.x-3.8 breaks a view on my site. I wouldn't have upgraded if it wasn't for the security issue, so it would be ideal if that security patch was a standalone upgrade.
Comment #6
DamienMcKenna: We will try to stick to this policy.