Dear views maintainers,

with the recent views update to 7.x-3.8 a security issue was fixed:

In the same release, in addition to the security fix, there were 26 bug fixes and new features added.

We are operating quite a big site and have views deeply integrated into our drupal setup. Upgrading to 7.x-3.8 introduced more changes than our small team of developers could review in time, and the security issue was somewhat urgent. (Who wants to operate a site with known vulnerabilities?)

For future security releases, I would ask you whether it is possible to create a separate release which fixes the security issue only, and to add bug fixes / new features in a separate release on top of this security fix. This would allow us to review new bugfix/feature releases more carefully before going live with them.

Thanks
donSchoe

Comments

dawehner

Issue tags: +security team

Sounds like quite a nice idea in general, though this certainly adds additional effort. I wonder whether the security team reads this tag.
In case we want to do that we should use a similar release cycle as core did.

greggles

Issue tags: -security team

This is up to the maintainer if they want to do it. The process is outlined in https://drupal.org/node/1177074 although that's for core and some of the details are slightly different for contrib.

And no, the team doesn't pay attention to that tag ;) Best to send an email to security@ or file an issue or ping someone in irc.

donSchoe

Why should that differ for contrib modules?

The core release cycle is very mature and stable. I would welcome applying this to any contrib module.

greggles

re #3: It's up to the maintainer whether they want to do that process or not. The part of that document that is different is around things like the branch naming (7.x -> 7.x-1.x and 7.1 -> 7.x-1.1).

John Pitcairn

Yes please to this. I'm currently trying to figure out why 7.x-3.8 breaks a view on my site. I wouldn't have upgraded if it wasn't for the security issue, so it would be ideal if that security patch was a standalone upgrade.

DamienMcKenna

Status: Active » Fixed

We will try to stick to this policy.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.