Proposal to change the project application review and promotion process
All projects, new and existing, will be scanned regularly by Drupal.org code review tools. The results of these scans will be made available to project maintainers and will be used to display pertinent information on project pages. The information may include security warnings, error counts, or other information related to project health. This scan will also be used on all projects before they are promoted to full status.
Projects pages will contain text explaining the Security Team’s responsibility for development releases. This text will be part of the downloads section. Drupal’s Update Status report will also display a warning when running the development version of a project.
All users, regardless of their Git-vetted status, will follow this process:
- Create a sandbox project.
- Initiate promotion of the project, which will mark the project as ready for an automated scan. Only the owner of the sandbox can initiate the promotion process.
- If the project passes the automated scan, the project will be given full status.
- Choose a namespace for the project.
For non-vetted users, the following restrictions apply:
- Only one sandbox project can be promoted to full status.
- The promoted project will have development snapshots, but cannot have tagged releases. (beta, rc, 1.x, etc.)
- The project page will have a visible indicator that the project is maintained by a non-vetted user, including text that the project is not subject to Security Advisories.
Requesting Vetted Status
When a user completes the project application review process, the restrictions above are removed. The process is as follows:
- Submit a project application request in the Project Application queue. The project submitted for review should have already been promoted to full status, and passed Drupal.org’s automated scan.
- Reviewers will manually review the project, checking only for problems related to licensing, security, or major problems with Drupal api use. Applications will not be blocked for minor coding standards violations, bugs, or project duplication.
Existing Vetted Users
- Users that already have vetted status will not be affected at this stage, other than now having access to automated review of their code before making available for release
As many people in the Drupal community know, the current project applications process is not ideal, and can be a huge barrier for new contributors. The rate of incoming applications exceeds what our limited number of volunteers can review and approve, which results in people waiting months to create full projects on Drupal.org.
Recent review automation and bonus programs created by klausi were a big improvement; however, they weren’t able to fix the problem completely.
For the past few months, a number of people in the community have been discussing possible ways to improve the situation. Conversations have occurred between the Technical Working Group, Drupal.org Software Working Group, Security Working Group, and frequent project application reviewers.
As a result of those efforts, we’d like to introduce a proposal that was approved by all of the above Working Groups.
First of all, what are the goals of the changes we’d like to introduce?
- Reduce the feeling there are two tiers of users; those who can contribute code freely, and those who cannot.
- Prevent insecure and poorly coded modules from being published on Drupal.org. This is a major concern for the Security Working Group, which is responsible for Security Advisories for contributed projects, as well as core.
- Let sandbox users get a release that is installable. This is one of the biggest desires of users waiting for approval. They want a release for their module they can link to and share.
- Let sandboxes reserve a namespace so that every project has a proper project page and url.
- Reduce the amount work a review requires by reducing the rigor with which reviews must be completed.
We recognize that this proposal won’t make the process perfect; but it is a step in the right direction. After these changes are implemented, we will continue exploring options to make the process even better.