Create Security announcement content type

Work on this has started, see https://sa-drupal.dev.devdrupal.org/node/2757532

I committed the refactoring changes to the dev branch. On devwww, I made a 2461167-sa branch, committed what was there so far, and merged in dev. The diff is quite a bit smaller now.

Reusing the version field from issues won't work well. The field base config keeps track of single/multivalued fields, so this forces issues to have multiple values for versions: https://sa-drupal.dev.devdrupal.org/admin/structure/features/drupalorg_s.... While that's something we might want to do, #66484: Allow issues to be filed against multiple versions/branches., that comes with a bunch of other work. Something like #1347438: Reverting Features Drops Search API DB tables is probably where all the issues went on that dev site.

The versions field value population is somewhat abstracted out, using this little module https://www.drupal.org/project/dereference_list.

I made a few improvements over the last couple weeks:

• The title is now automated, except the section like “Multiple vulnerabilities”. I think we need a field added for that unless I’m missing something.
• Crediting now recognizes aliased URLs like https://www.drupal.org/u/coltrane.
• Comments now stay hidden.

I think I fixed up everything from #7, and pushed an export of the feature.

To do:

• Version field should use dereference_list to get version numbers from the project, or add help text for correct formatting.
• Make sure PSAs can work.
• Make sure the trimmed version on the home page looks nice.
• Make Views for SA pages.
• Add lists integration.

PSAs are now done by selecting the “securitydrupalorg” project. This autogenerates a title without the project name or security risk, matching recent PSAs. If promoted to the home page, up to the first 150 characters of the description are included, in line with the usual promoted blog posts.

Remaining work:

• Make Views for SA pages.
• Add lists integration.

I started on the PSA View at https://sa2-drupal.dev.devdrupal.org/admin/structure/views/view/drupalor.... The “Content: Has taxonomy term” filter is causing an INNER JOIN {taxonomy_index} instead of LEFT JOIN, so the test PSA on the site isn’t found. Hopefully a different filter works better.

I think this round of work is actually good to launch. Then we can:

• Copy over SAs made this year to verify we have a good place for everything. (Full migration requires splitting up different HTML formats into fields, some people have bits of code lying around, but there won’t be a full migration of all SAs right away.)
• Add/change anything we discover.
• Add list module integration.
• Add the new Views. Due to how taxonomy Views filters work, it doesn’t seem to be doable to make a View of both old and new SAs. mlhess said making the old Views "archive views" and cross-linking them is good.

I think I might do the initial launch on a Saturday since I fully expect it to degrade site performance for 10 minutes.

Finally did the initial deployment. In addition to #25, we also need to set the permissions on staging and export that Feature.

Security team members can now create and edit SA content

Moving #25 into the issue summary along with the additional work I found.

Deployed a few fixes today:

• Default the author to Drupal Security team.
• Add list module integration.
• Add the new Views, and teaser field configuration.
• Section navigation

I added the Contact & more info block.

The new content type is now in use: https://www.drupal.org/sa-contrib-2017-077

Updating the issue summary with some followups:

• Human-readable URLs is done with the last commit, which also gives us a token for the SA ID, like “SA-CONTRIB-2017-077”. Some old SAs have a “DRUPAL-” prefix which I left off.
• I moved the “Contact and more information” block from the bottom to the side.
• The “Coordinated by” field is out of order. Some other styling changes are likely needed to make the page more readable.

The email did not go out, but that was due to mis-moderation. It will go out with tomorrow’s SAs.

The Coordinated by field is now the last field to be displayed.

John Morahan - thanks, that has been corrected now.

The new content type is being used with success. It is probably time to open followup issues for the remaining tasks and close this issue.

Filed followup issues for the remaining to dos:
#2969694: Streamline SA publishing
#2969695: Migrate old security advisories to SA content type

Mission accomplished.