Currently, update status XML is being written using the usual update status script. We marked all 6.x modules as unsupported, see #2675892: Drupal 6.38 isn't correct in Update Status, it is unsupported and will be insecure in the long run for the full history. Contrib maintainers are currently able to go back and say their 6.x projects really are supported. 22 releases have done this:
mysql> SELECT n.nid, substring(n.title, 1, 15) AS project, prsv.recommended, u.name FROM project_release_supported_versions prsv INNER JOIN node n ON n.nid = prsv.nid INNER JOIN users u ON u.uid = n.uid WHERE prsv.tid IN (87) AND prsv.supported = 1 AND prsv.nid <> 3060;
+---------+-----------------+-------------+--------------------+
| nid | project | recommended | name |
+---------+-----------------+-------------+--------------------+
| 3236 | Devel | 1 | moshe weitzman |
| 38878 | Views | 0 | merlinofchaos |
| 38878 | Views | 0 | merlinofchaos |
| 46666 | Email Verify | 0 | dbr |
| 74958 | Panels | 0 | merlinofchaos |
| 77863 | FileField | 0 | quicksketch |
| 137440 | Audit Files | 0 | andyceo |
| 137440 | Audit Files | 0 | andyceo |
| 147903 | reCAPTCHA | 1 | RobLoach |
| 162354 | Conference Orga | 0 | japerry |
| 225610 | Restrict Login | 0 | rocketeerbkw |
| 298508 | SPIP to Drupal | 1 | jonhattan |
| 343333 | Chaos tool suit | 0 | merlinofchaos |
| 543238 | Varnish | 0 | joshk |
| 847732 | Webfont Loader | 0 | BTMash |
| 1076002 | Taxonomy contai | 1 | Chi |
| 1106226 | Security Kit | 1 | p0deje |
| 1877776 | WP Migrate | 1 | sanchi.girotra |
| 2005928 | Yandex Services | 1 | Konstantin Komelin |
| 2030383 | Logman | 1 | abghosh82 |
| 2457495 | Ubercart MyClea | 1 | khalemi |
| 2677872 | myDropWizard | 1 | dsnopek |
+---------+-----------------+-------------+--------------------+
Why this is non-ideal
As security issues are discovered, Not supported! becomes inaccurate. There has already been a 6.x backport of Prepopulate’s SA-CONTRIB-2016-009. These are no longer just unsupported, they are insecure too.
Drupal and drush handle Not supported! the same regardless of which version you have installed. If you are on an older-than-previously-recommended release of an unsupported project, there is no mention of ability to upgrade, only recommending disabling the project. This includes any 6.x security updates that weren't installed yet. While upgrading to Drupal 7 or later, or using https://www.drupal.org/about/drupal6-lts, is highly recommended, installing previously available security updates is better than nothing.
Proposed resolution
After a meeting with representatives from the Drupal Association, the security team, the D6 maintainer, and an LTS vendor, we decided on a plan:
- Update status XML for all 6.x Contrib Modules will be set to state ‘insecure’
- Contrib XML will be hard coded to link back to the LTS landing page
More details are at #2678882: Release to improve LTS messaging in Update status.
But my project really is supported!
The best way to do Drupal 6 long term support is to work with https://www.drupal.org/project/d6lts.
Example
I manually updated https://updates.drupal.org/release-history/drupalorg_crosssite/6.x for this. It looks like this:
(Facet API shows the current situation.)
The “Drupal.org cross-site customizations” link goes to https://www.drupal.org/about/drupal6-lts?project=drupalorg_crosssite. I added the project argument in case we ever want to do something special like add a link to the project page.
Implementation
- Add a way to override/alter the
project_status
&link
elements generated by project release.
Comment | File | Size | Author |
---|---|---|---|
#16 | filefield-unsupported-xml.patch | 747 bytes | David_Rothstein |
Comments
Comment #2
drummAdd notes on the current problems
Comment #3
drummAdd notes on proposed resolution.
Comment #4
drummAdd more notes on why this is non-ideal.
Comment #5
drummTypo
Comment #6
drummAdd note on LTS for project maintainers.
Comment #7
Gábor HojtsySounds good to me. It aligns with what we discussed AFAIS.
Comment #8
drummAdd example & implementation.
Comment #9
drummChanged implementation notes. My previous idea would have locked in the current versions completely, I think we want to keep these dynamically generated.
Comment #10
drummI have the code in place to do this for groupsdrupalorg and drupalorg_crosssite modules. When we're ready to coordinate this deployment, drupalorg module's
2681323-6.x-contrib-insecure
branch can be merged to remove the killswitch that limits it to the two projects.Comment #11
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedWe've always used the "Not supported" status for this situation (e.g. Services module for Drupal 6 was marked unsupported a long time ago and certainly has unfixed security issues by now given that there have been Drupal 7 security releases). I don't see the problem with it. I think the possibility of unfixed security issues is exactly why Update Status marks these modules red in the first place.
(where "999999" is some number so large that no module will actually have a release branch for it)
I commented in the other issue why that's not the best place to link to, but especially for contrib modules - why would we do that? This would just prevent people from getting to the project page for the module.
I think any custom end-of-life messaging could be handled via the Drupal core entry on the available updates page, so I don't see why it would need to be done for each contrib module in addition to that.
Comment #12
drummThis is what update status looks like with
Comment #13
drummI did a bit more testing on #12. Using large supported/recommended/default numbers seems equivalent to using
<project_status>unsupported</project_status>
Putting us back to not showing specific updates that are available, like updating to filefield 6.x-3.14.
Comment #14
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commented@drumm, they are almost equivalent in the case where the module is up to date, but if the module is not up to date (e.g. FileField 6.x-3.13) then I think the first approach shows "Security update required" whereas the second still just shows "Not supported".
So it depends exactly what we're going for here, but in the other issue I think people were pretty interested in still being able to see which of their modules had security updates available.
Comment #15
drummI could not get this to happen in my testing. It really did seem equivalent to unsupported. What code looks like it behaves otherwise?
Comment #16
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedI tested this with the attached (which is based on #2675892-36: Drupal 6.38 isn't correct in Update Status, it is unsupported and will be insecure in the long run but for filefield rather than core). So it's not the same as actually changing the XML, but should have the same effect.
I just debugged it now and the reason it gets marked as a security update for me is that this code adds 6.x-3.14 to the list of unapplied security updates and then this code marks the project insecure as a result.
Comment #17
drummAha, I was testing with a project that had not had a security release recently.
Comment #18
drummI can confirm that #16 does look like a promising approach.
That fulfills the goals of aggressively making clear that the modules are not supported, and allowing the last few updates.
I think with the better-than-expected release number hack in #2675892: Drupal 6.38 isn't correct in Update Status, it is unsupported and will be insecure in the long run, I'd be okay with not overriding the link to the LTS landing page.
Comment #19
drummThis is now deployed to production, limited to the drupalorg_crosssite and groupsdrupalorg projects. Those are showing as “Not supported!” in Groups.Drupal.org’s admin.
Comment #20
gregglesThe outcome in #18 seems great to me.
Comment #21
drummI removed the limit on the two modules for testing and this will be deploying today. Results will be seen on the normal update status XML regeneration, which happens daily.
Comment #22
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedOne thing I did notice is that for certain modules (Views and Ctools are both examples) if you are running the latest version, Update Status is now showing "No available releases found" for those, rather than "Not supported" like for other modules.
Not sure what the reason for the difference is, but in any case, if you are running an old enough version (such that a security update is available) it still shows the security update message, so I guess it's good enough.
Comment #23
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedActually for some modules (CCK and Pathauto) there's a worse problem; in those cases you can be running an insecure version and it still shows up as "not supported" rather than "security update required".
Not sure what the difference is; maybe because those modules have multiple branches but most sites are on the older branch? (I.e. the problem shows up on the older branch, 6.x-2.x for CCK and 6.x-1.x for Pathauto.)
Comment #24
drummAfter the initial aggressive unsupporting of 6.x, we loosened it to being able to mark as supported, and defaulting everything to unsupported. This also affects the display on download pages like https://www.drupal.org/project/views. This includes the core project.
We should probably start an issue about redoing this configuration at an appropriate time with appropriate communication. Specifically, it is marking API term as unsupported, removing the ability for project maintainers to mark a 6.x release as unsupported.
For 5.x, this wasn't actually done until a few months ago, I think December or January. That was late enough for no one to really notice and I heard zero feedback about it, good or bad.
Comment #25
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedActually the problem may be simpler than that. Both CCK and Pathauto have
<project_status>unsupported</project_status>
:https://updates.drupal.org/release-history/cck/6.x
https://updates.drupal.org/release-history/pathauto/6.x
which is different than e.g. FileField:
https://updates.drupal.org/release-history/filefield/6.x
Seems to me that defeats the purpose of what this issue was trying to accomplish.
Do we know why they are set like that?
I spot-checked a few others and it actually seems widespread. Some, like Views Bulk Operations, are not only marked "unsupported" but also have all releases except the most recent one unpublished, which would make it doubly hard for Update Status to ever report that security updates are available for them:
https://updates.drupal.org/release-history/views_bulk_operations/6.x
Comment #26
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedI cross-posted, but:
That probably explains it.
Seems like defaulting everything to unsupported is not what we want, based on the above testing. (It kind of makes setting the supported branch to "999999" a no-op for those projects.)
Comment #27
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedPerhaps it should be a new issue - the status change was a cross-post too.
Comment #29
rooby CreditAttribution: rooby commentedIs there a notice somewhere on drupal.org that outlines how the available updates page now works for Drupal 6?
It would be nice to know for sure to plan a sensible approach for doing D6 module updates.
I find that I now have to manually check the releases list for each project because the available updates report says unsupported, even though there are bug fix releases newer than my versions.
It also says unsupported if a module has a recommended D6 release on the project page.
I notice that security updates are mentioned on the available updates report though.
Comment #30
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedLinking to an issue that I think could serve as the followup discussed above, or at least close enough.
(It retrospect maybe it shouldn't have been a separate followup issue... since it seems like the end result here was that the fix implemented here only really wound up happening for a tiny number of modules in practice.)
Comment #31
fuzzy76 CreditAttribution: fuzzy76 commentedThe end result is terrible: People running D6 has no way of updating their contrib modules to the latest releases. And the one contrib module that helps with it is not mentioned anywhere except deep down in issue queues.
Comment #32
rooby CreditAttribution: rooby commentedYeah I can understand wanting to make it clear that a version is unsupported, but making life more difficult for users of the old version is not great.
If the data was available (maybe it is, I don't know) so that a contrib module could provide an accurate update status for D6 that would be good.
Comment #33
gregglesIMO that's no longer the responsiblity of d.o to provide. The myDropWizard provides it and also helps people learn about their LTS options. Maybe other LTS vendors also offer a similar thing?
If it's not easy enough to find that module then we could consider making it easier to find? Any specific suggestions of how to make it easier to find that?
Comment #34
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedUnfortunately, though, the (unintentional) result of this issue was that the Update Status data goes out of its way to confuse people, by displaying some available D6 contrib module security updates but not others.
That is still worth fixing (in one direction or the other), either via the issue I linked above or somewhere else.