Add security advisory coverage field to projects

This project has not opted into coverage from the Security Team.
It may have publicly disclosed vulnerabilities. Use at your own risk!

Based on discussion in #2035277: Draft text for security advisory coverage messages the text for the first sentence should actually be more like "This project is not covered by the security advisory policy."

I think I've pulled out all the relevant bits of language from those commits:

      'allowed_values' => [
        'not-covered' => 'Not covered',
        'covered' => 'Opt into <a href="/security-advisory-policy">security advisory coverage</a>',
        'revoked' => 'Unsupported due to security issue',
      ],

Suggestion: 'Unsupported due to unresolved security issue. What does this mean?' - linking to a page that explains that security coverage is revoked if maintainers fail to cooperate with the security team to resolve security issues in a timely fashion.

      'description' => '<em>Read & understand <a href="/security-advisory-policy">the policy</a>!</em> Once you opt-in your project, only the Security Team can change this.',

Suggestion: 'Read & understand the policy! Once you opt-in your project, you may not opt-out. Only the Security Team will be able to change this.'

function drupalorg_permission() {
  return [
    'opt into security advisory coverage' => [
      'title' => t('Opt into security advisory coverage'),
      'description' => t('Agree to the policy for projects.'),
    ],
  ];
}

Suggestion: Would it be more clear to say 'May opt into security advisory coverage for projects'? many people will have this role, but it almost implies that if you have the role your projects will all be opted in. (especially since that's kinda sorta how the old process worked).

    elseif ($wrapper->field_security_advisory_coverage->value() !== 'not-covered') {
      $form['field_security_advisory_coverage'][LANGUAGE_NONE]['#description'] = t('Only Security Team members may change coverage. Notice of discontinuing security advisory coverage should be given to users.');

Question: what do we mean by 'notice of discontinuing coverage should be given to users' - do we mean 'When changing this, the security team will require you as a maintainer to notify your users" ? Do we mean that a message will be posted to the update status? I think we should be more clear who's responsible for the communication, whether it is automated or manual, and where it will be made.

      if ($wrapper->field_project_type->value() !== 'full') {
        $form['field_security_advisory_coverage'][LANGUAGE_NONE]['#description'] = t('Only promoted full projects may opt into security advisory coverage.');

Suggestion: none - this looks good.

      elseif ($form_state['node']->uid !== $GLOBALS['user']->uid && !user_access('post to newsletter')) {
        $form['field_security_advisory_coverage'][LANGUAGE_NONE]['#description'] = t('Only the project owner may opt into security advisory coverage. <a href="!url">Learn about transferring ownership</a>', ['!url' => url('project/projectownership')]);

Suggestion: none - this looks good.

      elseif (!user_access('opt into security advisory coverage')) {
        $form['field_security_advisory_coverage'][LANGUAGE_NONE]['#description'] = t('You must be given access to opt into security advisory coverage. <a href="!url">Learn how to apply</a>', ['!url' => url('project/projectapplications')]);

Suggestion: Maaaybe: t('You must be given access to opt into security advisory coverage for your projects. Learn how to apply', ['!url' => url('project/projectapplications')]); -- but it may be fine as is.

      elseif ($form_state['node']->created > REQUEST_TIME - 10 * 24 * 60 * 60 && !user_access('post to newsletter')) {
        $form['field_security_advisory_coverage'][LANGUAGE_NONE]['#description'] = t('New projects must wait 10 days. Please take this time to review <a href="!url">writing secure code</a>.', ['!url' => url('writing-secure-code')]);

Suggestion: Might be nice to give a why? 'New projects must wait 10 days before opting into security advisory coverage, as this is often a period of flux for a new project's codebase. Please take this time to review writing secure code.', ['!url' => url('writing-secure-code')]);

Question: sounds like we mean literally new - but if they're newly promoted they can opt in on day 1?

Leaving on needs review because some security team input would be good.

We haven’t done this process yet, but the general idea is that when a previously-covered project becomes unsupported, there will probably be a public security issue in the long run, if there isn’t one already. This isn’t quite an SA, but the Security Team does have a responsibility to inform users, potentially using all the communication channels like update status and/or an SA or PSA email.

Ah - that makes sense - in that case I'd suggest the language be more specific if we can be.

Suggestion: "Only Security Team members may change coverage. A security advisory should be posted to notify users that the project is no longer receiving security advisory coverage."

Re: 10 day wait:

Yes, that’s my understanding from the various meetings, and easy to implement. (We don’t have an easily-accessible project promotion time, other than scrubbing through the project’s revision history.)

Cool - that sounds good to me then - just wanted to clarify

drumm mentioned updating docs at https://www.drupal.org/security-advisory-policy. I think part of the update should include some info and/or link to a page discussing the opt-in process. A project maintainer may not realize what the message really means and what options are available. Since the link from the new feature goes to https://www.drupal.org/security-advisory-policy, that could be the place to mention it.

Maybe the info about the opt-in process is out there already and we just need to add a link to https://www.drupal.org/security-advisory-policy?