Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
As a followup to #2787165: Add security advisory coverage field to projects, the security team has discussed requiring security advisory coverage for maintainers to make full releases, such as a 1.0.
This proposal has not been finalized.
Comments
Comment #2
hestenetMy two cents on this issue - in our initial discussions with trying to get the Project Application Revamp done and off the ground - one of primary goals is to make it possible for people to make full projects and releases without a manual review queue to wait through. To compensate for that, we wanted to add the much stronger signals about whether a project receives security coverage to both project pages and updates status.
My gentle request (and I'm open to other ideas) is that we hold off on enforcing this as a release gate until something like @mlhess's security practices test (i.e: something automated) has been implemented - and for now rely on the stronger signals we provide.