Problem/Motivation
Quick glancing it appears to me some of the modules that were included in the recent SA blast did not have any public issues to review (or if they did it was not obvious the issue was referring to them)
Currently the documentation about what to do around a project that has just been announced unsupported appears to be somewhat contradictory. It appears to me the document was written that the actual security issue is public at the time the SA is released (which would make sense given that once a module is unsupported it is no longer entitled to private disclosure) and sometime after the document was written with those conditions the policy was changed that the security team would hold onto the issues privately.
The message atop projects taken from marking a project as unsupported for security reasons appears to imply that a security issue will be public and than contact the security team for a review.
<li>File an issue in the queue with a patch to fix the module and then <a href="https://www.drupal.org/security-team">contact the security team</a> to have your version reviewed and the project handed over to you following the <a href="https://www.drupal.org/node/251466">unsupported project process</a>.</li>
The Process for taking over abandoned projects Becoming owner of a project that is unsupported for security reasons implies in most cases the content will be public (but provides a fallback method to get access to the issue from the security team)
For most modules, finding the issue should be easy. If you are unable to find the issue, you can email the team and the team may give you more information about the issue, if and only if you are willing to commit to maintaining the project.
While a message from a security team team member on Slack appears to imply if the issue isn't public one should just try and harden the module any way they can (without knowing the actual true fault.) (note: this was sent from someone not at their desk so It is likely not the clearest, but it goes towards my point that messaging is not consistent)
In order to take over a module, please follow the directions from the SA links. If you can’t find the exact security issue in question, suggest a security hardening of any type. The project applications issue queue will be ignored for 30 days in favor of the what is laid out in that linked doc.
Which I suppose is a good way to test if an individual has the ability to discover vulnerabilities however no where is it declared explicitly in the procedure that this is suppose to be a test (and really is this the right time to be testing someone who is already vetted who is trying to secure a module?)
Additionally what does it mean that the application queue will be ignored for 30 days in favor of the policy? Does the policy expire at 30 days and it becomes available to become a maintainer without any requirement to fix the issue?
Next Steps
I'm willing to try and take a round at making these more consistent however before I can do that can someone specify exactly what the intended process is suppose to be?
Is a public issue suppose to exist immediately after the unsupported SA or is it suppose to remain private?
Will the team come back in 30 days and release it or will they never release the issue unless someone is volunteering to maintain?
Should an individual wishing to volunteer try to contact the security team to obtain the known issue or should they just fix any small security issue they can find? (and what if no obvious one exists?)
etc.
Comments
Comment #2
cmlaraSpelling correction in issue title.
Comment #3
avpadernoThe
https://www.drupal.org/drupal-security-team/security-team-procedures/marking-a-project-as-unsupported-for-security-resonslink used in the IS returns a 404 error.Comment #4
avpadernoI fixed it.
Comment #5
cmlaraThanks for the 404 correction @apaderno.
Linking #3260722: Offer to co-maintain Colorbox as another issue that shows users questioning the policy.
I'm not linking the half dozen other issues from the project ownership queue from users offering to maintain modules, however the fact they exist is I believe also indicative of a problem around the messaging.
Comment #6
cmlaraFrom info given on Slack the Security Team plans to discuss the subject of the wording of this at their meeting in April at DrupalCon.
Setting postponed on the Security Team.
Comment #12
mlhess commentedWe have updated the handbook page and created a new handbook with a more clear policy. We have also fixed the template text that is inserted onto project pages.
Comment #13
mlhess commentedComment #14
xjm@mlhess Can you link the updated pages?
Comment #15
gregglesI believe this is it https://www.drupal.org/drupal-security-team/becoming-primary-maintainer-...
Comment #16
cmlarahttps://www.drupal.org/drupal-security-team/security-team-procedures/mar... is also another changed page I believe.
A few small suggestions to try and make the content more readable:
On Becoming primary maintainer of a project that is unsupported for security reasons:
be given its own list item tag inside of the unordered list of point 3.
Be moved outside of the unordered list of point 3, yet still inside the ordered list item of point 3 so that it does not appear to be a part of the list item about describing the patch. This should make the point that missing any required item may result in silently ignored messages.
Regarding marking a project as unsupported for security reasons:
reads as if a 'one and done' contact would be all that is needs to handle this scenario, however the becoming a primary maintainer policy indicates an individual must be willing to adopt the module which is a larger scope than just fixing the module. Perhaps this could be changed to "Hire someone to adopt and fix the module so that it can be re-published" which I believe more accurately indicates the required commitment.