Closed (works as designed)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
5 May 2025 at 12:54 UTC
Updated:
13 May 2025 at 19:19 UTC
Jump to comment: Most recent
Comments
Comment #2
vishal.kadamComment #3
vishal.kadamThank you for applying!
Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.
The important notes are the following.
Keep in mind that once the project is opted into security advisory coverage, only Security Team members may change coverage.
To the reviewers
Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.
The important notes are the following.
For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.
Comment #4
vishal.kadamFor these applications, we need a project where, in at least a branch, most of the commits (but preferably all the commits) have been done from the person who created the application.
The purpose of these applications is reviewing a project to understand what the person who applies understands about writing secure code which follows the Drupal coding standards and correctly uses the Drupal API, not what all the project maintainers collectively understand about those points.
Do you have a project for which most of the commits have been done by you in at least a branch? It also needs to contain enough PHP code.
Comment #5
avpadernoMore importantly, is the account used to create this application shared?
Comment #6
siteimprove commentedThank you for the replies,
I am user https://www.drupal.org/u/patstarr, We used the SiteImprove account to opt-in because we wanted to allow SI to have more control. And yes the SI account is shared.
SI contracted out to EPAM to help build the module so, their staff did not commit code.
What should the next steps be in order to opt-in to security coverage for this module? While allowing SI to have this module and future modules under their control to be opted into security coverage more easily.
Comment #7
avpadernoShared accounts cannot commit code on drupal.org repository. This means they cannot be used for these applications.
Comment #8
johnpicozziAfter discussing this with some folks and security team members we are clear on why service accounts can't apply here. I am moving this to Close (works as designed) as we don't need to move forward with this at this time.
Comment #9
avpaderno