Problem/Motivation

There isn't any documentation on how an SA should be updated when a project is newly adopted after having previously been marked unsupported, so there are discrepancies between how they have been handled.

Examples:

Proposed resolution

Add a docs page that details how to properly update a project and SA after new maintainers adopt a module:

  • The project's owner will be updated to the new adopter, and they'll be given full maintainership access.
  • The "Unsupported projects" user will be removed from the maintainers list.
  • The project's description will be updated to remove the previous "unsupported" message.
  • The SA will be updated with the normal details.
  • The SA's description will be updated to note that the project had previously been marked as unsupported but others adopted it and resolved the problem.
  • The release notes will be updated to include a link to the SA.

Remaining tasks

Agree on the process.
Create a documentation page.

Comments

DamienMcKenna created an issue.

greggles:

This seems like a great idea to me. Thanks for getting it started.

Do you have proposed template text for the SA description areas?

damienmckenna:

Outstanding questions:
* Should the existing "unsupported" SA be updated to look like a normal SA?
* If there were multiple vulnerabilities should additional SAs be created as needed to match the number of vulnerabilities?

damienmckenna:

Maybe something like:

Updated 2022-02-02: New maintainers have volunteered for the project and created new releases which include fixes for the security issues that caused it to be unsupported.

(refined from one of the existing SAs)

... but there are some unanswered questions around the process.

greggles:

I followed this process for False Account Detector.

The old advisory was a mega-combined item from 2010: https://www.drupal.org/forum/newsletters/security-advisories-for-contrib...

I added <del> tags around the old text and added this text:
<strong>Edited March 27, 2024:</strong> Previous versions of False Account Detector for Drupal core versions 5.x and 6.x contained these security vulnerabilities. The code has been rewritten completely for Drupal 10+ and is now available again.