The new 7.x-3.0 release has been troublesome for many (see the related issues below). What is the possibility of getting a fix to this security issue right on the 7.x-1.x branch instead of requiring us to make the jump to 7.x-3.x?

Comments

pianomansam created an issue. See original summary.

mulderjoe

Updating 7.x-1.x branch would be ideal. I have found that the Scheduler for Workbench no longer works, either, and that is mission critical to my site. Thank you.

Begun

+1

dbielke1986

+1

sylus

I too am a bit concerned about this change, and that it might require significant development work to update to the latest stable release for the security fix, thanks to the addition of Drafty. While I am greatly in favour of Drafty, since it removes the "double save" issue and does fix the other issues related to the security fix such as disclosure, it is indeed a significant refactor that can break quite a bit of existing workflows.

For instance a current workflow leveraging Entity Translation + Title module might have issues thanks to:

#2487013: Make Drafty work with the Title module patch from issue #2267251

While I haven't tested this, I am also wondering about Deploy + UUID for content staging of entities, which does work as expected with Workbench Moderation in the 1.x line, but I do know it has specific logic to deal with the double save.

Matroschker

It would be very helpful to get the security fix for version 7.x-1.4 too.
Thx. And thank you for the new version 7.x-3.0, which brings revisions a little bit closer to a standard.

davewilly

+1 for security branch fix.

Having a lot of issues updating from 7.x-1.x to 7.x-3.x.

sylus

Priority: Normal » Major

I'm updating the priority, and the more I think about this, the more I think it is a bug and not a feature request, but I won't be so bold.

spotzero

Category: Feature request » Bug report
Priority: Major » Critical

Due to the huge architectural changes between 1.x and 3.x, many use cases can't just upgrade. So I agree that this is a bug, and since it's related to a security issue, I've increased the priority again.

In all honesty though, the security issue is pretty built into the architecture of 1.x, which is bad news for a fix to this branch. Everyone stuck on 1.x will likely have to mitigate the security issue in other ways :S

The maintainers should clarify the plans for 1.x (is it abandoned?), since it unfortunately looks like a lot of sites are going to be stuck there for a while.

das-peter

Unfortunately spotzero is right: the security flaw is based within the architecture of the 1.x branch. Another fix there is very, very unlikely.
The same architectural flaw was present in at least one other module, dealing with revisions in a similar way, and it had to switch to Drafty too.
Why Drafty, you might ask? Well, because it handles exactly the critical case of the revision storage, and it's an API module. Having a centralized API for this makes it more likely to get reliable handling, by having more stakeholders and a narrower scope.
Regarding the branching, rest assured there was quite some discussion ongoing between maintainers and the security team about how to best handle this case.
Unfortunately, because of the complexity of the changes and the issue being the actual architecture, there weren't many options besides going with a new branch.
Having a new branch allows us to provide the 1.x state as is - including the security issue - so that users that have problems with the new 3.x have a safe harbour while we continue to work on 3.x to sort all issues out.

As of now I'd consider 1.x minimally maintained.
3.x is the branch you should go with - whenever possible.
If you experience problems with 3.x, let us know! We need detailed feedback to fix outstanding issues, and so does Drafty.

Remark: "Officially" I'm not the maintainer for 1.x / 3.x but for the 2.x branch, which integrates with State Machine. However, I'll try to do my best to push things for 3.x.

mstrelan

There is now a warning on the Drafty project page:

This project is not covered by Drupal’s security advisory policy.

That makes this issue even more critical.

will_c

I believe that's the same warning that is on all non-stable modules. They've just been toying with it to make it more prominent over the last X months.

Liam Morland

We have customizations based on 1.x and cannot easily move to 3.x. The fact that 3.x depends on a module that does not have security support makes that doubly a concern for us. We would really like a 1.x fix. Not knowing anything about the Workbench Moderation code, what is it that makes it so hard?