Yesterday was the first security release of 2009 and the first ever for the Drupal project that used the new naming convention: SA-CONTRIB-YYYY-NNN. The security team had a discussion late last year about the common confusion among outsiders to the project - mainly media reporters and evaluators of Drupal - that any SA announcement is from "Drupal." We often have security announcements about contributed modules that are only used on a couple dozen sites that are then interpreted to be problems in core. (see SA-2008-063 for example which affects several lightly used modules).
To help highlight the separation between core and contrib, the security team decided to put "CONTRIB" into the release number and title of the node for these types of issues.
The security announcements themselves don't give much space for explanation like this so I thought I'd let folks know about it here. If there are any more ideas on how to potentially improve this split or the release process in general, please let us know.
Comments
Finally...
Finally...
More than one time i was scared about a security hole, just before reading the body of the mail which reports that it was only for some modules.
Now it's really better. A hands clap to the one who suggest this change. Even if he's chx =) .
Ingo86