Security team update
We recently released SA-2008-063 for multiple contributed modules. This was due to an incorrect implementation of hook_menu in Drupal 6.
Incorrect:
'access callback' => user_access('administer nodes'),
This evaluates to TRUE and leaves the page wide open to any user who might come across it.
Correct:
'access callback' => 'user_access',
'access arguments' => array('administer nodes'),
or even more simply:
'access arguments' => array('administer nodes'),
since the access callback defaults to 'user_access'.
For more documentation see: http://drupal.org/node/109157
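An added example, not part of the original update or of any Drupal project code: a heuristic Python check that a maintainer could run over module source to find 'access callback' values written as a function call instead of a function name. The function names and the sample module "example" with its paths are constructed for illustration; heredoc strings are not handled.

```python
import re

# Strings are matched first so "//" or "#" inside a literal is not read as a comment.
TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<com>/\*.*?\*/|//[^\n]*|\#[^\n]*)
""", re.VERBOSE | re.DOTALL)

# 'access callback' => identifier( ... is a call that runs inside hook_menu().
CALL_VALUE = re.compile(r"""(['"])access callback\1\s*=>\s*(?P<func>[A-Za-z_]\w*)\s*\(""")

# Constructed sample: a hypothetical module named "example".
SAMPLE = r'''<?php
function example_menu() {
  $items['admin/example/open'] = array(
    'page callback' => 'example_page',
    'access callback' => user_access('administer nodes'),
  );
  $items['admin/example/ok'] = array(
    'page callback' => 'example_page',
    'access callback' => 'user_access',
    'access arguments' => array('administer nodes'),
  );
  // 'access callback' => user_access('administer nodes'),
  return $items;
}
'''

def blank_comments(php_source):
    """Replace comment text with spaces, keeping newlines so line numbers hold."""
    def repl(m):
        return m.group(0) if m.group("str") else re.sub(r"[^\n]", " ", m.group(0))
    return TOKEN.sub(repl, php_source)

def find_eager_access_callbacks(php_source):
    """Return [(line, function_name)] for access callbacks written as calls."""
    cleaned = blank_comments(php_source)
    findings = []
    for m in CALL_VALUE.finditer(cleaned):
        if m.group("func").lower() == "array":  # array(...) is a literal, not a call
            continue
        findings.append((cleaned.count("\n", 0, m.start()) + 1, m.group("func")))
    return findings

if __name__ == "__main__":
    for line, func in find_eager_access_callbacks(SAMPLE):
        print(f"line {line}: 'access callback' is the result of {func}(), not its name")
```

A hit means the value should be reviewed by hand; the quoted-name form and the commented-out line in the sample are not reported.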
Drupal 7 updates
UNSTABLE developer tags now available
Following some discussion we now have Drupal 7 UNSTABLE-2 available for developers to try out. At the moment, these releases are only represented by a CVS tag (no tarball or anything), and allow you to update your contributed modules to the latest unstable release. This gives a steady point of reference and compatibility rather than trying to chase HEAD every day. Upgrade instructions are divided up by unstable release on the 6.x - 7.x module update page, so if you fall behind it should be relatively easy to see what's changed since the last time you upgraded. This change is going to be a big help for people who want to port early and often, and will also help test Drupal 7 better before we get to code freeze and beta stage when it's harder to change things. Currently, unstable releases are being tagged every 2-3 weeks.
Patch spotlight
If you want a preview of Drupal 7 patches which aren't in the unstable releases yet, then some of the most important patches are listed at http://groups.drupal.org/patch-spotlight - this is a great place to get started if you've been meaning to help out with Drupal 7 but haven't done so yet.
String concatenation coding standards have changed
The patch which changes the spacing for the concatenation operator got committed to D7 on April 14, 2008. That means from Drupal 7 onwards, there is a space on both sides of the concat operator (the . that connects strings) instead of just on the non-literal facing side. For contributed modules, this change is optional for D6 compatible code, and recommended for D7.
Drupal 6:
$foo = "Lorem Ipsum". dolor_invoke();
Drupal 7:
$foo = "Lorem Ipsum" . dolor_invoke();
This is in line with most other PHP coding styleguides and the conventions of most other C-style languages.
The arguments for the change included:
Why does the . operator have a different coding standard than any other binary operator? Why does:
'foo'. $bar
make sense, but
3+ $bar
not make sense?
Project releases
You cannot put "-dev" in CVS tag names
The drupal-contrib repository on cvs.drupal.org now more strictly validates CVS tags.
See http://drupal.org/node/93999 for the format of valid release tags.
The regular expressions for valid tags are now:
@^DRUPAL-[567]--(\d+)-(\d+)(-(UNSTABLE|ALPHA|BETA|RC)[0-9]+)?$@
@^DRUPAL-4-[0-7]--(\d+)-(\d+)(-(UNSTABLE|ALPHA|BETA|RC)[0-9]+)?$@
If the release tag contains any of the optional extra portion of the version string, it must be either '-UNSTABLE', '-ALPHA', '-BETA', or '-RC' followed by one or more digits.
Managing Drupal releases with CVS summarized in two pages
In case you missed it, there's a two page handout describing how to manage Drupal releases with CVS, including branches, tags, and release management best practices. This should be required reading for all CVS account holders:
http://drupal.org/files/maintain-release-handout.pdf
Creating Great Release Notes (the easy way)
You've been following the commit message pattern to provide history and credit and your commit messages from one point release to another are a great way to know which bugs have been fixed and which features added. But, how can you get that information formatted for your release notes? Thankfully, there is a script to do this for you!
In the Creating a Release Node For Your Project handbook page, step 5 goes into a little detail on how to use the cvs-release-notes.php script to get a list of all the changes with their messages, all pretty with HTML formatting.
For more information, see the email where Derek Wright announced the new script.