Announce that there are no announcements

bburg's picture

Every Wednesday, at 4:00 pm Eastern, I have a reminder set for myself to check for the weekly Drupal security announcements. A number of my clients have requirements that basically require applying security updates as soon as possible (PCI/FISMA).

What is awkward around this time is when there are no announcements. I find myself wondering if there is just a delay in the email delivery (which I think is known to happen), or if there are indeed no security updates that week.

Is it possible/not too cumbersome, that at a scheduled time, the security team sends an announcement that there are no security releases that week?

Comments

+1, especially in Europe

NiklasBr's picture

I'd like to echo your sentiment, especially since I am in Europe and this means that I might have to wait into the late evening for the announcement(s). They usually arrive at 21 o'clock, which is early enough in the evening to patch something if needed. But not too late to lose sleep over.

But on the rare occasion security announcements have arrived as late as 23 o'clock. That is in the uncomfortable zone where if I wait and there is a new very critical issue (think 2014-005) I might leave multiple sites open for at least 8-9 hours before I even know of the vulnerability and can begin patching. So I have to stay awake.

Any message around that 4 PM Eastern announcing that I do not need to wait would be greatly appreciated.

--
fyrkantigt.se av Niklas Brunberg

+1 for any timezone

badjava's picture

We time our Drupal platform releases with the Drupal security schedule in order to roll out SA fixes as soon as possible. Right now we are in a holding pattern with our release to see if there are any contrib SA announcements, so this would be a very beneficial notification.

damienmckenna's picture

While there has been precedent of releases being pulled at the last minute, has there ever been a situation where a release was hurried together and only put together on Wednesday, with no indicator that it would have been ready until the flurry of activity? Would it be possible to institute a policy that if releases are not signed, sealed & approved on Tuesday that they wait another week? This would give the security team time to do a "nothing to see here" announcement on the Wednesday, and give contributors more direction as to when the cutoff should be for a release; it would still allow for scenarios where a release needs to be held back another week, at which point the "nothing to see here" message could be just a little late that day. Thoughts?

has there ever been a

greggles's picture

has there ever been a situation where a release was hurried together and only put together on Wednesday, with no indicator that it would have been ready until the flurry of activity?

Yes, this definitely happens. Another situation that happens is that we think we're done. We've not heard from a maintainer that they plan to do a release and then at 5pm GMT-5 a maintainer comments on the issue that they've done a commit and made the release. Then we are in the position of deciding: make a release later than our ideal window OR let the fix exist in public. If/when the maintainer has used a particularly obvious commit message (e.g. "Fixing critical XSS issue.") then we tend to release as soon as possible.

Would it be possible to institute a policy that if releases are not signed, sealed & approved on Tuesday that they wait another week?

A real risk that we have experienced in the past was a maintainer saying they are ready to go very late in the day on a Wednesday; we ask them to wait and do the work the following Tuesday night/Wednesday morning. They may forget it next week or be busy all of a sudden or... and then weeks go by and the issue is not released (sometimes many weeks). So it's a balancing act between getting the release public as quickly after it's been reported to the team and getting it released at the right time of the day on Wednesday.

David has announced the lack

catch's picture

David has announced the lack of a bugfix release before for 7.x, i.e. https://groups.drupal.org/node/488718

For me it makes sense to do this for security releases.
