Public feedback/retrospective thread about Drupal security process

greggles

Security releases are a tricky problem, for basically all organizations. They present extra challenges in internet-facing software, used around the globe, and supported by an open source community that's a mix of volunteers and paid or partially funded people. Feedback in Drupal is basically always welcome, whether as an issue in a queue, a comment on social media, a presentation at a meetup/camp/conference, or some other channel. In the spirit of constant improvement, I'm posting here to explicitly solicit feedback about what elements of the Drupal Security process could be improved.

The security process can be thought of in the lifecycle of a security bug:

  • Bug introduced into the software
  • Bug released in a package that gets installed
  • Bug is identified by someone (often someone who is not on the Drupal Security Team and often not even a registered member of Drupal.org)
  • Bug is reported to the Drupal Security Team
  • Bug is worked on in private by a mix of the reporter, code maintainers, and Security Team members
  • Announcements are written and coordinated
  • Git commits made, release made, announcements published
  • Sites update all the code

There are potential problems and points of friction throughout this process and I think the Drupal community has done a lot of work over the years to improve the flow. That's great! But still: there is room for improvement, so let's discuss problems and potential ways to improve in comments below.

Comments

Announcing contrib module

njbooher

Announcing contrib module updates a few hours after the core release was suboptimal.

announcing contrib module .... more

n0mad98

And the contrib modules, especially the media module, were not covered on the twitter feed??

Thanks for pointing this out.

greggles

Thanks for pointing this out. The twitter feed for contrib modules became broken and we hadn't noticed that. I believe it is now fixed.

You're all doing an awesome job

tobybellwood

I know it's been a hard few weeks, but thank you to all the Drupal Security Team for your work and communication.

If I had to nitpick - the media contrib issue above meant we had to push two releases in a day to be safe.

Two releases in one day

cboyden

We also had to cut and deploy two releases (for 150+ sites) due to Media being announced 2 hours after core. Especially because they were both highly critical and essentially the same vulnerability, it would have been better to get both announcements at the same time.

Our organization also had to

caesius

Our organization also had to patch all of our sites that use Media twice due to the separation between the announcements.

Also the way you announced

njbooher

Also the way you announced there would be a core security release a few days in advance of there being one was nice. Marking off 4 hours on the calendar once a month and waiting around to see if a release is dropped isn't fun.

The originally announced

njbooher

The originally announced security release window for today just expired. So I go to https://www.drupal.org/psa-2018-07-30 and see the window has been changed. An email would have been nice.
