Posted by greggles on February 18, 2011 at 6:21pm
What tools or processes should we follow for profiles that are hosted off drupal.org when they need to be updated for security reasons?
Currently, all of the modules they use that are hosted on drupal.org will get proper security updates but this could be confusing to the end user (if the profile itself hasn't been upgraded to that module).
What about modules that are hosted elsewhere?
What if the download file is only available from other sites and not packaged on drupal.org?
Comments
Hi Greggles (and all the others on the list)
My 5 "cents": if the Module is managed or available through drupal.org then it should be drupal.org to inform the users of security upgrades with disregard to the actual location of the file. If the location of the file is not "trustworthy" then something basic is wrong anyway (another theme).
If a Drupal module is made available outside drupal.org it is up to the module provider to inform his/her constituency. If the module gains popularity it is reasonable to assume that the module will be "moved" to drupal.org anyway.
Cheers
Josh
Jos Doekbrijder
S.W.I.S. GROUP
this is about profiles
This is about profiles which are collections of modules and other stuff, but not just about modules.
You seem to just be talking about modules which is an important sub part, but not the whole story.
knaddison blog | Morris Animal Foundation
Notify
I'd suggest adopting a similar approach to the 'responsible disclosure' for vendor security notifications -
1) Notify the author with enough information to reproduce it.
2) Request that the software be updated/fixed by a certain date. In this case, since it's open source, in many cases the fix could be provided. Because of this I think the 'fix by' date should be much shorter than it would be for a closed source vendor-supplied product like Microsoft Windows.
3) Allow the author to fix it and release a new version, notifying the users of the vulnerability and that it was fixed.
4) Provide a public announcement on d.org that the vulnerability was discovered and fixed, i.e. a bulletin of some sort. This would not be e-mailed out perhaps but posted on the site.
http://en.wikipedia.org/wiki/Responsible_disclosure
This all makes sense, but how do we alert users of the profile that their profile is out of date?
We have no mechanism to do that now. Should we do an SA?
knaddison blog | Morris Animal Foundation
Linux distributions
How do Linux distributions cope with this? They would have a similar set of problems.
Could we start to manage modules in the same way as packages are managed? Where a Drupal install can have multiple module repositories defined and can check each one for updates.
Drupal has done a great job hosting modules on drupal.org, but in the longer term I can see them being provided by many sources.
Multiple repositories with their own update server are possible - update.module has alter hooks so you can set certain modules or all modules to check in somewhere in addition to drupal.org or instead of it.
I think there's a difference in the standard here because drupal.org does all security alerting now, but some day you are right it might be more like Linux where the distributions are responsible for it. But right now, it seems nobody wants to maintain all that infrastructure.
Some more thoughts: Drupal.org currently gives alerts about projects hosted here, but
Those two differences make profiles somewhat unique.
knaddison blog | Morris Animal Foundation
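As an added illustration of the alter-hook approach mentioned above (example code written for this thread, not from any poster or from Drupal core), here is a small Drupal 7 helper module an off-site profile could ship so that update.module asks the profile vendor's own release-history server about the profile, while the bundled contrib modules keep checking drupal.org. The module name `profile_updates`, the profile name `acme_profile`, the module list and the vendor URL are assumptions.

```php
<?php
/**
 * @file
 * Hypothetical "profile_updates" module shipped with an install profile that
 * is not hosted on drupal.org. It redirects update.module's availability
 * check for the profile itself to the vendor's release-history server, so
 * the site's "Available updates" report can flag an out-of-date profile.
 */

/**
 * Implements hook_update_projects_alter().
 *
 * Runs after update.module has built its list of projects to check and
 * before it fetches release history for them.
 */
function profile_updates_update_projects_alter(&$projects) {
  // Assumed values: the profile's machine name and the vendor's endpoint.
  // update.module appends "/<project>/<core>" to this base URL, the same
  // way it does for http://updates.drupal.org/release-history.
  $profile = 'acme_profile';
  $vendor_url = 'https://updates.example.com/release-history';

  // Constructed list of contrib modules the profile pins to specific versions.
  // These stay on drupal.org so its security advisories still reach the site;
  // they are only annotated so the owner knows the profile controls them.
  $pinned = array('views', 'ctools');

  if (isset($projects[$profile])) {
    // "project status url" is the .info key update.module consults when
    // building the fetch URL, so the profile is never looked up on
    // drupal.org, where it would come back as "unknown".
    $projects[$profile]['info']['project status url'] = $vendor_url;
  }

  foreach ($pinned as $name) {
    if (isset($projects[$name])) {
      // Carried along so a later hook_update_status_alter() or the report
      // can tell pinned modules from ones the site admin installed directly.
      $projects[$name]['info']['pinned_by_profile'] = $profile;
    }
  }
}
```

Pointing the bundled modules at the vendor server instead would also work, but then the vendor, not drupal.org, becomes responsible for republishing each security release, which is the gap this thread is about.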