Re: [development] Security Updates

[Brian Vuyk]

I think it's important the security releases are properly marked, rather than silently updated. With client sites that we maintain, normal module updates are not a huge priority. If the site is working properly, and there are no bugs reported by our users, we don't change code because of the risk of introducing new bugs (which has been known to happen). That is, we wait until there are several modules which require updates, and update them in a single pass with thorough testing of site functionality. Properly marked security updates receive higher priority, because someone could use the now-patched and now-public vulnerabilities to break our sites. There is no shame in flagging security updates in your own modules. Bugs happen despite the best of intentions and abilities, and some do have security implications. Flagging releases as security releases ensures that those of us who use your modules have the proper information for the safety and security of our properties and clients. Brian On 10-08-06 02:10 PM, nan wich wrote: I've noticed that more and more security advisories are reported by module maintainers. In the past, if I noticed a security problem, I would fix it and commit the change without saying anything. It was sort of embarrassing to me to have an SA filed. However, that didn't mean that users would pick up the fixed version.   Are maintainers now flagging their own issues as a way to "force" people to update to the newest code?   Nancy