IMO "Use it at your own risk!" applies NOT only to contributed modules for which the security shield is NOT shown. Drupal is a CMS that currently powers 2.2% of all websites whose CMS we know. If you're not ready yet to create an official release, you can always add some note on your project page like "Note: as the module maintainer, I'm not aware of any publicly disclosed vulnerabilities". Once you've pushed the properly formed tag or branch, see Creating a project release for directions to actually create the release node. More specifically you should do what's mentioned within Tag for a stable release there, which is like so: Near the bottom of it, you'll find detailed instructions about Creating Releases. Head over to your (whereas you replace myproject with your module name). Draft text for security advisory coverage messages. Move security team coverage from per-project to per-branch. Rename “Git vetted user” role to “Opt into security team coverage”. Encourage security coverage by emailing maintainers. Add security advisory coverage field to projects. Note however that in this case the D7 version has an extra (green) shield that is not shown for the D8 version of it. For way more details on this, refer to these issues: For a sample of this, have a look at the Rules module. If a module does have an official release for at least 1 version of a supported Drupal core version (eg: for D7), then the security shield will not be removed by adding a dev, alpha, beta or rc version (with no official release yet) for another supported Drupal core version (eg: for D8). But it does NOT have the security shield either. "Only full releases get the security shield" (as in the accepted answer) may need some refinement: have a look at the Support Ticketing System module, which does have a full release for D6 (which is no longer supported). It has the same message shown on its project page also.
If you want, have a look at modules such as the Conditional Rules module, used in over 11K Drupal 7 sites. Shortly after doing so, your module will have the security shield. In your case, for D7, like a 7.x-1.0 version of your module. You need to create an official release, for at least 1 version of Drupal core that is supported. Here's a screenshot of the module edit page. So it appears that the original information I gave - that you just need to release a full version, and have opted into security advisory coverage, is correct. After waiting two weeks for approval I finally contacted the security team, and they looked into it and found a bug in the caching system, and fixed it. However the module I mentioned above did not have a D7 version, and when I promoted it to a full release it didn't receive the shield. With existing modules, when upgrading from D7 -> D8, modules were automatically given the shield when I released a full version. I am already able to promote modules to rather than the sandbox. It turns out there was a bug in the system. This issue seems to support that assumption: Editing the module page now has an option that requires the module maintainer to opt into the security advisory. Even having done so, my module still does not have the advisory shield, so I assume it now goes under some review from the security team before receiving it. However, I just promoted a module I've got from RC to a full release, and it did not receive the security advisory. Until recently, if a module was given a full-release, it automatically received the security advisory. I have just discovered that an additional step needs to be taken in addition to creating a full release. To get the security shield, you'll need to release a full version (one not suffixed with -dev, -alpha or -beta). I don't think the shield was removed from your module, as it wouldn't have had one in the first place since you don't have a full release. Your screenshot only shows a dev version.
Only full releases get the security shield.