Change "Report a security issue" link to security.drupal.org

How should this work for sandbox projects? We probably shouldn't show this link because sandbox projects are not synced to s.d.o since we don't have to manage them. Currently this would lead users to a page that says 'Invalid project selected.'

I confirmed that the $node object is structured the way this patch is written, that the patch applies to the tip of 6.x-3.x and that no syntax errors are introduced. Seems rtbc to me.

We should probably remove the link on sandbox projects, or replace it with a link to a page that explains that sandboxes don't get advisories. Maybe:

Sandboxes do not get security advisories

Same review process as #3.

The $node->project['sandbox'] is either a 1 or a 0.

This can be a follow-up, but do we care about modules that don't have releases, or don't have a 1.0 release, or are marked as 'unsupported' as well? In those cases should we be linking to the policy page as well? It requires more logic but it also avoids unnecessary work for the security team.

+++ b/drupalorg_project/drupalorg_project.moduleundefined
@@ -482,7 +482,12 @@ function drupalorg_project_project_page_link_alter(&$links, $node) {
+    $links['development']['links']['report_security_issue'] = l(t('Sandbox security policy'), 'security-advisory-policy');

Should this link to the specific node in case its alias changes?

Committed.

Should we leave this open for investigating the follow-ups?

This issue is fixed enough, I think new issue(s) would be best.

Deployed