Given that we now handle most dev snapshots, and usuall notice if a newer snapshot is available based on date, it seems we could also flag security updates for dev snapshots, too. Here's how:

  • As we process the list of releases for a given major version, if we know the timestamp of the currently installed snapshot, we use then to decide when to stop searching (currently, we end up searching through everything, since the dev snapshots are always last in the history list).
  • If we see any security update releases that happened more than 100 seconds later than our currently installed snapshot, we fill in our 'security updates' array for that project.
  • Once we hit an official release that's older than our dev snapshot, we stop looking.
  • At the end, if we found any security updates, we flag the dev snapshot as insecure and use the usual display logic.

In fact, if we find an official release with a newer timestamp, we should still mark the dev snapshot as out of date and recommend the newer release, instead of recommending another dev snapshot.

In fact, now that I'm testing it, there's a bug in the existing logic. ;) We only hit the logic to recommend a newer dev snapshot if there are *no* official releases (stable or extra) for that branch. :( We're currently depending on $latest, and if that's a dev, we do the time check, otherwise we don't.

At the very least we should fix this bug and always check the date of the dev snapshot, even if it's not what we'd call the "Latest release". However, while we're at it, I'd also like to get the security update logic outlined above in there.

Comments

dww’s picture

Assigned: Unassigned » dww
Status: Active » Needs review
StatusFileSize
new19.88 KB

Here's a patch. Works great. Unfortunately, I started working in a workspace that already had the patches applied for http://drupal.org/node/153502 and http://drupal.org/node/153757 :( Whoops. So, this is a big nasty patch that includes all 3. That's what I get for not just committing my patches right away. ;)

So, as soon as those other patches land, which sould be soon, this will need a re-roll to resolve the conflicts, but I'm ok with that. I'd rather do things in smaller steps, anyway. But, if anyone wants to play with this in the meanwhile and provide feedback on the UI and behavior, I'd be most pleased.

The functional/UI changes are:

  • Much better handling of timestamps for dev snapshots.
  • We notice security updates that are newer than our currently installed dev snapshot and flag them as such.
  • We always check the timestamp of our dev snapshot and compare against the latest available releases so that we correctly mark it if our dev snapshot is stale.
  • If we're currently running a dev snapshot for a given project, and the "Latest version" isn't a dev snapshot, print another row in the status report for the dev snapshot, since that's often what will be the newest release you'd have to upgrade to if you're stale.

Let me know what y'all think. Thanks!
-Derek

dww’s picture

Status: Needs review » Needs work

I just committed those other 2 issues, so this needs a re-roll.

dww’s picture

Status: Needs work » Needs review
StatusFileSize
new6.59 KB
dww’s picture

StatusFileSize
new6.84 KB

Whoops, I had a bug in the timestamp comparison logic for ignoring security updates older than the currently installed dev snapshot. I was trying to add the 100 seconds of leeway, but I was doing it on the wrong side of the comparison. ;) All better.

dww’s picture

Status: Needs review » Fixed

Committed to HEAD as revision 1.64 of update_status.module.

Anonymous’s picture

Status: Fixed » Closed (fixed)