Note: there are still over 5500 installs of this module. That is not an insignificant user base. I require this module for my own corporate needs and took the time to review its current state.

This module was abandoned and no one stepped up to the plate to take ownership of it. For this reason I am asking that you waive the normal two-week waiting period.

My plan is to release a fixed version of this module with the following patches:

Here are the patches ready to commit:

 - https://www.drupal.org/files/issues/0001-Fixes-book_access_default_role-issue_0.patch
   - https://www.drupal.org/project/book_access/issues/2355963
 - https://www.drupal.org/files/issues/book_access-limit-anon-author-grants-2440385-7.patch
 - https://www.drupal.org/files/issues/empty_entry_for_roles_without_grant.patch
   - https://www.drupal.org/project/book_access/issues/2402491
 - https://www.drupal.org/files/issues/book_access-limit-unpub-node-access--2123165-5.patch

Note: for one of those I had to use the -p0 flag instead of the -p1 flag (if you use the patch utility; the patch might apply with git as well). Either way, the patches applied cleanly for me.

Extensive tests I ran showed that the issues are resolved.

Thanks.

Transfer of ownership needs to follow: https://www.drupal.org/node/251466#procedure---own-project---unsupported
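The -p0 versus -p1 question above comes down to whether the patch headers carry a leading path component (git-style a/ and b/ prefixes) that does not exist in the checkout. The following is an added example, not code from the book_access project or from the linked patches, showing how to work that out before applying anything: it reads the +++ headers of a unified diff and finds the smallest strip level at which every target file exists, which is the same check `patch --dry-run -pN` performs. The two patch texts and the file name are constructed for illustration.

```python
"""Work out which -p strip level a unified diff needs against a checkout.

Added example; the patch texts and file names below are constructed and are
not the book_access module's own code or patches.
"""
import os
import re
import tempfile

# Constructed: a git-style patch. Its headers carry the a/ and b/ prefixes,
# so against a plain module checkout it needs -p1.
GIT_STYLE_PATCH = """\
diff --git a/book_access.module b/book_access.module
--- a/book_access.module
+++ b/book_access.module
@@ -1,2 +1,2 @@
 <?php
-// before
+// after
"""

# Constructed: the same change produced without path prefixes (as `diff -u`
# run inside the module directory would emit), which needs -p0.
PLAIN_PATCH = """\
--- book_access.module\t2019-09-13 10:00:00.000000000 +0000
+++ book_access.module\t2019-09-13 10:01:00.000000000 +0000
@@ -1,2 +1,2 @@
 <?php
-// before
+// after
"""

# A "+++ path" header, optionally followed by a tab and a timestamp.
NEW_FILE_HEADER = re.compile(r"^\+\+\+ (\S+)", re.MULTILINE)


def target_paths(patch_text):
    """Return the paths named in the +++ headers, skipping /dev/null (deletions)."""
    return [m.group(1) for m in NEW_FILE_HEADER.finditer(patch_text)
            if m.group(1) != "/dev/null"]


def strip_components(path, level):
    """Drop `level` leading directory components, as patch -pN does.
    Returns None when the path has too few components for that level."""
    parts = path.split("/")
    if level >= len(parts):
        return None
    return "/".join(parts[level:])


def detect_strip_level(patch_text, root, max_level=3):
    """Return the smallest -p level at which every file the patch modifies
    already exists under `root`, or None if no level up to max_level works.

    A wrong level is what `patch` reports as "can't find file to patch".
    """
    paths = target_paths(patch_text)
    if not paths:
        return None
    for level in range(max_level + 1):
        resolved = [strip_components(p, level) for p in paths]
        if all(r is not None and os.path.isfile(os.path.join(root, r))
               for r in resolved):
            return level
    return None


def make_checkout(with_file=True):
    """Create a throwaway directory standing in for a module checkout.
    With with_file=False the directory is left empty, to show the failure case."""
    root = tempfile.mkdtemp(prefix="book_access_")
    if with_file:
        with open(os.path.join(root, "book_access.module"), "w") as fh:
            fh.write("<?php\n// before\n")
    return root


if __name__ == "__main__":
    root = make_checkout()
    for name, text in (("git-style", GIT_STYLE_PATCH), ("plain", PLAIN_PATCH)):
        print(f"{name} patch: use -p{detect_strip_level(text, root)}")
```

In practice the same answer comes from `patch --dry-run -p1 < file.patch` (retry with -p0 on "can't find file to patch") or `git apply --check file.patch`, which assumes -p1 unless told otherwise with `-p0`; the point of the script is to make explicit why one of the four patches needed a different level.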

Comments

joseph.olstad created an issue. See original summary.

joseph.olstad:

Issue summary: View changes

joseph.olstad:

Issue summary: View changes
gisle:

Component: Abandoned/unsupported projects » Ownership transfer
Category: Plan » Task
Issue summary: View changes
Status: Needs review » Postponed

The project is marked as abandoned and owned by "Unsupported Projects", so there will be no two-week waiting period.

However, to transfer this, we need to follow: https://www.drupal.org/node/251466#procedure---own-project---unsupported

There are some outstanding questions:

  • Do you have permission to opt into security coverage?
  • Have you contacted the security team to get access to the security issue on the Drupal security team subsite?

Also, before we can transfer ownership, a member of the security team must confirm that the proposed patches fix the security issue.

Setting to postponed until those things are sorted out.

joseph.olstad:

Yes, I already have permission to opt into security coverage.
The security issue was made public, AFAIK. The problem was that the maintainer was nowhere to be seen and no one stepped up to take ownership.

All that needs to happen is to create a security advisory for the upgrade and push a release with the fixes that have been ready for quite some time now.

gisle:

Issue summary: View changes

Can you point me to the public disclosure of the security issue by the security team? The issue summary of #2869160: Security fix? says:

hkirsman has access to the private issue (as do the other maintainers of the module).

apaderno:

Component: Ownership transfer » Abandoned/unsupported projects

apaderno:

Title: Offering to maintain book_access » Offering to maintain Book access
gisle:

Not that the "Component" matters that much, but for the record: "Abandoned/unsupported projects" is to be used to indicate that the goal is to get something whose Maintenance status suggests that it is maintained changed to "Unsupported", without becoming the maintainer. Please see https://www.drupal.org/node/251466#procedure---report-without-owner

In this case the project is already marked as "Unsupported", and the goal is "Ownership transfer" - so that should be the component.

apaderno:

Abandoned/unsupported projects should be used for projects that are effectively marked as unsupported or abandoned, not for projects I think are unsupported or abandoned.
Its purpose is to make clear that there isn't a project owner to contact, or that the project owner doesn't intend to continue the development of the project. In those cases, I could assume that getting ownership of the project should be quicker.

gisle:

Abandoned/unsupported projects should be used for projects that are effectively marked as unsupported or abandoned, not for projects I think are unsupported or abandoned.

AFAIK, this is not documented anywhere. And, as already noted, it is contradicted by the official documentation. But if you think this is how it "should" be, at least update the documentation to match your thoughts.

The official documentation in practice says that the "Component" metatag is used to identify the goal of the task and not the current status. That goes not only for this component, but for all of them. I don't think it is a good idea to keep flipping the "Component" metadata as the status changes.

As for current status of the project (including making clear there isn't a project owner to contact), that usually goes into the issue summary, that already clearly says:

  • Abandoned: Yes.

Duplicating this information in the "Component" metatag is redundant.

When working on issues, it is customary to update the issue summary with the latest status as the task makes progress. I don't know why this particular community project should diverge from that standard.

We are several people working to resolve these issues together. If each and every one makes up his or her mind about the use of metadata, misunderstandings will occur.

PS: And given your thinking about this, what is the correct component to use when requesting that a project be marked as "Unsupported" because the current owner is no longer around, and one just wants to alert other community members about that particular situation without becoming the new owner?

joseph.olstad:

Due to the public nature of the vulnerability, it is widely known already; there is no need to delay creating a release with the fixes.

So as soon as I get access I will publish a release with the fixes shortly afterwards.

gisle:

So as soon as I get access I will publish a release with the fixes shortly afterwards.

Please understand that I will give you access only after someone from the security team shows up and moves this issue to RTBC.

As far as I am concerned, not having the security team in the loop is blocking this from moving forwards.

joseph.olstad:

OK, I will report a new issue with the security team.

joseph.olstad:

I have written to the security team:

Hello security team, I am, or will shortly be, the new maintainer of book_access, and I have reviewed the security fixes. They are ready.
I would like to co-ordinate a release of the fixes with the security team.
Here is the link to the fixes: https://www.drupal.org/project/book_access/issues/2869160
Here is the link to the ownership request https://www.drupal.org/project/projectownership/issues/3081325#comment-1...

Here is the link to the SA: https://www.drupal.org/node/2869123

Please follow up so we can plan a release.

joseph.olstad:

It would be best if I were granted access now; this will facilitate coordination with the security team.

gisle:

Thank you.

I am not sure if it is necessary to co-ordinate a full release with the security team.

I just wanted a second opinion from a member of the security team whether #2869160: Security fix? really fixes all vulnerabilities before giving you access that will let you remove the project's security warning.

mlhess:

Status: Postponed » Fixed

The security team is working with joseph.olstad on this release. I have made him a maintainer of the module.

gisle:

Issue summary: View changes

Updated summary.

apaderno:

The documentation doesn't give a definition of unsupported or abandoned, and it was written when projects didn't have any Maintenance status field (which includes Unsupported) or Development status field.

In this case, it's clear the project was unsupported because of security issues, and that should be evident in the issue; that is the reason the Component field has the value used for this issue. Otherwise, we would just have values for users who want to become maintainers, users who want to become co-maintainers, project owners who are looking for a new maintainer, and project owners who are looking for new co-maintainers.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.