Commons 3.1 was released and packaged today http://drupal.org/node/1954818 and it says that Title 7.x-1.0-alpha7 is recommended because of a security update, but that's incorrect: Title alpha7 http://drupal.org/node/1946072 is not marked as a security release.
Comments
Comment #1
greggles
http://drupal.org/node/1954818 is now deleted.
http://drupal.org/node/1954948 looks OK.
Did you fix something?
Marking the issue fixed since it seems there's nothing left to do, but please reopen if that's not the case.
Comment #2
coltrane
I think it's still an issue. Commons 3.0 shows that title alpha5 is insecure and to upgrade to title alpha7 http://drupal.org/node/1927326 so this looks like an issue of the packager.
Commons 3.1 no longer shows this because ezra-g pointed the makefile at alpha7.
Comment #3
drumm
The code involved here is project_package.module, within project module, and DrupalorgProjectPackageReleaseDistro.class.php within drupalorg module. That has all been upgraded to D7, so we need to make sure any fixes happen there, and in D6 if needed.
Comment #4
Leeteq
Coming from: #1962678: Commons 3.2 release is incorrectly marked as red by the Drupal.org packager
Regarding: [#1960790]
http://drupal.org/node/1960790
IMO, it makes sense to have a _distribution release recolored to red once there is a _security_ release for any of its contained modules.
But in the case of the above mentioned issue, currently only the Mollom module is the cause for the red coloring, even if it does not seem that that particular Mollom release (v.2.5) is a security release at all..? So it seems that it is colored red once "any"(?) of its contained modules receives a new(er) stable release, which does not make sense.
See: [#1961932]
http://drupal.org/node/1961932
Edit: Hm, whatever happened with multiple issue-links, only the first one rendered..?
Comment #5
nedjo
I previously reported the bug here: #1784170: Distribution items show as "Not secure" when they should show as "Update available". Closed that as a dupe since this ticket has more information.
Comment #6
kreynen
Features just rolled https://drupal.org/node/2104021. It is not a security update, but since most distributions include it I expected to see a lot of insecure download links. Oddly, Commons is still showing as green despite including several incorrectly flagged security updates https://drupal.org/node/2069267
The CiviCRM Starter Kit was showing up as red/unsecure and only lists Features as being out of date.
And then other distributions like OpenPublish https://drupal.org/node/1827522 actually include versions of Drupal core and contrib modules that have known security issues. That download is also colored red, but I don't think there should be a download at all. It doesn't seem right that modules that don't resolve a security issue have their downloads removed while a distribution that doesn't even update the security issues in the version of Drupal core it distributes can still be downloaded. While the secure versions of the modules could be placed into sites/all/modules to override the old code included in the distribution, updating core in a distribution makes downloading the distribution pretty pointless.
There is still something wrong with the way normal module updates are impacting a distribution's security coloring, but there is also a larger issue with distributions that include known security issues.
Comment #7
kreynen
Changes to how this works after the D7 upgrade are being discussed in #2137095: Should supported releases be shown on downloads table even if it contains insecure modules? If so, how?