Commons 3.1 was released and packaged today http://drupal.org/node/1954818 and it says that Title 7.x-1.0-alpha7 is recommend because of security update but that's incorrect, Title alpha7 http://drupal.org/node/1946072 is not marked a security release.
http://drupal.org/node/1954818 is now deleted.
http://drupal.org/node/1954948 looks OK.
Did you fix something?
Marking the issue fixed since it seems there's nothing left to do, but please reopen if that's not the case.
I think it's still an issue. Commons 3.0 shows that title alpha5 is insecure and to upgrade to title alpha7 http://drupal.org/node/1927326 so this looks like an issue of the packager.
Commons 3.1 no longer shows this because ezra-g pointed the makefile at alpha7.
The cod involved here is project_package.module, within project module, and DrupalorgProjectPackageReleaseDistro.class.php within drupalorg module. That has all been upgraded to D7, so we need to make sure any fixes happen there, and in D6 if needed.
Coming from: #1962678: Commons 3.2 release is incorrectly marked as red by the Drupal.org packager
IMO, it makes sense to have a _distribution release recolored to red once there is a _security_ release for any of its contained modules.
But in the case of the above mentioned issue, currently only the Mollom module is the cause for the red coloring, even if it does not seem that that particular Mollom release (v.2.5) is a security release at all..? So it seems that it is colored red once "any"(?) of its contained modules receives a new(er) stable release, which does not make sense.
Edit: Hm, whatever happened with multiple issue-links, only the first one rendered..?
I previously reported the bug here: #1784170: Distribution items show as "Not secure" when they should show as "Update available". Closed that as a dupe since this ticket has more information.
Features just rolled https://drupal.org/node/2104021. It is not a security update, but since most distributions include it I expected to see a lot of insecure download links. Oddly, Commons is still showing as green despite including several incorrectly flagged security updates https://drupal.org/node/2069267
The CiviCRM Starter Kit was showing up as red/unsecure and only lists Features as being out of date.
And then other distributions like OpenPublish https://drupal.org/node/1827522 actually include versions of Drupal core and contrib modules that have known security issues. That download is also colored red, but I don't think there should be a download at all. It doesn't see right that modules that don't resolve a security issue have their downloads removed while a distribution that doesn't even update the security issues in the version of Drupal core it distributes can still be downloaded. While the secure versions of the modules could be placed into sites/all/modules to override the old code included in the distribution, updating core in a distribution makes downloading the distribution pretty pointless.
There is still something wrong with the way normal module updates are impacting a distributions security coloring, but there is also larger issue with distributions that include known security issues.
Changes to how this works after the D7 upgrade are being discussed in #2137095: Should supported releases be shown on downloads table even if it contains insecure modules? If so, how?
Drupal is a registered trademark of Dries Buytaert.