Commons 3.1 was released and packaged today and it says that Title 7.x-1.0-alpha7 is recommended because of a security update, but that's incorrect; Title alpha7 is not marked as a security release.


Status: Active » Fixed

is now deleted. Looks OK.

Did you fix something?

Marking the issue fixed since it seems there's nothing left to do, but please reopen if that's not the case.

Status: Fixed » Active

I think it's still an issue. Commons 3.0 shows that title alpha5 is insecure and to upgrade to title alpha7, so this looks like an issue of the packager.

Commons 3.1 no longer shows this because ezra-g pointed the makefile at alpha7.

The code involved here is project_package.module, within project module, and DrupalorgProjectPackageReleaseDistro.class.php within drupalorg module. That has all been upgraded to D7, so we need to make sure any fixes happen there, and in D6 if needed.

Coming from: #1962678: Commons 3.2 release is incorrectly marked as red by the packager

Regarding: [#1960790]

IMO, it makes sense to have a _distribution_ release recolored to red once there is a _security_ release for any of its contained modules.
But in the case of the above mentioned issue, currently only the Mollom module is the cause for the red coloring, even if it does not seem that that particular Mollom release (v.2.5) is a security release at all..? So it seems that it is colored red once "any"(?) of its contained modules receives a new(er) stable release, which does not make sense.

See: [#1961932]

Edit: Hm, whatever happened with multiple issue-links, only the first one rendered..?

I previously reported the bug here: #1784170: Distribution items show as "Not secure" when they should show as "Update available". Closed that as a dupe since this ticket has more information.

Features just rolled It is not a security update, but since most distributions include it I expected to see a lot of insecure download links. Oddly, Commons is still showing as green despite including several incorrectly flagged security updates.

The CiviCRM Starter Kit was showing up as red/unsecure and only lists Features as being out of date.

And then other distributions like OpenPublish actually include versions of Drupal core and contrib modules that have known security issues. That download is also colored red, but I don't think there should be a download at all. It doesn't seem right that modules that don't resolve a security issue have their downloads removed while a distribution that doesn't even update the security issues in the version of Drupal core it distributes can still be downloaded. While the secure versions of the modules could be placed into sites/all/modules to override the old code included in the distribution, updating core in a distribution makes downloading the distribution pretty pointless.

There is still something wrong with the way normal module updates are impacting a distribution's security coloring, but there is also a larger issue with distributions that include known security issues.

Status: Active » Closed (duplicate)