Problem/Motivation

In recent discussions with security team members it has been stated that, while a known security issue is open, a release should not be marked unsupported, OR that an unsupported SA should be sent if a release is marked unsupported. It was also stated that this policy applies even if the issue is discovered after an announcement has been made about when a maintainer will no longer maintain a release and before that date elapses, and even if the maintainer is working with the security team to publish a release after the end of the planned maintenance period.

To date I do not believe I have seen this policy published, and a security team member did not inform me of this policy until after the release had been marked unsupported.

In this particular scenario (slightly different from other cases I have been involved in) it was the module's last release to currently have active SA coverage, and the 3rd-party dependencies are no longer receiving maintenance. I have been involved in security issues that impact supported branches that were later marked unsupported without resolving the vulnerability or sending an SA regarding a known vulnerability being present in the release at the time support ended. The rules may want to specify whether this applies to just having any supported branch, having a supported branch for specific versions of Drupal, etc.

Additionally, as a maintainer I believe it should not have been possible to make this change if it violates policy without a Security Team member intervening. I would expect a restriction similar to how we are unable to change the 'Security advisory coverage' project setting.

Proposed resolution

  • Update the Drupal Security Policy to indicate that a release may not be marked unsupported while an open vulnerability report exists (even if the maintainer is working on the issue to ensure a vulnerability fix is published).
  • Add an additional check to D.O. that prevents marking a release unsupported while an open security ticket exists, to prevent a maintainer from bypassing this policy.

Remaining tasks

Draft policy change.
Draft patch to the D.O. release management process. This may be better as a child issue, since I suspect it involves changes to both S.D.O and D.O.

User interface changes

A new error displayed when attempting to mark a branch unsupported that has an open security issue.

API changes

Unknown

Data model changes

None expected

Comments

cmlara created an issue.