Problem/Motivation
In recent discussions with security team members it has been stated that while a known security issue is open a release should not be marked unsupported, OR that an unsupported SA should be sent if a release is marked unsupported; and that this policy applies even if the issue is discovered after an announcement has been made about when a maintainer will no longer maintain a release and before that date elapses, and applies even if the maintainer is working with the security team to publish a release after the end of the planned maintenance period.
To date I do not believe I have seen this policy published and a security team member did not inform me of this policy until after the release had been marked unsupported.
In this particular scenario (slightly different from other cases I have been involved in) it was the module's last release to currently have active SA coverage, and the 3rd-party dependencies are no longer receiving maintenance. I have been involved in security issues that impact supported branches that are later marked unsupported without resolving the vulnerability or sending an SA regarding a known vulnerability being present in the release at the time of support ending. The rules may want to specify whether this applies to just having any supported branch, having a supported branch for specific versions of Drupal, etc.
Additionally, as a maintainer I believe it should not have been possible to make this change if it violates policy without a Security Team member intervening. I would expect a restriction similar to how we are unable to change the "Security advisory coverage" project setting.
Proposed resolution
- Update the Drupal Security Policy to indicate a release may not be marked unsupported while an open vulnerability report exists (even if the maintainer is working on the issue to ensure a vulnerability fix is published)
- Add an additional check to D.O. that prevents marking a release unsupported while an open security ticket exists to prevent a maintainer from bypassing this policy.
Remaining tasks
Draft policy change
Draft patch to D.O. release management process. This may be better as a child issue since I suspect it involves changes both to S.D.O and D.O.
User interface changes
A new error displayed when attempting to mark a branch unsupported that has an open security issue.
API changes
Unknown
Data model changes
None expected