oss-sec mailing list archives

Re: CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)


From: Greg Knaddison <greg.knaddison () acquia com>
Date: Wed, 11 Apr 2012 21:07:17 -0600

On Wed, Apr 11, 2012 at 8:10 PM, Kurt Seifried <kseifried () redhat com> wrote:


>>> Direct links to the code commits fixing them would be nice =)

>> We probably can't do this, though it is a fairly common request.
>> Our current policy is not to discuss the specific details for at
>> least 2 weeks and closer to 6 months if possible. Project usage
>> shows that most site builders don't upgrade very quickly.

> Hrmm yeah that's a tough one. Do you do any regression testing to make
> sure the new modules don't break things (if people know stuff is
> unlikely to break they are more likely to upgrade quickly, usually
> anyway)?


As a project there is an automated testing framework integrated into the
code hosted on drupal.org and a network of servers to run tests pretty
quickly, but very few of the contributed modules take advantage of it
(there are 16,000 of them after all). I don't think we've gone beyond
anecdotes for why people don't upgrade rapidly, but it's definitely
something we're constantly working on: improving the speed of the upgrade
cycle.


> Perfect! I was just thinking, as long as the main project
> contributors/etc. (e.g. you guys in the case of Drupal) do the CVE
> requests in a regular and public way (e.g. to OSS-sec) then there is
> minimal chance of duplicates and other problems (e.g. someone else
> sending a request to Mitre directly or whatever).


Solid.

-- 
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com
