Mixing
Using modules “not covered by Drupal’s security advisory policyâ€
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;
up vote
3
down vote
favorite
I would like to use a Drupal 7 module that is "not covered by Drupal’s security advisory policy", specifically the Conditional Fields module.
It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.
Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?
7 security
edited 8 mins ago
Pierre.Vriens
35k1334154
asked 2 hours ago
Danny Browne
13210
add a comment |Â
up vote
3
down vote
favorite
I would like to use a Drupal 7 module that is "not covered by Drupal’s security advisory policy", specifically the Conditional Fields module.
It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.
Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?
7 security
edited 8 mins ago
Pierre.Vriens
35k1334154
asked 2 hours ago
Danny Browne
13210
add a comment |Â
up vote
3
down vote
favorite
up vote
3
down vote
favorite
I would like to use a Drupal 7 module that is "not covered by Drupal’s security advisory policy", specifically the Conditional Fields module.
It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.
Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?
7 security
edited 8 mins ago
Pierre.Vriens
35k1334154
asked 2 hours ago
Danny Browne
13210
I would like to use a Drupal 7 module that is "not covered by Drupal’s security advisory policy", specifically the Conditional Fields module.
It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.
Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?
7 security
7 security
edited 8 mins ago
Pierre.Vriens
35k1334154
asked 2 hours ago
Danny Browne
13210
edited 8 mins ago
Pierre.Vriens
35k1334154
asked 2 hours ago
Danny Browne
13210
edited 8 mins ago
Pierre.Vriens
35k1334154
edited 8 mins ago
Pierre.Vriens
35k1334154
edited 8 mins ago
Pierre.Vriens
35k1334154
35k1334154
asked 2 hours ago
Danny Browne
13210
asked 2 hours ago
Danny Browne
13210
asked 2 hours ago
Danny Browne
13210
13210
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
2
down vote
accepted
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
answered 57 mins ago
komlenic
362
New contributor
komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
0
down vote
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
answered 11 mins ago
Pierre.Vriens
35k1334154
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
accepted
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
answered 57 mins ago
komlenic
362
New contributor
komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
2
down vote
accepted
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
answered 57 mins ago
komlenic
362
New contributor
komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
2
down vote
accepted
up vote
2
down vote
accepted
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
answered 57 mins ago
komlenic
362
New contributor
komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
answered 57 mins ago
komlenic
362
New contributor
komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 57 mins ago
komlenic
362
New contributor
komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 57 mins ago
komlenic
362
answered 57 mins ago
komlenic
362
362
New contributor
komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
add a comment |Â
up vote
0
down vote
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
answered 11 mins ago
Pierre.Vriens
35k1334154
add a comment |Â
up vote
0
down vote
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
answered 11 mins ago
Pierre.Vriens
35k1334154
add a comment |Â
up vote
0
down vote
up vote
0
down vote
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
answered 11 mins ago
Pierre.Vriens
35k1334154
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
answered 11 mins ago
Pierre.Vriens
35k1334154
answered 11 mins ago
Pierre.Vriens
35k1334154
answered 11 mins ago
Pierre.Vriens
35k1334154
answered 11 mins ago
Pierre.Vriens
35k1334154
35k1334154
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdrupal.stackexchange.com%2fquestions%2f271018%2fusing-modules-not-covered-by-drupal-s-security-advisory-policy%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
