Using modules ânot covered by DrupalâÂÂs security advisory policyâ
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;
up vote
3
down vote
favorite
I would like to use a Drupal 7 module that is "not covered by DrupalâÂÂs security advisory policy", specifically the Conditional Fields module.
It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.
Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?
7 security
add a comment |Â
up vote
3
down vote
favorite
I would like to use a Drupal 7 module that is "not covered by DrupalâÂÂs security advisory policy", specifically the Conditional Fields module.
It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.
Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?
7 security
add a comment |Â
up vote
3
down vote
favorite
up vote
3
down vote
favorite
I would like to use a Drupal 7 module that is "not covered by DrupalâÂÂs security advisory policy", specifically the Conditional Fields module.
It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.
Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?
7 security
I would like to use a Drupal 7 module that is "not covered by DrupalâÂÂs security advisory policy", specifically the Conditional Fields module.
It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.
Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?
7 security
7 security
edited 8 mins ago
Pierre.Vriens
35k1334154
35k1334154
asked 2 hours ago
Danny Browne
13210
13210
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
2
down vote
accepted
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by DrupalâÂÂs security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
New contributor
add a comment |Â
up vote
0
down vote
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
accepted
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by DrupalâÂÂs security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
New contributor
add a comment |Â
up vote
2
down vote
accepted
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by DrupalâÂÂs security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
New contributor
add a comment |Â
up vote
2
down vote
accepted
up vote
2
down vote
accepted
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by DrupalâÂÂs security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
New contributor
According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.
Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by DrupalâÂÂs security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.
You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.
Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.
New contributor
New contributor
answered 57 mins ago
komlenic
362
362
New contributor
New contributor
add a comment |Â
add a comment |Â
up vote
0
down vote
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
add a comment |Â
up vote
0
down vote
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
add a comment |Â
up vote
0
down vote
up vote
0
down vote
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.
These are IMO the criteria you should also consider:
- Nr of open bugs
- No RTBC'd items
- Last commits
- Community docu
- Support 2 core releases
- DEV release for D8
- Nr of Committers
- SimpleTests or Unit Tests
- Automated testing enabled
- Downloads / installs ratio
- Contributing users in commits
answered 11 mins ago
Pierre.Vriens
35k1334154
35k1334154
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdrupal.stackexchange.com%2fquestions%2f271018%2fusing-modules-not-covered-by-drupal-s-security-advisory-policy%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password