Using modules “not covered by Drupal’s security advisory policy”

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
3
down vote

favorite












I would like to use a Drupal 7 module that is "not covered by Drupal’s security advisory policy", specifically the Conditional Fields module.



It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.



Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?










share|improve this question





























    up vote
    3
    down vote

    favorite












    I would like to use a Drupal 7 module that is "not covered by Drupal’s security advisory policy", specifically the Conditional Fields module.



    It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.



    Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?










    share|improve this question

























      up vote
      3
      down vote

      favorite









      up vote
      3
      down vote

      favorite











      I would like to use a Drupal 7 module that is "not covered by Drupal’s security advisory policy", specifically the Conditional Fields module.



      It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.



      Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?










      share|improve this question















      I would like to use a Drupal 7 module that is "not covered by Drupal’s security advisory policy", specifically the Conditional Fields module.



      It would allow me to do exactly what I need. It looks like this module is pretty actively used and maintained but I am not sure how worried I should be about of using a module that I won't get updates about if any security issue should arise.



      Any advice? Is coding something like (using hook_form_alter and states) this myself a safer approach?







      7 security






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 8 mins ago









      Pierre.Vriens

      35k1334154




      35k1334154










      asked 2 hours ago









      Danny Browne

      13210




      13210




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          2
          down vote



          accepted










          According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.



          Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.



          You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.



          Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.






          share|improve this answer








          New contributor




          komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.
























            up vote
            0
            down vote













            Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.



            These are IMO the criteria you should also consider:



            • Nr of open bugs

            • No RTBC'd items

            • Last commits

            • Community docu

            • Support 2 core releases

            • DEV release for D8

            • Nr of Committers

            • SimpleTests or Unit Tests

            • Automated testing enabled

            • Downloads / installs ratio

            • Contributing users in commits





            share|improve this answer




















              Your Answer







              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "220"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: false,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













               

              draft saved


              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdrupal.stackexchange.com%2fquestions%2f271018%2fusing-modules-not-covered-by-drupal-s-security-advisory-policy%23new-answer', 'question_page');

              );

              Post as a guest






























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              2
              down vote



              accepted










              According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.



              Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.



              You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.



              Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.






              share|improve this answer








              New contributor




              komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.





















                up vote
                2
                down vote



                accepted










                According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.



                Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.



                You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.



                Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.






                share|improve this answer








                New contributor




                komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.



















                  up vote
                  2
                  down vote



                  accepted







                  up vote
                  2
                  down vote



                  accepted






                  According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.



                  Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.



                  You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.



                  Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.






                  share|improve this answer








                  New contributor




                  komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  According to the Security advisory process and permissions policy, modules that have an alpha, beta, or rc (relase candidate) status are not covered by this policy, and security advisories will not be reported for these projects. At the time of writing, Conditional Fields has recommended releases for Drupal 7 and 8 that are both in "alpha" stage. Even without security advisories, you can still choose to be notified when the module is updated.



                  Since module releases and their status are arbitrarily assigned by project maintainers, only you can judge whether you should use a module marked as not being covered by Drupal’s security advisory policy. One maintainer's "alpha" module, would be a "1.0" version to another maintainer.



                  You should examine the maintainer's credibility, history on Drupal.org, the project's popularity, and the speed at which issues are resolved or responded to. Many popular and public sites do make use of "beta" or other modules.



                  Coding your own module to duplicate the functionality of a module that already exists seems more likely to introduce security vulnerabilities that can potentially only be diagnosed or fixed by one person: you. Using an "alpha" module with a competent maintainer and an active community of users seems far more advisable.







                  share|improve this answer








                  New contributor




                  komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  share|improve this answer



                  share|improve this answer






                  New contributor




                  komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  answered 57 mins ago









                  komlenic

                  362




                  362




                  New contributor




                  komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.





                  New contributor





                  komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






                  komlenic is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






















                      up vote
                      0
                      down vote













                      Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.



                      These are IMO the criteria you should also consider:



                      • Nr of open bugs

                      • No RTBC'd items

                      • Last commits

                      • Community docu

                      • Support 2 core releases

                      • DEV release for D8

                      • Nr of Committers

                      • SimpleTests or Unit Tests

                      • Automated testing enabled

                      • Downloads / installs ratio

                      • Contributing users in commits





                      share|improve this answer
























                        up vote
                        0
                        down vote













                        Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.



                        These are IMO the criteria you should also consider:



                        • Nr of open bugs

                        • No RTBC'd items

                        • Last commits

                        • Community docu

                        • Support 2 core releases

                        • DEV release for D8

                        • Nr of Committers

                        • SimpleTests or Unit Tests

                        • Automated testing enabled

                        • Downloads / installs ratio

                        • Contributing users in commits





                        share|improve this answer






















                          up vote
                          0
                          down vote










                          up vote
                          0
                          down vote









                          Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.



                          These are IMO the criteria you should also consider:



                          • Nr of open bugs

                          • No RTBC'd items

                          • Last commits

                          • Community docu

                          • Support 2 core releases

                          • DEV release for D8

                          • Nr of Committers

                          • SimpleTests or Unit Tests

                          • Automated testing enabled

                          • Downloads / installs ratio

                          • Contributing users in commits





                          share|improve this answer












                          Be careful in "only" using the security advisory. Instead you may want to consider many more criteria to help you make decissions. As I documented in (what I call) maintenance scorecards. In that case they relate to charting modules, but you can apply them for any set of modules of course.



                          These are IMO the criteria you should also consider:



                          • Nr of open bugs

                          • No RTBC'd items

                          • Last commits

                          • Community docu

                          • Support 2 core releases

                          • DEV release for D8

                          • Nr of Committers

                          • SimpleTests or Unit Tests

                          • Automated testing enabled

                          • Downloads / installs ratio

                          • Contributing users in commits






                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered 11 mins ago









                          Pierre.Vriens

                          35k1334154




                          35k1334154



























                               

                              draft saved


                              draft discarded















































                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdrupal.stackexchange.com%2fquestions%2f271018%2fusing-modules-not-covered-by-drupal-s-security-advisory-policy%23new-answer', 'question_page');

                              );

                              Post as a guest













































































                              Comments

                              Popular posts from this blog

                              What does second last employer means? [closed]

                              Installing NextGIS Connect into QGIS 3?

                              One-line joke