Problem/Motivation
Currently, Drupal.org and various communication channels inform site owners of when the next important (and possibly more difficult) minor version update is scheduled, but this information is not available within Drupal itself.
In #2909665: [plan] Extend security support to cover the previous minor version of Drupal, we want to extended security coverage for the pervious minor version of Drupal for an extra release, so that if (e.g.) 8.6.2 is created with a security advisory in October, the security fixes in the advisory will be backported to (e.g.) 8.5.7, so that the site owner has more time to test minor updates while still keeping their site secure.
So for example the Drupal core minor 9.0.x would be supported until 9.2.0 is released and 9.1.x is supported until 9.3.x. This information is not available inside Drupal.
For Drupal releases before a new Drupal major this will different. For example 8.8.x will be supported until December 2, 2020 and 8.9.x, the LTS release will be supported until November 2021. This information also not available until inside Drupal
Related: This issue has some similarities to #2766491: Update status should indicate whether installed contributed projects receive security coverage, but it is not the same. That issue is about whether or not the whole contributed project has opted into security team support; this issue is about which minor versions of core currently have security team support.
Proposed resolution
Indicate to the site owner when:
- The site's minor version of Drupal core will have security coverage until a specific version of Drupal is released. This will be 2 minor releases. For instance if 9.0.2 is installed the will have security coverage until 9.2.0 is released
- The site receives security coverage but when the next minor version of Drupal is release their coverage will end. For example they are on 9.0.10 and 9.1.17 is the latest release. When 9.2.0 is released
9.0.x will no longer receive security coverage. - The site does not receive any support and they should update as soon as possible to have security coverage. They are on 9.0.10 and 9.2.0 has already been released.
Special logic for the minor releases 8.8.x and 8.9.x.
- 8.8.x will have security coverage until 2020-12-02. Sites on 8.8.x should be warned that they should update as soon as possible on 2020-6-02(this is that same as if they had 1 minor release to update)
- 8.9.x is the LTS release for Drupal. It will receive coverage until 2021-11-01. Sites on 8.9.x will not receive a update as soon as possible warning 6 months before the LTS term ends
Completed tasks
- Followup regarding the last minor of a release and/or the next major release (might be noted on #2608062: [META] Requirements for tagging Drupal 9.0.0-alpha1): #2998287: Provide accurate information on the security coverage of the 8.x final minor and LTS, and recommend updating to the next major version when appropriate
- Followup for potentially including minor coverage info/dates in the d.o XML data, rather than relying solely on the "supported minors" constant and handbook page: #2998285: Add information on later releases to updates.drupal.org
- Followup to discuss whether this should also add anything to the "General system information" header at the top: #2998289: Make security coverage more prominent on the Status Report
- Followup to discuss email notifications of being out of security coverage: #2998292: Send email when installed version no longer receives security coverage
Remaining tasks
None
User interface changes
Here are messages starting from the most out of date, earliest release. Currently the latest release is 8.7.x.
8.5.x out of date, 2 minor version behind most recent
8.6.x out of date, 1 minor version behind most recent, extra warning about updating soon
8.7.x out of date, current minor version behind most recent, not a warning
8.8.x, message doesn't change based on which version is most recent, only by date, using real date 2019.10.10
8.8.x, using test data date 2020.6.3, less than 6 months till end of coverage
8.8.x using test data date 2020.12.3, coverage over
8.9.x using real date 2019.10.10
8.9.x using test data date 2021.11.2, coverage over
API changes
None
Data model changes
None