Problem/Motivation
In #2942591: Start reporting specific releases as insecure in update status XML and #2804155: If the next minor version of core has a security release, status still says "Security update required!" even if the site is on an equivalent, secure release already, Drupal.org and core are being changed so that the Drupal security team can automatically mark old releases as insecure, but manually mark an older release as secure. This is useful when, for example, the same security advisory is fixed in two different minor branches. We already have to do that about 30% of the time for Drupal 8 core, and we want to do it for every release when we adopt #2909665: [plan] Extend security support to cover the previous minor version of Drupal.
Following the Drupal.org change that has already been made, the Drupal status report only links the latest security release. So, for example, in this scenario:
- SA-CORE-2018-002 creates the following core security releases, all of which are considered equally secure: 8.3.9, 8.4.6, and 8.5.1.
- The site is on 8.4.5.
The status report will link to 8.5.1, but the site owner also has the option to update to 8.4.6.
Proposed resolution
If the site is on an insecure version of an old minor and there is a secure version of that old minor available, link the latest secure release of the old minor branch on the update status report.
Continue to also provide a link to the latest version.
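The selection rule above, sketched as an added example using the SA-CORE-2018-002 scenario; this is not code from Drupal core's update module. The function name `pick_update_links()`, the `version => secure flag` array shape, and treating "latest version" as the highest secure release are assumptions made for the illustration.

```php
<?php
// Added illustration only; not Drupal core code. The input format is assumed:
// an array of version string => TRUE when the release is marked secure.

/**
 * Returns the releases to link for a site running $installed.
 *
 * Keys: 'same_minor' (latest secure release on the installed minor branch)
 * and 'latest' (latest secure release overall, when it is a different one).
 */
function pick_update_links(string $installed, array $releases): array {
  // A site already on a release marked secure needs no security links.
  if (!empty($releases[$installed])) {
    return [];
  }
  [$major, $minor] = explode('.', $installed);
  $branch_prefix = "$major.$minor.";

  $same_minor = NULL;
  $latest = NULL;
  foreach ($releases as $version => $secure) {
    // Skip insecure releases and anything that would not be an upgrade.
    if (!$secure || version_compare($version, $installed, '<=')) {
      continue;
    }
    if ($latest === NULL || version_compare($version, $latest, '>')) {
      $latest = $version;
    }
    $on_branch = strpos($version, $branch_prefix) === 0;
    if ($on_branch && ($same_minor === NULL || version_compare($version, $same_minor, '>'))) {
      $same_minor = $version;
    }
  }

  $links = [];
  if ($same_minor !== NULL) {
    $links['same_minor'] = $same_minor;
  }
  if ($latest !== NULL && $latest !== $same_minor) {
    $links['latest'] = $latest;
  }
  return $links;
}

// Constructed release data matching the scenario: 8.3.9, 8.4.6 and 8.5.1 are secure.
$releases = ['8.3.8' => FALSE, '8.3.9' => TRUE, '8.4.5' => FALSE,
  '8.4.6' => TRUE, '8.5.0' => FALSE, '8.5.1' => TRUE];
print_r(pick_update_links('8.4.5', $releases));
```

For a site on 8.5.0 only one link results, because the latest secure release on its own branch is also the latest secure release overall.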
Remaining tasks
- This issue is postponed on #2804155: If the next minor version of core has a security release, status still says "Security update required!" even if the site is on an equivalent, secure release already.
- We need a design for how the status report should link both releases.
- Decide whether to continue linking the latest security release if it is not the latest release overall and the user is on a different minor branch.
User interface changes
TBD
API changes
TBD
Data model changes
TBD