Problem/Motivation
To support the recent changes to the project application process, namely decoupling the ability to create full projects/releases from security coverage - we need to provide indicators on the update status page of which installed modules receive security coverage.
@hestenet, @drumm, and @mlhess hope to help drive this forward. @Dries has given his blessing to prioritize this patch.
We (the DA) want to get this committed as soon as possible, and so we're allocating our sprint time towards getting this ready, writing tests, and responding to any reviews.
Proposed resolution
The changes would need to:
- Indicate which modules have security coverage and which do not.
- Provide visual indicators of coverage status via the shield icon and the !-alert icon
- For modules that are explicitly unsupported for known security issues or other reasons, it should indicate that
In addition the changes could:
- Provide an alert on each page for admins like the 'you are using a module with a security release' warning
Remaining tasks
Review
User interface changes
admin/reports/updates with added security information
The update status for available updates, including security updates and the row backgrounds, is left as-is for consistency. Security information is grouped with module support or update status.
Addition to status report
If everything is covered:
If something is not:
API changes
Theme additions in update module.
Data model changes
We have updated the update status xml to support this change: #2853696: Add security advisory coverage to update status XML and can make additional changes as needed.