Notice: This article has been updated in response to the new Drupal 7 End-of-Life date announced by the Drupal Association on June 7, 2023.

It's not news that Drupal 7 is approaching its end-of-life (EOL); in fact, it has been a long time coming. Even with another EOL extension date (January 5, 2025), changes in overall support come into effect as early as August 2023, and that will be here before you know it. There has been a lot of talk about what it takes to upgrade to "modern Drupal," but less ink has been spilled painting a picture of what it will actually be like to still be responsible for a Drupal 7 site and its security after that date. Keep reading this article (or listen to our Drupal 7 End-of-Life Podcast) to learn all about what it means for you.

Trust the Process

Drupal has long had a stellar reputation for security and it would be easy to think that was due to the fact that it is open-source. I would argue the level of security offered by Drupal's codebase is a product of its security process.

The Drupal Security Team is responsible for triaging security issues for Drupal core and contributed modules, mobilizing developers to create fixes, and getting information about the vulnerability, along with the corresponding fix, in front of users as efficiently as possible. When Drupal 7 reaches EOL, its code will still be open-source, but it will not benefit from any of the structure or processes that have been built to get Drupal to where it is now. It will be a bit like living in a frontier town with no infrastructure or help available when something inevitably goes wrong. This is not what anyone responsible for the security of a website wants to hear.

Drupal's Security Process

As a refresher, this is a high-level overview of the steps that would occur if you discover a vulnerability in a supported version of Drupal.

1. You discover a security vulnerability in Drupal core or a contributed module.
2. You report the vulnerability to the Drupal Security Team.
3. The security team will triage the issue and if they confirm it, contact the relevant maintainers in private. This is important so that a fix can be created before the vulnerability is made public.
4. The security team will coordinate with the maintainers to ensure the issue has been resolved.
5. When the issue has been fixed, and new releases created, the security team will publicize the vulnerability and its fix.

Drupal users only need to concern themselves with following the security team's announcements to stay up to date on vulnerabilities and their corresponding fixes.

Zero-Day Exploits

The original EOL announcement from 2019 details what will be different when Drupal 7 reaches end-of-life: The Drupal Security Team will no longer provide support or Security Advisories for Drupal 7 core or contributed modules, themes, or other projects. Reports about Drupal 7 vulnerabilities might become public creating 0 day exploits.

The security processes detailed above will not exist for Drupal 7. The security team will no longer accept or triage reports for Drupal 7, coordinate/publish fixes, or publicize their release. It will be increasingly likely that vulnerabilities will be disclosed publicly before fixes are identified and published.

Providing security requires more than simply posting a patch to. Hundreds of thousands of people rely on the Drupal security team to notify them of known vulnerabilities. Even if a developer is kind enough to publish a fix for a vulnerability, no official announcements will be made. The security team coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance.

You will be on your own to identify and vet any security disclosures and fixes.

- Does this patch actually resolve a real issue or could it be creating a new vulnerability?
- Do I trust the person who is sharing this patch?

These are just some of the questions you will have to ask yourself in a post-EOL world.

There will be no more core commits to Drupal 7. There will be no further commits or packaged releases for Drupal 7. When a vulnerability is disclosed you will be responsible for finding or creating a fix and then tracking and applying your own security patches. As you add more patches over time, you will be responsible for making sure that patches continue to apply cleanly if there are conflicts between one or more of them.