A number of ported modules like Nodequeue received security notices recently saying they are being flagged as unsupported because of unaddressed security bugs. Is there any equivalent kind of security group for the Backdrop versions? Should there be?


Comments

I expect others will weigh in shortly who are more familiar with this issue, but I can say a few things. 

1) Check https://backdropcms.org/security for current security policies and procedures for Backdrop CMS.

2) I am aware that the Backdrop CMS security team has been monitoring the situation with Drupal 7 contrib modules becoming unsupported and discussing how best to respond and keep the Backdrop CMS versions of those modules secure. 

Again, I hope that others will share a more detailed and informative reply soon.

 


Hello,

The Backdrop Security team is looking into the security issues for the respective Drupal projects that have been ported to Backdrop. Unfortunately, we cannot provide any further information publicly, due to the nature of these security-related matters.

Best way to stay informed is to subscribe to our security mailing list, and you will be notified once there's any update.

Since we are using a few of the affected modules, like Nodequeue, I can probably get some time to work on the issue(s) for them. I gather I won't be able to tell what the problems are by looking at the issue queues?

Should I contact the maintainers directly? Or will they put out some kind of call for assistance if needed?

 

It is my understanding (and I am not an expert or speaking with authority) that:

1) The reason that these modules have been marked as unsupported is that the Drupal 7 maintainer is not responding to issues. 

2) That Backdrop module maintainers do not have access to the security issue unless they are willing and able to become the maintainer of the Drupal module.

https://www.drupal.org/node/251466#procedure---own-project---unsupported

It can't hurt to reach out to the maintainer of the Backdrop modules in question, but at this point, I don't think there is anything that they can do until (or if) the exploit is made public - at which point we would respond as quickly as possible - or unless they are willing to fix and maintain the Drupal 7 version of the module as well. 

Here are three key statements from the Backdrop CMS security page:

1) The Backdrop Security Team is also watching all Drupal module security releases. When there are security releases for Drupal modules, we will work with the Backdrop maintainer to create a matching Backdrop security release within the next 24 hours. For contributed projects, our Security Team acts reactively to Drupal's security releases.

2) In the event that the maintainer of a Backdrop contributed project is not available to perform a review or update of a security release, the Backdrop Security Team is authorized to make the update to the Backdrop contributed project on the maintainer's behalf.

3) Once a solution to the problem has been found, the (Backdrop CMS) security team will request the project maintainer schedule a release for the following Wednesday.

https://backdropcms.org/security

 

Is there any equivalent kind of security group for the Backdrop versions? Should there be?

It would appear that the answer is "yes" and "yes."

Backdrop CMS definitely has a security group. It might not be the same as the Drupal security team, but it's evolving as needs arise. 

I see the conundrum now. Maybe the security teams can work something out between them. I see some people applying to become maintainers of the Drupal 7 modules, as well, which might help.

Thanks.