[TYPO3-ect] TER clean up actions

Jigal van Hemert jigal at xs4all.nl
Sun Feb 19 09:21:08 CET 2012


Hi Michael,

On 19-2-2012 6:16, Michael wrote:
>> 7.2 Difference between 'insecure' and 'outdated'
>
> If we use the "reviewstate" value for classifying 'insecure' (-1) *and*
> 'outdated' extensions (-2), this would mean we cannot distinguish
> between both states.

The Security Team has already mentioned that they wouldn't focus on 
'outdated' extensions any more.

In the TER database all versions of an extension have their own record. 
The Security Team only marks versions of extensions as 'insecure' which 
have the security problem.
Both the online TER search and the Extension Manager filter 'insecure' 
records first and show the latest version of the extensions which still 
have one or more records left.

Both 'insecure' and 'outdated' extensions will not be listed in the TER 
search in the Extension Manager. You will have to make some effort to 
get 'outdated' extensions from the online TER (and it will show a 
warning in that case).
'insecure' extensions can only become listed again when a new (fixed) 
version is uploaded. This version is then automatically checked for the 
right TYPO3 version dependency and will then also not be 'outdated' any 
more.
There is also a reviewstate +1 (reviewed by the Security Team), but this 
is the case only for very few extensions. Because new versions of those 
extensions have to be re-reviewed before they get this status again, we 
can assume that once they become 'outdated' they also lose the 
'reviewed' status.

The 'insecure' state is more severe than the 'outdated' state. I would 
suggest that we only mark extensions as 'outdated' if they do not 
have an 'insecure' state.

Anyway, marking extensions as 'outdated' won't be a very trivial query:
- to mark an extension without dependencies on TYPO3 as 'outdated' all 
versions of that extension must be marked
- only not-insecure versions can be marked 'outdated'
- versions of extensions with dependencies on TYPO3 must be checked 
individually
- TYPO3 4.5 LTS makes dependency checks non-trivial. If you look at the 
roadmap [1] you'll see that 4.7 will be EOL before 4.5; an extension 
(version) with dependency 'typo3' => '4.6.0-4.7.99' will be 'outdated' 
before the previous version 'typo3' => '4.5.0-4.5.99' will be 
'outdated'. (This seems illogical at first.)

We could use a bit-array for the negative values, but it wouldn't add 
too much at the moment. Maybe to be forward compatible?

[1] http://preview.typo3.org/roadmap/

-- 
Kind regards / met vriendelijke groet,

Jigal van Hemert.
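
Added example, not part of Jigal's mail or of the TER code: a small Python model of the per-version reviewstate rules described above (insecure records are left alone, dependency-bearing versions are checked one by one against an EOL table, dependency-free extensions are marked as a whole, and a version that becomes outdated loses the reviewed flag), plus the Extension Manager listing rule. The EOL table, the extension keys and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

INSECURE, OUTDATED, REVIEWED = -1, -2, 1   # reviewstate values named in the thread

# Constructed EOL table (assumption): 4.5 is LTS, so 4.6/4.7 reach EOL before 4.5.
EOL_BRANCHES = {"4.6", "4.7"}

@dataclass
class ExtVersion:
    key: str                          # extension key (one record per version)
    version: str
    typo3_dep: Optional[str] = None   # 'typo3' => '4.5.0-4.5.99'; None = no dependency
    reviewstate: int = 0

def dep_branches(dep: str) -> Set[str]:
    """Expand a 'lo-hi' TYPO3 range into the minor branches it covers (same major assumed)."""
    lo, hi = (tuple(int(x) for x in v.split(".")) for v in dep.split("-"))
    return {f"{lo[0]}.{m}" for m in range(lo[1], hi[1] + 1)}

def mark_outdated(records: List[ExtVersion], nodep_outdated: Set[str]) -> List[ExtVersion]:
    """Apply the rules from the post. nodep_outdated (hypothetical input) is the set of
    dependency-free extension keys already judged outdated by other means; every
    non-insecure version of those is marked. Versions with a TYPO3 dependency are
    outdated only when every branch they support is EOL. Marking overwrites +1."""
    for r in records:
        if r.reviewstate == INSECURE:      # insecure is more severe; never downgraded
            continue
        if r.key in nodep_outdated or (r.typo3_dep and dep_branches(r.typo3_dep) <= EOL_BRANCHES):
            r.reviewstate = OUTDATED
    return records

def listed_version(records: List[ExtVersion], key: str) -> Optional[str]:
    """Extension Manager view: drop insecure/outdated records first, show the latest left."""
    ok = [r for r in records if r.key == key and r.reviewstate >= 0]
    if not ok:
        return None
    return max(ok, key=lambda r: tuple(int(x) for x in r.version.split("."))).version

# Constructed sample records for two hypothetical extensions.
SAMPLE = [
    ExtVersion("foo", "1.0.0", "4.5.0-4.5.99"),
    ExtVersion("foo", "1.1.0", "4.6.0-4.7.99", REVIEWED),
    ExtVersion("foo", "1.2.0", "4.6.0-4.7.99", INSECURE),
    ExtVersion("bar", "0.9.0"),
    ExtVersion("bar", "1.0.0", None, INSECURE),
]

if __name__ == "__main__":
    mark_outdated(SAMPLE, {"bar"})
    for r in SAMPLE:
        print(r)
    print(listed_version(SAMPLE, "foo"), listed_version(SAMPLE, "bar"))
```

Note how foo 1.1.0 (4.6-4.7) becomes outdated while the older foo 1.0.0 (4.5 LTS) stays listed, which is the "illogical at first" ordering from the roadmap.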


More information about the TYPO3-team-extension-coordination mailing list