Drupal 6 - Dual Security and Bug Updates of Core


We all know how important it is to keep your website secure and updated. A couple of days ago new security and bugfix versions of Drupal 6 were released. When I first saw the announcement listing both v6.18 and v6.19 I initially thought v6.19 was a panic release fixing a problem with 6.18. It wasn't until I read up on it further that I discovered it was intentional.

I believe there are many Drupal users, like myself, that got a bit confused about this new Drupal 6 release process, especially since it is not very clearly explained on drupal.org and the project page. Below I will try and explain what has changed and how it works.

Dual Security and Bugfix Releases

In the Details about the new Drupal 6 release process, Gábor Hojtsy goes into detail about the Drupal 6 Core release process, as well as the changes recently made to it. Basically it boils down to this:

  • One release containing only security fixes.
  • One release containing both security and bug fixes.

The security release is aimed at websites that implement a strict QA (Quality Assurance) process to make sure that a new version does not break any functionality on the existing website. Before this change (and still today), such sites have had the option to manually patch Drupal Core based on the security advisory announcements from the Drupal Security Team, such as SA-CORE-2010-001. Those announcements contain links to the patches.

Manually applying those patches creates overhead, since the site administrators need to keep track of which patches have been applied. The site's Drupal Core version will thus differ from the official release, and we all know that is not a good idea. It's not the same as hacking core, but it still creates additional overhead.

By including only the security fixes in one release, it is now possible to quickly patch those holes, while the other release, the one that also contains bugfixes, goes through more rigorous QA testing.

Better Clarification on drupal.org Needed

This is definitely a step in the right direction for Drupal, but it needs to be better explained on drupal.org. Right now you have to read the "fine print" to fully understand what is going on. Reading the release notes for v6.19 doesn't really explain it:

Drupal 6.18 and 5.23, maintenance releases which fix security vulnerabilities are now available for download.

Drupal 6.19 also fixes other small issues reported through the bug tracking system.

It's not difficult to read the above as saying that v6.18 introduced a bug that quickly had to be fixed, resulting in a panic v6.19 release.

The project page for Drupal Core doesn't make things clearer either; it doesn't even contain a link to v6.18.

One idea for better clarification could be to specify that even-numbered minor releases, such as v6.18, v6.20, etc., are the ones containing security fixes only, while odd-numbered minor releases, such as v6.19, v6.21, etc., contain both security and bug fixes. That way you only need to look at the minor number to know what it contains.