From now on, Web sites running unfinished Drupal modules are on their own.
The Register’s Gavin Clarke reported that open source Drupal “has updated the wording on its security site on how it handles security fixes to clarify it will only work on vulnerabilities in completed code of modules that comprise the CMS. The change clarifies that modules in release-candidate mode will not be supported.”
Module maintainers will now be given deadlines to plug security holes. If the deadline is missed, Drupal will pull the project from Drupal.org.
The change is a response to a bug found in a module that the White House used to build a plugin they released three weeks ago.
One interesting tidbit from the Register’s story is that, according to Clarke, Drupal is running on one billion Web sites?