Security release numbers, timing, and contents

Security Release numbers

Security releases of Backdrop currently use the semantic version numbering scheme, with no special indication in the release number that a security fix is included.

For example, Backdrop 1.29.3 was a security release, and Backdrop 1.29.4 was a bug fix release made afterwards (containing no new security fixes besides those already released in Backdrop 1.29.3).

An advantage of this approach is that many of our existing systems depend on sequential version numbers, including the Update Status and Installer modules, Bee, Drush, localize.backdropcms.org, the release packaging system, and so on. Reworking all these systems seems unwise.

A disadvantage of this approach is that it's not immediately clear which release is a security release. This information is readily available from the release notes, as well as from the list of security advisories. It can also be located in various other places, such as the Update Manager module within your Backdrop site.

Security Release timing

Security release "windows" are every Wednesday for Backdrop contributed projects, and one Wednesday a month (usually the third Wednesday) for Backdrop core. We generally do not release contributed project security issues on the same day as core unless the core fix should also be in a contributed project. For example, if there were a bug in the core Link module that also affects contributed modules that extend the core Link module, those modules should have a release on the same day as the Backdrop core release.

A release window does not necessarily mean that a release will be made on that date. The window exists so that site administrators can know in advance which days they should look out for a possible security release. (In the unusual case of a highly critical security issue, such as one which is being actively exploited in the wild, releases may be made outside of the normal window.)

Security releases usually happen between 16:00 UTC and 22:00 UTC.

You can view all release windows (and all other regular meetings) on this calendar.

Bug-fix releases

The current policy for Backdrop core security releases is that they will not occur within one week of any bug-fix release.

Minor releases

The current policy for Backdrop core security releases is that they will not occur within two weeks of any minor release.

Security Release contents

What is in a security release?

Backdrop core

Each security release should contain only the security fixes applied to the previous release. The next bug fix or minor release, when it happens, will contain the previous security fixes plus all other new changes.

This approach is intended to allow people to upgrade their sites immediately once a security hole is found, without concerns of accidentally breaking their sites by pulling any other upstream changes that have not been widely tested yet.

Contributed projects

Backdrop contributed projects may not always follow the Release Content policy. Our maintainers generally make releases when it best suits the changes in the project and works with their schedules. One of the two following scenarios is likely:

  • There could be two releases on the same day. One would be a bug fix/feature release, and the other would be a security release.
  • Though discouraged, there could be a single release that contains both the security fix and bug fixes/features together. This kind of release should get more careful testing before it is deployed to production websites.

Always check the release notes for a particular security release for more information about what exactly it contains.