What are the really use of the ancient Project Application issue queue now that you can promote your own sandbox projects?

Question

The Gates are open for Drupal.org Code Contributions, so now you can promote sandbox projects to full projects with releases if you have accepted the git terms of service.

But what is the actual use of the legacy Project Application issue queue (which is now named Drupal.org security advisory coverage applications?

I post this question because I have a module in revision there a some users that says that the code is OK, they made some suggestions and I made the changes until the last comment that says:

When a node Add is disabled, you should at minimum highlight which content type won't accept new content (in fact providing node edition instead).

This is a UX change that don't affect the security and don't affect the module functionalities. The module works fine without this. And now the module is promoted to full project this is an impediment to approve the module in the new Drupal.org security advisory coverage applications queue?

What are now the procedures to go ahead wit the revisions?

^{Disclosure: I'm the maintainer of the module Only One. I'm not looking for promotion, I just want to know how to finish the review process.}

Answer 1

The canonical reference for this is [Community Initiative Proposal] Project Applications Process Revamp.

As of 2017/03/14, most of the plan has been implemented on the back-end, but some of the documentation still needs to be updated and there are still a few things that are being fine tuned.

To directly answer your question, the old Project Application queue is being repurposed as the Drupal.org security advisory coverage applications queue.

There is currently a documentation page about how to apply for permission to opt into security advisory coverage.

In short, you need to go through the application process where your project is reviewed. Instead of being allowed to promote your project (which you can now do on your own), a successful application will result in the applicant being able to opt-into security team coverage (the meaning of the "git vetted" role is being changed).

The process is essentially the same, and the security advisory coverage application checklist has been updated. The review admins will block applications on

• Licensing problems (including third-party code)
• Security problems

An application can be blocked on other items in the checklist at admin discretion.

You can go ahead an work on the issues in your project's issue queue. Make sure you follow best-practices as outlined in (the page I can't find about being a responsible maintainer). If you haven't already, then make sure you have an application in the queue, and reviewers will use the latest -dev version of your code for evaluation.

Just keep in mind that the process changes that were just done were to allow project promotion; there is a still the human factor (and backlog) for the manual reviews for the security opt-in.

Answer 2

Apart from your actual question, you also posted a comment which contains this:

... the project is promoted, but now how can I obtain the shield?

Not sure if it will be a complete answer to your question, but your scenario here seems a variation of the question about "Why has my security shield for my new module on Drupal.org been removed?". Your variation now seems to be "Why has my security shield for my new module on Drupal.org not yet been added?" (or why is it not visible yet).

Here is part of my answer in that related question:

You need to create an official release, for at least 1 version of Drupal core that is supported. In your case, for D7, like a 7.x-1.0 version of your module. Shortly after doing so, your module will have the security shield.

I'm not sure (yet) about how long that Shortly actually may take, but I also noticed that on the revisions page of OnlyOne the most current timestamp is 13 Mar 2017 at 22:32 CET (which is less then 24 hours ago). Moreover, on its project page there is also Last modified: March 14, 2017 (which is today ...). But it could well be that with only a little patience (like until tomorrow?), you will automagically get the shield that you're looking for.

Update

Debugging is the art of taking away all possible causes ... about a day later it appears that for your module "a little patience" is not the solution (the shield still doesn't show up). Sorry.