[consulting] preparing clients for Drupal 5 obsolesence

Matt Chapman Matt at NinjitsuWeb.com
Tue Mar 10 19:50:20 UTC 2009 

Sam Cohen wrote:
> Are you actually suggesting that developers should refuse to add 
> features to Drupal 5 sites  even if they never told the client when 
> they first built the Drupal 5 site that they were going to be doing this?

No, as I said, I am continuing to serve my existing Drupal 5 clients, 
while encouraging them to plan for an upgrade at the end of the year. 
Because I'm having these conversations now, most clients see the value 
of not delaying the upgrade, and prefer to upgrade now. I will refuse to 
add features to Drupal 5 sites only after the official EOL for D5.

What I'm doing now is refusing to take on NEW clients who have existing 
Drupal 5 sites, or want a site built with Drupal 5. (A large portion of 
my business comes from clients who have been abandoned or screwed by a 
previous Drupal developer. If they have a D5 site, as of this week, I'm 
telling them that step one is an upgrade.)

> That seems incredibly unfair to clients, especially those with limited 
> budgets. 
To me, it is incredibly unfair to the client to claim to be saving them 
money by giving them an obsolete solution which is prone to security 
vulnerabilities.

> In truth, I wouldn't even consider having clients agree to this for 
> future sites.  If I did, I'd have to say, ok, I'm going to build your 
> site in Drupal 6 today, but at some point in the future I'm going to 
> refuse to add any new features unless you spend X dollars to upgrade 
> to Drupal 7 -- and if we're talking about a heavily customized site 
> that X can be many thousands of dollars. 
I think it is shortsighted at best, and dishonest at worst, to NOT have 
this conversation with you client, unless you're willing to commit to 
writing Drupal 6 modules and back-porting security patches ten years 
from now.


> I've still got a couple of 4.7 sites that are serving nonprofit 
> clients very well and they are very happy with them.  I'd like it if 
> they paid for an upgrade, but I can't imagine requiring them to do so.

You'll be able to imagine it more clearly when they get hacked because 
of a lack of security patching and blame you. I hope you have E&O 
liability insurance.

I don't consider myself a security expert. When absolute security is a 
requirement, I suggest a third-party audit. Even if I wanted to do the 
work of back-porting security patches without compensation, I don't 
trust that I or my sub-contractors have sufficient skills to do so. I 
depend on & trust the drupal security team only.

Best,

Matt

More information about the consulting mailing list