[development] RFC: letting modules phone home to check for new releases

Gabor Hojtsy gabor at hojtsy.hu
Wed Nov 22 07:39:38 UTC 2006


On Tue, 21 Nov 2006, Larry Garfield wrote:
> For the sysadmins in the crowd, there's nothing wrong with putting "apt-get
> update" in your crontab.  "apt-get upgrade" should only be run by the
> sysadmin as root, by hand, and therefore when you know you're doing something
> dangerous. :-)
>
> The hard parts (downloading and unpacking) are all automated, but only when
> the admin is on the command line (and therefore running as the owner of the
> files anyway), and therefore (hopefully) knows exactly what he's doing.  Yes,
> this excludes people who are on a host that doesn't give them a shell.  Given
> the file permissions involved, I don't really know of a way around that.
>
> *sits back to have the security holes pointed out in the above.* :-)

How many shared hosts have a command line feature for their users? This 
discussion is around easing the update pain for inexperienced users. They 
are surely not running their site on their own servers.

The problem with the above, even if you only consider "apt-get update" 
automatically done, is that incompatibilities can happen. Previous releases 
of Drupal have seen database updates needed between minor versions, and 
even big chunks of code replaced / modified. Like the XML-RPC layer 
completely replaced and released as a minor update. Or the form key 
requirement added and released as a minor update. There is a strong 
possibility that at the time when that update happens, your contrib 
modules are not yet up to date (especially those you might have added 
yourself, or downloaded and set up from a third party vendor - not 
drupal.org). Now think that you have a modified theme, not some stock 
theme from drupal.org. That cannot be updated, although you might need to 
add the form key stuff into the code. No automatic update will do this for 
you.

The problem is that customized software like Drupal is extremely hard to 
update automatically (and most of the time it will fail due to being 
uncertain that some of your components which are not possible to update 
might not be compatible with stuff which is possible to update). And this 
is only about updating minor releases...

As far as I see, no one saves you from testing the updates / upgrades 
yourself, and ensuring that everything works. There is a place for humans 
here.

Gabor

