[support] drupal upgrades? automated?

Richard Damon Richard at Damon-Family.org
Sun Feb 5 03:29:05 UTC 2012


On 2/4/12 3:50 PM, Dave Stevens wrote:
> Quoting Richard Damon <Richard at Damon-Family.org>:
>
>> On 2/4/12 1:28 PM, Dave Stevens wrote:
>>> Dear All,
>>>
>>> Recently I got an email from my drupal 7.10 site informing me that
>>> there was an update available to version 7.12. The link took me to a
>>> pink hued page where I was told that it was advisable to correct a
>>> security problem by upgrading to 7.12. I am then informed that there
>>> is no automated upgrade, but that instructions are available to
>>> manually back up files and databases then carry on with a manual
>>> upgrade.
>>>
>>> I see this as a real issue with the design of Drupal. It is all very
>>> well to find vulnerabilities and announce them, with fixes, but if
>>> there is no simple, automated way to apply the fixes there will
>>> inevitably be a lot of unpatched cms's out there running outdated and
>>> known-vulnerable versions of Drupal.
>>>
>>> The developers may, for all I know, be working hard on an automated
>>> update and patch mechanism. Can anyone tell me if this is the case? Am
>>> I doomed to continue manually applying security fixes as long as I
>>> persist with Drupal? I dumped Win95 a long time ago and have really no
>>> wish to regress this way.
>>>
>>> Dave
>>>
>>>
>> Drupal has problems updating itself, as while it is updating itself it
>> needs to be present, but one step of an update is to remove the current
>> set of core files.
>> Drush, the drupal command line tool, being somewhat separate from the
>> Drupal core, is able to do an update mostly autonomously. Drush does use
>> parts of core for other operations. With drush it is fairly easy to
>> apply the update.
>>
>> You really don't want an update like this to happen "automatically" but
>> only on command, as you REALLY want to know when an update has happened
>> to understand possible sources of strangeness (if it happens shortly
>> after an upgrade, you want to look if it is a known issue with the
>> upgrade, if you haven't done an upgrade recently, it is probably
>> something else you did recently), and to make sure you have done the
>> appropriate backups before doing the upgrade.
>>
>> --
>> Richard Damon
>>
>> --
>> [ Drupal support list | http://lists.drupal.org/ ]
>>
> I partly agree. I don't want a major unattended upgrade going on,  
> certainly. But if I get a message about a security issue and a  
> proposed path forward, I'd like to, for example, make a tarball of the  
> whole site, dbs and everything else (easy) then be able to push the  
> button and say GO to the upgrade without having to bit twiddle. So a  
> scripted upgrade and some kind of rollback mechanism would, I think,  
> be vastly preferable to excluding site maintainers from upgrading from  
> fear of breaking something, and so choosing to leave the current  
> version in place, security holes and all.
>
> Just to add some realism to this, is there an estimate of how many  
> sites are running versions with security issues still in place? So for  
> example, how many sites are running D6 say?
>
> Dave
>
With drush, once you have your backup, you just need to execute

drush up

and drush will install the core & module updates, then run the update
script. This is pretty close to a "just push the button", the only
difference is it is a shell command not a control on a web site page.

As to usage information of old/outdated versions, Drupal actually does
gather some of this information with the update module and it can be
seen at http://drupal.org/project/usage/drupal

Now, as to looking down on D6 installs, D6 is still actively maintained,
so just running D6 isn't a security risk, and there are good reasons to
not migrate a working site from D6 to D7 just to be "current" (not all
the modules are updated yet for one).

-- 
Richard Damon
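
Added example, not part of the original message and not code from the Drupal or Drush projects: a shell function for the "backup, then drush up" sequence discussed above, which refuses to update unless the backup succeeded and logs a timestamp for every run. The function name, the log file name and the paths in the usage comment are assumptions; `archive-dump` and `pm-update --security-only` are the long forms of drush's `ard` and `up` commands.

```shell
#!/bin/sh
# Added example. Hypothetical names: secure_update, updates.log, site-<stamp>.tar.gz.
# DRUSH may be overridden with a full path to the drush executable.
DRUSH="${DRUSH:-drush}"

# secure_update DRUPAL_ROOT BACKUP_DIR
# Returns 0 only if both the backup and the update succeeded.
secure_update() {
    root="$1"; backup_dir="$2"
    if [ -z "$root" ] || [ -z "$backup_dir" ]; then
        echo "usage: secure_update DRUPAL_ROOT BACKUP_DIR" >&2
        return 2
    fi
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$backup_dir/site-$stamp.tar.gz"
    log="$backup_dir/updates.log"
    mkdir -p "$backup_dir" || return 1

    # Step 1: one archive holding code, files and a database dump.
    if ! "$DRUSH" --root="$root" archive-dump --destination="$archive"; then
        echo "$stamp backup FAILED, update not attempted" >> "$log"
        return 1
    fi

    # Step 2: only with a good backup in hand, install security releases
    # for core and modules and run the pending database updates.
    if "$DRUSH" --root="$root" --yes pm-update --security-only; then
        echo "$stamp update OK backup=$archive" >> "$log"
    else
        echo "$stamp update FAILED restore-from=$archive" >> "$log"
        return 1
    fi
}

# Usage (placeholder paths): secure_update /var/www/drupal /var/backups/drupal
```

The log gives the "when did an update happen" record asked for earlier in the thread, and the archive named in a FAILED line is the one to hand to `drush archive-restore`.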


