In light of the recent discussions (eg. supporting older versions), I created some graphs: http://buytaert.net/drupal-download-statistics -- Dries Buytaert :: http://www.buytaert.net/
Dries Buytaert wrote:
In light of the recent discussions (eg. supporting older versions), I created some graphs:
Very interesting. I think that the download stats of the bugfix releases are also intersting: June May Sum 4.6.7: 239 2003 2242 4.6.8: 228 228 4.7.1: 1153 7423 8576 4.7.2: 830 830 This is roughly 4:1 for 4.7 to 4.6. The patches have been downloaded: http://drupal.org/files/sa-2006-005/4.7.0.patch 1926 http://drupal.org/files/sa-2006-005/4.6.6.patch 1193 http://drupal.org/files/sa-2006-006/4.7.0.patch 1122 Numbers for May. I am not sure how to interpret this numbers. They either indicate that only a small percentage of the people who download Drupal actually build a site with it or that we need to rais security awareness... Cheers, Gerhard
Considering that the bugfix was released yesterday, I think it may be to early to tell if people are forgetting to do the security updates or not. I noticed that you don't have the stats for the 4.7.0 release. It would be interesting to see how many downloaded it compared to 4.7.1. On 6/2/06, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
Dries Buytaert wrote:
In light of the recent discussions (eg. supporting older versions), I created some graphs:
Very interesting. I think that the download stats of the bugfix releases are also intersting:
June May Sum 4.6.7: 239 2003 2242 4.6.8: 228 228 4.7.1: 1153 7423 8576 4.7.2: 830 830
This is roughly 4:1 for 4.7 to 4.6.
The patches have been downloaded:
http://drupal.org/files/sa-2006-005/4.7.0.patch 1926 http://drupal.org/files/sa-2006-005/4.6.6.patch 1193
http://drupal.org/files/sa-2006-006/4.7.0.patch 1122
Numbers for May.
I am not sure how to interpret this numbers. They either indicate that only a small percentage of the people who download Drupal actually build a site with it or that we need to rais security awareness...
Cheers, Gerhard
Corey Bordelon wrote:
Considering that the bugfix was released yesterday, I think it may be to early to tell if people are forgetting to do the security updates or not.
The 4.7.1 bugfix is out for a week.
I noticed that you don't have the stats for the 4.7.0 release. It would be interesting to see how many downloaded it compared to 4.7.1.
36693 for May Cheers, Gerhard
On 6/2/06, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
Corey Bordelon wrote:
Considering that the bugfix was released yesterday, I think it may be to early to tell if people are forgetting to do the security updates or not.
The 4.7.1 bugfix is out for a week.
Sorry. I meant for 4.7.2
I noticed that you don't have the stats for the 4.7.0 release. It
would be interesting to see how many downloaded it compared to 4.7.1.
36693 for May
Combining the number of downloads for both bugfixes (some may not have had time to update to 4.7.1, but just went straight to 4.7.2), it comes out to 9406. That means that only 25% of the people that installed Drupal 4.7.0 in May are following up with the security fixes. Of course that's not taking into account the good adminstrators that did the actual updates when they should have (duplicates in the numbers). I'm sorry if the number cruncher in me is taking over and saying the obvious, I can't help it.
On 02 Jun 2006, at 16:13, Corey Bordelon wrote:
36693 for May
Combining the number of downloads for both bugfixes (some may not have had time to update to 4.7.1, but just went straight to 4.7.2), it comes out to 9406. That means that only 25% of the people that installed Drupal 4.7.0 in May are following up with the security fixes.
The fact that Drupal 4.7.0 has been downloaded 36693 times, doesn't mean there are 36693 Drupal sites. Nor can we imply that all people who downloaded Drupal 4.7.1 are actually 9406 upgrading from Drupal 4.7.0. -- Dries Buytaert :: http://www.buytaert.net/
On 02 Jun 2006, at 4:34 PM, Dries Buytaert wrote:
The fact that Drupal 4.7.0 has been downloaded 36693 times, doesn't mean there are 36693 Drupal sites. Nor can we imply that all people who downloaded Drupal 4.7.1 are actually 9406 upgrading from Drupal 4.7.0.
also the fact that any serious developer should be using cvs to access it. And that each of these developers could be managing dozens of sites. -- Adrian Rossouw Drupal developer and Bryght Guy http://drupal.org | http://bryght.com
On 02.Jun.2006, at 11:09, Adrian Rossouw wrote:
also the fact that any serious developer should be using cvs to access it.
Adrian, This comment of yours is a good example of what I mean when I say that developers in Drupal have to move away from the limelight. Drupal may have started as a project for "serious developers" only but at this point, with the explosion of the blogosphere, the project cannot really afford to be only for "serious developers". So in thinking how to track actual use of the software and its patch implementation, you need to get down several notches from where you are and make your demographics not the serious developer y'all covet to come in droves but the non-serious type who want a good product that is easy to use for community building. As I have told many a software / net artist : If a child cannot use the artwork consider the UI a failure. In the case of Drupal, you dont have to make it easy for a 6 year old to install and maintain, but you may want to think more along the lines of ... and yeah, I can be sexist about this ... cheerleaders in tight abercrombie and fitch wet tshirts wanting to make their own "suicide girls" site. This, I insist, is the trend that's going to explode in the next 18 months. If you can make it easy for that crowd to MySpace themselves, then honey, you can make anything with code. BTW, anybody in the marketing group here? Cheers, Liza Sabater, Publisher www.culturekitchen.com www.dailygotham.com TEL - 646.552.7365 AIM - cultkitdiva SKYPE - lizasabater NOTICE: Due to Presidential Executive Orders, the National Security Agency may have read this email without warning, warrant, or notice. They may do this without any judicial or legislative oversight. You have no recourse nor protection save to call for the impeachment of President George W. Bush and Vice-President Richard Cheney, for high crimes and misdemeanors.
On 02.Jun.2006, at 11:35, blogdiva@culturekitchen.com wrote:
As I have told many a software / net artist : If a child cannot use the artwork consider the UI a failure. In the case of Drupal, you dont have to make it easy for a 6 year old to install and maintain, but you may want to think more along the lines of ... and yeah, I can be sexist about this ... cheerleaders in tight abercrombie and fitch wet tshirts wanting to make their own "suicide girls" site.
This, I insist, is the trend that's going to explode in the next 18 months.
I hit the send button too soon. One more point I want to make about demographics and usability. 57% of bloggers are women. Women tend to make communities with their blogs; which is why a big chunk of these women bloggers used to be found in LiveJournal. The two fastest growing services at the moment are MySpace and Facebook. In my chunk of the blogosphere (I am on the advisory board of BlogHer), most women are running multiple sites : a blog, a myspace, a livejournal and if they are young enough a facebook. As someone following the growing audiences of some of these women (I am writing an article about this for a major US magazine), i can see that it's becoming increasingly difficult for these power users to manage all their blogs --because the more connected they are elsewhere, the more traffic and demands of community interactivity the are getting from their commenters. In other words, MySpace and Facebook are transforming the blogosphere. People dont want to be just commenters. They want to be part of a community. I could go on and on. I'll post on my site and y'all can follow up there. Cheers, liza
blogdiva@culturekitchen.com wrote:
I hit the send button too soon.
One more point I want to make............
OMG HERE WE GO AGAIN =( You really did hit the send button too soon as you ignored good advice to just wait a couple (weeks|months|years) before sending mails that are likely to pollute a DEVELOPMENT list with flame wars. Adrian's comment had no bias for or against bloggers, women or MySpace users. He pointed out one more consideration that needs to be made when gaging the accuracy of some statistics. Please.... keep "HOW DRUPAL IS MARKETED" for your Marketing group. eof
Robert Douglass wrote:
blogdiva@culturekitchen.com wrote:
I hit the send button too soon.
One more point I want to make............
OMG HERE WE GO AGAIN =(
You really did hit the send button too soon as you ignored good advice to just wait a couple (weeks|months|years) before sending mails that are likely to pollute a DEVELOPMENT list with flame wars.
Adrian's comment had no bias for or against bloggers, women or MySpace users. He pointed out one more consideration that needs to be made when gaging the accuracy of some statistics. Please.... keep "HOW DRUPAL IS MARKETED" for your Marketing group.
Thanks for posting that. Cheers, Gerhard
Adrian is right, Liza. This isn't a limelight thing, it's a simple fact. Seriously, I understand you want an end-user support infrastructure for Drupal-the-software. But (since we been comparing to other successful projects) developers are as central to Drupal as to PHP, Linux, Perl, Eclipse, etc, etc.You want your support infrastructure to wrap around the development effort, not infiltrate it. On 6/2/06, blogdiva@culturekitchen.com <blogdiva@culturekitchen.com> wrote:
On 02.Jun.2006, at 11:09, Adrian Rossouw wrote:
also the fact that any serious developer should be using cvs to access it.
Adrian,
This comment of yours is a good example of what I mean when I say that developers in Drupal have to move away from the limelight.
Drupal may have started as a project for "serious developers" only but at this point, with the explosion of the blogosphere, the project cannot really afford to be only for "serious developers".
Earl, If not here where do we talk about specs? Aren't usability specs supposed to take into consideration not just current but also potential future users? This goes beyond just submitting a feature request. If the developers do not want to talk specs here, who do we talk to and where? Would this mean Drupal needs a specs list so as not to inconvenience the flow of code talk here? As to other points I was trying to make, I've written a post at www.lizasabater.com. /liza On 02.Jun.2006, at 12:00 PM, Earl Dunovant wrote:
Adrian is right, Liza. This isn't a limelight thing, it's a simple fact.
Seriously, I understand you want an end-user support infrastructure for Drupal-the-software. But (since we been comparing to other successful projects) developers are as central to Drupal as to PHP, Linux, Perl, Eclipse, etc, etc.You want your support infrastructure to wrap around the development effort, not infiltrate it.
Lisa If by "here" you mean this thread, then you are wrong. If you mean this mailing list, then maybe. The point Robert and Earl and others are making, and I strongly agree with, is not to hijack threads (even unintentionally) and turn them into a tirade on how Drupal has grown despite its developers and it is time to pry it out of their hands. I am one who regularly chides fellow developers if they make insensitive remarks against clueless users, but will also do so to others who do that against developers. So, go ahead and write what you propose in feature requests, DEPs, or groups.drupal.org, and then point to them here so all can discuss them. All without causing unintentional flame wars or hijacking other threads. I am sure your input this way will be appreciated. On 6/4/06, blogdiva@culturekitchen.com <blogdiva@culturekitchen.com> wrote:
Earl,
If not here where do we talk about specs? Aren't usability specs supposed to take into consideration not just current but also potential future users?
This goes beyond just submitting a feature request. If the developers do not want to talk specs here, who do we talk to and where?
Would this mean Drupal needs a specs list so as not to inconvenience the flow of code talk here?
As to other points I was trying to make, I've written a post at www.lizasabater.com.
/liza
On 02.Jun.2006, at 12:00 PM, Earl Dunovant wrote:
Adrian is right, Liza. This isn't a limelight thing, it's a simple fact.
Seriously, I understand you want an end-user support infrastructure for Drupal-the-software. But (since we been comparing to other successful projects) developers are as central to Drupal as to PHP, Linux, Perl, Eclipse, etc, etc.You want your support infrastructure to wrap around the development effort, not infiltrate it.
On 04.Jun.2006, at 09:30, Khalid B wrote:
If you mean this mailing list, then maybe.
i meant this. if by a thread here one has comments that don't have to do with code, where do we post them given the discussion started here and not elsewhere? what do you want people to do? at first thought, it seems disengenious going elsewhere; where nobody from the devel list involved in the original discussion is going to read it. but if there is a place to go where you do, then is it really groups.drupal? / liza
Here is what I wrote in my previous reply: ==== So, go ahead and write what you propose in feature requests, DEPs, or groups.drupal.org, and then point to them here so all can discuss them. All without causing unintentional flame wars or hijacking other threads. ==== There are many ways: Check this group and start a thread there. http://groups.drupal.org/usability You can post a link here for those interested. On 6/4/06, blogdiva@culturekitchen.com <blogdiva@culturekitchen.com> wrote:
On 04.Jun.2006, at 09:30, Khalid B wrote:
If you mean this mailing list, then maybe.
i meant this. if by a thread here one has comments that don't have to do with code, where do we post them given the discussion started here and not elsewhere? what do you want people to do? at first thought, it seems disengenious going elsewhere; where nobody from the devel list involved in the original discussion is going to read it. but if there is a place to go where you do, then is it really groups.drupal?
/ liza
will do. On 04.Jun.2006, at 02:30 PM, Khalid B wrote:
Here is what I wrote in my previous reply:
==== So, go ahead and write what you propose in feature requests, DEPs, or groups.drupal.org, and then point to them here so all can discuss them. All without causing unintentional flame wars or hijacking other threads. ====
There are many ways:
Check this group and start a thread there. http://groups.drupal.org/usability
You can post a link here for those interested.
On 6/4/06, blogdiva@culturekitchen.com <blogdiva@culturekitchen.com> wrote:
On 04.Jun.2006, at 09:30, Khalid B wrote:
If you mean this mailing list, then maybe.
i meant this. if by a thread here one has comments that don't have to do with code, where do we post them given the discussion started here and not elsewhere? what do you want people to do? at first thought, it seems disengenious going elsewhere; where nobody from the devel list involved in the original discussion is going to read it. but if there is a place to go where you do, then is it really groups.drupal?
/ liza
On 04 Jun 2006, at 20:12, blogdiva@culturekitchen.com wrote:
i meant this. if by a thread here one has comments that don't have to do with code, where do we post them given the discussion started here and not elsewhere? what do you want people to do? at first thought, it seems disengenious going elsewhere; where nobody from the devel list involved in the original discussion is going to read it. but if there is a place to go where you do, then is it really groups.drupal?
You can post it here (or elsewhere), as long you create a new thread. -- Dries Buytaert :: http://www.buytaert.net/
Ah! That should have been obvious to me. Too much sleep deprivation. Thanx Dries. On 04.Jun.2006, at 03:00 PM, Dries Buytaert wrote:
On 04 Jun 2006, at 20:12, blogdiva@culturekitchen.com wrote:
i meant this. if by a thread here one has comments that don't have to do with code, where do we post them given the discussion started here and not elsewhere? what do you want people to do? at first thought, it seems disengenious going elsewhere; where nobody from the devel list involved in the original discussion is going to read it. but if there is a place to go where you do, then is it really groups.drupal?
You can post it here (or elsewhere), as long you create a new thread.
-- Dries Buytaert :: http://www.buytaert.net/
c'mon down to groups.drupal.org - the water's fine! Dan
On 04 Jun 2006, at 20:12, blogdiva@culturekitchen.com wrote:
i meant this. if by a thread here one has comments that don't have to do with code, where do we post them given the discussion started here and not elsewhere? what do you want people to do? at first thought, it seems disengenious going elsewhere; where nobody from the devel list involved in the original discussion is going to read it. but if there is a place to go where you do, then is it really groups.drupal?
You can post it here (or elsewhere), as long you create a new thread.
-- Dries Buytaert :: http://www.buytaert.net/
That's not what that last post was about. How are usability specs related to developers being in the limelight? Especially when said developers have done a lot of usability research, and have been seeking out usability information since 4.6 (admittedly, I have been AWOL in the discussion)? I'm not trying to blow this up...I'm trying to suggest a better approach for you, because challenging obviously ain't working. You need a frozen API to address the developers, not the code, know what I'm saying? Because If the guiding principle of coding Drupal was anything other than it was, it is VERY unlikely you would be using it right now. I know I wouldn't. On 6/4/06, blogdiva@culturekitchen.com <blogdiva@culturekitchen.com> wrote:
Earl,
If not here where do we talk about specs? Aren't usability specs supposed to take into consideration not just current but also potential future users?
On 6/2/06, blogdiva@culturekitchen.com <blogdiva@culturekitchen.com> wrote:
On 02.Jun.2006, at 11:09, Adrian Rossouw wrote:
also the fact that any serious developer should be using cvs to access it.
This comment of yours is a good example of what I mean when I say that developers in Drupal have to move away from the limelight.
Drupal may have started as a project for "serious developers" only but at this point, with the explosion of the blogosphere, the project cannot really afford to be only for "serious developers".
I think you're putting words into Adrian's mouth. He's right, if you're a "serious developer" you'll already be using CVS, if only because it's the easiest way to keep up with the changes. Now you're welcome to debate whether we should be encouraging users to update via CVS. It is more complicated to setup the first time but once that's done it's a whole lot faster than downloading and unpacking and possibly over writing your local modifications. I've got 5 different Drupal installations and when the security alert went out, I logged into each server ran "cvs up" getting them all updated in less than 5 minutes. andrew
On 02 Jun 2006, at 17:35, blogdiva@culturekitchen.com wrote:
Drupal may have started as a project for "serious developers" only but at this point, with the explosion of the blogosphere, the project cannot really afford to be only for "serious developers".
With every release, we've been making Drupal easier to use, easier to install, and easier to upgrade. Sure it can be made a lot easier, but it takes quite a bit of work. In any event, developers will continue to use CVS and patch. If you know what you are doing, it is the best tool for the job. -- Dries Buytaert :: http://www.buytaert.net/
People could be downloading 4.7 for sandbox fun only. No need to apply security fixes if the version isn¹t ever going into production. What better measure is there of use than the number who apply security patches? Of course, foolish admins who don¹t fix security bugs do skew that data, sadly. I¹d be curious to see how the numbers change if Drupal had a version check on the admin section of each installation (like phpBB). If admins had a clear warning they were using an insecure version, the security patch metric probably would be a pretty good indication of production use. -Peter On 2006/06/02 10:13 AM, "Corey Bordelon" <corey.bordelon@gmail.com> wrote:
On 6/2/06, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
Corey Bordelon wrote:
Considering that the bugfix was released yesterday, I think it may be to early to tell if people are forgetting to do the security updates or not.
The 4.7.1 bugfix is out for a week.
Sorry. I meant for 4.7.2
I noticed that you don't have the stats for the 4.7.0 release. It would be interesting to see how many downloaded it compared to 4.7.1.
36693 for May
Combining the number of downloads for both bugfixes (some may not have had time to update to 4.7.1, but just went straight to 4.7.2), it comes out to 9406. That means that only 25% of the people that installed Drupal 4.7.0 in May are following up with the security fixes.
Of course that's not taking into account the good adminstrators that did the actual updates when they should have (duplicates in the numbers).
I'm sorry if the number cruncher in me is taking over and saying the obvious, I can't help it.
Corey Bordelon wrote:
On 6/2/06, *Gerhard Killesreiter* <gerhard@killesreiter.de <mailto:gerhard@killesreiter.de>> wrote: > I noticed that you don't have the stats for the 4.7.0 release. It > would be > interesting to see how many downloaded it compared to 4.7.1.
36693 for May Combining the number of downloads for both bugfixes (some may not have had time to update to 4.7.1, but just went straight to 4.7.2), it comes out to 9406. That means that only 25% of the people that installed Drupal 4.7.0 in May are following up with the security fixes.
Statistically speaking, it does not. Probably the easiest way to "patch" is to get 4.7.2 and overwrite everything. We don't have any data on how many people are doing that (and can't get that data anyhow). -- ------------------------------------------- John Handelaar E john@handelaar.org T +353 21 427 9033 M +353 85 748 3790 http://handelaar.org ------------------------------------------- Work in progress: http://dev.vocalvoter.com -------------------------------------------
On Jun 2, 2006, at 8:45 AM, John Handelaar wrote:
Probably the easiest way to "patch" is to get 4.7.2 and overwrite everything.
I recommended that Drupal 4.7 ship with a Patches directory. In interviews with administrators we found that it was taking from 20 hours to 40 hours to upgrade Drupal when you factored in absolutely everything including feature requests, testing, user training etc. One of the reasons was that so many people had patched Drupal. By adding a patches directory we encourage people running Drupal sites to keep a set of patches that most likely apply against security releases easily. If we did add a patches directory it would make it easier to recommend what John is suggesting. Kieran
On 02 Jun 2006, at 17:45, John Handelaar wrote:
Statistically speaking, it does not.
Probably the easiest way to "patch" is to get 4.7.2 and overwrite everything. We don't have any data on how many people are doing that (and can't get that data anyhow).
It was suggested that, on clean Drupal installations, we automatically enable the aggregator.module, that we subscribe it to the 'Drupal security announcement' feed, and that we show a 'Drupal security announcement' block on some or all administration pages. This might be a simple but effective step towards a better notification mechanism. Maybe we should cook up a patch for this, and continue the discussion in the issue tracker. -- Dries Buytaert :: http://www.buytaert.net/
-----Original Message----- From: Dries Buytaert [mailto:dries.buytaert@gmail.com] Sent: Friday, June 02, 2006 11:50 AM To: development@drupal.org Subject: Re: [development] Download statistics for core
It was suggested that, on clean Drupal installations, we automatically enable the aggregator.module, that we subscribe it to the 'Drupal security announcement' feed, and that we show a 'Drupal security announcement' block on some or all administration pages. This might be a simple but effective step towards a better notification mechanism.
This is a GREAT idea. It's worth noting that most other CMS systems, including WordPress, do this in their administration sections. The only trick, I think, is Aggregator.module's dependence on cron. Until a user configures that bit of the system, they won't get any security announcements. --Jeff
including WordPress, do this in their administration sections. The only trick, I think, is Aggregator.module's dependence on cron. Until a user configures that bit of the system, they won't get any security announcements.
Maybe the initial install could also give you an initial cron run? --mark
Jeff Eaton wrote:
It was suggested that, on clean Drupal installations, we automatically enable the aggregator.module, that we subscribe it to the 'Drupal security announcement' feed, and that we show a 'Drupal security announcement' block on some or all administration pages. This might be a simple but effective step towards a better notification mechanism.
It is certainly a step in the right direction.
This is a GREAT idea. It's worth noting that most other CMS systems, including WordPress, do this in their administration sections. The only trick, I think, is Aggregator.module's dependence on cron. Until a user configures that bit of the system, they won't get any security announcements.
We could instruct the user to invoke cron.php manually after update. The installer could run cron.php after completing the installation. Cheers, Gerhard
Gerhard Killesreiter wrote:
This is a GREAT idea. It's worth noting that most other CMS systems, including WordPress, do this in their administration sections. The only trick, I think, is Aggregator.module's dependence on cron. Until a user configures that bit of the system, they won't get any security announcements.
We could instruct the user to invoke cron.php manually after update. The installer could run cron.php after completing the installation.
Cheers, Gerhard
The concept of an administration block that shows up when patches are available is a good one, especially if a default Drupal install had it enabled for the administrator out of the box. To work through some of the dependence on sites running cron, I propose that this same block also show a notice if cron has not been run in over two weeks (or some reasonable time frame that is measured in days and not hours). The block would alert the admin to the fact that cron has not run since date DD MMM, YYYY and provide a link to click to check for security updates. That link could kick off cron. There is an issue of the user than expecting a response quickly (which cron does not necessarily provide). It also assumes that Drupal stores the time/date of the last successful cron run. If it does not, that's an easy patch. I'd find this useful personally in two ways. First, in the context described here it would help catch the cases where an admin would miss security updates because the aggregator did not run to draw down the RSS feed of the updates. Second, I've made the same mistake several times across the Drupal based sites I manage. I've typically forgotten to modify cron-lynx.sh to point to my site and not www.example.com, and I forget to make the change until I notice that cron-driven content is a week or three out of date. I've since moved cron-lynx.sh out of the Drupal tree - this sort of admin warning that cron is not running would have helped me catch what is a slightly embarrassing mistake. Hopefully it's not just me making it. :) Scott
Scott McLewin wrote:
Gerhard Killesreiter wrote:
This is a GREAT idea. It's worth noting that most other CMS systems, including WordPress, do this in their administration sections. The only trick, I think, is Aggregator.module's dependence on cron. Until a user configures that bit of the system, they won't get any security announcements.
We could instruct the user to invoke cron.php manually after update. The installer could run cron.php after completing the installation.
The concept of an administration block that shows up when patches are available is a good one, especially if a default Drupal install had it enabled for the administrator out of the box.
To work through some of the dependence on sites running cron, I propose that this same block also show a notice if cron has not been run in over two weeks (or some reasonable time frame that is measured in days and not hours).
++
The block would alert the admin to the fact that cron has not run since date DD MMM, YYYY and provide a link to click to check for security updates. That link could kick off cron. There is an issue of the user than expecting a response quickly (which cron does not necessarily provide). It also assumes that Drupal stores the time/date of the last successful cron run. If it does not, that's an easy patch.
It does store the dates of watchdog events.
I'd find this useful personally in two ways. First, in the context described here it would help catch the cases where an admin would miss security updates because the aggregator did not run to draw down the RSS feed of the updates. Second, I've made the same mistake several times across the Drupal based sites I manage. I've typically forgotten to modify cron-lynx.sh to point to my site and not www.example.com, and I forget to make the change until I notice that cron-driven content is a week or three out of date. I've since moved cron-lynx.sh out of the Drupal tree - this sort of admin warning that cron is not running would have helped me catch what is a slightly embarrassing mistake. Hopefully it's not just me making it. :)
I think this would be a useful extension of the patch. I suggest somebody open an issue and collect ideas there (if there isn't already one, please check that before). Cheers, Gerhard
This makes me think that there are really two types of scheduled tasks in Drupal; those that need to happen even if the site is inactive (sending a mail queue), and those that only need to happen if people are visiting the site. Poormans cron does a great job of the latter, but can't guarantee the former on a low-traffic site. An elaborate but potentially very useful (and user-friendly) route to take would be to make this distinction and introduce a hook_tasks or something similar to complement cron. This would basically be the poormans cron module reimplemented to call hook_tasks instead of hook_cron. Thus we could use cron for stuff that really needs it (mail, backups) and hook_task for stuff that *has to work* with or without cron, and is only relevant when somebody is looking at the site. Thus, the aggregator feeds could be run on hook_task. Jeff Eaton wrote:
This is a GREAT idea. It's worth noting that most other CMS systems, including WordPress, do this in their administration sections. The only trick, I think, is Aggregator.module's dependence on cron. Until a user configures that bit of the system, they won't get any security announcements.
--Jeff
Op vrijdag 2 juni 2006 19:19, schreef Jeff Eaton:
-----Original Message----- From: Dries Buytaert [mailto:dries.buytaert@gmail.com] Sent: Friday, June 02, 2006 11:50 AM To: development@drupal.org Subject: Re: [development] Download statistics for core
It was suggested that, on clean Drupal installations, we automatically enable the aggregator.module, that we subscribe it to the 'Drupal security announcement' feed, and that we show a 'Drupal security announcement' block on some or all administration pages. This might be a simple but effective step towards a better notification mechanism.
This is a GREAT idea. It's worth noting that most other CMS systems, including WordPress, do this in their administration sections. The only trick, I think, is Aggregator.module's dependence on cron. Until a user configures that bit of the system, they won't get any security announcements.
What we do on sympal, is almost similar, be it, that I have a custom block showing the full latest entry of a feed, in a custom block. I use if to show tips to users, and they seem to like this. So, this idea is not only simple, I am confident that it will be appreciated a lot. Bèr
Gerhard Killesreiter wrote:
The patches have been downloaded:
http://drupal.org/files/sa-2006-005/4.7.0.patch 1926 http://drupal.org/files/sa-2006-005/4.6.6.patch 1193
http://drupal.org/files/sa-2006-006/4.7.0.patch 1122
Numbers for May.
I am not sure how to interpret this numbers. They either indicate that only a small percentage of the people who download Drupal actually build a site with it or that we need to rais security awareness...
Gerhard, I encouraged people in the Hungarian community to download the new Drupal version, and upgrade to that, and forget about the patch. The new version fixes more bugs, which people are interested in, so it is much better to put time into updating to that then applying the patch IMHO. Goba
Gabor Hojtsy wrote:
Gerhard Killesreiter wrote:
The patches have been downloaded:
http://drupal.org/files/sa-2006-005/4.7.0.patch 1926 http://drupal.org/files/sa-2006-005/4.6.6.patch 1193
http://drupal.org/files/sa-2006-006/4.7.0.patch 1122
Numbers for May.
I am not sure how to interpret this numbers. They either indicate that only a small percentage of the people who download Drupal actually build a site with it or that we need to rais security awareness...
Gerhard, I encouraged people in the Hungarian community to download the new Drupal version, and upgrade to that, and forget about the patch. The new version fixes more bugs, which people are interested in, so it is much better to put time into updating to that then applying the patch IMHO.
You are of course right. But the download numbers for 4.7.1 and 4.6.7 weren't particularly high either. Especially for 4.6.7 I had hoped for more. BTW, will you update the POT files for 4.7 or should I? Cheers, Gerhard
participants (19)
-
Adrian Rossouw -
andrew morton -
blogdiva@culturekitchen.com -
Bèr Kessels -
Corey Bordelon -
Dan Robinson -
Dries Buytaert -
Dries Buytaert -
Earl Dunovant -
Gabor Hojtsy -
Gerhard Killesreiter -
Jeff Eaton -
John Handelaar -
Khalid B -
Kieran Lal -
mark burdett -
Peter Kowalke -
Robert Douglass -
Scott McLewin