Automatic Updates/Upgades
Hi Everybody Has anyone thought about automatic updates/upgrades to the Drupal core? If not, I would implement it. Excuse me if there is already a conversation going on about this--I am new here. Gaelan
If you have drush, you can run `drush pm-update` to automatically update core and contrib. I'm not sure if I'd build in automatic updating of core in Drupal, though, since it's a bit more complex than updating a module and many more things can go wrong. Todd On 1 Sep 2011, at 13:36, Gaelan Bright Steele wrote:
Hi Everybody Has anyone thought about automatic updates/upgrades to the Drupal core? If not, I would implement it. Excuse me if there is already a conversation going on about this--I am new here. Gaelan
I see. I got the idea from WordPress, which knows how to automatically update itself. On Sep 1, 2011, at 10:46 AM, Todd wrote:
If you have drush, you can run `drush pm-update` to automatically update core and contrib.
I'm not sure if I'd build in automatic updating of core in Drupal, though, since it's a bit more complex than updating a module and many more things can go wrong.
Todd
On 1 Sep 2011, at 13:36, Gaelan Bright Steele wrote:
Hi Everybody Has anyone thought about automatic updates/upgrades to the Drupal core? If not, I would implement it. Excuse me if there is already a conversation going on about this--I am new here. Gaelan
Sincerely, Gaelan
Automatic update of core + potential for malicious code getting uploaded to the source repos = very nice recipe for taking over a huge amount of the web! WordPress and Debian have both had bad stuff uploaded to their repositories. It could happen to Drupal too. For that reason alone I think auto-updating is a really bad idea -- it makes for a very nice target for an attacker! Here's how an attack might play out: 1. Attacker plants some keylogger on a core committer's machine, captures their credentials. 2. Attacker builds an exploit and uploads it to Core, immediately before the default update check time for sites set to UTC or some large time zone. 3. All sites configured for auto-update download the new exploit. 4. Exploit changes the update source to their own malicious repository. 5. Millions of exploited web sites are now at the attacker's disposal -- done right, huge numbers of site admins would never realize their sites were compromised. This would not be difficult to do -- all you need to do is get the credentials for one person with appropriate access. And while it would certainly be discovered and caught, it could do some pretty widespread damage in a short amount of time, and leave a bunch of compromised sites out there available to do far more damage than your ordinary Windows bot-net... Ugh. No thanks. Cheers, John Locke http://freelock.com On 09/01/2011 11:03 AM, Gaelan Bright Steele wrote:
I see. I got the idea from WordPress, which knows how to automatically update itself. On Sep 1, 2011, at 10:46 AM, Todd wrote:
If you have drush, you can run `drush pm-update` to automatically update core and contrib.
I'm not sure if I'd build in automatic updating of core in Drupal, though, since it's a bit more complex than updating a module and many more things can go wrong.
Todd
On 1 Sep 2011, at 13:36, Gaelan Bright Steele wrote:
Hi Everybody Has anyone thought about automatic updates/upgrades to the Drupal core? If not, I would implement it. Excuse me if there is already a conversation going on about this--I am new here. Gaelan
Sincerely, Gaelan
!DSPAM:4e5fcd1d186229553215262!
-- John Locke Manager, Freelock Computing The Open Source for Business Solutions http://www.freelock.com john@freelock.com 206-579-4836
It's not just the possibility of an attack that would be bad for Drupal. Given the amount of Drupal sites that are existence and playing devil's advocate for a bit, let's say that just 5% of them have been tweaked in such a manner that a core update will break them. If we do auto-updates this could result in Drupal garnering attention that it doesn't want. Regards, Jonathan Dale On Sep 1, 2011, at 1:40 PM, John Locke wrote:
Automatic update of core + potential for malicious code getting uploaded to the source repos = very nice recipe for taking over a huge amount of the web!
WordPress and Debian have both had bad stuff uploaded to their repositories. It could happen to Drupal too. For that reason alone I think auto-updating is a really bad idea -- it makes for a very nice target for an attacker!
Here's how an attack might play out:
1. Attacker plants some keylogger on a core committer's machine, captures their credentials. 2. Attacker builds an exploit and uploads it to Core, immediately before the default update check time for sites set to UTC or some large time zone. 3. All sites configured for auto-update download the new exploit. 4. Exploit changes the update source to their own malicious repository. 5. Millions of exploited web sites are now at the attacker's disposal -- done right, huge numbers of site admins would never realize their sites were compromised.
This would not be difficult to do -- all you need to do is get the credentials for one person with appropriate access. And while it would certainly be discovered and caught, it could do some pretty widespread damage in a short amount of time, and leave a bunch of compromised sites out there available to do far more damage than your ordinary Windows bot-net...
Ugh. No thanks.
Cheers, John Locke http://freelock.com
On 09/01/2011 11:03 AM, Gaelan Bright Steele wrote:
I see. I got the idea from WordPress, which knows how to automatically update itself. On Sep 1, 2011, at 10:46 AM, Todd wrote:
If you have drush, you can run `drush pm-update` to automatically update core and contrib.
I'm not sure if I'd build in automatic updating of core in Drupal, though, since it's a bit more complex than updating a module and many more things can go wrong.
Todd
On 1 Sep 2011, at 13:36, Gaelan Bright Steele wrote:
Hi Everybody Has anyone thought about automatic updates/upgrades to the Drupal core? If not, I would implement it. Excuse me if there is already a conversation going on about this--I am new here. Gaelan
Sincerely, Gaelan
!DSPAM:4e5fcd1d186229553215262!
-- John Locke Manager, Freelock Computing The Open Source for Business Solutions http://www.freelock.com john@freelock.com 206-579-4836
On 1 Set 2011 19h40 WEST, john@freelock.com wrote:
Automatic update of core + potential for malicious code getting uploaded to the source repos = very nice recipe for taking over a huge amount of the web!
WordPress and Debian have both had bad stuff uploaded to their repositories. It could happen to Drupal too. For that reason alone I think auto-updating is a really bad idea -- it makes for a very nice target for an attacker!
Add kernel.org to that list also.
Here's how an attack might play out:
1. Attacker plants some keylogger on a core committer's machine, captures their credentials. 2. Attacker builds an exploit and uploads it to Core, immediately before the default update check time for sites set to UTC or some large time zone. 3. All sites configured for auto-update download the new exploit. 4. Exploit changes the update source to their own malicious repository. 5. Millions of exploited web sites are now at the attacker's disposal -- done right, huge numbers of site admins would never realize their sites were compromised.
This would not be difficult to do -- all you need to do is get the credentials for one person with appropriate access. And while it would certainly be discovered and caught, it could do some pretty widespread damage in a short amount of time, and leave a bunch of compromised sites out there available to do far more damage than your ordinary Windows bot-net...
There's also the issue that when invoking a hook_update_N() some schema change might happen so that your site stops working correctly. What then? To roll back you need a DB dump. Also the update procedure could fail and you'll have a potentially dysfunctional site between the auto-update and you detecting the malfunction. --- appa
António P. P. Almeida wrote:
Add kernel.org to that list also.
The Linux kernel repositories were not compromised, they are cryptographically signed by most of the committers. The servers were compromised, but that's something entirely different. John Locke wrote:
Automatic update of core + potential for malicious code getting uploaded to the source repos = very nice recipe for taking over a huge amount of the web!
This whole scenario is so laughable it's quite ridiculous.
WordPress and Debian have both had bad stuff uploaded to their repositories. It could happen to Drupal too. For that reason alone I think auto-updating is a really bad idea -- it makes for a very nice target for an attacker!
At least in the case of Wordpress, it's not known if the exploits were ever even deployed to any sites, let alone actually used.
1. Attacker plants some keylogger on a core committer's machine, captures their credentials. 2. Attacker builds an exploit and uploads it to Core, immediately before the default update check time for sites set to UTC or some large time zone. 3. All sites configured for auto-update download the new exploit. 4. Exploit changes the update source to their own malicious repository. 5. Millions of exploited web sites are now at the attacker's disposal -- done right, huge numbers of site admins would never realize their sites were compromised.
If an attacker had physical or remote access to the core committers machine, they could perform the exploit from there, otherwise they would primarily need to steal the SSH key to commit to git, and create a tag for a new release there. Secondly, they would need the d.o credentials in order to create the release node on d.o and publish it. Even still this information takes a small amount of time to be available since the update status servers on d.o are heavily cached. If no one in the Drupal community noticed a new, random core release when none was planned in the amount of time it takes for the packaging script to run, node to be published, and caches to be flushed, one could safely assume that the zombie apocalypse has come, and taking over the internet is of no consequence to mankind.
This would not be difficult to do -- all you need to do is get the credentials for one person with appropriate access.
I don't think anyone is really suggesting that core auto-update itself. The current update mechanism is manual, since it doesn't store the credentials used for the update, it requires them to entered each time updates are performed. -Mike -- __________________ Michael Prasuhn 503.512.0822 office mike@mikeyp.net http://mikeyp.net
On Thu, Sep 1, 2011 at 6:41 PM, Michael Prasuhn <mike@mikeyp.net> wrote: <snip sound stuff> Mikey had a lot of great input on this topic and what is/isn't safe. I'll just add that there are a few other ways someone could try to mess with our code and there are protections and monitoring toosl in place to prevent those from happening and create alarms if they do happen. So, yeah, this is a desirable feature, and work is continuing at http://drupal.org/node/606592 Thanks! Greg -- Greg Knaddison, Security Services Mobile: 720-310-5623 Skype: greg.knaddison | Twitter: @greggles | LinkedIn Acquia
This discussion belongs in "Support" not Development. Frankly, I won't auto-update anything; I test it first. Nancy Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
________________________________ From: Todd
If you have drush, you can run `drush pm-update` to automatically update core and contrib.
I'm not sure if I'd build in automatic updating of core in Drupal, though, since it's a bit more complex than updating a module and many more things can go wrong.
On 9/1/11 10:36 AM, Gaelan Bright Steele wrote:
Hi Everybody Has anyone thought about automatic updates/upgrades to the Drupal core? If not, I would implement it. Excuse me if there is already a conversation going on about this--I am new here. Gaelan
There is ongoing discussion about this feature at http://drupal.org/node/606592. If you'd like to help out with patches, that's the place to start! -Angie
participants (9)
-
António P. P. Almeida -
Gaelan Bright Steele -
Greg Knaddison -
John Locke -
Jonathan Dale -
Michael Prasuhn -
Ms. Nancy Wichmann -
Todd -
webchick