On 2/4/12 3:50 PM, Dave Stevens wrote:
Quoting Richard Damon Richard@Damon-Family.org:
On 2/4/12 1:28 PM, Dave Stevens wrote:
Dear All,
Recently I got an email from my Drupal 7.10 site informing me that there was an update available to version 7.12. The link took me to a pink-hued page where I was told that it was advisable to correct a security problem by upgrading to 7.12. I am then informed that there is no automated upgrade, but that instructions are available to manually back up files and databases and then carry on with a manual upgrade.
I see this as a real issue with the design of Drupal. It is all very well to find vulnerabilities and announce them, with fixes, but if there is no simple, automated way to apply the fixes there will inevitably be a lot of unpatched CMSs out there running outdated and known-vulnerable versions of Drupal.
The developers may, for all I know, be working hard on an automated update and patch mechanism. Can anyone tell me if this is the case? Am I doomed to continue manually applying security fixes as long as I persist with Drupal? I dumped Win95 a long time ago and have really no wish to regress this way.
Dave
Drupal has problems updating itself: while it is updating itself it needs to be present, but one step of an update is to remove the current set of core files. Drush, the Drupal command-line tool, being somewhat separate from the Drupal core, is able to do an update mostly autonomously (Drush does use parts of core for other operations). With Drush it is fairly easy to apply the update.
You really don't want an update like this to happen "automatically", only on command, as you REALLY want to know when an update has happened in order to understand possible sources of strangeness (if it happens shortly after an upgrade, you want to check whether it is a known issue with the upgrade; if you haven't done an upgrade recently, it is probably something else you did recently), and to make sure you have done the appropriate backups before doing the upgrade.
-- Richard Damon
-- [ Drupal support list | http://lists.drupal.org/ ]
I partly agree. I don't want a major unattended upgrade going on, certainly. But if I get a message about a security issue and a proposed path forward, I'd like to, for example, make a tarball of the whole site, DBs and everything else (easy), then be able to push the button and say GO to the upgrade without having to bit-twiddle. So a scripted upgrade and some kind of rollback mechanism would, I think, be vastly preferable to excluding site maintainers from upgrading for fear of breaking something, and so choosing to leave the current version in place, security holes and all.
Just to add some realism to this, is there an estimate of how many sites are running versions with security issues still in place? So, for example, how many sites are running D6, say?
Dave
With drush, once you have your backup, you just need to execute
drush up
and Drush will install the core and module updates, then run the update script. This is pretty close to "just push the button"; the only difference is that it is a shell command, not a control on a web page.
As to usage information on old/outdated versions: Drupal actually does gather some of this information with the update module, and it can be seen at http://drupal.org/project/usage/drupal
Now, as to looking down on D6 installs: D6 is still actively maintained, so just running D6 isn't a security risk, and there are good reasons not to migrate a working site from D6 to D7 just to be "current" (not all the modules are updated yet, for one).
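A scripted version of the "back up, then drush up" step discussed above, as an added example that is not from this thread, the Drupal project or the Drush project: it snapshots the site tree and database, runs drush up, and restores the snapshot if the update fails. The site path, the backup directory, the use of tar for the tree and drush sql-dump / sql-drop / sql-cli for the database (sql-drop assumed available in the installed Drush), and the "go" argument are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread or the Drush project): back up, then
# "drush up", and roll back the code tree and database if the update fails.
# Assumed: SITE is the Drupal root, drush is on PATH and can reach the
# site's database (used for sql-dump / sql-drop / sql-cli).
set -eu

SITE="${SITE:-/var/www/drupal}"
BACKUP_DIR="${BACKUP_DIR:-${HOME:-/tmp}/drupal-backups}"

# Snapshot the code tree (tarball) and the database (SQL dump) into a
# timestamped directory; print that directory so callers can roll back.
backup_site() {
    dest="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    # tool chatter goes to stderr so stdout carries only the path
    tar -C "$(dirname "$SITE")" -czf "$dest/files.tar.gz" "$(basename "$SITE")" >&2
    (cd "$SITE" && drush sql-dump --result-file="$dest/db.sql") >&2
    printf '%s\n' "$dest"
}

# Put the tree and the database back exactly as they were in the snapshot.
# The (possibly half-updated) tree is discarded; the snapshot stays on disk.
rollback_site() {
    dest="$1"
    rm -rf "$SITE"
    tar -C "$(dirname "$SITE")" -xzf "$dest/files.tar.gz"
    (cd "$SITE" && drush sql-drop -y && drush sql-cli < "$dest/db.sql")
}

# "Push the button": snapshot, then let drush up install core and module
# updates and run the update script; roll back on any failure.
# Returns 0 on success, 1 if the update failed and the snapshot was restored.
upgrade_site() {
    dest="$(backup_site)"
    if (cd "$SITE" && drush up -y); then
        echo "update succeeded; snapshot kept at $dest"
        return 0
    fi
    echo "update failed; restoring snapshot from $dest" >&2
    rollback_site "$dest"
    return 1
}

# Runs only when invoked as: SITE=/path/to/drupal sh drupal-up.sh go
if [ "${1:-}" = "go" ]; then
    upgrade_site
fi
```

The snapshot is taken before anything is touched and is never deleted by the script, so even a "successful" update that later turns out to be a problem (the strangeness-after-upgrade case above) can be undone with rollback_site and the printed directory; the one thing this does not cover is a database that kept changing between the failed update and the rollback, which is why the upgrade should still be run on command, at a quiet moment, rather than unattended.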