Dear All,
Recently I got an email from my drupal 7.10 site informing me that there was an update available to version 7.12. The link took me to a pink hued page where I was told that it was advisable to correct a security problem by upgrading to 7.12. I am then informed that there is no automated upgrade, but that instructions are available to manually back up files and databases then carry on with a manual upgrade.
I see this as a real issue with the design of Drupal. It is all very well to find vulnerabilities and announce them, with fixes, but if there is no simple, automated way to apply the fixes there will inevitably be a lot of unpatched cms's out there running outdated and known-vulnerable versions of Drupal.
The developers may, for all I know, be working hard on an automated update and patch mechanism. Can anyone tell me if this is the case? Am I doomed to continue manually applying security fixes as long as I persist with Drupal? I dumped Win95 a long time ago and have really no wish to regress this way.
Dave
Automated updates are a tricky thing, because they might break things in contributed modules. I have a development and a production site of each of my sites. I first update the development site, run a few pre-defined checks, and then update the production site. And if something broke on the development site, I first look for a fix. And yes, things do break.
I use drush for backup and updates, just a couple of commands, no time-consuming pointy-clicky business.
Ursula
On Sat, Feb 4, 2012 at 10:28 AM, Dave Stevens geek@uniserve.com wrote:
Dear All,
Recently I got an email from my drupal 7.10 site informing me that there was an update available to version 7.12. The link took me to a pink hued page where I was told that it was advisable to correct a security problem by upgrading to 7.12. I am then informed that there is no automated upgrade, but that instructions are available to manually back up files and databases then carry on with a manual upgrade.
I see this as a real issue with the design of Drupal. It is all very well to find vulnerabilities and announce them, with fixes, but if there is no simple, automated way to apply the fixes there will inevitably be a lot of unpatched cms's out there running outdated and known-vulnerable versions of Drupal.
The developers may, for all I know, be working hard on an automated update and patch mechanism. Can anyone tell me if this is the case? Am I doomed to continue manually applying security fixes as long as I persist with Drupal? I dumped Win95 a long time ago and have really no wish to regress this way.
Dave
-- It is told that such are the aerodynamics and wing loading of the bumblebee that, in principle, it cannot fly...if all this be true...life among bumblebees must bear a remarkable resemblance to life in the United States.
-- John Kenneth Galbraith, in American Capitalism: The Concept of Countervailing Power
-- [ Drupal support list | http://lists.drupal.org/ ]
Quoting Ursula Pieper dramamezzo@gmail.com:
Automated updates are a tricky thing, because they might break things in contributed modules. I have a development and a production site of each of my sites. I first update the development site, run a few pre-defined checks, and then update the production site. And if something broke on the development site, I first look for a fix. And yes, things do break.
Thanks for this. I am not a developer of contributed modules, so I am not sure about such issues. But it makes me wonder about the state of documentation for modules. It seems it would be very useful to have clear statements about coding standards and perhaps some automated verification of the module. I mean apart from 'run it and see how hard it breaks.' Static programming languages have long faced the issues of clear definitions of the actions evoked by statements and have an elaborate structure of checking to improve confidence in the results. Of course, from my newbie perspective, I have no way to know if the internal structure and design of the core is sufficiently stable and clear to form an adequate basis for such an effort. Is it? And are standards in the browser and server ecosystem clear enough?
Dave
I use drush for backup and updates, just a couple of commands, no time-consuming pointy-clicky business.
Ursula
Hi, having spent the last few days building a new Centos 6.2 (RHEL 6) webserver and migrating 5 low-traffic Drupal virtual sites to it - successfully, now looking to use the old server as a development machine. Brain is a bit worn out so this may seem a silly question, but how can I access the development machine sites? Localhost just gives me the first Apache default listed site, and using the domain names takes me to the new server. Tried listening on a different port, didn't help, nor did using 127.0.0.1 - loopback. Must be an easier way than setting up a local DNS server and changing development machine domain names.
Suggestions please.
Alison
On Sat, Feb 4, 2012 at 5:26 PM, Alison alison@ssrv.org.au wrote:
Hi, having spent the last few days building a new Centos 6.2 (RHEL 6) webserver and migrating 5 low-traffic Drupal virtual sites to it - successfully, now looking to use the old server as a development machine. Brain is a bit worn out so this may seem a silly question, but how can I access the development machine sites? Localhost just gives me the first Apache default listed site, and using the domain names takes me to the new server. Tried listening on a different port, didn't help, nor did using 127.0.0.1 - loopback. Must be an easier way than setting up a local DNS server and changing development machine domain names.
Suggestions please.
Add your dev sites to the /etc/hosts file.
127.0.0.1 dev.site1.com
127.0.0.1 dev.site2.com
etc.
How are you accessing the dev sites? I mean are you using a browser housed on the same host as the server or are you accessing from a different client? You'll need to add the same entries in the client hosts file, if that is a windows PC it will be something like c:\windows\system32\drivers\etc\hosts.
You can download MAMP / XAMPP or WAMP for free. Follow the instructions and you can access any (dev) site. Will take you about 15 minutes.
Regards,
Eljay
On Sun, Feb 5, 2012 at 2:46 AM, Earnie Boyd earnie@users.sourceforge.net wrote:
On Sat, Feb 4, 2012 at 5:26 PM, Alison alison@ssrv.org.au wrote:
Hi, having spent the last few days building a new Centos 6.2 (RHEL 6) webserver and migrating 5 low-traffic Drupal virtual sites to it - successfully, now looking to use the old server as a development machine. Brain is a bit worn out so this may seem a silly question, but how can I access the development machine sites? Localhost just gives me the first Apache default listed site, and using the domain names takes me to the new server. Tried listening on a different port, didn't help, nor did using 127.0.0.1 - loopback. Must be an easier way than setting up a local DNS server and changing development machine domain names.
Suggestions please.
Add your dev sites to the /etc/hosts file.
127.0.0.1 dev.site1.com
127.0.0.1 dev.site2.com
etc.
How are you accessing the dev sites? I mean are you using a browser housed on the same host as the server or are you accessing from a different client? You'll need to add the same entries in the client hosts file, if that is a windows PC it will be something like c:\windows\system32\drivers\etc\hosts.
-- Earnie
-- https://sites.google.com/site/earnieboyd
For Windows machines, I suggest using Acrylic DNS proxy to handle the DNS for multiple sites. I've got info on it here:
http://drupal.org/node/32715#comment-2579138
Basically all my client sites on the devel machine get the TLD .dev (i.e. mysite.dev). I've been doing this for a few years now and love it.
Jamie Holly http://www.intoxination.net http://www.hollyit.net
On 2/5/2012 11:04 AM, L.J.Bos wrote:
You can download MAMP / XAMPP or WAMP for free. Follow the instructions and you can access any (dev) site. Will take you about 15 minutes.
Regards,
Eljay
What Earnie described is totally the simplest and easiest way to handle this:
In both machines' /etc/hosts
127.0.0.1 localhost whatever
192.168.1.1 prod server1.prod server2.prod server3
192.168.1.3 dev server1.dev server2.dev server4
... etc.
----- Original Message -----
From: Alison
To: support@drupal.org
Sent: Sunday, February 05, 2012 10:23 PM
Subject: Re: [support] Accessing multiple virtual sites on a development machine
My old server was running Centos 5.7, which didn't support the latest Intel Express chipset very well, hence the upgrade to Centos 6.2. Have now upgraded the development machine also to Centos 6.2 as well.
So I have 2 machines on the same network, both running Linux and both having five virtual Apache based Drupal websites, with the development machines replicating the production one in every respect. Use static IP's for both - production on 192.168.1.1 and development on 192.168.1.3. With a Windows 7 machine at 192.168.1.2, which I use for access. What I would like to do is make changes to the development systems, and when I'm happy migrate the changes to the production machine.
Alison
At 03:09 AM 6/02/2012, you wrote:
For Windows machines, I suggest using Acrylic DNS proxy to handle the DNS for multiple sites. I've got info on it here:
http://drupal.org/node/32715#comment-2579138
Basically all my client sites on the devel machine get the TLD .dev (i.e. mysite.dev). I've been doing this for a few years now and love it.
Jamie Holly http://www.intoxination.net
http://www.hollyit.net
Alison wrote:
Hey it works. Thanks guys.
By setting httpd.conf virtuals in my development machine to dev.xxxxx.com, etc, and including a hosts file in my Windows box I can access both my development and production sites concurrently.
I'd not use names from the .com namespace, lest there be (or become) a legitimate owner. You don't need a public namespace for private purposes.
.lan and .dev both have some risk (it seems the AFL wants .afl), but less than .com. Probably, .local is best, but I used .lan before I ever heard of .local. I used to use .networking back when I wrote this, http://www.eracc.com/content/john-summerfield-setting-home-lan but I decided it's too long.
Thanks again
Alison
At 04:29 PM 6/02/2012, you wrote:
What Earnie described is totally the simplest and easiest way to handle this:
In both machines' /etc/hosts
127.0.0.1 localhost whatever
192.168.1.1 prod server1.prod server2.prod server3
192.168.1.3 dev server1.dev server2.dev server4
... etc.
Alison wrote:
Hi, having spent the last few days building a new Centos 6.2 (RHEL 6) webserver and migrating 5 low-traffic Drupal virtual sites to it - successfully, now looking to use the old server as a development machine. Brain is a bit worn out so this may seem a silly question, but how can I access the development machine sites? Localhost just gives me the first Apache default listed site, and using the domain names takes me to the new server. Tried listening on a different port, didn't help, nor did using 127.0.0.1 - loopback. Must be an easier way than setting up a local DNS server and changing development machine domain names.
Suggestions please.
Alison
Alison
When you have a new question, "Compose" or "Write" your message, do not "Reply" to an existing message.
Your email client creates special headers, such as this: References: 20120204102828.77866imznucwy40c@webmail.uniserve.com CACpPVysa2SJsqZ=WtqV9hZr4XJdpXLnwF1CMKuEyamFNNmqv0A@mail.gmail.com 20120204125602.143174u4ge23jejm@webmail.uniserve.com
which is one line, to allow others' email clients to group, or thread, messages into separate topics. This allows people to pick on topics of interest to them rather than read all the messages, and to easily see other contributions to the topic before responding.
Someone who's chosen to ignore the "automated updates" topic might not see your question at all, and that would be a shame if they had a good answer and the inclination to provide it.
I am going to assume that your server is hosted, like mine, at home on an ADSL router.
Clearly, you use Windows on your desktop, so I suppose you are comfortable with both Windows and Linux, and that you already have a network with everything on it.
While it's not strictly necessary, I use BIND to convert hostnames to IP addresses and addresses to hostnames on my LAN. There are other solutions such as hosts files (which I find a little yucky) and dnsmasq.
I use a top-level domain of lan, and because I feel I need one, an intermediate domain ms, so one of my development machines is called "chessdev.ms.lan" and I can find it by name from anywhere on my LAN.
js.id.au is hosted on a CentOS 5 system, but mostly I develop on Debian.
Depending on the capacity of your old system, you might use virtualisation. This allows you to use any Linux distribution (or, subject to licensing) Windows (or even a BSD or free Solaris) for development, and any of Windows and Linux as the host OS.
I've given up on xen and KVM, neither seems to me very reliable, so I now download virtualbox and use that. Note that it does not play very well at all with KVM or xen. Virtualbox or one of the others.
Using virtualisation has some advantages over Apache or Drupal virtual sites that might appeal:
You can easily test with different releases of Drupal, without any worries about getting confused about what's where.
You can easily test with different database software, again with clearer separation.
You can easily test with different releases of the same database software.
You can set up "small" computers. A useful Debian system can run in 128 Mbytes of RAM and have 4 Gbytes of disk. You can easily backup the whole thing with just a disk image.
Note, I use Debian for these systems because
1. It's easy to set up a virtual machine with small resource requirements. I don't normally install a GUI.
1a. If I do want a GUI, there's quite an assortment of desktop environments to choose from, many of them very lightweight.
2. Like Ubuntu, it has an enormous array of software available, more than Fedora. Unlike Ubuntu it's all supported.
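The naming caution raised earlier in the thread (a private dev name under .com may have, or gain, a real owner, and .lan, .dev and .local each carry some risk), as an added example that is not code from any list member: a small linter for hosts-file names. The sample input is constructed from the entries quoted in this thread; the reserved names follow RFC 6761 and RFC 8375, and the short list of delegated TLDs is an illustrative assumption, not a complete registry.

```shell
#!/bin/sh
# Added example (not from the thread): lint the names in a hosts file.

# Constructed sample: the entries quoted in the thread, plus two constructed
# lines (chessdev.ms.lan with an assumed address, and a reserved .test name).
sample_hosts() {
    cat <<'EOF'
127.0.0.1   localhost whatever
192.168.1.1 prod server1.prod server2.prod server3
192.168.1.3 dev server1.dev server2.dev server4   # development box
127.0.0.1   dev.site1.com
127.0.0.1   dev.site2.com
192.168.1.3 chessdev.ms.lan
192.168.1.3 site1.test
EOF
}

# Reads hosts-file text on stdin; prints "verdict<TAB>name<TAB>reason" per name.
lint_hosts() {
    awk '
    BEGIN {
        OFS = "\t"
        # Special-use names that are never delegated in public DNS (RFC 6761).
        n = split("test example invalid localhost", a, " ")
        for (i = 1; i <= n; i++) reserved[a[i]] = 1
        # A few delegated public TLDs, for illustration only (assumed list).
        # .dev was unused when this thread was written; it is delegated today.
        n = split("com net org dev", a, " ")
        for (i = 1; i <= n; i++) delegated[a[i]] = 1
    }
    {
        sub(/#.*/, "")                     # drop comments
        for (f = 2; f <= NF; f++) {        # field 1 is the IP address
            name = tolower($f)
            sub(/\.$/, "", name)           # ignore a trailing root dot
            parts = split(name, label, ".")
            tld = label[parts]
            if (parts == 1)                  { v = "ok";   why = "single-label name" }
            else if (name ~ /\.home\.arpa$/) { v = "ok";   why = "home.arpa is reserved for home networks" }
            else if (tld in reserved)        { v = "ok";   why = "reserved special-use name" }
            else if (tld == "local")         { v = "warn"; why = "reserved for multicast DNS" }
            else if (tld in delegated)       { v = "risk"; why = "public TLD: the name may have a real owner" }
            else                             { v = "note"; why = "not reserved: could be delegated later" }
            print v, name, why
        }
    }'
}

sample_hosts | lint_hosts
```
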
Automatic updates also open up other security issues, which can impact a much larger segment of Drupal sites than sites that don't upgrade. Here's a perfect example of that:
https://wpsecurity.net/wordpress-repository-hacked/
There are ups and downs to both sides of the arguments. IMHO if this ever became of Drupal it should either be optional or (even better) a contrib module. You can upgrade via Drush, but not everyone has shell access on their hosting, so that isn't a real solution.
Jamie Holly http://www.intoxination.net http://www.hollyit.net
Drupal has problems updating itself, as while it is updating itself it needs to be present, but one step of an update is to remove the current set of core files. Drush, the drupal command line tool, being somewhat separate from the Drupal core, is able to do an update mostly autonomously. Drush does use parts of core for other operations. With drush it is fairly easy to apply the update.
You really don't want an update like this to happen "automatically" but only on command, as you REALLY want to know when an update has happened to understand possible sources of strangeness (if it happens shortly after an upgrade, you want to look if it is a known issue with the upgrade, if you haven't done an upgrade recently, it is probably something else you did recently), and to make sure you have done the appropriate backups before doing the upgrade.
-- Richard Damon
I partly agree. I don't want a major unattended upgrade going on, certainly. But if I get a message about a security issue and a proposed path forward, I'd like to, for example, make a tarball of the whole site, dbs and everything else (easy) then be able to push the button and say GO to the upgrade without having to bit twiddle. So a scripted upgrade and some kind of rollback mechanism would, I think, be vastly preferable to excluding site maintainers from upgrading from fear of breaking something, and so choosing to leave the current version in place, security holes and all.
Just to add some realism to this, is there an estimate of how many sites are running versions with security issues still in place? So for example, how many sites are running D6 say?
Dave
With drush, once you have your backup, you just need to execute
drush up
and drush will install the core & module updates, then run the update script. This is pretty close to a "just push the button", the only difference is it is a shell command not a control on a web site page.
As to usage information of old/outdated versions. Drupal actually does gather some of this information with the update module and it can be seen at http://drupal.org/project/usage/drupal
Now, as to looking down on D6 installs, D6 is still actively maintained, so just running D6 isn't a security risk, and there are good reasons to not migrate a working site from D6 to D7 just to be "current" (not all the modules are updated yet for one).
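The workflow this thread converges on (development before production with a few pre-defined checks, a full backup first, a rollback if something breaks, and `drush up` as the button), as an added example that is not code from any list member or from the Drupal project. Site roots, URLs and the backup directory are placeholder assumptions; `archive-dump`, `pm-update --security-only` (`pm-update` is the long form of `drush up`) and `archive-restore` are Drush commands as shipped for Drupal 7 sites.

```shell
#!/bin/sh
# Added example (not from the thread): staged security update with drush.
# All paths and URLs are placeholders; override them in the environment.
DEV_ROOT=${DEV_ROOT:-/var/www/dev.example.test}
PROD_ROOT=${PROD_ROOT:-/var/www/www.example.test}
DEV_URLS=${DEV_URLS:-"http://dev.example.test/ http://dev.example.test/user"}
PROD_URLS=${PROD_URLS:-"http://www.example.test/ http://www.example.test/user"}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/drupal}
UPDATE_LOG=${UPDATE_LOG:-$BACKUP_DIR/update.log}

# Timestamped record, so later strangeness can be matched to an update.
log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$UPDATE_LOG"; }

# Archive code, files and database of one site; print the archive path.
backup_site() {
    archive="$BACKUP_DIR/$(basename "$1")-$(date +%Y%m%d-%H%M%S).tar.gz"
    drush --root="$1" archive-dump --destination="$archive" >/dev/null 2>&1 || return 1
    printf '%s\n' "$archive"
}

# Install security releases only, then run the pending database updates.
apply_security_updates() {
    drush --root="$1" --yes pm-update --security-only >>"$UPDATE_LOG" 2>&1
}

# The pre-defined checks: every listed URL must answer HTTP 200.
smoke_check() {
    for url in $1; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 20 "$url") || code=000
        if [ "$code" != "200" ]; then
            log "CHECK FAILED $url -> $code"
            return 1
        fi
    done
}

# Back up, update and check one site; restore the archive if anything fails.
update_one() {
    root=$1 urls=$2
    bk=$(backup_site "$root") || { log "backup failed for $root, nothing changed"; return 1; }
    log "backup of $root: $bk"
    if apply_security_updates "$root" && smoke_check "$urls"; then
        log "updated $root"
        return 0
    fi
    log "rolling back $root from $bk"
    drush archive-restore "$bk" --destination="$root" --overwrite >>"$UPDATE_LOG" 2>&1
    return 1
}

# Development first; production is touched only if development passed.
# Returns 0 on success, 2 if development failed, 3 if production was rolled back.
staged_update() {
    mkdir -p "$BACKUP_DIR" || return 1
    update_one "$DEV_ROOT" "$DEV_URLS" || { log "dev failed, production untouched"; return 2; }
    update_one "$PROD_ROOT" "$PROD_URLS" || { log "production rolled back"; return 3; }
    return 0
}

# Runs only on command: sh staged-update.sh run
if [ "${1:-}" = "run" ]; then staged_update; exit $?; fi
```
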
Quoting Richard Damon Richard@Damon-Family.org:
snip!
still in place? So for example, how many sites are running D6 say?
Dave
With drush, once you have your backup, you just need to execute
drush up
and drush will install the core & module updates, then run the update script. This is pretty close to a "just push the button", the only difference is it is a shell command not a control on a web site page.
thanks. I didn't know that but will study up.
As to usage information of old/outdated versions. Drupal actually does gather some of this information with the update module and it can be seen at http://drupal.org/project/usage/drupal
thanks again, I'll dig in.
Now, as to looking down on D6 installs, D6 is still actively maintained, so just running D6 isn't a security risk, and there are good reasons to not migrate a working site from D6 to D7 just to be "current" (not all the modules are updated yet for one).
not intending to look down, just concerned about security issues. Glad to hear about active maintenance.
Dave
-- Richard Damon
Quoting Richard Damon Richard@Damon-Family.org:
On 2/4/12 3:50 PM, Dave Stevens wrote:
Quoting Richard Damon Richard@Damon-Family.org:
Richard especially, and others who helped, thanks very much.
I have a dummy site under Centos that has no content so after installing drush I did "drush up" and sure enough 7.0 became 7.12 with no worries. Then tried my ubuntu 11.04 netbook with toy content and went from 7.0 to 7.12 with no problem at all. So good enough for me. And I learned some useful stuff too.
Dave
This is why I don't use the Update module on most of my live sites. I have back ups of all my sites set up locally in a multi-site per core version. I update my core and contribs there first and make sure that things are working. Then I move the code to the live sites.
Yes, this can mean that there are temporary security vulnerabilities. I'll take that risk over the likelihood that something will break if I just upgrade willy-nilly. Plus, having already tested, I know whether or not to follow those instructions.
Oh, and I have also had problems come up by allowing Windoze to update itself.
Nancy
Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.