[consulting] preparing clients for Drupal 5 obsolesence
Matt Chapman
Matt at NinjitsuWeb.com
Tue Mar 10 19:50:20 UTC 2009
Sam Cohen wrote:
> Are you actually suggesting that developers should refuse to add
> features to Drupal 5 sites even if they never told the client when
> they first built the Drupal 5 site that they were going to be doing this?
No, as I said, I am continuing to serve my existing Drupal 5 clients,
while encouraging them to plan for an upgrade at the end of the year.
Because I'm having these conversations now, most clients see the value
of not delaying the upgrade, and prefer to upgrade now. I will refuse to
add features to Drupal 5 sites only after the official EOL for D5.
What I'm doing now is refusing to take on NEW clients who have existing
Drupal 5 sites, or want a site built with Drupal 5. (A large portion of
my business comes from clients who have been abandoned or screwed by a
previous Drupal developer. If they have a D5 site, as of this week, I'm
telling them that step one is an upgrade.)
> That seems incredibly unfair to clients, especially those with limited
> budgets.
To me, it is incredibly unfair to the client to claim to be saving them
money by giving them an obsolete solution which is prone to security
vulnerabilities.
> In truth, I wouldn't even consider having clients agree to this for
> future sites. If I did, I'd have to say, ok, I'm going to build your
> site in Drupal 6 today, but at some point in the future I'm going to
> refuse to add any new features unless you spend X dollars to upgrade
> to Drupal 7 -- and if we're talking about a heavily customized site
> that X can be many thousands of dollars.
I think it is shortsighted at best, and dishonest at worst, to NOT have
this conversation with you client, unless you're willing to commit to
writing Drupal 6 modules and back-porting security patches ten years
from now.
> I've still got a couple of 4.7 sites that are serving nonprofit
> clients very well and they are very happy with them. I'd like it if
> they paid for an upgrade, but I can't imagine requiring them to do so.
You'll be able to imagine it more clearly when they get hacked because
of a lack of security patching and blame you. I hope you have E&O
liability insurance.
I don't consider myself a security expert. When absolute security is a
requirement, I suggest a third-party audit. Even if I wanted to do the
work of back-porting security patches without compensation, I don't
trust that I or my sub-contractors have sufficient skills to do so. I
depend on & trust the drupal security team only.
Best,
Matt
More information about the consulting
mailing list