[development] Automatic Updates/Upgrades
Jonathan Dale
darthclue at gmail.com
Thu Sep 1 18:54:48 UTC 2011
It's not just the possibility of an attack that would be bad for Drupal. Given the number of Drupal sites that are in existence and, playing devil's advocate for a bit, let's say that just 5% of them have been tweaked in such a manner that a core update will break them.
If we do auto-updates this could result in Drupal garnering attention that it doesn't want.
Regards,
Jonathan Dale
On Sep 1, 2011, at 1:40 PM, John Locke wrote:
> Automatic update of core + potential for malicious code getting uploaded
> to the source repos = very nice recipe for taking over a huge amount of
> the web!
>
> WordPress and Debian have both had bad stuff uploaded to their
> repositories. It could happen to Drupal too. For that reason alone I
> think auto-updating is a really bad idea -- it makes for a very nice
> target for an attacker!
>
> Here's how an attack might play out:
>
> 1. Attacker plants some keylogger on a core committer's machine,
> captures their credentials.
> 2. Attacker builds an exploit and uploads it to Core, immediately before
> the default update check time for sites set to UTC or some large time zone.
> 3. All sites configured for auto-update download the new exploit.
> 4. Exploit changes the update source to their own malicious repository.
> 5. Millions of exploited web sites are now at the attacker's disposal --
> done right, huge numbers of site admins would never realize their sites
> were compromised.
>
> This would not be difficult to do -- all you need to do is get the
> credentials for one person with appropriate access. And while it would
> certainly be discovered and caught, it could do some pretty widespread
> damage in a short amount of time, and leave a bunch of compromised sites
> out there available to do far more damage than your ordinary Windows
> bot-net...
>
> Ugh. No thanks.
>
> Cheers,
> John Locke
> http://freelock.com
>
> On 09/01/2011 11:03 AM, Gaelan Bright Steele wrote:
>> I see. I got the idea from WordPress, which knows how to automatically update itself.
>> On Sep 1, 2011, at 10:46 AM, Todd wrote:
>>
>>> If you have drush, you can run `drush pm-update` to automatically update core and contrib.
>>>
>>> I'm not sure if I'd build in automatic updating of core in Drupal, though, since it's a bit more complex than updating a module and many more things can go wrong.
>>>
>>> Todd
>>>
>>> On 1 Sep 2011, at 13:36, Gaelan Bright Steele wrote:
>>>
>>>> Hi Everybody
>>>> Has anyone thought about automatic updates/upgrades to the Drupal core? If not, I would implement it. Excuse me if there is already a conversation going on about this--I am new here.
>>>> Gaelan
>>>>
>> Sincerely, Gaelan
>>
> --
> John Locke
> Manager, Freelock Computing
> The Open Source for Business Solutions
> http://www.freelock.com
> john at freelock.com 206-579-4836
>