Automatic Drupal Updates - WTF or FTW?
Automatic updates have been discussed since years already. The pro and con of letting Drupal update itself are discussed in different Drupal.org issues queues. It was not a big surprise that Dries mentioned automatic Drupal core updates as part of the strategic roadmap of Drupal in his Driesnote at DrupalCon Vienna 2017. Presenting Drop Guard as Silver Sponsor of this DrupalCon gave us the chance to talk to a lot of people and get their opinion about automatic Drupal updates as well as to get some overview of and insights into other existing solutions. I want to share these information with the community to get this topic moving forward and make the Drupal ecosystem more secure.
What will automatic Drupal updates do?
They will provide a functionality in a similar way that Wordpress provides to update Drupal core directly on the live server. The positive aspects are:
- The site stays secure, especially in case of highly critical Drupal updates such as Drupalgeddon.
- Small sites, that are not actively and professionally maintained, will stay secure
Whereas the most important negative aspects are (there are many more listed in this post):
- There is no control of the update process and no way to ensure quality
- When Drupal updates itself, GIT will not be used for version control, roll backs are hard work or even impossible
- Drupal.org becomes a big target for hackers to modify updates and inject vulnerable code
Overview over existing solutions
There are already some approaches in the community to automate Drupal updates. I want to give an overview over existing solutions in the following section (please extend your experience in the comments if some are missing).
Not only a few agencies automate Drupal updates with custom scripts that are executed by Jenkins or other CI tools. The common challenge that they face is to maintain the bunch of scripts and keep on track with the rapid development of DevOp changes, new libraries, tools and workflows. Quality assurance is often a critical point that is missing due to missing workflow and tool integrations. There was an approach to build a Drupal module called CMS Updater but the module is not maintained any more or was shut down by the security team.
Build-in solutions of Drupal hosting providers
Acquia provides the remote administration service that commits updates to a separate branch or directly to your live site in case of a highly critical security update. Pantheon promoted a script to apply updates on Pantheon at DrupalCon Vienna 2017. The script is available on Github. Amazee.io integrates with Drop Guard to bring security updates aligned with DevOp workflows and development tools and provides this security update service to its users in both, their cloud hosting and their on-premise solution. The challenge of those build-in solutions is that they miss the integration with the organisation's devOp workflows and tools and when using many different hosting providers, there is no central processing and management overview over all sites on different platforms. According to the feedback of agencies in this situation, this brings additional complexity to the overall update process. Talking to Ryan Aslett as head of the DrupalCI system on Drupal.org at DrupalCon Vienna 2017, he confirmed that the Drupal Association and the DrupalCI Team support the idea of automatic Drupal updates. Nevertheless there is a common sense that automatic updates are not matching the requirements of professional Drupal sites but fill the security gap for small sites without professional maintenance. The lack of control about the update process is what concerns most DevOp teams and developers. On the other side, Dries highlighted that Drupal will develop more and more as an enterprise grade CMS and as a result small sites and blogs are better served by SaaS offers. If small sites move away from Drupal, and in return more professional teams, enterprise customers and global marketing teams adopt Drupal, will there be a use case for automatic updates in Drupal core in the future, if they lack control and quality assurance in the update process? I would appreciate your opinion in the comments.
The future of Drop Guard
This DrupalCon and the Driesnote in particular, confirmed our mission to make Drupal and open source updates a no-brainer. Giving our users one central platform to manage, control and monitor the overall update process solves the issue of a fast, reliable and stable update process with full integration into devOp tools and workflows. If the Drupal auto update initiative decides to bring Drupal auto updates to core to make the lifecycle of small sites more secure, we want to offer our help to support them with know-how, experience and code. For those agencies and organisations that care about their sites' security and maintain many sites, we will continue to improve Drop Guard to provide a tool that supports hassle free open source updates, Drupal updates in particular. As I was asked about our Roadmap many times, here are a few features that will be released in the next 12 month:
- Provide a Docker container to run the Drop Guard service on your own infrastructure
- Allow to manage the update and integration behaviour of Drop Guard with JSON files that are committed to the GIT repository