We can’t predict when Drupal core security updates will be released: they can arrive at any time, and we need to keep our sites updated. People in other parts of the world stay awake for security updates.
Let’s look at the numerous sites built for small businesses today. If a site maintainer is present to manage these updates then there’s no problem at all. But what if there is no maintainer?
People often have questions like:
- “Has anyone built the script which will download, backup, and install the updates?”
- “Why upgrade, with all security updates which pop up? It seems like I need to upgrade every month.”
New updates arrive frequently. That is part of the software world, be it open source or commercial. The Drupal security team is an awesome team that provides security releases as quickly as possible rather than leaving you with an insecure site.
For the past few years there have been talks about automating Drupal core updates, so a Drupal core strategic initiative, “Automatic Updates”, was formed. If successful, it would secure a lot of vulnerable Drupal sites.
Currently, the Automatic Updates feature is being developed as a contributed module. Eventually it will ship in Drupal core as an experiment, and finally, if all goes well, it could land as a new Drupal core feature.
Since the work for Automatic Updates is so vast, tasks are being worked on in phases.
Currently, Automatic Updates is divided into the following two phases, of which Phase I is now stable:
Objectives of Phase I
- Providing a JSON feed of Drupal PSAs from Drupal.org
- Displaying PSAs in the Drupal admin interface
- Providing an extensible update readiness check system
- Generating update packages from Drupal.org
- Securing the update packages with a signing system
- Applying the updates, manually or automatically, with roll-back
In this first phase, the Automatic Updates module includes the Public Service Announcement and Readiness Check features and can apply In-Place Updates manually or on cron. Updates that contain database updates will cause a rollback of the update.
Objectives of Phase II
- Providing an A/B front-end controller for more robust testing/roll-back features
- Supporting contributed module automatic updates
- Supporting composer-based site installs
The goal is to implement a secure system for automatically installing updates in Drupal, lowering the total cost of ownership of maintaining a Drupal site, and improving the security of Drupal sites.
Public service announcements (PSAs)
Announcements for highly critical security releases for core and contrib modules are done infrequently. When a PSA is released, site owners should review their sites to verify that they are up to date with the latest releases and that the site is in good shape to update quickly once the fixes are provided to the community.
Drupal.org provides a JSON feed of Drupal Public Security Announcements to be consumed by the automatic updates module.
That feed includes values for the following:
- Project type (core, module, theme, etc.)
- Project: the short name of the project the PSA is for
- Title: the title of the PSA
- Is_psa: the flag which indicates that the post is a PSA (and not another kind of Security Advisory)
- Link: the link to the full PSA on drupal.org
- Insecure: metadata about what versions of the affected project are known insecure
- pubDate: the date the PSA was published
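As an added illustration (not code from the Automatic Updates module), the sketch below shows how a monitoring script could match feed entries against a site's installed projects using the fields listed above. The lowercase JSON key spellings, the shape of `insecure` as a list of version strings, the RFC 2822 `pubDate` format, and the function name `relevant_announcements` are assumptions; the feed content is constructed sample data.

```python
import json
from email.utils import parsedate_to_datetime

# Constructed sample feed; key names and value shapes are assumptions
# derived from the field list above, not copied from a real feed.
SAMPLE_FEED = json.dumps([
    {"type": "core", "project": "drupal", "title": "Constructed core PSA",
     "is_psa": "1", "link": "https://example.org/psa-1",
     "insecure": [], "pubDate": "Tue, 02 Jun 2020 12:00:00 +0000"},
    {"type": "module", "project": "example_module", "title": "Constructed advisory",
     "is_psa": "0", "link": "https://example.org/sa-2",
     "insecure": ["8.x-1.0", "8.x-1.1"], "pubDate": "Wed, 03 Jun 2020 12:00:00 +0000"},
    {"type": "module", "project": "not_installed", "title": "Constructed, not relevant",
     "is_psa": "1", "link": "https://example.org/psa-3",
     "insecure": [], "pubDate": "Wed, 03 Jun 2020 12:00:00 +0000"},
    {"title": "Constructed malformed entry without a project"},
])

REQUIRED = ("type", "project", "title", "is_psa", "link", "insecure", "pubDate")


def relevant_announcements(feed_text, installed):
    """Return entries for installed projects that are PSAs or list the
    installed version as insecure, newest first.
    `installed` maps project short name -> installed version string."""
    hits = []
    for entry in json.loads(feed_text):
        if not isinstance(entry, dict) or any(k not in entry for k in REQUIRED):
            continue  # skip malformed entries instead of failing the whole check
        version = installed.get(entry["project"])
        if version is None:
            continue  # project is not installed on this site
        is_psa = str(entry["is_psa"]).lower() in ("1", "true")
        known_insecure = version in entry["insecure"]
        if is_psa or known_insecure:
            hits.append({"project": entry["project"], "title": entry["title"],
                         "link": entry["link"], "is_psa": is_psa,
                         "known_insecure": known_insecure,
                         "published": parsedate_to_datetime(entry["pubDate"])})
    return sorted(hits, key=lambda h: h["published"], reverse=True)


if __name__ == "__main__":
    site = {"drupal": "8.8.6", "example_module": "8.x-1.1"}  # constructed inventory
    for hit in relevant_announcements(SAMPLE_FEED, site):
        print(hit["published"].date(), hit["project"], hit["title"], hit["link"])
```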
Update Checklist
Lists all the checks that determine whether a site is ready for an update or not, e.g. pending hook updates, changes made to Drupal core files, etc.
Demonstrating Automatic Updates
Step 1: First, check if the update is available or not
Step 2: Configuring Automatic Updates
Step 3: Now examine the PSAs and Readiness checks in the configurations
Click on the ‘Manually run the readiness checks’ link under READINESS CHECKS.
Step 4: Under ‘Errors found’ on the status report page, you can see the checks failed message with reasons
Wish to contribute to Automatic Updates?
- You can contribute to Automatic Updates by picking up an issue from the issue queue or by picking issues tagged automatic updates phase 2
- Issue queue: Pick issues tagged automatic updates phase 2
- Join the automatic update team in #autoupdates channel in Drupal slack
- Link to project Automatic updates
- Link to strategic initiative page: https://www.drupal.org/about/strategic-initiatives/automatic-updates