New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[META] Automatic Updates #2018

Open
klonos opened this Issue Jul 14, 2016 · 9 comments

Comments

Projects
None yet
6 participants
@klonos
Member

klonos commented Jul 14, 2016

Placeholder issue for any tasks related to Backdrop CMS for https://github.com/mbaynton/cms-autoupdate-design with task list to be eventually formed for any actionable things specific to us.

Everyone's opinion is welcomed, but we specifically seek opinions from the PMC members.

Respective/related issue in d.org: https://www.drupal.org/node/2367319

  • #2555: Move /profiles under /core/profiles
  • #3105: Add ability to update Backdrop core via UI
  • #3271: Expose the Backdrop core update via the UI by default
  • #2024: Improve security of updates
  • #1992: Include digital signatures on packages
  • #3208: Remove/deprecate authorize.php
  • #414: The automatic part
@laryn

This comment has been minimized.

Contributor

laryn commented Mar 28, 2018

I thought there was further discussion on the topic that I don't see here, but I liked where the discussion was going in terms of:

  • A setting to allow folks to turn it on or off.
  • A separate security patch branch that only fixed the security issue without forcing other upgrades, including for previous versions (e.g. a security patch for 1.8.x that wouldn't force an upgrade to 1.9.x) to minimize potential for breaking updates through this system.
@olafgrabienski

This comment has been minimized.

olafgrabienski commented Apr 2, 2018

Reread the article on Automatic Update Technical Design Planning, which seems still worth thinking about. Additionally to the items pointed out by @laryn, I also like the concept of determination which of the offered updates a site receives automatically based on security risk scores.

@olafgrabienski

This comment has been minimized.

olafgrabienski commented Apr 26, 2018

Now as we've just experienced a series of critical Backdrop security releases, let's revive the idea of automatic updates. I guess it's not easy to plan and implement such a feature but it could be a huge improvement which would match the philosophy of Backdrop perfectly. Here some goals of automatic (security) updates from my perspective:

  • Keep more Backdrop sites secure and alive.
  • Save time, so that not only agencies but also individuals (hobbyists, voluntaries, freelancers) are able to maintain Backdrop sites, or to maintain more Backdrop sites. With "save time" I mean
    • the span of time which I need before a site gets eventually exploited, and
    • the working hours which I need to update all of my sites
  • Keep up with WordPress.
  • Make it better than Drupal does (at the moment).

Re the last-mentioned point: automatic updates could be a game changer in Backdrop adoption from a Drupal 7 perspective. At the moment, I build only new sites with Backdrop but I don't consider to switch any sites from D7 to Backdrop because they're running fine. That would change definitely if we had automatic updates.

@Graham-72

This comment has been minimized.

Graham-72 commented Apr 26, 2018

👍

@quicksketch

This comment has been minimized.

Member

quicksketch commented Apr 27, 2018

Some references:

We may want to make a separate issue for "Let core update itself", as Update and Installer module combined can update and install updates for contrib modules already, but it cannot update core. Once we have core capable of updating itself, then we could build on top of that to make it happen automatically when new updates are available.

@serundeputy

This comment has been minimized.

Member

serundeputy commented May 13, 2018

I've added #3105 to allow Backdrop core updates via Backdrop UI.

@quicksketch

This comment has been minimized.

Member

quicksketch commented May 15, 2018

I updated this issue to be a checkbox list of tasks.

@quicksketch

This comment has been minimized.

Member

quicksketch commented Jul 22, 2018

New sub-issue: #3208 Remove authorize.php entirely. I'm looking for more feedback on that proposal.

@serundeputy

This comment has been minimized.

Member

serundeputy commented Jul 22, 2018

I've added #3208 to the OP meta list.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment