Easy Updates Should be Drupal’s Top Priority
Drupal is having another terrible, horrible, no good, very bad time.
Two new security issues, named “Drupalgeddon 2” and “Drupalgeddon 3”, have resulted in widespread problems. These latest issues led to cryptocurrency-mining hacks on a number of high-profile sites, including several run by US federal agencies.
The core of the problem is that Drupal does not provide an easy way for non-technical people to update their sites.
If you don’t have an easy way to update people’s sites, how do you get their attention? With strong, urgent language. You have to scare them into updating.
Unfortunately, that becomes a problem in itself. Let’s take a couple of examples.
The FAQ page for these security issues says:
How many sites are likely affected? Drupal 8, 7, and 6 sites are affected. According to the Drupal project usage information this represents over one million sites or about 9% of sites that are running a known CMS according to Builtwith.
Well, in the hands of the headline writers, that results in claims like this:
Update Drupal ASAP: Over a million sites can be easily hacked by any visitor
That headline from ZDNet is flat-out wrong. This hack was not easily exploited at all. But I’ve seen variations on this claim on many sites. And big-name sites were indeed hacked!
Here’s another statement from the security team:
These patches will only work if your site already has the fix from SA-CORE-2018-002 (the flaw announced on 29 March) applied. (If your site does not have that fix, it may already be compromised.)
That’s a scary-sounding couple of sentences. ITWire responded by saying this was:
an indication of panic among the Drupal team
I think that claim is also mistaken, but that’s only because I spend a lot of time in the Drupal world. For outsiders, it absolutely sounds like panic.
Finally, there’s the name: Drupalgeddon. Like it or not, Drupal’s security issues are now branded, and are becoming one of the best known things about the platform.
Here’s the problem: if you have to scare your users into updating, then users will get scared. And their opinion of Drupal will go down. No-one wants their software to scare them.
This problem is Drupal’s biggest problem
Back in 2014, we wrote a post called “Auto-Update or Die“. That was in response to the original Drupalgeddon. Four years later, and the same headaches keep happening for the same reasons.
At the very least, Drupal needs a one-click update option from the admin area. Auto-updates for security issues would be great, but one-click updates are the absolute minimum acceptable option in 2018. WordPress solved this in 2008! Drupal itself has solved this for modules since 2011.
Easier core updates are on Drupal’s roadmap, but only under “Wishlist”.
There is an official initiative working on this:
Updating a Drupal site can be difficult, time-consuming, and expensive. While implementing an automatic updates system is a difficult problem, and not without its risks, it is a problem that has been solved by other platforms, and that Drupal can address.
Every time this topic is raised, pedants have a long list of objections. The same hair-splitting arguments have been made for years. I fully expect to see them in the comments here. Sorry, pedants – you are wrong on this.
The short version of this is: after Drupalgeddon 1, 2 and 3, Drupal can’t afford to leave so much of its install base unpatched. We’re stressing out users and causing waves of bad publicity.
Nothing is more important to Drupal’s future than ensuring that updates are easy.
> The core of the problem is that Drupal does not provide an easy way for non-technical people to update their sites.
Well, this is a double headed sword. The Drupal target market is becoming very heavily enterprise focused, even if nobody has flat out said it openly. It’s a concern that echoed throughout DrupalCon for me for the smaller agencies. A lot of Drupal users don’t put their sites online in the same way we would a Joomla or WordPress site, where it is self-updating, or not contained in a git repo where it goes through some kind of CI-to-deploy workflow.
So what’s the cost-to-benefit ratio of having auto updates on a platform like Drupal? If you use the 80/20 rule, is there really a high enough uptake for Acquia or Drupal Association to devote time and resources into the architecture it takes to pull this off? My honest opinion, I don’t think Dries or the Acquia staff have an interest in the market space that “making updates easier” or auto updates applies to, and I don’t see it being a true core priority or concern as a result.
For sure. I guess one difficulty is that they have a large userbase that still sits in the “small business” or “hobbyist” area. Plus even the “enterprise” users are prone to mistakes. Witness the list of household name sites that were hacked due to these latest issues. We’ve worked with lots of “enterprise” customers where the web team is just 2 or 3 overworked people.
Scripting drush to perform urgent updates has always been simple. This should be a quick push from dev to prod, and typically not near as much hassle as this post makes it seem.
This assumes the site owner has SSH access and can work with a command line client. For the site owners that don’t have that capability, updates aren’t easy because you then have to have FTP access and know the difference between core and third party files. As a favor to one of my company’s clients last year, we did some work updating her side project’s website (a Drupal site) which was disconnected from its old git repo (I guess the old developer is gone), Drush wasn’t working on the host the site was deployed to, and the task of updating any part of the site outside of content was inherently too complex for the client, so it hadn’t been updated since before Drupalgeddon 1. Whereas with that same client, who has used Joomla in the past and runs WordPress on their current website, if there really came a need we could guide them through taking a backup and updating the site entirely through the UI.
Hi John. “Simple”, “quick”, “not near as much hassle”. When I hear this, I’m reminded of this great post by Chris Coyier: https://css-tricks.com/words-avoid-educational-writing/ The very large number of sites that are not updated is proof that this process is not as easy or simple as we might think.
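The exchange above turns on whether a scripted update is really "simple"; the security team's note quoted earlier adds the catch that the later patches assume the SA-CORE-2018-002 fix is already in place. The script below is an added example for this page, not Drupal's, drush's or any commenter's own code: it reads the installed core version straight out of a checkout (without bootstrapping the site) and reports whether it is at or past the first release on its branch that carries the SA-CORE-2018-002 fix. The per-branch fixed versions are taken from that advisory; the two file locations are Drupal 7's `includes/bootstrap.inc` and Drupal 8's `core/lib/Drupal.php`; the sample file contents are constructed for the demonstration.

```python
"""Report whether a Drupal 7/8 checkout carries the SA-CORE-2018-002 core fix.

Added example for this page (not Drupal or drush code). Usage:
    python drupal_core_check.py /var/www/site-a /var/www/site-b
"""
import re
import sys
from pathlib import Path

# Lowest core release on each branch that contains the SA-CORE-2018-002 fix
# (the 29 March 2018 advisory the post quotes). A branch missing from this
# table (e.g. 8.2.x) got no security release, so the only fix is to move to a
# supported branch.
FIXED_IN_SA_CORE_2018_002 = {
    "7": "7.58",
    "8.3": "8.3.9",
    "8.4": "8.4.6",
    "8.5": "8.5.1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$")

# (relative path, pattern) for where each major version records its version.
_VERSION_FILES = (
    ("core/lib/Drupal.php", re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")),     # Drupal 8
    ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([^']+)'\)")),  # Drupal 7
)

# Constructed samples (assumption: shaped like the real files, trimmed to one line).
SAMPLE_DRUPAL8_PHP = "class Drupal {\n  const VERSION = '8.5.0';\n}\n"
SAMPLE_DRUPAL7_INC = "<?php\ndefine('VERSION', '7.57');\n"


def version_key(version):
    """Turn '8.5.1-rc1' / '7.58' into a sortable tuple.

    A pre-release sorts below the final release with the same number, so a
    site on 8.5.1-rc1 is not counted as carrying the 8.5.1 fix.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 1 if pre is None else 0)


def branch_of(version):
    """Drupal 7 has one branch ('7'); Drupal 8 has one per minor ('8.5')."""
    major, minor, _, _ = version_key(version)
    return str(major) if major < 8 else f"{major}.{minor}"


def assess(version, floors=FIXED_IN_SA_CORE_2018_002):
    """Return (status, floor): status is 'patched', 'unpatched' or 'unsupported'."""
    floor = floors.get(branch_of(version))
    if floor is None:
        return "unsupported", None
    status = "patched" if version_key(version) >= version_key(floor) else "unpatched"
    return status, floor


def extract_version(text):
    """Pull the VERSION constant out of either version file's contents."""
    for _, pattern in _VERSION_FILES:
        m = pattern.search(text)
        if m:
            return m.group(1)
    return None


def read_core_version(drupal_root):
    """Read the installed core version from the codebase; None if not a D7/D8 root."""
    for rel, _ in _VERSION_FILES:
        path = Path(drupal_root) / rel
        if path.is_file():
            found = extract_version(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                return found
    return None


def report(drupal_root):
    """One human-readable line per site root, following the security team's advice:
    a site below the floor may already be compromised, not merely out of date."""
    version = read_core_version(drupal_root)
    if version is None:
        return f"{drupal_root}: no Drupal 7/8 version file found"
    status, floor = assess(version)
    line = f"{drupal_root}: core {version} is {status}"
    if status == "unpatched":
        line += f" (needs >= {floor}; treat as possibly compromised, not just out of date)"
    elif status == "unsupported":
        line += " (no security release on this branch; upgrade to a supported branch)"
    return line


if __name__ == "__main__":
    for root in sys.argv[1:] or ["."]:
        print(report(root))
```

Run it over every site root on a host before scripting the drush update itself: anything it reports as unpatched needs an incident-response look (the point the security team's FAQ makes) before a patch is pushed from dev to prod, and anything on an unsupported branch will not be fixed by a patch at all.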
Independently from the target audience of the CMS, I think the title of the post describes well the issue. An easy way to update Drupal is indeed a top priority. It isn’t just a matter of time, it has to do with the usability of the CMS.
Thanks Jorge. Yes, it’s an absolutely key usability feature
How to update Drupal core and Drupal modules?
This should help: https://www.ostraining.com/blog/drupal/how-to-update-drupal-8-sites/
Guess I’ve only updated once, but used this tutorial from O.S… Step by step and it’s NOT too difficult and actually fun. Makes us novices feel all geeky and everything.
Steve, you speak from my heart! I totally agree with you.
Thanks Maik. You remind me to link to this discussion on Reddit with more comments on this: https://www.reddit.com/r/drupal/comments/8in8v5/easy_updates_should_be_drupals_top_priority/
I stopped using Drupal after 9 years because all my sites got hacked a couple of years ago. I was not technically gifted enough to overcome the total pain in the ass of updating core and modules so regularly.
A great shame and I had spent many hundreds of hours getting past being a beginner….