[Sysadmin] Next?

Adrian Simmons adrian at perlucida.com
Mon Nov 17 07:22:28 CST 2008


On 17 Nov 2008, at 04:12, David Kaufman wrote:

> and ...honestly, I think we *should* run Drupal 5.x until Lenny comes out
> with Drupal 6 and security support for it.

I'm not aware of anyone doing serious Drupal development that uses a  
packaged Drupal. They're generally regarded as being outdated and slow  
to apply security patches.
Current etch package of Drupal via backports is 5.10, current version  
of Drupal 5 is 5.12, so the current package is 2 security updates  
behind. 5.11 came out on Oct 8th, so the current packaged version is  
over 5 weeks out of date.

Do we need to be on the ball about security updates? Yes.
Does using an official Debian package keep you up to date? No.

And, as John has said repeatedly, once Drupal 7 comes out there will  
be no more upstream security updates forthcoming for Drupal 5.

Also note, David, that Drupal 6 has the update_status module as part of  
core - if enabled, when a security update is available it will print  
warning messages to admin users on every admin page; it's damn hard to  
ignore :)


> I don't think we want to run a source installation that's
> going to take us days, weeks or months to get around to updating,

Drupal modules aren't available as packages, so what about security  
updates in modules? Simply installing Drupal from a package isn't  
going to make us any more secure if we leave modules un-updated. It's  
a bit like installing Perl from an official Debian package, but then  
using CPAN to install Perl modules instead of using the official  
Debian Perl packages.

AFAIK most big Drupal shops (and small ones) keep Drupal and all  
modules under version control.
My personal workflow involves SVK and using a vendor branch, testing  
the updates on my local server, then updating the working copy on the  
remote 'live' server, but that's not entirely applicable to evolt.

I'm already monitoring Drupal security updates and usually manage to  
apply security updates the same or next day (occasionally longer if  
they come out late on a Friday; I don't get to work weekends). I'd be  
happy to take on board some responsibility for keeping Drupal and  
modules up to date.

Adrian
-- 

Phone: +44 1382 541 586 or +44 131 208 0840
e-mail <mailto:adrian at perlucida.com>
AOL/Yahoo/Skype/Gizmo ID: perlucida
Web Site <http://perlucida.com>
