[Sysadmin] Next?
Adrian Simmons
adrian at perlucida.com
Mon Nov 17 07:22:28 CST 2008
On 17 Nov 2008, at 04:12, David Kaufman wrote:

> and ...honestly, I think we *should* run Drupal 5.x until Lenny
> comes out with Drupal 6 and security support for it.

I'm not aware of anyone doing serious Drupal development that uses a
packaged Drupal. They're generally regarded as being outdated and slow
to apply security patches.

Current etch package of Drupal via backports is 5.10, current version
of Drupal 5 is 5.12, so the current package is 2 security updates
behind. 5.11 came out on Oct 8th, so the current packaged version is
over 5 weeks out of date.

Do we need to be on the ball about security updates? Yes.
Does using an official Debian package keep you up to date? No.

And, as John has said repeatedly, once Drupal 7 comes out there will
be no more upstream security updates forthcoming for Drupal 5.

Also note David, that Drupal 6 has update_status module as part of
core - if enabled, when a security update is available it will print
warning messages to admin users on every admin page, it's damn hard to
ignore :)

> I don't think we want to run a source installation that's
> going to take us days, weeks or months to get around to updating,

Drupal modules aren't available as packages, what about security
updates in modules? Simply installing Drupal from a package isn't
going to make us any more secure if we leave modules un-updated. It's
a bit like installing Perl from an official Debian package, but then
using CPAN to install Perl modules instead of using the official
Debian Perl packages.

AFAIK most big Drupal shops (and small ones) keep Drupal and all
modules under version control.

My personal workflow involves SVK and using a vendor branch, testing
the updates on my local server, then updating the working copy on the
remote 'live' server, but that's not entirely applicable to evolt.

I'm already monitoring Drupal security updates and usually manage to
apply security updates the same or next day (occasionally longer if
they come out late on a Friday, I don't get to work weekends). I'd be
happy to take on board some responsibility for keeping Drupal and
modules up to date.

Adrian
--
Phone: +44 1382 541 586 or +44 131 208 0840
e-mail <mailto:adrian at perlucida.com>
AOL/Yahoo/Skype/Gizmo ID: perlucida
Web Site <http://perlucida.com>