Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.We should write down a policy for Dupal modules (if this does not exists yet) that they MUST fully support Update Manager (update module) with updates and update checks in Drupal or they get unpublished from d.o.
Maintainers not allowing online updates seriously risk security of Drupal sites and this should not supported.
Comments
Comment #2
hass CreditAttribution: hass commentedComment #3
MixologicIs there an example of a module preventing updates from happening? Update Manager support is a feature of D.O. and the project module, not of individual modules, and the only way I can think of whereby a module would not fully support the update manager module would be to deliberately *remove* support by implementing hook_update_projects_alter() and remove itself from the list of projects that need to check for updates, or by implementing hook_update_status_alter() and change the data returned from update status manager to always report the same thing.
I would agree that if somebody went to those lengths, their module should be unpublished.
Comment #4
mlhess CreditAttribution: mlhess as a volunteer commentedI could see someone using a project page to point to a repo on github. I think the only project that this has been allowed with is Drush. But drush is not really a module. There are projects like OG that use github for dev, but sync the repos back to drupal for releases. Since they do the releases on d.o they get update manager support.
Comment #5
hass CreditAttribution: hass commentedYes, drush is an exception as it is not a module.
But address module is a module and if you use update manager your site will break. The module intentionally to not support upgrades via update manager.
I think every module and theme must support this. It is not ok to point people to any other update processes drupal itself does not support as it means the module doeas not integrate with drupal core and does not support drupal core.
Comment #6
drumm#2753921: Disable update manager for Address
Let’s separate update manager, Drupal downloading and updating modules via its own UI, from update status, Drupal checking for updates, if at all possible. Update status is indeed vital. I think update manager is more unclear.
Modules that have dependencies that need to be downloaded/upgraded, either via Composer or not, won't currently work completely with update manager, which doesn't know how to get the dependencies. Handling that gracefully should be doable, although increasing reliance on Composer dependencies should get some solution.
Mixing and matching different ways to install/update projects on a single site won't end well. Threatening project maintainers with policies does not help. Work on #2755809: Modules require composer updates can crash sites after update via update manager is the best path forward I see.
Comment #7
drummI hadn't actually read #2755809: Modules require composer updates can crash sites after update via update manager yet when I commented.
A quick search shows #2477789: Use composer to build sites looks like the best core issue for this, with plenty of discussion.
I'm going to go ahead close this issue. If we do anything along these lines, I could see a security team policy of considering bypassing update status a security issue.
Comment #8
drummComment #9
Mixologichttps://www.drupal.org/node/2494073 Is where the notify the end user about their unmet dependencies exists.