Remove "Download" link from Available Updates report

+1 from me. Those links are a relic of a bygone era.

Thanks,
-Derek

Self-assigning to implement.

Let's see what breaks.

In the meantime, I'm setting this to "needs review" to validate the approach I took, which is very conservative: I just removed the download link from the templates, not from anywhere else, since comes from quite deep in the update system and it seems pointless to explicitly unset the variable in a preprocess function. (Although maybe it does make sense to explicitly deprecate it -- is there a procedure for that?)

Furthermore, for the purposes of this issue, it seems like scope creep to actually remove the download_link variable from fetched project data. (Maybe there should be a follow-up for that?)

"Let's see what breaks."

All the tests that care about download links. 😅

Meanwhile, we shouldn't change stable or stable9 templates for this. Those are supposed to "never" change (except for exceptions for critical bugs, which this is not).

Otherwise, +1 to the basic approach. I agree with removing the links from the templates but leaving the variable processing in place. That's much less disruptive.

Thanks!
-Derek

Meanwhile, we shouldn't change stable or stable9 templates for this. Those are supposed to "never" change (except for exceptions for critical bugs, which this is not).

Hmmm, then does that mean people using those themes, or themes based on them, will see invalid download links??

Because that doesn't seem ideal. That seems actively bad to me, and contradicts the entire raison d'etre for this issue. What should we do?

It means themes built on top of stable get to consciously decide what fixes they want to make, but the "promise" that their base theme won't change out from under them is preserved. This identical point comes up over and over in trying to fix core bugs. By design, we're supposed to "leave stable broken", and sites opt-in to whatever fixes they want to make to their own templates. But we almost never change the stable templates for them.

The download links aren't "invalid", they're just not the recommended way to update your site. But if someone created a theme based on stable, that's up to them to decide, not us.

p.s. It's all a bit of a moot point, since the available updates report is from the admin theme, not front end, and it's even more rare that someone built an admin theme on top of stable. But still, the principles apply. If they did that, our promise is we don't break their templates out from under them. Even if "break" in this case is "fix a bug". I'd give you a list of 20 bug fixes I tried to make where I was advocating "how does leaving stable broken help anyone?", but I basically always lost such debates, and now I'm sticking with the "Thou Shalt Not Change Stable(tm)" line. 😅

Regardless of stable, we still gotta update tests here. NW. 😉

Instead of pushing match over NW, I just pushed the "fix" I was asking for. 😉 @tedbow can RTBC this, so I don't mind getting my hands dirty.

Random fail in Drupal\Tests\settings_tray\FunctionalJavascript\SettingsTrayBlockFormTest. Re-queued.

Draft CR to alert folks using stable they might want to change things:

https://www.drupal.org/node/3279359

I don’t think we need a release note snippet for this.

Sorry, xpost

Okay, I addressed all of your feedback, @tedbow. There are now assertions that the download URLs don't appear anywhere in the response, in any form. Reassigning to you for review.

Thanks! Handful of real test fails again, mostly like this:

1) Drupal\Tests\update\Functional\UpdateContribTest::testUpdateBaseThemeSecurityUpdate
TypeError: PHPUnit\Framework\Assert::assertNotContains(): Argument #2 ($haystack) must be of type iterable, string given, called in /var/www/html/core/modules/update/tests/src/Functional/UpdateTestBase.php on line 175

NW and unassigned for now. Maybe after breakfast I can work on this, but if Adam wants to before then, please do. 😉

Back to @tedbow for review.

Thanks! Not quite RTBC. Composing an MR review now.

Reassigning to @dww for review.

Thanks! commit 6ffcc360 looks great. I guess my hands are dirty for RTBC, so over to Ted to re-RTBC.

In Slack, @xjm requested a release note snippet.

Also, the MR branch needed a rebase to apply to 10.0.x.

That rebase was a little funny, since my copy correctly removed the changes to stable earlier in the history. So there were some cherry picks that no longer applied or made any changes. I think it's all set, but a fresh review would be good before we call this RTBC.

Committed to 10.1.x, 10.0.x, and 9.5.x, and published the CR. Thanks!

Also linking the instructions for switching to Composer.