Automatic Updates

It's not exactly automatic (which would scare me anyway), but i use the http://drupal.org/project/drush module and it works great.

This is a feature that's very well implemented in SMF, without requiring that the site be put into maintenance mode.

I use it on my client sites, and it's working great for handling core updates. It's called Aegir, and although it takes a little time to set up (took me around 30 mins) once that's done it drastically improves my speed of maintaining multiple Drupal installs. :) Check out the video to get an idea of how it works.

http://groups.drupal.org/aegir-hosting-system

And once this module (plugin_manager) gets done, we'll have an easy way of updating our modules too! :)

Hope that helps,
-dellintosh

I do not see even one real "argument" against an automated update. All the points given above are just matters of personal preferences. I cannot even see one real technical reason against auto-updates.

As there is a detailed description for a systematic procedure to update a drupal installation, I cannot understand why it should not be possible to put this into a piece of software. It sounds arrogant to me, to claim that all drupal-webmasters shall be able to handle the updates as easygoing as the "I-am-a-guru-I-do-not-need-auto-updates" experts.

For me, it ended up that way, that I finally abandoned all drupal updates - it was to much effort and I hit problems twice due to a step I missed in the update procedure.

AND THAT'S FOR SURE THE BIGGEST SECURITY RISC.

I finally switched over to WP for that reason, which is a real pity: from a conceptual point of view I really prefer drupal, but the inconveniences and security-riscs associated withg manual updates prevent me from using it.

The bottomline is: Drupal Is missing a safe update procedure that does not pose the riscs of manual work. It is therefore risky to use Drupal for a website.

Many PHP based open source give you capability to update the module or even core by using the simple browser.
Does any one have a pointer on why Drupal does not allow this considering it has such a great talent pool and large following.

This is an interesting topic because I sometimes want to move on from client projects without the worry of whether they can handle the task of site maintenance. At the time, it does keep my involvement fresh and on a customer-relations level it helps build rapport.

In my opinion, Drush makes for the easiest means to update Drupal.

Although it requires an understanding of command-line, Drush really helps to simplify download and installation processes. Drush does conduct core updates, and together with Drush Make it is possible to prescribe Drupal installations, pulling together resources from separate locations. The steps are simplified with the parse of a single text file. The sources the text file names are then downloaded. Per the Drush Make project page: "In practical terms, this means that it is possible to distribute a complicated Drupal [package] as a single text file."

For instance, I develop on a test server to make sure that everything is satisfactory, and then I create backups of web sites and transfer to the web servers. Many of the popular web hosts provide a command-line shell for file transfers while I'm at it. I also like FTP. Check out various resources online like this one. Ciao!

I would suggest using Acquia's (Dries's company) distro of Drupal. http://acquia.com. It comes loaded with more than the core, and has auto updates.

This is being called for in other places. From Google I got here. Generally if the community is going to develop something it really needs to be in the issue queue.

"What Drupal badly needs but doesn't have is an automatic updater that rolls out security updates by default."

http://nakedsecurity.sophos.com/2014/10/30/millions-of-drupal-websites-a...

I couldn't find a related issue queue about this, so created https://www.drupal.org/node/2367567

Since Drupalgeddon I started with a concept of a service to automate Drupal updates "from the outside" (instead of a module that updates Drupal itself "from the inside". Some important criteria was to integrate the update process with our development and deployment workflow as well as automated re-applying of patched modules/core/themes.
Beside Drop Guard is a service I also opened the concept in a blog post in case someone is interested in details. It can be found at http://www.erpal.info/blog/blog/drupal-security-how-to-deliver-drupal-up...

I am very happy about any feedback or requests for personal demos hopefully to make the Drupal eco-system more secure.

Everyone has rationales as to why this isn't necessary, but as someone who has to manage over 40 sites, some not hosted on platforms with SSH access or drush installed, it is time-consuming and frustrating given that the WP sites I manage take care of this all by themselves. This is the kind of project that needs a major developer sponsor because it needs to be done right, but we're operating in isolation from the larger developments in CMS. While Drupal 8 uses best computer science practices for a framework, it sucks at ease of use. Meanwhile WordPress keeps getting better and better and easier and easier.

Look at how easy it is to install a plugin in Wordpress compared to Drupal. Is it easy in drupal with drush? Yes, but WP has a command-line installer like drush, and a UI installer that allows users to browse plugins and install them right from within their site.

We can attempt to rationalize away all the reasons auto-updating is a bad idea, or not necessary, but one of the key reasons Wordpress is so popular is because it is incredibly easy to set up. Is it developed using programming best practices? Not even close. Does it work well? Yes. Is it getting as powerful as Drupal? Yes. It gets harder and harder to justify using Drupal when a tool is emerging that is proving more nimble and user-friendly.

That said, I suppose it is possible to set up a shell script and cron to develop a "poor mans" security updater. A script that runs

cd /web-root
drush sql-dump > ../backup-drirectory/$(whoami).sql 
#in my case most of my sites are chrooted under their own linux user accounts
drush up --security-only -y > logfile.log

would be a good start.

The infrastructure is all there for this to work, but it would require several keen minds working on the issue to develop it.

I started working on a service which uses your github repository (with your Drupal code inside) to automatically provide pull requests with new versions of modules. It's still in a very early state, but it can be found here: https://drupdate.io. Feel free to try it out and send me your feedback.

I think there are services like https://www.mydropwizard.com/ and https://www.webotics.io who does the same thing for you, I assume both do it manually so there are human hours associate with the process. Fully automated process might not be ideal with current versions of Drupal I believe (D7 and D8, D9 could be better who knows)

One of the things I'm noticing with Drupal's direction of travel is that it's making life increasingly difficult for anyone on shared hosting. Access to the command line seems to be a minimum and most themes now require node-tools which just don't exist on servers unless you pay for them.

I'm not a big developer, I develop a few sites occasionally for friends and family because I know how to do it and because it's fun and because I know my way around HTML/CSS. Unfortunately, I'm getting the impression that Drupal does not like me.

This topic is very much in that vein. Yes, if you have access to your own server, updating is easy, and now there are auto-update tools that can be bought in. I even get why an auto-updater from within Drupal is considered a security risk.

However, could those of us who don't do Drupal as our day job and don't have access to the countless tools you all seem to take for granted actually have something too, please? Because I'm still sure that, at my end, an automatic updater is better than not having one, and the more I look into writing websites, the more I'm convinced being a one person web dev IS a security risk. Yet, somehow, didn't everyone start here? Or am I missing something?

It seems notable that this thread has existed for eight (8) years.

For Drupal7 neither core nor module updates have historically been relatively straightforward.

For Drupal7, I long ago achieved the ability to maintain a master superset of Drupal7 core and numerous modules, so that a single primary update could be done, and then an archive of that copied to every Drupal7 site, where only the .htaccess, settings.php, php.ini and a few other files needed to be kept in place after copying in a fresh code archive.

For Drupal7, mass module updates are easily accomplished right from the admin GUI as well, including automatically going to the update.php script page for database updates, making that a relatively straightforward process once it is well understood by a maintainer.

For Drupal7 even with patched versions of certain modules, maintaining a standard superset code archive across dozens of Drupal7 sites is possible, even with a different theme running in each one.

-----------------------
For Drupal8 maintenance, everything changes.

As has been noted, CLI access is a mandatory prerequisite.

When the CLI composer utility - composer update - command works alright it can be relatively painless, but when composer runs into problems, composer is very brittle, unforgiving, and a real annoyance.

As others have noted, the composer utility is also a huge memory hog, in addition to being an - issue command - and check back in half an hour type of affair, even on a Xeon powered server with SSD hard drive, and many GBs of memory.

One response to the above is that it was a huge mistake to essentially have reinvented Drupal in Drupal8, with an architecture of dependencies to complicated it needs automation to keep track of them. Then when the automation tool is as poorly constructed as is the composer utility, the problems are compounded.

IMO, the composer utility is ungainly, archaic, software that smacks of something thrown together back in the 1970s. Modern 21st century software, including CLI utilities, should understand and fix the problems ti encounters on its own, rather than just reporting the problems it encounters and giving up, which is what the composer utility does when it encounters problems. A truly well written "composer" utility, (should have been named conductor), would better understand the underlying dependencies it is supposed to maintain and be able to adjust configuration files and make choices on its own, while at the same time being able to actually inform users how to resolve any conflict it finds, rather than only reporting them.

-

For those of us with appropriate servers and CLI access, it is possible to live with the failings of Drupal8's maintenance design.

However, I have to admit that I am still in the stage of using Drupal8 only for research and development, but not for production websites, not just because of the composer utility matter, but because there are just too many gaps in the contrib module area to make Drupal8 workable at this point in time ( Commerce being a big part of that gap).

-

Notwithstanding all the foregoing, IMO, CMS software needs to be as user friendly and GUI oriented, even at the admin level, as the GUI friendliness the websites it builds hope to present to public website visitors.

Hi,

The solution which I'm working on, Drupdate, is already running on 4 platforms (powering about 10 sites) and so far has been really a timesaver for me, as it does the module updates semi-automatically, providing a PR automatically each time a module needed update.

I am in the process of offering it as a service, https://drupdate.io. I really hope it can be an added value for you and your projects. If you think it can, let me know by subscribing to the mailing list on https://drupdate.io.

#2940731: Automatic Updates Initiative overview and roadmap has recently been launched.

For D8, it's possible to export the configuration of the site, including the list of enabled modules. Can't this configuration be used to pull that module from the git repository? I think even shared hosts allow you to have files uploaded by your site scripts. This would, in theory, replace the need for composer, as far as installing contributed or other publicly hosted module and theme repos.  Is there already a module in place that does something similar to this, and if not, how difficult would it be to create one (that conforms to Drupal 8 and OOP standards, of course)?