Just imagine... automatic updates in Drupal core.
Such a feature would put an end to all those never-ending debates and ongoing discussions taking place in the Drupal community about the expectations and concerns with implementing such an auto-update system.
Moreover, it would be a much-awaited upgrade for all those users who've been looking for (not to say “longing for") ways to automate Drupal core and modules for... years now. Who've been legitimately asking themselves:
“Why doesn't Drupal offer an auto-update feature like WordPress?”
And how did we get this far? From idea to a steady-growing initiative?
first, it was the need to automate Drupal module and security updates
then, the issues queues filled with opinions grounded in skepticism, valid concerns and high hopes started to “pile up” on Drupal.org,
then, there was Dries' keynote presentation at Drupalcon Vienna in 2017, raising awareness around the need to re-structure Drupal core in order to support a secure auto-update system
… which grew into the current Auto Update Initiative
that echoed, recently, at Drupal Europe 2018, during the “Hackers Automate, but the Drupal Community still Downloads Modules from Drupal.org” session
Many concerns and issues have been pointed out. Many questions have been added to the long list.
Yet, one thing's for sure:
There still is a pressing, ever-growing need for an auto-update feature in Drupal...
So, let me try to answer my best to some of your questions regarding this much-awaited addition to Drupal core:
What's in it for you precisely? How will an auto-update pre-built feature benefit you?
Does the user persona profile suit you, too? Is it exclusively low-end websites that such a feature would benefit? Or are enterprise-level, company websites targeted, as well?
What are the main concerns about this implementation?
1. The Automatic Updates Initiative: Goal & Main Challenges
Let's shift focus instead and pass in review the inconveniences of manually installing updates in Drupal:
it's can get risky if you don't know what you're doing
it can be an intimidatingly complex process if you have no dedicated Drupal support & maintenance team to rely on
it can get quite expensive, especially for a small site or blog owner
See where I'm heading at?
This initiative's main objective is to spare Drupal users of all these... inconveniences when it comes to updating and maintaining their websites. Inconveniences that can easily grow into reasons why some might get too discouraged to adopt Drupal in the first place.
The goal is to develop an auto-update mechanism for Drupal core conceptually similar to those already implemented on other platforms (e.g. WordPress).
And now, let's dig up and expose the key challenges in meeting this goal:
enabling update automation in Drupal core demands a complete re-engineering of the codebase; it calls for a reconstructing of its architecture and code layout in order to support a perfectly secure auto-update system
such an implementation will have a major impact on the development cycle itself, causing unwanted disruption
such a built-in auto-update feature could get exploited for distributing and injecting malware into a whole mass of Drupal websites
2. Automatic Updates in Drupal: Basic Implementation Requirements
What would be the ideal context for implementing such a perfectly secure auto-update system?
Well, its implementation would call for:
multiple (up to date) environments
released updates to be detected automatically and instantly
an update pipeline for quality assurance
existing automate tests with full coverage
a development team to review any changes applied during the update process
3. How Would These Auto-Updates Benefit You, the Drupal User?
Let's see, maybe answering these key questions would help you identify the benefits that you'd reap (if any):
is your Drupal website currently maintained by a professional team?
has it been a... breeze for you so far to cope with Drupal 8's release cycle (one new patch each month and a new minor release every 6 months sure claim for a lot of your time)?
have you ever got tangled up in Composer's complexities and a whole load of third-party libraries when trying to update your Drupal 8 website?
did you run the Drupalgeddon update fast enough?
have you been secretly “fancying” about a functionality that would just update Drupal core and modules, by default, right on the live server?
To sum up: having automatic updates in Drupal core would keep your website secured and properly maintained without you having to invest time or money for this.
4. Drupal Updating Itself: Main Concerns
And concerns increase exponentially as the need for an update automation in Drupal rises (along with the expectations).
Now, let's outline some of the most frequently expressed ones:
there is no control over the update process, no quality assurance pipeline; basically, there's no time schedule system enabling you to test any given update, in a development environment, before pushing it live
there's no clearly defined policy on what updates (security updates only, all updates, highly critical updates etc.) should be pushed
with Drupal updating itself, rolling back changes wouldn't be possible anymore (or discouragingly difficult) with no GIT for version control
again: automatic updates in Drupal could turn into a vulnerability for hackers to exploit for a mass malware attack
there's no clear policy regarding NodeJS, PHP and all the JS libraries in Drupal 8, all carrying their own vulnerabilities, too
it's too risky with all those core and module conflicts and bugs that could break through
such a feature should be disabled by default; thus, it would be every site owner's decision whether to turn it on or not
could this auto-update system cater to all the possible update workflows and specific behaviors out there? Could it meet all the different security requirements?
So, you get the point: no control over the update pipeline and no policy for handling updates are the aspects that concern developers the most.
6. Does It Cater for Both Small & Enterprise-Level Websites' Needs?
There is this shared consensus that implementing automatic updates in Drupal core would:
not meet large company websites' security requirements; that it would not fit their specific update workflows
benefit exclusively small, low-end websites that don't benefit from professional maintenance services
Even the team behind the automatic updates initiative have prioritized low-end websites in their roadmap.
But, is that really the case?
Should this initiative target small websites, with simple needs and writable systems, that rarely update and to overlook enterprise-level websites by default?
Or should this much-wanted functionality be adjusted so that it meets the latter's needs, as well?
In this case, the first step would be building an update pipeline that would ensure quality.
What do you think?
7. How About Now?"What Are My Options for Automating Updates in Drupal?"
In other words: what are the currently available solutions if you want to automate the Drupal module and security updates?
7.1. You Can Use Custom Scripts to Automate Updates
… one that's executed by Jerkins or another CI platform.
Note: do bear in mind that properly maintaining a heavy load of scrips and keeping up with all the new libraries, tools, and DevOp changes won't be precisely a “child's play”. Also, with no workflow and no integrated tools, ensuring quality's going to be a challenge to consider.
7.2. You Can Opt for a Drupal Hosting Provider's Built-In Solution
“Teaming up” with a Drupal hosting provider that offers you automated updates services, too, is another option at hand.
In this respect, solutions for auto-updating, such as those provided by Pantheon or Acquia, could fit your specific requirements.
Note: again, you'll need to consider that these built-in solutions do not integrate with your specific DevOps workflows and tools.
And my monologue on automatic updates in Drupal ends here, but I do hope that it will grow into a discussion/debate in the comments here below:
Would you turn it on, if such a feature already existed in Drupal core?
It depends on whether...