1

Topic: Security Updates by Drupal example

Due to millions of websites hit by the Drupal hack attack, is there any plan for Wolf CMS to support centralized updates? Perhaps taking advantage of Git to handle the files and load, leaving Wolf CMS installations to check for updates (then implementing them).

Perhaps this is something that ultimately benefits Wolf developers that have more than one or two websites built with Wolf CMS. As such, couldn't such a feature help those Wolf developers that use Wolf CMS for client projects, appreciate and influence, the need to financially support the Wolf CMS platform (who already aren't - as much as it embarrasses me, my director has no moral inclination to donate towards Wolf CMS as of yet).

If it is feasible, it could be useful to poll (as seen often on these forums) what actual Wolf developers' concerns could be, to ensure such an update system works for them (after all, I know I cannot be the only Wolf developer that has a plethora of older Wolf CMS versions running, which could have teething troubles without better support for the database schema changes that happened a year or two back).

Last edited by BlueWolf (2014-11-01 12:01)


2

Re: Security Updates by Drupal example

Hmmm... this requires a multi-part answer. :)

Easy reply first: As for finances, less than 1% of Wolf CMS users actually contribute financially. So, eurh... I guess you shouldn't feel embarrassed too much.

I've been thinking on how to do (semi) automated upgrades and came to these conclusions:

1) A user would have to update the files on disk first. This could be done using a git deployment strategy. If you're adventurous, a simple "git pull" would be enough.

To enable this, we need a stable/latest release branch. Our master branch is in fact just that. All dev work goes on in the develop and the feature branches.

2) Having Wolf update itself would require the system to have write access on disk. Something I'd loathe to ask for. I consider that a major security risk.... but perhaps I'm being overly cautious there, I don't know.

3) I'm working on automating DB upgrades. Wolf would check what release it is and what release the DB supported. If needed, Wolf would automatically upgrade the DB using something like http://phinx.org/ or https://github.com/ruckus/ruckusing-migrations

While it is technically possible to try and do automated upgrades triggered by a commit (for example) in the core's GitHub repos, I don't feel that is desirable for many people nor particularly safe.

So, long story short, I believe the best we can do is make it as painless as possible to upgrade but still having you as the user be responsible for triggering the update after you've done a backup.

That being said, I'm also working (when I have time) on a Docker-based version of Wolf CMS. This would simplify upgrades a lot as you'd simply restart your site's Docker container using the latest build and it'd upgrade the DB automatically using the aforementioned systems. It'd still have to be triggered by you though, not Wolf.

Does this answer your question?!? :)

Wolf CMS founder and lead developer
Please always check the Support forums and Wiki before asking. (My Ohloh account.)
Like Wolf CMS? Consider making a financial contribution or see our financial report first.
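
The version check described in point 3 of the reply above, as an added example that is not part of the original post and is not Wolf CMS, Phinx or Ruckusing code: the release the code expects is compared with the version recorded in the database, and pending migrations are applied one transaction at a time. The `schema_version` table, the migration statements and the use of SQLite are assumptions made for the sketch.

```python
import sqlite3

# Constructed migrations (hypothetical schema): version -> statements reaching it.
MIGRATIONS = {
    1: ["CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT)"],
    2: ["ALTER TABLE page ADD COLUMN slug TEXT"],
    3: ["CREATE INDEX idx_page_slug ON page (slug)"],
}
CODE_RELEASE = max(MIGRATIONS)  # schema version this code release expects


def open_db(path=":memory:"):
    # isolation_level=None: we issue BEGIN/COMMIT ourselves, one per migration.
    return sqlite3.connect(path, isolation_level=None)


def db_version(conn):
    """Return the schema version recorded in the DB (0 for a fresh one)."""
    conn.execute("CREATE TABLE IF NOT EXISTS schema_version (version INTEGER NOT NULL)")
    return conn.execute("SELECT MAX(version) FROM schema_version").fetchone()[0] or 0


def upgrade(conn, target=CODE_RELEASE):
    """Apply pending migrations in order; return the versions applied."""
    current = db_version(conn)
    if current > target:
        # Files were rolled back but the DB was not: stop instead of guessing.
        raise RuntimeError(f"DB schema {current} is newer than code {target}")
    applied = []
    for version in range(current + 1, target + 1):
        conn.execute("BEGIN")
        try:
            for statement in MIGRATIONS[version]:
                conn.execute(statement)
            conn.execute("INSERT INTO schema_version (version) VALUES (?)", (version,))
            conn.execute("COMMIT")
        except Exception:
            conn.execute("ROLLBACK")  # a failed step leaves the DB at the last good version
            raise
        applied.append(version)
    return applied


if __name__ == "__main__":
    # Run by the site owner from the CLI after a backup, not by a web request.
    print("applied:", upgrade(open_db()))
```

Because the runner only needs database credentials, the web server account can stay without write access to the application files, which is the concern raised in point 2.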

3

Re: Security Updates by Drupal example

Interesting Q&A - and it reminds me of something that I think we have raised tentatively over the years ... maybe time to ask again?

The only bits of the upgrade that I find a nuisance are saving and restoring my "third party" plugins and (much fewer) helpers. If we could have a "user" area for these, and simply replace "/wolf" as otherwise in recent upgrades, that would be wonderful! (IMO)

That's not so much a security concern as an "ease of upgrade" thought, but perhaps it connects at some level with BlueWolf's thinking.

Using Wolf CMS professionally and for profit? Please consider supporting Wolf financially. Thanks!

4

Re: Security Updates by Drupal example

mvdkleijn wrote:

Does this answer your question?!? :)

Yes it does, thanks Martijn. The scope of how this can technically be done is not so important (at least not for me) but seeing you demonstrate a clear effort in considering this problem, is equally appreciated and valued. Regarding user-prompted updates, I am cool with this. It works very well with WordPress for example, but do you think there really is no way to safely support updating files on most servers?

David wrote:

ease of upgrade

This is indeed something all CMS have to contend with; user expectations brought about by competitive CMS products. Ease of using, backing up, upgrading ... creating custom plugins to aid with this ease for real-world admin users, is exactly where Drupal sucks and hence why I wanted to see what long-term plans were being factored in.


5

Re: Security Updates by Drupal example

@David - good point. I must say that I do overwrite the entire /wolf with 3rd party plugins and I never had any issues except with CKEditor from time to time but that can be easily fixed. In any case, I support the idea!

@BlueWolf - Indeed it works but not every time. I had to pull a backup once 'cause the auto upgrade screwed everything. That happened only once. The bigger problem here is plugins and config.php which is locked.

Tutorials at Project 79 | Wolf CMS Docs