Problem/Motivation
When a security update comes out sites are upgrading slowly. You can see this by looking at the usage metrics for popular contrib modules that have had a security release: http://drupal.org/security/contrib. This problem also affects Drupal core.
There are probably several reasons why a site maintainer doesn't upgrade quickly:
- Security releases (for contrib) most often also include bug and feature changes complicating an upgrade
- Lack of perceived risk or effectiveness to the vulnerabilities
- Not knowing or seeing that an update is available
Proposed resolution
Each reason should be addressed, but reasons 3 (and possibly 2) are in the realm of Drupal core through UI or API changes.
- GET DATA - poll and user testing, coltrane will begin on this
- Analyze it
- #1094018: Improve relevancy of security update notifications within your Drupal site
To address reason 3 it would be beneficial to have some user data on how well users are able to navigate and understand the available update pages in core. I plan to help setup some user testing to collect some data.
Related: #1254128: Unify update pages
Comments
Comment #1
coltraneUpdating title to not limit this to contrib modules. Core also lags behind http://drupal.org/project/usage/drupal
Comment #2
webchickTagging to get on the UX team's radar. Good initiative!
Comment #3
webchickIncidentally, the way that most desktop/mobile programs handle this is they inform me "We've just updated $foo application. Click here to restart." or else "BZZZT. You can't enter until after you've updated." I'm not sure if we could get away with exactly that here, but there's a very far cry from that and what is needed to perform upgrades today.
It might be worth a poll of some kind (maybe on g.d.o/core) to get broader feedback into the "Why don't you upgrade?" question. Off-the-cuff, I would say those reasons boil down to something like:
- Lack of education on the core/security update schedule to know when to look for updates.
- Upgrading core is a difficult and time-consuming manual process (#606592: Allow updating core with the update manager would help).
- Lack of education about the automatic upgrade capability in Drupal 7+ for contrib modules/themes.
- On a typical site with 50+ contrib modules, update notifications come out so frequently that e-mails about available upgrades get ignored.
- Unlike "Extensions/Apps" in browsers, mobile OSes, etc. upgrading a module can have complex ripple effects and is not a one-click operation, but requires setting up a test site, backing up your data, praying, etc.
Most of these are not easy to fix. :\
Comment #4
Heine CreditAttribution: Heine commentedThe security update rate is only important for issues that affect sites. It's reasonable to keep a vulnerable module around when that vulnerability doesn't affect the site.
As a personal interest I mailed some people that reported being exploited via the ckeditor issue (fixed way March 2012) why the site was running old code. A few responded. A lot of sites still haven't updated btw.
Select quotes:
Comment #5
webchickThose are great data points, Heine. Thanks.
Comment #6
Mark TrappTo expand on this point in #5:
I took a look at all the security advistories for Drupal 7, and based on the information provided:
SA-CORE-2011-001
Two issues:
SA-CORE-2011-002
One issue, mitigated by not using a contrib node acccess module.
SA-CORE-2011-003
One issue, mitigated by not using private files.
SA-CORE-2012-001
Three issues:
SA-CORE-2012-002
Five issues:
Due to the first two issues, this one is the first, affects-all-Drupal-sites-upgrade-right-away security advisory and corresponds to Drupal 7.13.
SA-CORE-2012-003
Two issues:
This is the second issue that's a definite upgrade and corresponds to Drupal 7.16.
SA-CORE-2012-004
Two issues:
SA-CORE-2013-001
Three issues:
This is the third issue that is a definite upgrade and corresponds to Drupal 7.19.
So, unless the security advisories are downplaying the critical nature of the security updates, there were only three security updates that every Drupal site should've upgraded regardless of their own situation: 7.13, 7.16, and 7.19 (7.19 just came out yesterday, so it's not really possible to judge its adoption rate).
Otherwise, unless you're using private files, one of the optional features Drupal core provides (book, forum, aggregator, color, etc.), or a contrib access module, there didn't seem to be anything compelling other than if you needed bugfixes for contrib compatibility.
If it is the case that the security advisories don't convey how critical the issues are for people where the mitigating factors apply, then it's definitely an education problem. Otherwise, any more nagging just becomes white noise: it's like the boy who cried wolf. Even the current situation is annoying and borders on being more noise than signal:
This is all to say that rather than throwing up more roadblocks or more nags or more information at people, maybe we can improve the signal to noise ratio:
Anyway, I know this was long: software administration—including a few dozen Drupal sites—has been part of my job description for several years and I've had a lot of time to think and stew about all the nagging. :P More of it doesn't make the job any easier, so I figured I had to say something.
Comment #7
gregglesI think the desktop software solution of downloading/installing for you is an example of a fundamental idea: make it easier to upgrade. There are lots of things we can do to help with that, but they are probably all small wins compared to the level of effort required to achieve them.
re #6: One trick about assigning "critical" levels is that something that is not critical to a certain site might mean certain business failure on another. There are definitely a few things we can try to add update module and the associated xml feed to reduce the noise it creates:
* A sense of trusted roles on a site and then the permissions to exploit becomes a field in the xml feed, that way update can know if an untrusted role has the permission to do something bad.
* A boolean in the xml for "affects private files" and "affects sites with node access" and then update module can check to see if either is in use.
Those three additions would reduce the naggy-ness of update.module but it also puts additional work on the security team to figure out exactly which permissions are impacted (and we may not know them all, especially if custom code or a contrib does something).
I did a small review of Joomla! and Wordpress in this area - WordPress lists updates but doesn't nag you nor mention if any future updates are security related. The upshot is that the WP admins I talked to thought they were secure even though they had pending updates - they just didn't know that the pending updates were security related.
I do hope we can find some ways to improve this.
Comment #7.0
gregglesUpdated issue summary.
Comment #8
coltraneI'm updating this issue meta to better focus discussion first on the goals. I hope through feedback like Heine provides in addition to poll data (good idea webchick) and user testing we can come up with several solutions.
#6 Mark, thank you for the research and input.
I like the ideas of trying to improve the relevancy of updates for particular sites as Mark and greggles point out. A similar feature request exists already so I'm proposing that as a place to discuss that technical solution. #1094018: Improve relevancy of security update notifications within your Drupal site
Comment #8.0
coltraneUpdated issue summary.
Comment #8.1
coltraneUpdated issue summary.
Comment #9
David_Rothstein CreditAttribution: David_Rothstein commented