So I'm at this Drupal event in Chicago, Illinois and the place is full of developers extolling the virtues of Drush. 'It's so convenient', says one of the developers.

When I showed him how easy it is to install and update contrib modules using the GUI menu-based commands, he took one look and suddenly changed his argument from 'convenience' to 'security'. Installing or updating contributed modules by just clicking on a link, he claimed, was 'insecure'.

I wasn't impressed. I've heard the 'it's all about security so stop using common sense' excuse before.

I told him my first installation of Drupal was almost 10 years ago (2004 to be exact) and that if the price of entry at that point had been using a command line system like Drush, we wouldn't be talking about Drupal in this day and age.

"But, but," he replied, "Drupal -- Drupal! -- is going Enterprise".

"Yeah right", I replied, "just like Oracle Corp".

So here's the usability question du jour: Why can't I update my version of Core by simply clicking on a link -- just like I update a contrib module? Why isn't this planned for D8? The developers over at WP have figured this out, yet when I asked the same question to the guy at the Drupal Event at Chicago, he didn't even know what I was talking about.

WTF?

Comments

Jaypan’s picture

So here's the usability question du jour: Why can't I update my version of Core by simply clicking on a link -- just like I update a contrib module?

Because no one has built that functionality. Sounds like a good add-on module for those who want it (I wouldn't trust an automatic updater to update core myself, but others would)

Why isn't this planned for D8?

Lack of demand I would imagine. If enough people wanted it, it would be part of the planning.

The developers over at WP have figured this out

Well, that's a matter of opinion. I've talked to a few WP developers who have updated automatically and it has broken their site. So I'm not sure that you can claim fully that it's been figured out at WP, rather they've come up with a method that sort of works a lot of the time.

leoklein’s picture

First, thanks for the reply.

Second, remember the guy didn't even know what I was talking about.

Third, 'Lack of demand'? Really? You really think the alternative -- ie. having to download a zip file, decompressing it and then uploading all the files back up to one's server -- is something your average user prefers? Sounds like we need to do a bit more user surveys to say the least.

Fourth, WP : "broken their site" -- oh come on, there are a lot of reasons this could happen on WP. The bottom line is that Drupal since D7 has given users a Graphic User Interface (GUI) that allows the updating of Contrib Modules that could just as easily 'break their site'.

The fact that some sort of similar 'one-click' update for Core isn't even in the cards is really a sad comment -- not on WP but on the direction Drupal seems to be heading. The fact that you can do this in Drush (which might be a problem and break the site as well) but you can't do it using the GUI -- again raises questions as to what direction exactly this project is heading.

Jaypan’s picture

Second, remember the guy didn't even know what I was talking about.

Was he a representative of the Drupal association? People know as much about Drupal as they do, or don't. There are a million things I don't know about it, that if you asked me a question I wouldn't know the answer to. But I know Drupal very well. No one knows everything. You seem to be holding this guy up to a non-existent standard. There is no Drupal certification that I've ever heard of (though this could be one of those million things I don't know about).

Third, 'Lack of demand'? Really? You really think the alternative -- ie. having to download a zip file, decompressing it and then uploading all the files back up to one's server -- is something your average user prefers?

I can't speak for the average user. But I do it using a combination of wget and drush, and I can update a Drupal installation, both locally and on my server, in about two minutes. Many Drupal developers are using Drush, and for those that don't like the zip method, the Drush method is there to use.

Now as to the lack of demand, I've heard this mentioned maybe two or three times ever, so it wouldn't appear there is a lot of demand for the functionality. Maybe you can find something to show there is demand?

Fourth, WP : "broken their site" -- oh come on, there are a lot of reasons this could happen on WP.

Exactly - and they do, which breaks sites. Drupal is extremely complicated, and for that reason a core updater would be dangerous, because it would most definitely break people's sites at times. And what do you think is going to leave people with a more bitter taste in their mouth - doing an update that takes a few minutes and works, or doing one that takes a few seconds and kills their site?

The fact that some sort of similar 'one-click' update for Core isn't even in the cards is really a sad comment -- not on WP but on the direction Drupal seems to be heading. The fact that you can do this in Drush (which might be a problem and break the site as well) but you can't do it using the GUI -- again raises questions as to what direction exactly this project is heading.

Well Drupal is definitely moving in a more enterprise direction, and will be even more for developers than previous versions have been. It's likely this will cause many users of Drupal to abandon the project. But, it will make the project more focused, rather than trying to be everything to everyone, which is a sure way to not be the perfect solution for anyone.

You may also want to look at BackDrop - a fork of Drupal from after Drupal 7, which is looking to be the next evolution of Drupal 7, rather than a serious overhaul like Drupal 8 is.

leoklein’s picture

"I can update a Drupal installation, both locally and on my server, in about two minutes. Many Drupal developers are using Drush, and for those that don't like the zip method, the Drush method is there to use."

Exactly. The convenience is all one-sided. Soon for us Site Builder types it's going to be Bye-bye Drupal. Command-line interfaces are not the answer.

Jaypan’s picture

Yeah, I agree. I think that over the next couple of Drupal releases, the Drupal site-builders will definitely decrease in size as the complexity, and developer-focused features both increase.

But for those people, Backdrop is looking like a good alternative.

WorldFallz’s picture

just an fyi.... you can update core (minor releases only), with drush with a single simple command ('drush up drupal' iirc)

leoklein’s picture

Thanks for the response.

I realize this. What's disturbing is the Drushization™ of what used to be a Graphic User Interface (GUI). There is nothing modern or simple about command-line management -- it's just that a certain sector of the user-base happens to be used to it.

Yes, it's 'easy' then to do this in Drush. It would also be easy (at least to imagine) minor updates to Core being updated simply by checking a box and clicking on a button marked, 'Update'. (As is done in WP).

My question is, since when was Drush the UI de choix for Drupal? And shouldn't people be concerned about this?

WorldFallz’s picture

It's not just about easy-- in the case of core, more weight is given to security. drush is secure in ways doing things through the browser probably can never be.

leoklein’s picture

Sorry, but I have to laugh. I've been hearing that line of argument -- "it's wysiwyg-gui-etc. so it's less secure; and it's command-line so it's more secure" -- for close to 20 years. Apparently WP knows nothing about this vulnerability because they have exactly the push-button upgrade of minor revisions to core that I'm talking about.

But again, it's not so much the absence of such an obvious feature that's important -- I mean, I've been updating core through FTP for close to 10 years. It's just a troubling comment on where this CMS may be heading.

WorldFallz’s picture

Now it is I that has to laugh-- because wp does something that means it must be secure, lol. Really? Harkens me back to the old 'if your friend jumped off a bridge, would you?' of childhood.

In all seriousness though, that argument was made in the issue this was discussed and iirc, it was pointed out that wp was in fact, insecure in its methods. I looked, but I am unable to find the issue that discusses this. Just pop into IRC when you have a chance, I'm sure someone there could link it or explain it.

leoklein’s picture

"Just pop into IRC.."

Why bother when I can get a more dependable explanation from the WP'ers themselves? No doubt they believe this little piece of sensible convenience is a huge security hole.

WorldFallz’s picture

just when I thought this might actually be a real discourse. wp is great, drupal sucks, fine whatever, lol. but then one has to wonder why so many 'satisfied' wp users find themselves using drupal, and 'helpfully' pointing out why wp is so much better on drupal.org, lol.

nothing new to see here folks... keep moving...

leoklein’s picture

Um, except I'm number #16403 and you're #155304.

When the early adopters start running from you and all you have to say is:

"nothing new to see here folks... keep moving..."

I'd say it's time to be really really worried.

Jaypan’s picture

You keep saying 'it's worrying', and 'it's time to be really worried', but you haven't explained why. What is worrying? What should we be worrying about? And why is it time to get worried?

WorldFallz’s picture

lol, your logic actually reinforces my point. You're an early adopter, you seem to be of the opinion drupal sucks, and yet here you still are, lol.

Look, I'm not saying there's not a lot of flaws or a lot of room for improvement. There is. I think even Dries would agree. However, in spite of all its flaws, given what's out there now, there simply is no comparable product/cms/cmf, whatever you want to call it, with the power and flexibility of drupal. For sites that simply can't be done with wp (and that's all i do-- web apps, not web sites), drupal still reigns supreme.

And I'm not sold on the 'enterprisification' of drupal or the move to symfony components yet. For me the jury is still out and I'm keeping an eye on backdrop. i'm no 'fanboy', lol.

But in this case, of your specific example of updating, it's just plain off base.

And thanks to jay for stating the technical reasons I couldn't find.

Jaypan’s picture

Sorry, but I have to laugh. I've been hearing that line of argument -- "it's wysiwyg-gui-etc. so it's less secure; and it's command-line so it's more secure" -- for close to 20 years.

Actually, the ssh protocol used through the command line is inherently more secure than both the http and ftp protocols. This isn't a matter of debate, it's known fact. FTP and HTTP are both insecure protocols, susceptible to being intercepted and hijacked. SSH creates an encrypted tunnel between the two devices that prevents the data from being understood at all even if it is intercepted.

There is a reason you've been hearing it for close to 20 years... because it's correct.

Jaypan’s picture

There is nothing modern or simple about command-line management -- it's just that a certain sector of the user-base happens to be used to it.

Actually, it's extremely simple. The only people who think it isn't are those who have never sat down and tried to learn the command line. I taught my employee, who had never touched a terminal in his life, how to use drush and git in literally less than two hours. And it's not 'not modern' - the terminal has never gone out of style, it's always been the main interface for 'nix servers, it's just that if you've never used one, it may seem like something you only ever saw in '80s movies.

My question is, since when was Drush the UI de choix for Drupal?

It's been that way a few years now - it wasn't as much in use when I first started using Drupal in 2007, but it's gotten more and more in use since.

And shouldn't people be concerned about this?

Well, obviously you think people should, but why?

leoklein’s picture

"The only people who think it isn't are those who have never sat down and tried to learn the command line."

It's "extremely simple" -- but you have to sit down and learn it? The irony is overwhelming.

"Well, obviously you think people should, but why?"

This is easy : just imagine if Drupal had started out as the CMS de choix for a bunch of command-line drushshistas™. We wouldn't be talking about it now.

Certain characteristics highlight systems that have a future -- and certain characteristics are warning signs of hard times to come.

Again, I'm talking about site-building.

Jaypan’s picture

It's "extremely simple" -- but you have to sit down and learn it? The irony is overwhelming.

Unless you are somehow blessed with immaculate know-how, then yes, you need to sit down and learn it. Same as you have to sit down and learn how Drupal works in the first place, and how you have to sit down and learn how certain modules work (Views, Rules, etc). If you don't like sitting down and learning things, Drupal is not the right CMS for you. And the sheer number of Drush users should show you that it's not that hard to learn.

This is easy : just imagine if Drupal had started out as the CMS de choix for a bunch of command-line drushshistas™. We wouldn't be talking about it now.

While you may be right, Drupal has never been about backwards compatibility. It's always been about evolution into a better product, and not about maintaining unnecessary legacy. I guess I can see why it's worrying to you - it's going in a direction you don't want it to go.

It sounds like you should be looking at Backdrop, or even consider forming a group for a new fork of Drupal - you could even have one of the base principles of the fork be that it work more like Wordpress, with an automatic updater through the web interface. You could incorporate other features that Wordpress does well as well. It could be an interesting fork of Drupal (Drupress?), and you could keep Drupal going in the direction you want, rather than being swept along in the direction it's going now.

If your concerns are shared with enough of the community it shouldn't be too hard to find people to work on your fork. Backdrop seems to be humming along well.

leoklein’s picture

It's always been about evolution into a better product,

You really believe the transition of Drupal from a graphic user interface -- you know, what made that thing called the 'Web' so popular -- into the business-as-usual command line interface is something that people would call 'evolution'?

More like 'regression'.

Jaypan’s picture

I'm not sure what you are talking about - Drupal is still GUI based. Drush is just a command line tool that allows for various tasks to be done through the command line. It's not transitioning to the command line. That would mean that the GUI was being dropped in favour of the command line - that is not happening and never will happen.

leoklein’s picture

Interesting quote:

The reality is that Drupal, driven by the big Drupal shops, is turning into a fantastic enterprise product which (I concluded after having done a bit of work with D8) will not be suited to hobbyists and low-budget clients, or (probably) to shared hosting.

Yup, the world's divided between "big Drupal shops" and the "hobbyists". What more needs to be said?

leoklein’s picture

Came upon this blog entry from 10 years ago:

I've been doodling around with the latest beta of Drupal 5.0.

I was thinking of implementing it here but it's just not far enough along for me to use. Also, most of the modules, which are the true glory of Drupal, haven't been updated yet. (This site's running 4.7.)

That said, 5.0 is a real time-saver. It's easier to install, easier to use, better laid out, etc. They've really spent a lot of time thinking about how to improve the thing so that normal people, normal 'tech' people that is, can use it.

In general, the CMS is kick-azz! It practically tied Joomla at the Packt Open Source CMS Award for first place in 2006. It'll be in first place before too long.

Those were the days, my friend.