Drupal provides a UI for updating contrib modules automatically (at /admin/reports/updates/update). This process is dangerous when used in a distribution like farmOS because it will not reapply patches to modules that are included in the packaged distro (e.g., those defined in the drupal-org.make file).
We currently have a big block of text on https://farmOS.org/hosting/update warning against using this feature:
Do not use Drupal's automatic update feature
Drupal provides an interface for downloading and updating contributed modules automatically.
This process may break your farmOS system.
farmOS is a Drupal distribution, and includes patches to some contributed Drupal modules that are necessary for proper functioning. Drupal's automatic update feature will not apply the necessary patches when it downloads the new version of a module.
It also does not support updating Drupal distributions (only modules and themes). farmOS is a Drupal distribution, and new versions often include automated update code to ensure a smooth update from one version of farmOS to the next.
Therefore, it is recommended that you either download the officially packaged releases of farmOS from https://drupal.org/project/farm, build it yourself with Drush, or run farmOS on Docker. This will ensure that the necessary patches are applied, and that the farmOS distribution updates are included.
And yet, there are still occasional messages in the farmOS forum or chat from someone who didn't see that message, and assumed that the "Updates available" features provided by Drupal are official farmOS features, and therefore should be trusted.
So, I propose we take a more drastic measure: prevent the ability to update via Drupal's UI entirely.
Comments
Comment #2
m.stenta
One approach would be to simply implement hook_menu_alter() and remove/restrict access to /admin/reports/updates/update entirely.
This would still allow access to the list of available updates (/admin/reports/updates), but would not allow access to the form for downloading/installing updates through the UI.
Only problem with this is that the Status report (/admin/reports/status) links directly to that page. So if someone looks there, and tries to click that link, it won't work.
Another option might be to use hook_form_alter() on the form on that page to disable its functionality. We could also put a big message at the top that says it was disabled intentionally, and describe why.
This would be the most effective way to avoid this issue in the future. And we could probably remove the big message from farmOS.org, if we have it in farmOS itself.
Comment #3
m.stenta
Note: the form ID is update_manager_update_form and actually appears in three places: /admin/reports/updates/update, /admin/modules/update, and /admin/appearance/update.
One form alter hook will cover all three.
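The form alter approach discussed in comments #2 and #3, as an added example that is not part of the original thread and is not the code committed to farm.profile. It assumes the Drupal 7 form API and a hypothetical module named mymodule; the message wording and the validation handler name are also made up for illustration.

```php
<?php

/**
 * Implements hook_form_FORM_ID_alter() for update_manager_update_form.
 *
 * Hypothetical module "mymodule". The same form ID is served at
 * /admin/reports/updates/update, /admin/modules/update and
 * /admin/appearance/update, so this one hook covers all three pages.
 */
function mymodule_form_update_manager_update_form_alter(&$form, &$form_state, $form_id) {
  // Hide every element the update manager built, including the submit
  // button. The form API ignores input for elements with #access FALSE.
  foreach (element_children($form) as $key) {
    $form[$key]['#access'] = FALSE;
  }

  // Explain on the page itself why the feature is disabled, so that links
  // from the Status report still land somewhere meaningful.
  $form['mymodule_update_disabled'] = array(
    '#type' => 'markup',
    '#markup' => '<div class="messages warning">'
      . t('Automatic updates are intentionally disabled. This site runs a Drupal distribution that ships patched contributed modules, and updates downloaded through this form would not have those patches reapplied. Update by installing a packaged release of the distribution instead.')
      . '</div>',
    '#weight' => -100,
  );

  // Second layer: reject any submission that reaches the form anyway, so
  // that no module code is downloaded or replaced.
  $form['#validate'][] = 'mymodule_update_manager_blocked_validate';
}

/**
 * Form validation handler (hypothetical name): always fails.
 */
function mymodule_update_manager_blocked_validate($form, &$form_state) {
  form_set_error('mymodule_update_disabled', t('Updating modules and themes through the UI is disabled on this site.'));
}
```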
Comment #5
m.stenta
Fixed with a very simple form alter in farm.profile:
Comment #7
m.stenta
Reopening this for 2.x.
Comment #9
m.stenta
Forgot to close this.