6. Automatic updates module
• Updates core only
• Replaces the core update UI
• Can do updates in the background
• Built on top of Package Manager
7. Package Manager
• Sub module of Automatic Updates
• API only
• Staged composer updates
• Manages temporary copies of the Drupal site (“stages”)
• Can update any composer package
• Uses composer stager to do most tasks
• Also used by project browser
8. Package Manager
• Prevents conflicting and disruptive operations.
• Does most of the requirement checks.
• Provides means to customise the update process.
• Will be a separate module in core.
9. • Sub module of Automatic Updates
• (experimental)
• Updates contrib modules and themes.
Automatic Update Extensions
11. Update Lifecycle
Phases of an update
• Create:
• Copies sites code into a
staged sandbox.
• Only composer managed
files.
• Apply:
• Update the original site with
the changes from the staged
copy
• Require:
• Update staged codebase.
• Run Composer
Commands in the stage
• Destroy:
• Destroy the staged copy.
21. Unattended updates
• Updates run in the background
• Security releases, or all patch releases
• Emails if a problem is detected
• Can be done by drush command or web request
• Disabled by default
• Can be enabled by programmatically setting the config.
22. Unattended updates via drush
• More secure: web server does not need write access
• Less timeout issues
• Can be run with a more privileged user.
• Extra set up
drush auto-update - - root=path/to/drupal
• Once in core will have a Symfony console command
• https://www.drupal.org/project/automatic_updates/issues/3360485
(3.x)
23. Unattended updates via web
• Easy to set up.
• Web server needs write access
• More vulnerable to timeouts
• Improvements in
https://www.drupal.org/project/automatic_updates/issues/3357969
24. The Update Framework
The Update Framework (TUF) helps
developers maintain the security of
software update systems, providing
protection even against attackers that
compromise the repository or signing
keys. TUF provides a flexible
framework and specification that
developers can adopt into any software
update system.
25. Requirements/Readiness
• Code is writable by web server or terminal
• Composer is runnable
• No unsupported composer plugins
• Not in a multisite
• Composer is using HTTPS
• Etc.
26. Requirement/Readiness Check
• Lot of validation
• Checks if the site meets all the requirements
• Ensures site is ready to apply a security update
• Displays issues/notices on status page and all admin pages.
29. Automatic Update Extensions
• Experimental
• Updating contrib modules and theme
• Not part of core MVP
• Backwards compatibility issues in contrib.
30. Limitations
what automatic updates does not do
• Major core updates
• Rollbacks
• Multisite
• Testing
• Not version control aware
• Changes will not be committed to version control.
• Will have to be incorporated into your development workflow
31. Who is this for
• Prefer to avoid the command line.
• Hosting multiple simple Drupal sites
• Anyone who can't do security updates in a timely manner
32. Where this is less helpful
• Complicated development and deployment workflow
• Continuous integration
• Every change goes through a rigorous review
33. Customisation
• Events are dispatched
• Can be listened to to customise the process.
• Customise the update process
• Perform any tasks before and after the update
• Prevent updates based on conditions.
36. Failure control
• Problems in Staged copy
• File permissions
• Time out etc
• Problems in the stage won't affect the live site.
• Backing up your site before an update is very important.
• Problems in the Apply Phase, you must restore from backup.
• You'll receive an email when that happens
37. In core?
• drupal.org implements the update framework protocol
• Security team review
• Core committer review
Attended updates are more permissive than unattended updates, because our reasoning is that you're right there, watching it happen. If something goes wrong, you can react quickly. Therefore, attended updates will also allow you to update across minor versions of Drupal core.