ubuntuforums-unanswered team mailing list archive

Thread
Date
Re: [Question #76464]: Drupal6 needs security updates

To: ubuntuforums-unanswered@xxxxxxxxxxxxxxxxxxx
From: barsalou <question76464@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 15 Jul 2009 14:15:23 -0000
Reply-to: question76464@xxxxxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx
Question #76464 on drupal6 in ubuntu changed:
https://answers.launchpad.net/ubuntu/+source/drupal6/+question/76464

    Status: Answered => Open

barsalou is still having a problem:
Quoting Scott Testerman <question76464@xxxxxxxxxxxxxxxxxxxxx>:

> Your question #76464 on drupal6 in ubuntu changed:
> https://answers.launchpad.net/ubuntu/+source/drupal6/+question/76464
>
>     Status: Open => Answered
>
> Scott Testerman proposed the following answer:
> Before upgrading Drupal it's necessary to turn off all non-core modules
> since they can easily break the Drupal upgrade.  When installing new
> Drupal packages using the standard apt system, there's no way to check
> that the modules are, in fact, turned off.
>
So that would imply i'd have to come up with a way to check if they  
are on or off....that would solve this little headache.

> Further, the system in question may be headless, as well as auto-
> updated, which means that even if there's a way to check and display a
> message about breakage, it may not be seen.  In this instance, it means
> that the expected auto-upgrades would cease to happen since the system
> would forever be waiting for somebody to answer a message that couldn't
> be answered.

I wonder how many systems that are headless and auto-updated are using  
drupal?  I suppose it's quite a few because of the popularity.  I  
wonder if adding some sort of switch within the drupal update could  
account for that?


>
> This all means Ubuntu will happily break a working Web site, just as it
> was asked to do.  While you and I know that this is simply poor
> management skills on the part of the admin in question, the net effect
> is simply going to be, "I refuse to use Ubuntu any more because it broke
> my site."  That's bad for Ubuntu, and very possibly bad for Debian if
> the user assumes it's a Debian thing rather than something specific to
> Ubuntu.  I don't want the convenience of installing Drupal in under 30
> seconds to detract from Ubuntu's reputation.

I'm in agreement here, sullying Ubuntu or Debian for the sake of  
convenience isn't a good idea.

This makes me wonder if doing a patch might be a better choice?

>
> OTOH, I really would like to see more frequent updates to Drupal in the
> repositories, especially since this is a Universe -- and therefore,
> officially unsupported -- package.  Ubuntu has traditionally been fairly
> quick with rolling out security updates, and I believe that unsupported
> applications are just as important to system security as supported
> applications.  Since Ubuntu now comes with Universe and Multiverse
> enabled by default, many users probably don't even recognize the
> difference any more, therefore they won't know that Drupal is from a
> whole different world.

This is especially true of the crowd that says 'I refuse to use Ubuntu  
...' as mentioned above.  Additionally, I've hear folks say ' no use  
in using the Ubuntu  package because security updates don't come out  
very fast..'

There may not be a way to win in this particular arena.

Mike B.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

You received this question notification because you are a member of UF
Unanswered Posts Team, which is an answer contact for Ubuntu.