Automatic Updates in Drupal Core: Are They Becoming Inevitable?

And this is a years-old discussion. The good, the bad, and the ugly aspects of implementing such functionality have been exposed and debated and... debated some more. Yet, since Dries Buytaert's keynote presentation at DrupalCon Vienna 2017, the issue of automatic updates in Drupal core has turned from a never-ending discussion into a firm... call to action. If WordPress is already offering an automatic update facility to its users, so can Drupal, right?

The Automatic Security Updates Initiative

What's the “mission statement” behind this initiative? What are the strategic objectives of the Drupal core committers behind it? And, most importantly: how do automatic updates in Drupal core impact you, the Drupal developer or the Drupal site owner?

Key Challenges/Objectives

  • To provide all Drupal users with a tool supporting quick and easy open-source updates
  • To implement some sort of facility in Drupal core that would backport and distribute critical patches upon major releases 
  • To provide users with a central platform on which to administer and monitor their update processes. One that easily adapts to their specific workflows and aligns with their DevOps tools of choice

This is how we could sum up the auto-updating initiative in Drupal:

Drupal Would Then Update All By Itself

That's right! Just like WordPress has been able to for a while now, with no intervention from the site admins.

This translates into:

  • a safer procedure (since no more risky manual work will be required)
  • a security best practice    
  • a reliable way to update, by default, Drupal core and modules whenever critical security issues are signaled

And I'm not going to delve any deeper into the pros of letting Drupal run its updates on its own since I'm just about to list them anyway:

4 Reasons to Be Looking Forward to Automatic Updates in Drupal Core

Here are the other promised positive aspects of this initiative:

  • Small Drupal websites, which don't find themselves under the “umbrella” of professional security and maintenance services, will no longer go un-updated
  • You'll no longer need to consider alternative platforms offering hassle-free/cheaper maintenance (that is, if you were “flirting” with this idea)
  • Your site will be more secure and be kept secure in contexts of highly critical Drupal updates. If you've skipped your updates and you've kept your website vulnerable, exposed to hackers, and if it hasn't been attacked already, it's just because you... got lucky. For no other reason.
  • Since headless Drupal 8 is “taking the Drupal world by storm” right now, heavier codebases and large ecosystems of external libraries are becoming reality. This can only lead to more frequent manual updates to keep your entire infrastructure up to date. And at some point you'll end up “craving” automated updates.

5 Concerns You Must Be Facing Now Regarding Auto Updates in Drupal 

For I'm sure you also have enough reasons (or just valid questions that hopefully the Drupal core committer team will answer) to resist such an initiative:

  1. Will you have zero control over the update process? 
  2. How will quality be guaranteed?
  3. Isn't there a risk that automatic updates in Drupal core turn into security vulnerabilities (into security holes) instead? Hackers could target precisely these updates for injecting “contaminated” code across the entire (and we're talking millions) ecosystem of Drupal sites.
  4. And what if you're using version control on your system? How will Drupal run its automatic security updates in this case, since it doesn't use Git for version control?
  5. How will automatic updates to Drupal core impact contrib modules? Will there be contrib auto updates as well? And what about the JavaScript libraries that you're using, which are more vulnerable?

Wrapping Up: 2 More Legitimate Questions Regarding Auto Updates

Lots of discussions have been going on over the years about implementing automatic updates in Drupal core, and more inquiries keep adding up.

Take, for instance, today's component-based nature of many Drupal websites: they're actually “clusters” of multiple source components coming from several vendors.

And speaking of component parts, we're referring to:

  • Drupal modules
  • JavaScript libraries (since using headless Drupal as a content repository for modern front-end apps is such a big “trend” these days)
  • Symfony components 
  • a plethora of other tools

So, the question that arises now is: how will you, the Drupal user/developer, be able to maintain such ecosystems of different components with no central platform on which to manage and monitor your update processes? With no unified workflow?

Also, if small-sized businesses gradually start searching for alternatives to Drupal (since Drupal is planned to continue growing into an enterprise-level CMS), will there be any need for these automatic updates in Drupal core?

Since there's no control over the whole process and no quality guarantee either (and enterprise customers have higher standards in terms of security)? And since this initiative is targeting small sites, primarily, after all? 

I have no doubt that we'll get our answers to all these questions sooner than we expected. And this is because I do get the feeling that auto-updating in Drupal has turned from just a “never-ending discussion” phase into a strategic initiative!