Automatic security updates


Petros

Dec 14, 2015, 3:31:22 PM
to Joomla! CMS Development
Maybe not today. But I think we should start the discussion of automatic updates for security reasons, just like WordPress. I think there is a plugin in 3.5 for notifying, but why not make the plugin install the security update? This drastically reduced the consequences of WordPress security holes and I don't think we can find the reason why not us?
For really curious privacy people it could be with opt-out...

Hannes Papenberg

Dec 14, 2015, 3:43:25 PM
to Joomla! CMS Development

See the prior discussion we had about this.


Beat

Dec 15, 2015, 6:46:52 AM
to Joomla! CMS Development
Hi Hannes!

Your reply doesn't read out well to me.

I believe that the situation has changed since the last discussion on this subject.

The question is imho a valid one (at the very least as a highly visible opt-in option).

Best Regards,
Beat
http://www.joomlapolis.com/

brian teeman

Dec 15, 2015, 9:00:17 AM
to Joomla! CMS Development
For me there is a difference between a security update and a general update that may contain security fixes.

And I have personally changed my view against automatic updates.

Michael Babker

Dec 15, 2015, 11:05:13 AM
to joomla-...@googlegroups.com
Philosophically, I won't ever support such an effort until a lot of legal and liability concerns are addressed.  If there isn't something in place addressing failed updates, to me it opens the door to a lot of issues from users buying into automatic updates and getting their sites crashed by Joomla pushing something to them.  And frankly, as long as the template frameworks out there cause update failures, it just raises the concern of whether automatic updates can even be a feasible option for a fair share of users.


Russ Winter

Dec 15, 2015, 3:56:52 PM
to joomla-...@googlegroups.com
Probably a "dumb-possum" question Michael, but are there "well known" conditions/things/items that guarantee an update failure? 

Just thinking out loud, things like Nick's Admin Tools or my very old Tools Suite used to be able to test/check for certain conditions that were well known to cause a variety of issues. Could something not be implemented that could at least test for, and report back to the user on, these and disable any auto-updates until they are resolved? This would at least reduce the risk, whilst maintaining the opportunity to make use of the option at a later date. Maybe with a disclaimer on a "Try Force" option, where the user accepts all responsibility themselves. (Maybe even some form of "back-up original files" option, with a "Revert To Original" option, realising that this is no simple task.)

Although I fundamentally like the idea, as you, I have concerns about failures and issues arising from such an action.

Russ

--
Regards,
Russ Winter

Michael Babker

Dec 15, 2015, 4:41:01 PM
to joomla-...@googlegroups.com
I don't do a lot of user support so I don't know where the most common errors in the context of the core application come from.  Simple things like ensuring the filesystem has the needed read/write capabilities should be in place.  The database seems to cause some issues at times, especially in cases where the schema isn't 100% valid pre-update.  From what I see and hear, a lot of issues usually come around when factoring in the larger template frameworks and the third party extensions to the update.  After the 3.4.5 release one of them had tweeted almost two weeks after the release their framework's templates were all updated to 3.4.5 and I find that worrisome because that implies there are end users who had to wait for their framework to update before they too could update or users were patching files manually to secure their sites.

Personally, I'm starting to get comfortable with the core updates; aside from a couple of edge cases (mostly coming from <3.2 to current version) I've not seen anything with core that results in a failed update for an end user, but that's overall such a small piece of the puzzle.

Chacapamac

Dec 15, 2015, 5:22:25 PM
to Joomla! CMS Development

Brainstorming Here (For the few cells I have left!)

Again, giving the users the possibility of what levels of updates they can automate or not (with warning) will give an edge to Joomla.

Maybe automatic/manual updates with the possibility of returning to a previous state. (That will be awesome in case of problems with Joomla itself or any third party components)

Also the possibility to email admins before and/or after updates and for critical update info.

Having an Administration Update Centre where you can choose those hypothetical possibilities - even coupling with a backup system tool (like Akeeba CMS Update).

klas berlič

Dec 15, 2015, 5:23:21 PM
to joomla-...@googlegroups.com
Due to the current Joomla architecture, where a lot of things are tightly coupled, some extensions need to override core classes to be able to do their job. Also, sometimes behaviours like routing change, and both those problems take time to bring an extension back in sync with core changes. Speaking from experience here, as I need to update my LanternFish basically for each minor version of the 3.x.

I would suggest implementing auto updates, but make it in the form of a plugin. Anyone using such extensions that block updates (or template frameworks that, to force WordPress etc. compatibility, create their own basic classes like menu and should not be considered Joomla at all) would be able and be responsible to disable this plugin and do manual updates.

Regards,
Klas

Paul D. Bain

Dec 15, 2015, 7:39:28 PM
to joomla-...@googlegroups.com
On 12/15/2015 5:22 PM, Chacapamac wrote:
>
> [Giving] the users the possibility of what levels of updates they
> can [automate] . . . (with warning) will give an edge to Joomla.
>
> Maybe automatic/manual updates with the possibility of returning to a
> previous state.

In the CMS world, this feature ("returning to a previous state" or
returning to a "restore point," as it was called in Windows XP) is
usually called "rollback." This feature requires that the CMS
administrator take a snapshot before he implements changes that may
break the CMS. IIRC, this feature is scheduled to be implemented in a
future version of J., probably version 4.x. Is that correct?

If so, then this feature, when fully implemented, might make it easier
to apply security patches (SP). If a SP fails, then the J.
administrator can simply roll J. back to the snapshot that was taken
just before the SP was applied.

Please see my further comments below.

> (That will be awesome in case of problems with Joomla
> itself or any third party components)

Yes, it would be awesome. Please see my comment below.
>
> Also the possibility to email admins before and/or after updates and for
> critical updates infos.
>
> Having an Administration Update Centre where you can choose those
> hypothetical possibilities - Even coupling with a backup system (Like
> Akeeba CMS Update) tool.

IIRC, rollback and _backup_ are related, but separate, concepts and
features, just as _archiving_ is different from backup. I do not recall
the nature of the differences.

Sincerely,
Paul Bain
(703) 870-5154
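
The pre-flight test, snapshot and rollback ideas raised in this thread, put together as an added example that is not part of any participant's post and is not Joomla code. The function names, the file-based health check and the demo tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example; function names and the demo tree are constructed, not Joomla's.

# Pre-flight: the site root and the unpacked update must exist, and the
# site root and its parent (where the snapshot goes) must be writable.
preflight() {
    [ -d "$1" ] && [ -w "$1" ] && [ -d "$2" ] && [ -w "$(dirname "$1")" ]
}

# Stand-in health check: the entry point must still be a non-empty file.
# A real check would request pages and compare the responses.
site_ok() { [ -s "$1/index.php" ]; }

# guarded_update SITE PACKAGE -> 0 updated, 1 rolled back, 2 refused to start
guarded_update() {
    local site="${1%/}" pkg="$2" snap
    preflight "$site" "$pkg" || return 2
    snap="$site.snapshot.$$"
    cp -a "$site" "$snap" || return 2      # files only; the database needs its own dump
    if cp -a "$pkg/." "$site/" && site_ok "$site"; then
        rm -rf "$snap"                     # update verified, drop the snapshot
        return 0
    fi
    rm -rf "$site" && mv "$snap" "$site"   # restore the pre-update state
    return 1
}

# Constructed demo: a tiny site plus one good and one broken update package.
make_demo() {
    local d
    d=$(mktemp -d)
    mkdir "$d/site" "$d/good" "$d/bad"
    echo '<?php // v1' > "$d/site/index.php"
    echo '<?php // v2' > "$d/good/index.php"
    : > "$d/bad/index.php"                 # truncated file simulates a failed update
    echo "$d"
}
```

The return code separates "never started" (2) from "started and rolled back" (1), so an unattended run can alert differently for each.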

Aleksander Kuczek

Dec 16, 2015, 3:41:57 PM
to Joomla! CMS Development
Recently we have been doing over 50 Joomla updates and upgrades a day while working on our new automatic update platform called Perfect Dashboard. We tried updates and upgrades within Joomla 3.X and we have a powerful test engine to check if a website is broken after the update. We used simple and more complex websites. Unfortunately over 80% of updates, even minor releases, caused some display errors. Luckily the level of complete failures was at just 8%. As we all know, even Joomla 3.4.6 broke many website login redirects.
I think we need a different attitude for abandoned and managed websites. The first group should be updated automatically (at least with security fixes). For the second group, automatic updates should be turned off, as the right course of action requires doing a backup, preparing tests, etc. Thus, I agree with Brian on automatic updates turned on by default with a possibility of turning off when needed.

sovainfo

Dec 18, 2015, 7:04:03 AM
to Joomla! CMS Development
Suspect that there are more people with multiple sites and the minority of them to be enabled for auto update. So, I would prefer the opt-in instead of opt-out.