Dylan Clear

Continuous Long Term Support: Security Monitoring for Drupal 6, 7, and 8

Though it came and went largely unnoticed, February 24th, 2017 marked an important anniversary for tens of thousands of Drupal website owners: it was the 1-year anniversary of the End-of-Life (EOL) announcement declaring Drupal 6 no longer supported by the Drupal community.

It is widely known that major Drupal version upgrades require non-trivial resources. Not only do they require significant planning, technical expertise, and budget, but the path is often determined by funding and availability of maintainers of popular contributed functionality (modules). Add the complexity of upgrading custom development, and the conditions create significant challenges for small to medium websites without large operating budgets. As evidence of this, our research indicates there are at least 150,000 publicly accessible sites still running Drupal 6.

One of a Kind

Tag1 Quo is the only Drupal monitoring solution that supports Drupal 6 LTS, Drupal 7, and Drupal 8 under one dashboard.

For most D6 site managers, the most critical (and stressful) impact of EOL is the discontinuation of Drupal 6 security patches by the Drupal security team. When a major version reaches EOL, the Drupal security team ceases to release patches or serve public Security Advisories for that version. Unless those sites are maintained by a skilled developer with the time to monitor upstream projects, review patches, and backport them by hand, Drupal 6 site managers find themselves in a vulnerable spot: ongoing, publicly announced vulnerabilities may be directly exposed on their site.

To its credit, the Drupal security team developed a plan so as not to abandon D6 site owners to the wilderness. Under the Long Term Support (LTS) initiative, they selected Tag1 and other qualified vendors to provide Drupal 6 patches as a paid service to site owners, under the condition that those patches also be made available to the public.

Tag1 Quo: A Year of LTS

With the EOL deadline rapidly approaching, Tag1—like many Drupal consulting firms—had clients still on Drupal 6. We were happy to sign on as an LTS provider to support our clients formally under the LTS initiative. It didn’t take us long to decide on automating patch delivery and empowering customers with some useful management tools. A few months into EOL, Tag1 Quo was launched with automated detection and notification of outstanding patches, and a unified view of security updates across all of their Drupal websites.

The vision was simple:

  • Provide D6 sites with a dashboard to quickly assess the status of their modules and themes, providing automated patches and pre-packaged releases delivered to their inbox, tested by our team of Drupal experts.
  • Make it platform and hosting-agnostic to provide maximum flexibility to the varied workflows and infrastructure of our customers.
  • Make it simple to set up and run from any site, in any environment, returning clear status reports and ongoing updates with the install of one module and a few clicks.
  • Price it aggressively: for less than the cost of 1 hour of senior developer time per month, a D6 customer could lease Quo as their security concierge, monitoring for patches around the clock.

Because of customers of Tag1 Quo and the LTS program, we’ve delivered on that vision. Paying customers of LTS have financed 25 Drupal 6 patches, written and contributed back to the community. While Drupal 8 continues to mature and add contributed functionality, the D6 LTS initiative is still going strong, giving site managers breathing room to fundraise, budget, and plan for their next big upgrade.

Enterprise Security with Tag1 Quo

Like many power users of Drupal, at Tag1 we maintain internal Drupal 6, 7, and 8 sites, as well as client sites on all of those versions. As we began designing and building Tag1 Quo, we quickly realized that the tools we wanted and needed for managing updates across sites were tools that would come in handy for other enterprise users:

  • agencies
  • universities
  • large corporations, and
  • infrastructure providers

In January 2017, we launched support for Drupal versions 7 and 8 on Tag1 Quo. With discounted rates for multiple sites, Tag1 Quo customers can now manage multiple sites via a centralized security dashboard with email notifications, across Drupal versions 6 through 8.

Quo also provides powerful filtering tools across all sites. Filter by site, project, or module version to see all instances of a particular module across all sites. At-a-glance status color-coding tells you if your module has available updates, security-related or otherwise.

Click in on a module to access a direct link to the latest release and access project metadata such as package, info, schema, and dependencies.

In managing our own sites, we’ve found that combining these tools in one central system has rapidly increased our turnaround on identifying and patching vulnerabilities, while lowering our management overhead. Eating our own dogfood has been satisfying: Tag1 Quo has freed up valuable developer time and budget to focus on feature development. If you are an agency maintaining client sites, or an IT department managing multiple corporate properties, you must have a security updates monitoring strategy, and we’re confident that enterprise Tag1 Quo provides a solution.

Making Drupal maintenance easy forever

For years, the community has wrestled with the problem of expensive upgrades referenced at the beginning of this blog. How can Drupal continue to be a leader in innovation without becoming cost-prohibitive to non-enterprise users? Last week, Dries published an important blog, "Making Drupal upgrades easy forever", that announces an exciting new approach for Drupal upgrades, based on a policy change initiated by Tag1’s Nat Catchpole.

Writes Dries:

we will continue to introduce new features and backwards-compatible changes in Drupal 8 releases. In the process, we sometimes have to deprecate old systems. Instead of removing old systems, we will keep them in place and encourage module maintainers to update to the new systems. This means that modules and custom code will continue to work. The more we innovate, the more deprecated code there will be in Drupal 8... Eventually, we will reach a point where we simply have too much deprecated code in Drupal 8. At that point, we will choose to remove the deprecated systems and release that as Drupal 9. This means that Drupal 9.0 should be almost identical to the last Drupal 8 release, minus the deprecated code.

For site owners and decision makers, this change is potentially earth-shattering. It replaces the monumental major version upgrade with incremental minor-version updates. Drupal 6 sites planning a Drupal 7 upgrade might want to revisit that plan. Drupal 7 sites waiting to upgrade directly to Drupal 9 may also want to reconsider. Site managers will need to invest more time in planning around minor releases: contributed code they rely on will be ported more frequently (though less dramatically). These changes are good for the Drupal ecosystem, but issues of backward compatibility, legacy APIs, and deprecated code will likely require additional diligence.

We’ve built Tag1 Quo with an eye to this new future, with current and upcoming features to help site owners manage this complexity. If you are still on Drupal 6, Tag1 Quo has your back. If you are still on Drupal 7 when it goes EOL, Tag1 Quo will be there. And if you are somewhere in between D8.7 and D8.11, Tag1 Quo will be there for you, too.

Monitor all the things!

In March 2017, get $50 credit towards your subscription with