Automatic Security Updates (even with patches)

Albert Albala

Applying security updates, indeed any update, is cringe-inducing. We apply security updates manually, check if some previous developer hacked whatever module we're updating (or core), and have to remember to look inside a /patches directory; then, when we're done updating, we somehow have to confirm that nothing is broken, without any guidance on what we need to check -- so we click around our site aimlessly before determining that an update works.

In this talk we will look at a Docker-based approach to managing site assets for local development which guarantees your site is always up-to-date, and fails in case a new version of a module (or core) has an unmet dependency or a patch which no longer applies.

We will look at the idea of a build step which generates code for remote hosting only when needed; we will look at how to write end-to-end tests which guarantee that your critical site functionality never breaks, and how to keep everything under continuous integration.

Finally we will look at how Drupalgeddon-type events can be managed in such a workflow.

To get the most out of this talk, you are encouraged to fork the Dcycle Drupal 8 Starterkit, and open a free Circle CI account.

Albert Albala
Developer, Montreal, @alberto56
Albert Albala specializes in quality control automation for web projects using open source code. He is a board member of Terre des jeunes and Bioénergie Haïti, two non-profits whose goal is local empowerment through sustainable development, large-scale access to environmental technologies, and reduction of greenhouse gases through methane gas management. He has been an active member of the open-source Drupal community since 2006. He writes about web best practices and Drupal on his blog, Dcycle.

https://drupalnorth.org/en/session/automatic-security-updates-even-patches