Drupal Core Auto-Update Architecture

David Strauss

Dries has proposed that Drupal core be re-engineered to support a secure auto-update mechanism.

Sounds easy in theory, but the devil is in the details, and such a change risks both being a disruptive change in the development cycle and introducing a new vector by which Drupal sites could be attacked.

We will conver some background including:

  • The fundamental challenges and trade-offs when building a secure auto-update system 
  • How the WordPress autoupdate mechanism could have been used for mass distribution of malware
  • Options for automating updates using currently available tools
  • multi-server, read-only code, and Composer challenges

We will review some existing secure CMS auto-update systems, and present possible approaches for Drupal along with the corresponding development or infrastructure challenges.

This will be a conversation to solicit input and discussion on the feasibility and technical approaches to this problem.


Session Track

Core Conversations

Experience Level


Drupal Version

When & Where

Tuesday, 10 April, 2018 - 13:00 to 14:00
204 | Mediacurrent