Tuesday, September 22, 2009

Drupal Considered Harmful

Boy, you really have to wonder. I have been evaluating Drupal for my new company site. Logging in recently to see how easy it would be to put up a nice FTP access form for my client's deliverables, I am told by Drupal that a site update is needed. Apparently there's a security hole that needs to be patched. "OK, it happens," I thought, and went to click the update link.

No update link. That would be way too easy. You get a download link instead. OK, normal for open source stuff. Like Joomla.


With Joomla, security patches are self-contained packages. You download, check that obvious prerequisites are met (the version you have is the one the patch upgrades from), take backups, take the site off-line, and apply the patch. Take the site back on-line and you're DONE.

Look, I develop software for remote installation and upgrading. The Drupal developers don't have a clue about packaging. As I read through the update instructions, I find statements like:

  • Log on as the user with user ID 1
  • Switch to a core theme, such as Garland
  • Disable all custom and contributed modules
  • Remove all old files and directories
  • Copy your backed up "files" and "sites" directories

You've got to be kidding me. Basically, you have to roll back the changes you've made to the site, apply the update, then roll forward the changes again. But the update process is entirely manual, several steps are exceptionally risky to take in and of themselves, and the descriptions of the steps leave out lots of important detail... to be filled in by the (in)experience of the administrator. That's asking for a heck of a lot of trouble.

Not to mention that all my custom modules disappeared after the upgrade. The upgrade readme says to check Web sites for versions of modules compatible with the upgraded Drupal, but doesn't mention that, oh by the way, the process wipes out the modules you had installed.

So really, Drupal doesn't allow upgrades so much as doing complete re-installs of the site. This is one of the most inane update processes I've ever seen in a Content Management System promoted as a professional-quality system.

If Joomla's upgrade path is a dirt trail, then Drupal's is a dirt trail covered with brambles. To my mind security patches should be reliable, simple, and quick to apply, so that sites are not left exposed longer than necessary. That rules out Drupal for me. I already have to spend hours on sites I maintain, every time new security holes are found in the CMS -- Drupal's process would at least double that time.
