[HacktionLab] Drupocalypse v3 Can it ever stop

clara clara at aktivix.org
Fri Apr 27 09:24:50 UTC 2018


Hi,

The reason why two security updates came one after the other like that was
in fact to protect those sites that would be patched straight away.

The security team could have straight away made a patch that would have
fixed everything - but that would also directly point to the vulnerability.
When they released the first patch, the issue was something that could
be exploited - but for which (as far as they knew) there weren't any
exploits out.
And when an exploit came out they straight away released the second patch.
So that means sites where the maintainers are swamped with work got an
extra 3 weeks that kept them safer.

The problem is not Drupal - it's the fact that any dynamically generated
site does need maintenance.
Even with WordPress' auto-update, there are still plenty of WordPress
sites that are now hacked to mine bitcoins.

If somebody doesn't have time or money to ensure that their site is
updated, then there are several options.

1) Ask yourself before you build the site what you actually need and
what you can maintain or have somebody else maintain for you. If you
can't have it maintained and don't need the functionality, then rather
than a dynamically generated site (neither Drupal, nor WordPress, nor
anything like that), use a static site generator.

2) Use shared hosting like the Mayfirst collective, or Pantheon or similar
if you want something more commercial. They usually provide the core updates.

3) Pay for a service that does the updates. Dropguard costs about 9€ a
month to do that, and there are some others as well. Don't expect others
to save you and your site out of the goodness of their heart - at least
not repeatedly or without having agreed on that.

And the point that interests me most:

4) Build a network to share the skills and the work. I could have easily
patched a few more sites while I was on it. And I would also be happy to
know that there are trusted people around who have the needed access to
a machine in case I'm travelling on Wednesday.

In solidarity
clara

More information about the HacktionLab mailing list