Keeping Acquia Drupal in Sync
by Peter Wolanin
We did a security release of Acquia Drupal yesterday in order to incorporate the security fixes in the core Drupal 6.5 release. One of the internal goals of the Acquia engineering team is to respond to security releases of Drupal core, or any of the contributed modules in our distribution, by updating our Acquia Drupal release within 24 hours. We want to ensure that Acquia Drupal sites stay in sync with the most secure code from the Drupal community.
Drupal 6.5 was the the first test of our engineering release process since Acquia Drupal came out of beta. While we beat our internal target by an hour, we are working to refine and accelerate the process. I and several members of our engineering team are among the roughly 25 active members of the Drupal security team. Thus, we committed substantial time to help get the necessary security fixes written and tested over the last couple weeks. Once Drupal 6.5 was released (including fixes to the security issues listed in SA-2008-060) we at Acquia then needed to build a new release of the Acquia Drupal distribution to include the Drupal 6.5 core release.
The process of creating a new Acquia Drupal release included:
- Checking each contributed module in Acquia Drupal for updates and updating from CVS as appropriate
- Updating Drupal core from CVS
- Finalizing the list of changes and preparing release notes
- Running our packaging scripts to correctly populate the .info files and build the download archives
- Running all our available automated tests (simpletests as well as Selenium tests)
- Testing our release process on a development server
- Connecting multiple Acquia Drupal sites to the development server and checking the Acquia Network update status
- Uploading the final release files to acquia.com
In addition to the Drupal core update in Acquia Drupal 1.0.1-ISR, the release also includes updates to imagecache, filefield, CCK, and Views modules in order to keep these modules in sync with releases on http://drupal.org. Acquia Drupal 1.0.1-ISR also includes multiple bug fixes in the Acquia Marina theme (see http://acquia.com/release-notes/1.0.1-ISR/)
So what does the upgrade experience look like for someone subscribed to the Acquia Network? First, the notice about the new release is sent to technical contacts associated with the subscription via email and in their Acquia Network message queue:
This message includes a description from Acquia about the release, the release notes, as well as a link to the full release notes for Drupal 6.x on Drupal.org. In general, the Acquia Network message queue provides an aggregated view of all messages from Acquia Drupal in one location, rather than just scattered among e-mail messages.
At the bottom of the message page, there is a button to turn this message into a task and assign it to one of the contacts for this subscription. By using the task feature, messages can be fed into the team’s work queue – providing a way to track whether sites are up-to-date and protected. Of course, we're eager for feedback on whether this is the right approach for our subscribers and whether you find this feature useful.
Assuming that you have the Drupal core Update module installed on your site, the Acquia Agent module will use its interface to notify you about available updates to Acquia Drupal:
As a member of both the Drupal security team (since well before joining Acquia) and Acquia’s engineering team, this process was a bit hectic, but it's exciting to actually get a release out the door. My excitement also comes from knowing about all the other important fixes and enhancements that we at Acquia, and much more importantly, the larger Drupal community, have gotten into Drupal core since 6.4 was released and that were included in the updates of the contributed modules (especially CCK and Views).