How often is it updated?

Asked by Josh Knight on 2011-02-08

My question is how often is Drupal kept up to date in the repos? We're looking at using the drupal6 package on our Ubuntu servers as a production machine for (initially) 30 pubic sites from a major Michigan school district.

We're running 10.04 server, so I'm aware that the actual version number reported will sit at 6.16. What I'm curious about is how often is it patched from upstream releases? Looking at the Ubuntu change log, it was last patched for Drupal bug SA-CORE-2010-001, which was back with an upstream release of 6.16. Shouldn't it be more on 6.16-5, if you're patching from 6.17, 6.18, 6.19, and 6.20?

The latest upstream release is 6.20, but it doesn't look like the Drupal package for ubuntu has been patched for these bugs. How often do you patch these bugs? The drupal package from Debian looks like it's patched more often.

Would you recommend just installing from source on drupal.org? It was a higher-up who decided to go with using a repo package for Drupal to make upgrading take less time. However if it will make more sense to simply manage it ourselves instead of a repo, then I could try to convince him.

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu drupal6 Edit question
Assignee:
No assignee Edit question
Solved by:
Josh Knight
Solved:
2011-02-09
Last query:
2011-02-09
Last reply:
2011-02-08
mycae (mycae) said : #1

The easiest thing to do would probably be to rebuild the newer ubuntu packages, i.e. maintain your own backports. This is quite easy to do, as the ubuntu packages normally rebuild on older installs with no fuss.

http://www.moosechips.com/2008/09/ubuntu-rebuild-a-source-package/

You can then maintain your own repo and add that to your deployed machines sources.list. This is a little more complicated though (have to set up a pool etc etc).
http://www.debian.org/doc/manuals/repository-howto/repository-howto

Just be aware of version clashing. you may wish to add your own package extension, such that updates are automatically picked from ubuntu as needed.

> Looking at the Ubuntu change log, it was last patched for Drupal bug SA-CORE-2010-001, which was
> back with an upstream release of 6.16. Shouldn't it be more on 6.16-5, if you're patching from 6.17, 6.18,
> 6.19, and 6.20?

The log from the newer one has the 6.18 patches:
http://changelogs.ubuntu.com/changelogs/pool/universe/d/drupal6/drupal6_6.18-1ubuntu1/changelog

whereas 10.04 is still using the 6.16 as you say:
http://changelogs.ubuntu.com/changelogs/pool/universe/d/drupal6/drupal6_6.16-1ubuntu1/changelog

The changelog is the best reference as for how often drupal is updated, which seems about every couple of months. As this is usually simply an import from debian, (I note 1 changelog entry that is not from the debian maintainers), so essentially ubuntu has just copied the debian package and built it.

> Would you recommend just installing from source on drupal.org?
Probably not; rebuilding the packages would be simpler, and will smooth out any dependency issues. If you use a custom version string, you can also make your updates compatible with the normal ubuntu updates.

It also means that when you update you don't get a spray of old files from previous drupal installs sitting on your disk

mycae (mycae) said : #2

Oh final couple of points

* If you are deploying updates as complete images, rather than using the package updater, you don't need your own repo. Just build the newer maverick or natty packages as per the moosechips guide.

* I don't work for canonical, just some end user.

Josh Knight (jgknight) said : #3

I don't know if I was unclear, but we're only using one server. We don't have 30 separate servers, just 30 sites through one server. While it would make sense to rebuild packages if I was managing a lot of systems, it almost seems like more work than just maintaining the script via drupal.org.

I'll have to talk to the others, since I am the sysadmin but it's a bit of a group decision.

Thanks for your input!

mycae (mycae) said : #4

Sorry, I interpreted sites as physical ones :), and thought the server might have been some boot server, or master server, or something.

Rebuilding a package takes less time than building the tarball. Someone has already done the heavy lifting for you . just run the three or four commands, and its built. minimal effort.

If its on one machine, then you can ignore all my comments about making a repository, and just use

dpkg -i NEWDEB

to install the built package.