It’s been an exciting summer, building our first product with Drupal 8. When we originally made the decision to offer Long Term Support for Drupal 6, we were thinking about a few of our clients that were a little behind on their upgrade plans, and had envisioned a mostly manual process. However, once we took the plunge and signed up new clients, we had more modules and themes to track than could easily be done manually, and it remained critically important we never miss an upstream release.
This ultimately led to building Tag1 Quo, a product built on top of Drupal 8 to automatically track upstream releases and security advisories, comparing them against subscriber code bases to determine which need to be backported. This automation was combined with an administrative dashboard and email notification system resulting in a fancy system that quickly delivers all applicable patches to new and existing customers, ensuring everyone stays up to date while also making it easy for us to track ongoing security issues.
Why Drupal 8
The first step was architecting the central service where all this information was going to be collected, stored, parsed and shared. After a little debate, we ultimately decided on Drupal 8 for a variety of reasons: there are huge improvements in hosting web services, we have an unparalleled team of Drupal 8 experts, and we generally wanted more real world Drupal 8 experience.
There have been days (and occasionally weeks) I’ve regretted the decision. For developers intimately familiar with earlier versions of Drupal, taking the plunge into 8 can feel intimidating and overwhelming. Fortunately it quickly becomes familiar and you realize it’s still very much Drupal, and you’re just working with a more powerful set of the same essential building blocks. Quite frequently the same problems are solved differently which doesn’t always equate to better, but nor does it always mean it’s worse; I found I had to remind myself occasionally to maintain a good attitude, and ultimately learned a lot in the progress and more often than not found myself preferring the Drupal 8 way.
Ultimately, it’s been a fantastic experience. I mean, I wouldn’t have wanted to do it with any other team. There were weeks we were tracking down and fixing core bugs, many that were both non-trivial and yet basic/common functionality. We carefully maintain an ever-growing directory of core patches waiting to get committed upstream. We also found that a number of key contrib modules weren’t quite stable, leading us to help fix bugs and add the features we need, always sharing them upstream. Through our development cycle, many of our patches have already been merged benefiting us and anyone else using Drupal 8.
Once I got used to the Drupal 8 file structure, and began to wrap my head around the object-oriented paradigm, there’s a number of wonderful improvements that make developing with Drupal 8 a joy. I’ve personally loved managing the site with the new configuration management system -- all configuration changes are made locally in a private development environment, reviewed, merged, and flow upstream in a controlled and auditable fashion to the shared development server, staging server, and finally deployed to the production server.
There is a certain irony in building this Drupal 8 website, which is parsing data from the Drupal 7 powered Drupal.org, and ingesting JSON data sent from and ultimately for supporting Drupal 6 websites. Nat Catchpole, one of the Drupal 8 branch maintainers involved in building Tag1 Quo, stated this eloquently in a tweet:
First proper 8.x project involves parsing HTML from 7.x d.o for 6.x LTS support. I might be stuck in a loop.— catch (@catch56) May 20, 2016
Drupal 6 Long Term Support
At this point, it’s time to explain just exactly what Drupal 6 Long Term Support is. The idea is simple: Drupal is an open source project and as the project moves forward community volunteers simply can’t support all old versions. Shortly after the release of Drupal 8, Drupal 6 was “end of lifed”, which means Drupal’s volunteer security team is no longer actively reviewing, patching, or maintaining it in any way. That’s where we come in at Tag1: we monitor Drupal 7 and Drupal 8 security releases for core and contrib modules, and backport them to Drupal 6 if they affect any of our clients.
Simple, right? Except not really as it can quickly become complicated figuring out who’s installed what version of each module; is the 6.x-1.x branch affected or the 6.x-3.x branch? was the module renamed when it was removed from core in Drupal 7? or when it was merged into core in Drupal 8? and so on.
So, we automated it. We wrote and maintain a simple Drupal tag1quo module with a trivially simple configuration of a single token which then securely pushes information about your website to our central server. At the same time, we track upstream security releases and security advisories from Drupal.org, both through parsing RSS feeds and scraping web pages.
And at the heart of all of this we created a special field type that strictly parses version strings in a way that allows reliable and quick comparisons. This both allows us to flag upstream releases needing review, as well as when we need to notify users of patches that affect them.
As upstream security releases are made, we review them to determine if they also apply to the Drupal 6 version of the code. When they do and we have subscribers using the module, we carefully backport patches, test them, share them with other D6 LTS providers for additional testing, and ultimately manage a coordinated release.
For the end user, all of this effort is hidden. Notification emails show up in your inbox with simple and clear instructions on how to apply an update.
Tag1 Quo: D6 LTS And Then Some
While we automated our D6 LTS support offering, we realized we had something that was useful for far more than just Drupal 6 Long Term Support. While the core functionality remains about keeping your website secure, we also highlight modules needing non-security updates, or those missing version information (such as those installed directly from source). We take the guesswork out of which updates affect you and simplify it with a pretty, graphical dashboard allowing you to quickly monitor all your website from on a single overview page. More complex searching and filtering across sites and projects is also provided.
At this time, we offer three levels of service:
Pro is our recommended option, as it includes our pro-active Drupal 6 Long Term Support. We monitor all your modules and themes for upstream Drupal 7 and Drupal 8 security releases as described earlier. Our expert engineers carefully review each upstream security release to determine whether or not your Drupal 6 code is also vulnerable. If it is, we backport, test, and deliver patches to fix all identified security issues. You’re covered.
Users desiring more direct support from Tag1 and an adaptable pricing structure for larger numbers of websites will be interested in our Enterprise level offering.
Finally, we also developed an option for those on a tighter budget that can’t afford to subscribe to Drupal 6 Long Term Support but still want to keep as up-to-date and secure as possible. Our Basic offering delivers all patches affecting your website that were paid for by our Pro and Enterprise subscribers. We don’t monitor all of your modules and themes, but your more popular modules can still be kept up to date and secure.
We have big plans for Tag1 Quo. We’ll continue to revisit our roadmap in future blogs, but briefly now this includes adding support for monitoring Drupal 7 and Drupal 8 websites. And when Drupal 9 is released and Drupal 7 is end of lifed, we’ll be there to support it. But before that, Tag1 Quo is still a hugely useful tool for proactively keeping your site up to date. Coming soon is a feature to help with planning upgrades, tracking your modules against what’s been ported to the version of Drupal you’re looking to migrate. We’re also working to support other open source CMS’s, starting with WordPress 4.5 and 4.6.
While we’re very proud of Tag1 Quo, we remain a consulting company at heart, and we’d love to hear about how we can help you with your project. Whether you’re building your own Drupal 8 website (or product), upgrading your Drupal 6 website, or making improvements to your existing website, we’d love to be involved! Our specialities include Security, Performance and Scalability, and Architecture. We’ve always preferred to do it right the first time, but we can also help get you out of a jam.
It’s exciting to have put so much effort into a product over the summer, and to finally have something we’re proud of that we can share. If you have a Drupal 6 website you should sign up today, affordably keeping your website up to date and secure!