Transcript: Drupal 7 extended support- Pt. 2: An overview of the Tag1 Quo Drupal 7 extended support service & how it works. - Tag1 TeamTalk #028.2

This is a transcript. For the video, please see Drupal 7 extended support- Pt. 2: An overview of the Tag1 Quo Drupal 7 extended support service & how it works. - Tag1 TeamTalk #028.2.

Preston So: [00:00:00] Hello, and welcome back to another episode of Tag1 TeamTalks, Tag1 Consulting's webinar series on emerging web technologies and the future of Drupal. I'm Preston So, editor in chief of Tag1 Consulting. And thank you for joining us on this amazing series about Drupal 7 End-of-Life with Tag1 Quo. I'm joined today by two of my dear friends and also colleagues, Jeremy Andrews, who's located in Tuscany, Italy. Founder and CEO of Tag1.

I'm also joined today by Michael Meyers Who's located in the Berkshires, Massachusetts, managing director of Tag1. I'm here in New York City. And this is part two of our three part series on Drupal 7 end-of-life Today. We're going to be talking about what exactly the Tag1 Quo extended support program for Drupal 7 is, what it entails, how it works, and why you should get involved and sign up for it today. Especially given that in the last part, we talked about a free plan that's available. We'll talk a little bit more about that today.

So let's go, go ahead and get started right now. I mean, Michael, why is extended support such an important thing And how has Tag1 been such a groundbreaking presence in terms of providing a sense of support in the Drupal ecosystem?

Michael Meyers: [00:01:08] You know, you, you shouldn't be forced to move off of a platform that works really well for you, and so the Drupal community has approved a small number of organizations to provide what's called extended support. Which we talked about in part one, but in summary we make sure that security vulnerabilities that are addressed major bugs are taken care of. We help you maintain contrib modules.

And so essentially we provide you as an organization with the ability to continue to run on Drupal for many, many years to come. and you know, I think it's important to know this is not a this isn't a new thing. Drupal has been providing extended support for legacy versions for a very long time.

Now, there are two organizations Tag1 included that offer Drupal 6 long term support. and you'd be really be surprised, the number of organizations that are still running on Drupal 6 and expect to be able to do so. You know, we have committed to offering Drupal 6 extended support for at least another two or three years because there's the commercial demand for it.

So I would say rest assured you know, we have with five years of experience doing this for Drupal 6 we have proven the model. We have really turned it into a well oiled machine and there should be a lot of confidence there's, gosh, there's gotta be over a quarter million, 300 or thousand sites that are gonna be running on Drupal 7 after it goes end of life, if not, significantly more.

And so there's a really robust ecosystem out there. There's a large number of organizations. You know, I want organizations to know that with confidence they should be able to continue to run Drupal 7 for a long time five, six, 7 years even. So.

Preston So: [00:03:05] And you raised the point that I think is this is really important, emphasize Michael, which is that obviously Tag1 this is not the first time Tag1's been around the block Tag1's you know, obviously has provided the sort of Drupal 6 long term support that a lot of people in the community still rely on and know and love, so obviously, the track record is, is really, really, amazing for Tag1. So, so what exactly is the kind of program that Drupal 7 ES maintainers are?

**Michael Meyers: **Putting out there in terms of extended support by vendors. You know, I understand that Tag1 is one of the very special kind of cabal. Honestly, let's not say cabal but a really nice subset of companies that are providing an amazing, kind of extended support offering.

Preston So: So what exactly does that mean in terms of Drupal 7, extended support?

Michael Meyers: [00:04:00] You know, we're the number two all time contributor to Drupal and we are really proud of our contributions to the community and the innovations that we've driven, that's what differentiates Tag1 from other organizations out there.

And, and that's a really important part of an extended support program - the organizations that have been approved to provide extended support have to be meaningfully involved in Drupal development. Right. You know, If you're going to be providing security, patches and updates, you need to have people that are already on the security team, you know?

And so there's a number of, I would say minimum requirements that organizations must meet, and, and some rules that they must follow in order to be approved for officially supporting Drupal 7 long term support. First and foremost you have to make a commitment that you're going to, test and create security patches for Drupal 7 core.

You know, sometimes there are vulnerabilities that are discovered in eight or nine or other versions of Drupal that apply to all versions or many other versions. And so when a Drupal 8 or 9 security patch is being worked on, oftentimes simultaneously we're going to be working on a Drupal 7 version.

And the same thing, we're required, as a vendor of extended support to test and provide patches for a few specific contributed modules. And this list hasn't been formally identified yet, but I think it's safe to say that it's going to be a select number of the most popular and widely used modules for the reason that we talked about in.

In part one, which is most considered module developers have already moved on to other versions of Drupal. So even if core end of life isn't until 2022, a lot of Drupal, 7 contrib modules are effectively end of life already. And so by providing official support for at least a small number of the most popular modules will help a lot of organizations.

And then, another thing, any patch that an extended support vendor creates must be open sourced and, and this is anything so as a member of a Tag1 Quo Enterprise we can work with you to create feature enhancements for a Drupal 7 module or or, or patch a bug, under the rules of the extended support program, we are obligated to open source that, so that anybody on Drupal 7 can benefit from it.

And of course we’ve got to follow rules of the Drupal security team, which means that while we are aware of a security problem and working on a patch, we can't communicate with people outside of the security team. So there's no advanced notification we don't necessarily we can't give you the You know, we can't give you insight into what's going on privately.

But we do release those patches at the same time as say the Drupal 8 release or, or very quickly thereafter. and so you are in the know and with that notification system from Tag1 Quo, you're, you're in the know immediately, And the last thing is we want to, we only wanna ensure that vendors can commit to doing this for at least three years, so that again, companies can rest assured that this is something that they can rely on.

So that's that's the minimum that all extended support vendors have to provide. Over and above that you are free to do whatever you think will best meet the needs of your customers. And that's why we created Quo because it provides all of these tools and features on top of this base functionality.

That really makes a big difference.

Preston So: [00:08:01] I think that's one of the really big advantages of, of coming on board to Tag1's you know, Quo service, as opposed to some of the other vendors that are out there you know, obviously we've got a minimum baseline of requirements, but I know from my experience using Tag1 Quo that it goes well beyond what you just described.

Michael. So I'm curious, Jeremy, how exactly does Tag1 Quo exceed the expectations that are part of that vendor, extended support program and go well beyond to serve things that a lot of customers might not even have thought of yet?

Jeremy Andrews: [00:08:33] Yeah. Well, to start off, while we're required to just maintain a few contrib modules, Quo will support 100% of contrib modules that have a release on drupal.org. Which means it doesn't matter how many people are using it. If you're the only website or there's lots, if a security issue is raised, we will work to provide the patch to test it and to release it, to make sure that your website is protected.

Similar to drupal.org, we provide both a patch form, which is useful depending on your deployment model, but also we provide pre-patch releases. So you can download a tar ball or a zip and extract it, or you can apply the patch yourself, whatever works better for you. Our notification system is robust to make sure you don't miss notifications.

if you subscribe to security releases currently, you're going to see a lot of security issues coming out. And it can be difficult to know which ones affect you and which ones don't affect you. With Quo, You only learn about the issues that actually affect your website. You get pushed information about why it's important, through multiple mechanisms, whether it's emails, Slack, ticketing, systems, you name it, that's how we're going to get up, get a hold of you.

And then beyond that, we've been building out a dashboard for many years now. That's quite useful. that gives you an overview, not just of like one site, but it scales up to tens or hundreds of websites, or more so that you can manage. If you have lots of Drupal, 7 properties, you can make sure they're all up to date and you can quickly figure out which ones are effective, which ones, you know, the patches have been deployed on.

There's lots of purposes for that. Okay. Beyond that, We're a consulting company and we can offer bespoke services if you want proactive security reviews, or custom development. We, we still enjoy working on Drupal 7. Several very active Drupal 7 maintainers are on our team and we're more than happy to help fix a problem with a custom module, write to a new custom module ,back port functionality whatever's required. So we, we intend to go above and beyond the minimum requirements.

Michael Meyers: [00:10:46] Yeah, I think that's particularly important because when you think about Drupal 6, which has been around for a long time now and been end of life for over five years, there are a few people in the world that, that are positioned to do anything with Drupal 6 at this point.

And so having organizations that are willing to provide custom development services on these legacy versions is a huge asset to organizations.

Preston So: [00:11:17] Absolutely. I couldn't agree more. and I think it it's, it's one of those things that I, that really gets spotlighted when you actually see that working in practice. when you see those notifications come in and you see exactly how all of these sites are going to keep on remaining well-maintained and stable well into the future.

so let's go ahead and segue a little bit away from what the extent of support program entails. And let's talk about exactly how we get set up with Tag1 Quo. I think a lot of folks are interested in, in, in how exactly they can, they can sign up for Tag1 Quo, how can they get, get up and running with it?

So Jeremy what's the best way to get started with Tag1 Quo?

Jeremy Andrews: [00:11:57] If you want to get started today, we currently require that you enter a credit card and you start a month to month plan. When we start offering the free Quo, which will start in November of next year, that won't be required.

Obviously you'll be able to sign up for free no credit card, no commitment continues. In any case, once you set up your plan and you decide how many sites, you have to download the Tag1 Quo module and install it on any site that you want to have monitored, so after you install the Tag1 Quo module, what it'll do is it'll, it'll basically scan your website, understand what versions of which modules are installed. And it'll push that up to our central server, where we maintain a database of every release that has ever been done on drupal.org.

And we determined, through version checks to see whether or not there are. Whether or not, you have a vulnerable version installed. and then from that point on the service is working. It'll start pushing existing patches that we already know about. If you don't have them installed yet, it'll let you know if there's security patches or just regular updates on drupal.org that have been released.

And behind the scenes, it will notify us if you have a module that we've not seen before. because what that means is that we have to have people involved. They get online and look and say, okay, have there been security? Problems for this, and Quo tells us, okay. Yes, these are the issues. And we go and we manually review them and see if they affect your Drupal 7 website.

At that point, we actually test it. We backport it, we test it and ultimately we'll send the patch to you. We do all of this, whether it's core or it's contrib modules. And so, yeah, that's, that's, that's the general process though, at that point, you are in the queue for getting any security issues that are reported.

Preston So: [00:13:45] So I think the other thing that that's really important is there's all this underlying activity going on that you just mentioned, Jeremy, where all of these things are happening within Tag1, to help you with those security vulnerabilities, help you with those core and contrib bugs.

But how do we actually as customers of this service? get these updates and these notifications, do we get them on drupal.org? Is it on the Tag1 Quo, dashboard, Michael? How, how, like, how exactly do we get notified of these things?

Michael Meyers: [00:14:13] That's a great question.

Tag1 Quo is going to have its own public repos. And that's because drupal.org, Core is going to be locked, you're not going to be able to post any patches to Drupal Core once D7 end of life happens. And Contrib is likely going to be dead. You know, people that have been maintaining contributed modules for a decade at this point, people have asked a lot of them they're really ignoring any requests, so you know we'll ask them, Hey, can we become a maintainer of this module officially on drupal.org?

Most of them are just going to ignore that request. And so again without being a maintainer for those modules, no one can contribute patches, directly to that module. So there is going to be a, a Drupal 7 extended support project and the issue queues. it's, it's really confusing, frankly.

We did this for Drupal 6 long time support as well, where the patches are going to be posted, but the issue is going to be closed out so you can monitor it, but it's a little hard to follow. and, and really one of the benefits of working with an extended support vendor is that we take away all of that pain.

As Jeremy said, we provide you With access to the patches you need for your site. You don't have to monitor all of this. And each vendor is a, it's up to you, to them. How they want to do patches is how they want to release them, how they want to provide them to you. There is no set release schedule.

There is no public announcements. There's no consistency in versioning. So for example, you know what, what we do with Quo, we go out of our way to carefully come up with a numbering scheme for future releases to maximize compatibility with the future, say, Contrib releases on drupal.org.

If it is being maintained, as well as our past Quo releases. And so what a vendor. Might package into each release. You know what we call 7, 10, not one may have different things. Then another vendor who, who comes out with a similar numbering scheme or they might use an entirely different numbering scheme, most likely.

And so that's something to keep in mind. You know, you can switch between extended support vendors if you want, but that's an important factor to consider, you'll need to reconcile and clean that all up and get onto the, the new numbering scheme to make that happen.

Preston So: [00:16:46] I think this just goes to, so how many aspects of, these challenging logistics around some of these modules and how to keep track of them, Tag1 Quo takes care of a lot of these things and really kind of lets you.

Rest easy when it comes to, this whole extended support program. so one question I had for you, Jeremy, is, is, are there any requirements for me, like any, anything that I need to set up ahead of time for me to get a Drupal 7 extended support with Tag1 Quo?

Jeremy Andrews: [00:17:17] Okay. Talk me through the process of downloading the Tag1 called module, which is where, how we know what you have installed on your website.

Beyond that. The patches are made for the latest release of either Drupal Core or the various Contrib modules. So one requirement is that you have your site up to date. That's certainly something we can help you with. If it's something you need help with. but for the patches to apply, you will have to be on the latest version.

We only backport patches that are, for modules installed by at least one of our paying customers. So you only find those modules in our system if you are, or somebody else is paying, for that backporting.

If we end up fixing a problem. Like if you were to bring us in and to fix an issue on your Drupal 7 sites, one requirement that we have as part of the open source, community is if we're fixing something in a Contrib module that's hosted on drupal.org, that has to be released, that fix has to be released as open source.

Just to make it clear if you have proprietary code in your website and you need help fixing that, or even if you bring us in to fix what seems to be a Contrib problem, and it turns out to be a problem in your proprietary code, proprietary code, that does not have to be released. Proprietary code stays proprietary in any fixes we do in your proprietary code you continue to own, so it only, this only applies if it's already open source.

Preston So: [00:18:47] I'm sure that comes as a relief to a lot of folks who have a lot of custom modules and want to make sure to keep those under wraps, but also. To make sure to keep them up to date. thanks to the work that Tag1 can do.

So I'm going to ask a question. I'm a very frugal person. I've been frugal all my life. I don't really pay for a lot of things. I don't subscribe to Netflix. So here's the question for you, Jeremy? I mean, if all the patches are freely available okay. And just get them, why should I pay for Tag1 Quo, just to play devil's advocate here.

Jeremy Andrews: [00:19:18] It is true that the patches are there and the patches will be there as long as somebody is paying. So if nobody pays, then these patches are not going to happen. so to a certain degree, it makes sense that to be a part of this, what we tried to do was keep the pricing extremely low, so that you can afford to do it.

And that's, that's an attempt to try to build up this pool of, of patches that are available to everybody. Obviously beyond that, our goal is to make it not just patches. but it's the entire tool set that we provide to you. Tag Quo is much, much more than just patches.

So, so in some cases it seems it's pretty common that people have a, generally have a set of modules that are the same as other people, but it's also common that people have a handful of modules that no one else seems to install. So by being a paying customer, you make sure that every single one of your modules is covered, not just the ones that somebody else has installed.

We've talked a little bit about the dashboard that gives you an overview and that shows you yes, you actually applied it. we have customers that obviously Hey, here's a patch. They say,

okay, I installed it. But then you look at the dashboard and it says, no, you didn't go back and look into it and realize that the patch was never actually deployed.

So the dashboard gives you peace of mind. That you actually are fixing the problems you think you're fixing and deploying them. it has the notifications, it also, you know, gives you access to the Tag1 team, lots of experts that can help you fix your problems, do custom development if any of that's required.

So I hope that we make it compelling and that, yeah, people will pay for the service.

Preston So: [00:21:04] Well you've convinced me. I mean, I think it's all part of the greater good, it's all part of supporting a program that doesn't just support me in my Drupal 7 sites, but it supports those over there, those over here.

All right. I can, I can get on board with that and I think. A lot of people in our audience, can, can, can really understand, the value inside. And as you mentioned, Jeremy, it's not just patches, it's not just notifications it's really about, taking care of all of that heavy duty work for you and taking care of a lot of the things that a lot of people have so much trouble with when it comes to this exact kind of long term support.

So Michael, just to finish things off here can anyone provide this kind of extended support or like, like just to play devil's advocate again,

Why should I go with Tag1?

Like are there other people that I could go with instead?

Michael Meyers: [00:21:52] I mean sure. It's technically anyone can do anything.

But, yeah I would caution you that there are only a very small number of organizations that are approved by the Drupal Association to offer extended support. And that's because you want to make sure that the people you're working for or with have a tremendous amount of in-depth Drupal experience.

You know, In order to become an extended support vendor officially, for example, you need to have people on your team that are actively engaged in the Drupal security team already. And you know, they need to understand Drupal and, and, and really from the inside out to be able to create the kind of security patches and participation in Drupal core development, not just security, understanding the inner workings these are all critical to.

Really being able to offer a real extended support service, and no other vendor can claim to be doing this as long as we have, or to have contributed as much to Drupal Core as we have. you know, we've created the model for extended support with Drupal 6, we're the number two, all time contributor to Drupal, and so we're really a trusted partner that you can rely on. And as I mentioned a few minutes ago this is going to become even more and more important over or time you think about Drupal 6. There are no developers out there that do Drupal 6 development you know, it is a little bit less of an issue right now, with Drupal 7, but a few years down the line, it's going to be critically important that you have extended support vendors there for you that can do this.

And so that's why they approve just a small number of companies to do this. And we're really proud to be one of them.

Preston So: [00:23:40] Absolutely. and let me just highlight one one thing that you mentioned just now, Michael, and, and something you mentioned earlier, as, as well, Jeremy, which is the fact that Tag1 has some of the some of the most important and some of the most, storied, talent in Drupal 7, not only Drupal 7 development in general, but also Drupal 7 maintenance and Drupal7 stability. So unfortunately that's all the time we have for today for this part of the three part series we have on Drupal 7 extended support with Tag1 Quo. I want to thank my dear friends, Michael and Jeremy for joining me today. And as always, please remember to Share, Upvote, Like, Subscribe to our YouTube channel, to all of our podcast and webinars, sources. And also please remember to hit us up. If you have any suggestions for topics that tagteamtalks@Tag1consulting.com And thanks so much for joining us, stay tuned for the next installment, which will be about Drupal 8. Thank you so much and see you next time.