We've made 99 Drupal 6 Long-Term Support releases... what does that mean for Drupal 7?

Parent Feed: 

by David Snopek on January 3, 2019 - 12:34am

As you may or may not know, we've been providing Drupal 6 Long-Term Support (D6LTS) since February 24, 2016, as one of two vendors officially blessed by the Drupal Security Team to do so.

In that time, we have made 99 releases (both Drupal core and contrib) for D6LTS!

Most of those were security releases, but there were also a handful of bug fixes, and most recently, updates to support PHP 7.2(FYI: As of a couple days ago, PHP 5 has also reached it's End-of-Life (EOL) - do you have a plan to update to PHP 7.1 or 7.2?)

When we were first talking to potential customers about D6LTS, I remember many people doubting that we'd be releasing anything at all!

They'd say something like "Drupal 6 has been around so long, aren't all the security issues shaken out by now?" Almost 100 releases later, and I'd say there was plenty to be done. There still is! :-)

In this article, I'm going to look back on Drupal 6 LTS, and also look forward to what that may mean for Drupal 7 extended support after it reaches its End-of-Life.

Lessons learned from Drupal 6 LTS

We learned many unexpected things from doing Drupal 6 Long-Term support over the last few years, which I suspect will continue to apply to Drupal 7's extended support.

The age/visibility of the code doesn't matter

This should have been obvious by looking at other Open Source projects. Many of the recent vulnerabilities found in OpenSSH (a hugely visible project, used by almost every Linux server on the planet) were introduced many years before anyone noticed (in one case, it took almost 20 years).

So, it doesn't matter that Drupal 6.0 was released almost 11 years ago - odds are, there are still some security vulnerabilities in there.

Looking at the projects we released the security updates for, the most common were also the most widely used, for example:

  • Drupal core: 4 security releases
  • views: 4 security releases
  • xmlsitemap: 2 security releases

These highly popular projects have gotten the most scrutiny, but that hasn't meant there aren't more issues to find.

This is especially true of Drupal core, which is independently audited several times a year by security companies hired by large organizations to evaluate their sites. (BTW, this is a great source of security issues reported to the Drupal Security Team.)

I suspect this will continue to be true for Drupal 6 and Drupal 7: we'll keep finding security issues for years to come.

Many issues affected Drupal 6, 7 & 8

Despite the fact that each major version of Drupal up to this point included breaking changes, and Drupal 8 could almost be considered a "rewrite", many security issues affected Drupal 6, 7 and 8, both in Drupal core and contrib.

In the case of the Highly Critical SA-CORE-2018-002, which came out in the Spring of 2018, all three versions (6, 7 & 8) - and even Drupal 5 - were affected!

The code fixes for each version of Drupal were quite different in some of these cases, but the shared history, and the test-driven of evolution of Drupal 7 into Drupal 8 has meant that many bugs (including security bugs) have been preserved.

Even as we move towards Drupal 9 (which is removing and re-organizing even more legacy code), I suspect we'll continue to see security issues in Drupal 9 or 10 that also affect Drupal 6 or 7.

Keeping up with PHP is going to be a thing

After PHP 5.3, there was a relatively long period where not that many breaking changes were introduced to PHP -- so long as you stayed with PHP 5. But now that PHP 5 has reached its End-of-Life, you can't stay on PHP 5 any longer.

PHP 7 has also entered into a regularly scheduled cycle of releases, and each release is making more aggressive deprecations and breaking changes. Many Drupal projects are just switching to PHP 7 now, but at some point PHP 8 will be released and remove all those deprecated features.

Keeping up with changes to PHP is going to be a thing that we'll have to constantly think about now -- in Drupal development in general, but especially for any Long-Term Support effort, whether that's Drupal 6 or 7.

As we've mentioned previously, we plan to offer commercial support for Drupal 7 after its End-of-Life, that will be very similar to what we've done for D6LTS.

And, as per the lessons above, we also expect that extended support will be essential for anyone who intends to remain on Drupal 7 after its End-of-Life!

The most important difference this time around is that Drupal 7's End-of-Life has been announced years in advance. This a huge change from the Drupal 6 EOL, which was "coming any day now" (along with Drupal 8) for 2-3 years, and then happened suddenly with only 3 extra months of support.

So, you have a lot more time to plan, but also, you have something concrete to plan for: Drupal 9 will be out for a year before Drupal 7's EOL, and intention is for the upgrade from Drupal 8 to 9 to much easier than previous major version upgrades - on par with upgrading from Drupal 8.5 to 8.6 (well... hopefully ;-)).

That said, if you do wish to stay on Drupal 7 for some time after its End-of-Life... I think D6LTS has shown that commercial extended support can work, and what that will probably look like.

Original Post: 

About Drupal Sun

Drupal Sun is an Evolving Web project. It allows you to:

  • Do full-text search on all the articles in Drupal Planet (thanks to Apache Solr)
  • Facet based on tags, author, or feed
  • Flip through articles quickly (with j/k or arrow keys) to find what you're interested in
  • View the entire article text inline, or in the context of the site where it was created

See the blog post at Evolving Web

Evolving Web