Long Term Support (LTS) BoF at DrupalCon Portland

We encourage users to post events happening in the community to the community events group on https://www.drupal.org.
christefano's picture
Posted by christefano on May 20, 2013 at 10:19pm
Start: 
2013-05-22 12:00 - 14:00 America/Los_Angeles
Organizers: 
christefano
Event type: 
User group meeting

http://portland2013.drupal.org/bof/lts-long-term-support-bof

Exaltation of Larks is hosting a BoF (birds of a feather) discussion on long-term Drupal support (particularly for Drupal 6 sites when Drupal 8 comes out and bug fixes and security releases for Drupal 6 are discontinued).

Long Term Support is a topic that is near and dear to us and a number of our clients and this BoF is a followup to our earlier post, Drupal 6 End of Life When Drupal 8 is Released… Or Not.

We're also preparing an "LTS" version of Drupal 6 and have a lot more planned. Stay tuned to the DrupalCon BoF schedule and @LarksLA on Twitter for news of when this BoF gets scheduled.

Comments

Drupal 6 Hosters After Drupal 8 is out

Posted by johnbarclay on May 30, 2013 at 8:16pm
johnbarclay's picture

Does anyone know of hosting providers that will host Drupal 6 after Drupal 8 comes out, assuming some LTS approach solidifies?

I have a typical scenario where a client with some custom modules has Drupal 6 sites, but doesn't plan to invest in upgrading and additional development until they have a chance and/or Drupal 8 is more mature. Their current provider is hesistant to host Drupal 6 after official security patches end.

www.johnbarclay.com

Drupal 6 Hosters After Drupal 8 is out

Posted by johnbarclay on May 30, 2013 at 8:16pm
johnbarclay's picture

Does anyone know of hosting providers that will host Drupal 6 after Drupal 8 comes out, assuming some LTS approach solidifies?

I have a typical scenario where a client with some custom modules has Drupal 6 sites, but doesn't plan to invest in upgrading and additional development until they have a chance and/or Drupal 8 is more mature. Their current provider is hesistant to host Drupal 6 after official security patches end.

www.johnbarclay.com

Yes, we will be providing

Posted by damien_vancouver on May 30, 2013 at 11:21pm
damien_vancouver's picture

Yes, we will be providing managed Drupal 6 hosting for as long as possible at CanTrust Hosting Co-Op, using PHP 5.2 (from php52-backports), FastCGI, and an elevated security environment. We plan to have a specific service offering set up for this by the time Drupal 8 is released.

In my experience, most Drupal end-customers cannot or will not do major upgrades (which amount to a full rewrite and re-investment most of the time). There will be a large number of clients for whom upgrading is simply not a feasible option, who will need continued hosting support. As long as we can, we'll be offering that to them at CanTrust as we have many many customers in this boat (most of whom are non profits, NGOs and social change organizations who cannot afford to replace their site, nor have it suddenly switched off).

I will ping this thread when we have the offering ready. It will be described on our new website, coming.. before D8, hopefully! You can send me a private message via Drupal to inquire, or email us at info@cantrusthosting.coop.

Interesting idea. I can see

Posted by greggles on June 7, 2013 at 1:25pm
greggles's picture

Interesting idea. I can see how this would be appealing to customers.

Do you plan to backport the security fixes of core and contrib from Drupal 7 to Drupal 6?

knaddison blog | Morris Animal Foundation

No drupal backporting no

Posted by damien_vancouver on June 11, 2013 at 6:24pm
damien_vancouver's picture

No, we are not intending to backport Drupal fixes, as that's way beyond the resources we have available. It may happen, if we find that we're able to do it when something comes up.

Rather we are focusing on keeping a stable and secure OS environment going. There may come a day when a heinous vulnerability prevents running D6, D5, or even D4.7 sites. On this black day we may have to inform customers that the only option left is to cripple functionality and/or convert their site to a static read-only site. But so far that day hasn't come for 4.7 or 5. We no longer have any 4.7 sites but a couple 5 sites live on and still seem to be working.

... still works

Posted by limas on June 11, 2013 at 8:12pm
limas's picture

There is at least one D4.7 site I know off. (http://kultur-online.net)

D6 LTS is a great idea. For me D7 is just a bit on the slow side.

Use a Virtual Machine

Posted by mc0e on June 11, 2013 at 1:14am
mc0e's picture

The concerns hosting providers have with hosting a potentially insecure site, are mostly about your site compromising the security of others. If you run your site on a virtual machine, then you're pretty well isolated from other sites, so hosting providers which provide hosting on that basis won't be too worried about what version of software you run.

If your site is compromised and starts abusing others over the network, that's a different story of course.

A couple notes on our

Posted by damien_vancouver on June 11, 2013 at 6:32pm
damien_vancouver's picture

A couple notes on our experiences along these lines, and our rationale against using lots of small VMs:

  1. It's much harder to get PHP 5.2 compiled properly on a modern OS flavour than it is to do a pretty good job of securing it afterwards. Just try and build PHP 5.2 from source on the latest Debian or Ubuntu and you will see what I mean.
  2. Running PHP 5.2 via FastCGI allows you much greater security between sites on a single server than in the old mod_php days. However you still need to stay on top of the security backports since it is built from source. One day those backports will end, so you can mitigate risk by keeping the server really locked down.
  3. People who can't get their site updated are even less likely to keep a VM up to date.... Multiple customer-managed VMs that are out of date are a much greater security hazard than a single site out of date. Advising customers to use a VM puts the burden of security on the customer, which is not a good idea when running old sketchy versions of stuff compiled from source! Also they are not going to have much luck with the compile on their own as per point 1. PHP 5.4 which will come with their new VM is not likely to work.

Notes from Portland BOF on LTS

Posted by johnbarclay on May 30, 2013 at 8:18pm
johnbarclay's picture

Are there any notes from Portland BOF on LTS. I don't have a logon for that site to see the BOF space.

www.johnbarclay.com