Implemented Automatic upgrade / update

Shamil

Well-known member
I think that the forum software should be able to do autonomous updates within a minor series, i.e. 1.0 -> 1.0.1 -> 1.0.2, however, not for 1.1 or 1.2. Might be useful for bugfixes, etc.

This saves a little time downloading and uploading files.

Security could be ensured by means of simple md5 or whatever to verify integrity of the file downloaded by the system.

What do you guys think?
 
Upvote 57
This suggestion has been implemented. Votes are no longer accepted.
From a security standpoint, having an auto-update/one-click update feature is a BIG no-no, as it requires that the files be available for writing by an untrusted user on the server. This either means chmodding the files so that they're writable by anyone, or making them writable by the webserver user. For anyone not on their own hosting, with their own security in place, this means that outsiders could potentially insert custom code into the XF files... a BAD idea. (phpshell anyone?). That said, I do use the WordPress one-click upgrade thing, but I do that on a dev server, commit the changes to bzr, then push them to the server (where the file permissions are locked down).
If this were an open source project, I'd not see much harm in adding it, but as a commercial application, I think this has the potential for some rather horrid problems.

Make them available for writing only when they need to be? If you're that concerned, automatic via FTP will work then.
 
Doesn't matter, as it's an internal connection (the server is connecting to itself). Anyone sniffing it would already be inside the server. :)
Indeed - but again, shared hosting - this'd then give them access to your account...
Oh, and sometimes - the FTP server isn't the same server hosting.
Oh, and if the hosts file isn't set up properly - well - then it'll use an external connection.
 
Indeed - but again, shared hosting - this'd then give them access to your account...
If someone else can sniff an internal connection within your server, then you need to get a new host. Or just use SFTP.
Oh, and sometimes - the FTP server isn't the same server hosting.
Oh, and if the hosts file isn't set up properly - well - then it'll use an external connection.
It will still be in the same data center, in which case the internal network would be insecure and you shouldn't be using that host. An FTP abstraction layer is much less dangerous than using FTP from home, which most of us do every day. :)
 
If someone else can sniff an internal connection within your server, then you need to get a new host. Or just use SFTP.

It will still be in the same data center, in which case the internal network would be insecure and you shouldn't be using that host. An FTP abstraction layer is much less dangerous than using FTP from home, which most of us do every day. :)
Or if you're sensible, use secure connections. SSH ftw
 
If we can come up with a foolproof, secure and atomic way to achieve semi-automatic upgrades, it is most certainly something we would like to pursue.
How about a shell script which uses wget/curl (after prompting for customer credentials), extracts, and runs the upgrade script via command-line PHP or bash?
It is "semi-automatic" enough that only those with SSH access can invoke, and automated sufficiently that most people with sufficient access would be able to use it without too much trouble.
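As an added example that is not part of the original thread and not XenForo's own updater: the verify, stage and swap flow discussed in the posts above, with SHA-256 standing in for the MD5 suggested in the first post. It assumes the expected digest is obtained separately from the archive, a `releases/<version>` layout with a `current` symlink, and GNU `mv -T`; all function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; function names and directory layout are hypothetical.

sha256_of() {                      # print the hex SHA-256 of a file
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# apply_update ARCHIVE EXPECTED_SHA256 RELEASES_DIR VERSION
# Returns 0 on success, 1 on digest mismatch, 2 on extraction/swap failure.
apply_update() {
    local archive="$1" expected="$2" releases="$3" version="$4" actual
    actual=$(sha256_of "$archive")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "digest mismatch, refusing to extract $archive" >&2
        return 1
    fi
    # Extract into a fresh per-version directory; the live tree is untouched.
    mkdir -p "$releases/$version" || return 2
    if ! tar -xzf "$archive" -C "$releases/$version"; then
        rm -rf "$releases/$version"
        return 2
    fi
    chmod -R go-w "$releases/$version"   # not writable by group/other
    # Atomic switch: rename(2) a new symlink over the old one (GNU mv -T).
    ln -sfn "$version" "$releases/current.new" || return 2
    mv -T "$releases/current.new" "$releases/current" || return 2
}

# Constructed demo: a tiny archive applied cleanly, then modified and retried.
demo() {
    local work good rc_clean=0 rc_tampered=0
    work=$(mktemp -d)
    mkdir -p "$work/src" "$work/releases"
    echo '<?php // constructed 1.0.1 file' > "$work/src/index.php"
    tar -czf "$work/update.tgz" -C "$work/src" .
    good=$(sha256_of "$work/update.tgz")
    apply_update "$work/update.tgz" "$good" "$work/releases" 1.0.1 || rc_clean=$?
    echo "tampered" >> "$work/update.tgz"    # simulate a modified download
    apply_update "$work/update.tgz" "$good" "$work/releases" 1.0.2 \
        2>/dev/null || rc_tampered=$?
    echo "clean=$rc_clean tampered=$rc_tampered" \
         "current=$(readlink "$work/releases/current")"
    rm -rf "$work"
}
demo
```

Run as a shell user that owns the files, the web server account never needs write access to the code tree, and a failed check leaves `current` pointing at the previous release.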
 
It is "semi-automatic" enough that only those with SSH access can invoke, and automated sufficiently that most people with sufficient access would be able to use it without too much trouble.
Someone on the vBulletin team stated that most of their customers don't even know how to use FTP. I would argue that running an upgrade script through an SSH shell is even harder and I'm pretty confident that most people would have no idea how to do it and wouldn't be interested in learning.

It needs to be done through the admin panel, like WordPress. WordPress has been doing it without any problems, so I don't think it would be too hard to write an implementation that is easy, robust, and secure. :)
 
A WordPress-inspired updater would really make XenForo stand out in the crowd. All of the forums require you to manually upload updates, or go through some irritating process - put an end to this!
 
Only issue is, if you use a WordPress-like update script, it will not work on Windows Server 2008. Well, it would not work on the setup I am on now with IIS. So if XenForo did go with something like that, they would have to test it on a lot of different configs.
 
Only issue is, if you use a WordPress-like update script, it will not work on Windows Server 2008. Well, it would not work on the setup I am on now with IIS. So if XenForo did go with something like that, they would have to test it on a lot of different configs.

It works on my Windows server, but that's me :/
 
Be interesting to know the statistics of the amount of people who'd run XF on LAMP (or similar) and benefit from WP-inspired updating vs the amount running on Windows Server 2008.
 
Be interesting to know the statistics of the amount of people who'd run XF on LAMP (or similar) and benefit from WP-inspired updating vs the amount running on Windows Server 2008.
You can always do a manual update, so 80% of users (?) is better than 0% of users. :)
 
You can always do a manual update, so 80% of users (?) is better than 0% of users. :)

True - but I do wonder if the 80% of users would be fewer users because of the lack of a facility to easily update. So - would automatic/simple updating attract more users? I think it would.
 
WordPress is huge; they have an automatic update system, and as far as I am aware, I've never heard of any issues/problems/exploits etc.

Just use their system :P
 
I think when the new version is ready, an alert should display with the link to download (customers area). And it must be viewable only to Super-Admins (if XenForo uses this system).
 