> When's the last time an up-to-date Drupal site was hacked?
When was the last time that people had an easy enough time of keeping their Drupal sites up-to-date with the latest patches without breaking their existing site?
This is a major and often overlooked problem; it really isn't rare for minor (often security-related) upgrades to break the site. You then have two choices: dig in (which is what you should do) or roll back (which is what plenty of people do) and cross your fingers.
Sure, they only have themselves to blame. But still, the number of out-of-date Drupal sites out there is very large.
If the upgrade process (and IMO that's Drupal's Achilles heel) were smoother, a lot of these headaches would go away.
> If you set your Drupal installation up to facilitate it (using symlinks) minor updates take ~5 minutes.
If it works. I've seen several cases where such a minor update broke the system in non-obvious ways.
> It's the major version updates where APIs change that are tough and it's no different for any other project with an ecosystem as large as Drupal's.
That's a real problem and I think it is seriously limiting.
Over the years I've upgraded quite a few pieces of software with at least as large an ecosystem (Apache, Linux, Python, PHP to name a few) and I've never had things break as spectacularly as with Drupal. There really is no excuse for this; it is causing a lot of grief and a very negative experience for Drupal users.
Instead of chasing the features, I really think Drupal should start to take backwards compatibility and API design a lot more seriously than they've done to date.
There seems to be some movement in that direction, but they haven't made it the central point of their offering yet.
Until they do, I'll be advising people against using Drupal, because effectively I'd be telling them that within two years they can throw their site away.
To make an architectural analogy, the foundation you build on should be at least as long-lived as your house. Otherwise you have a very serious problem.