It's not news that Drupal 7 is approaching its end-of-life (EOL), in fact, it has been a long time coming, but the EOL date (November 1, 2023) will be here before you know it, and it seems less and less likely by the day that it will be extended further.
There has been a lot of talk about what it takes to upgrade to "modern Drupal," but less ink has been spilled painting a picture of what it will actually be like to still be responsible for a Drupal 7 site and its security after that date. Keep reading this article (or listen to our Drupal 7 End-of-Life Podcast) to learn all about what it means for you.
Trust the Process
Drupal has long had a stellar reputation for security and it would be easy to think that was due to the fact that it is open-source. I would argue the level of security offered by Drupal's codebase is a product of its security process. The Drupal Security Team is responsible for triaging security issues for Drupal core and contributed modules, mobilizing developers to create fixes, and getting information about the vulnerability, along with the corresponding fix, in front of users as efficiently as possible.
When Drupal 7 reaches EOL, its code will still be open-source, but it will not benefit from any of the structure or processes that have been built to get Drupal to where it is now. It will be a bit like living in a frontier town with no infrastructure or help available when something inevitably goes wrong. It will be a matter of when not if. This is not what anyone responsible for the security of a website wants to hear.
Drupal's Security Process
As a refresher, this is a high-level overview of the steps that would occur if you discover a vulnerability in a supported version of Drupal.
- You discover a security vulnerability in Drupal core or a contributed module.
- You report the vulnerability to the Drupal Security Team.
- The security team will triage the issue and if they confirm it, contact the relevant maintainers in private. This is important so that a fix can be created before the vulnerability is made public.
- The security team will coordinate with the maintainers to ensure the issue has been resolved.
- When the issue has been fixed, and new releases created, the security team will publicize the vulnerability and its fix. Drupal users only need to concern themselves with following the security team's announcements to stay up to date on vulnerabilities and their corresponding fixes.
Life After End-of-Life
The original EOL announcement from 2019 details what will be different when Drupal 7 reaches end-of-life:
The Drupal Security Team will no longer provide support or Security Advisories for Drupal 7 core or contributed modules, themes, or other projects. Reports about Drupal 7 vulnerabilities might become public creating 0 day exploits.
The security processes detailed above will not exist for Drupal 7. The security team will no longer accept or triage reports for Drupal 7, coordinate/publish fixes, or publicize their release. It will be increasingly likely that vulnerabilities will be disclosed publicly before fixes are identified and published.
No Trusted Announcements
Providing security requires more than simply posting a patch to Drupal.org. Hundreds of thousands of people rely on the Drupal security team to notify them of known vulnerabilities. The security team coordinates security announcements in release cycles and evaluates whether security issues are ready for release several days in advance.
Even if a developer is kind enough to publish a fix for a vulnerability, no official announcements will be made. You will be on your own to identify and vet any security disclosures and fixes.
- Is this vulnerability real?
- Does this patch actually resolve a real issue or could it be creating a new vulnerability?
- Do I trust the person who is sharing this patch?
These are just some of the questions you will have to ask yourself in a post-EOL world.
No Commits or Releases
There will be no more core commits to Drupal 7.
There will be no further commits or packaged releases for Drupal 7. When a vulnerability is disclosed you will be responsible for finding or creating a fix and then tracking and applying your own security patches. As you add more patches over time, you will be responsible for making sure that patches continue to apply cleanly if there are conflicts between one or more of them.
No Community Support
Drupal 7 will no longer be supported by the community at large.
How many teams out there have a member who is an expert in an area of Drupal core's codebase? How many have experts in every area? Drupal's vibrant open-source community, means this is not necessary when working with a supported version. We all get to benefit from the expertise of others while contributing back in our own areas of expertise.
Post-EOL every team will be on their own to identify, vet, or even create fixes for Drupal subsystems as varied as forms, user authentication, the database, caching, theming, and so on. The Drupal Security Team, comprised of 30 talented volunteers, will no longer be of help and their contributions will not be easily reproduced. Even with a staff of dedicated engineers, this is a heavy burden for any team, let alone a small team, to carry.
The end of the story remains the same. We must migrate off of Drupal 7 before it enters end-of-life.
We're providing real time coverage and consolidating resources and information to support the teams faced with the decision of upgrading or migrating from D7.
Also, check out our Drupal 7 End-of-Life Podcast wherever you get your podcasts.
Roadmap Your Drupal 7 Transition
We’re offering free 45 minute working sessions to help you assess your organizations level of risk, roadmap your transition plan, and identify viable options! Drop us a note, and we’ll reach out to schedule a time.