Securing Drupal's Auto-Update Infrastructure


The #1 reason site administrators desire auto-update support is security. Yet, automatically replacing the code of a site from a remote source creates its own security risks. In this presentation, we will present the security design for Drupal's auto-update infrastructure. From offline root keys to verification on PHP 5.x, we've balanced strength, flexibility, and compatibility to deliver a system that can support the project's future without neglecting its legacy.