 I think that's pretty much it. I don't know, you can't really say it, can you? We'll try it, see what happens. It either a call or it won't. It might get a black presentation with no audio. I just think someone like that. OK, no problems. It's going to be a nice quiet one. One C, one C. PGLC? Yeah. Yeah, you've got them D2 and microphone, E-L-G-O-C. E-L-G-O-C, it's not being enforced. It's just for the reporting. Is that the lapel or is that another one? The cable microphone you can take up is down. It's just small rooms so if you have reinforced speakers in there, it'd be a bit of a kill. OK, so I assume that records. Yeah, if you take it out of the stand and just use it like a regular mic, it won't have the reinforcement but it'll be much better for the recording. Does that mean he wants you to take it out or...? I guess it's one of them. Yeah, OK, we're going to take it out. Yeah, so wait a minute. I don't know with issue with this one last year. It's too small of a room, isn't it, for it to be way better? Which one to make sure it does the recording? Last year, if you do the recordings, it didn't work. Is that in Wiggy's hand or are you in the fishbowl? Yeah, they're not sure if the microphone's running or not. We'll get started in a few minutes, hopefully. I think it's more for the recording, really. It's a pain to have the microphone out of the room. Yeah, so it's just for the recording. Yeah, exactly. I should have explained about this microphone. No, don't worry. It's fine as it is. I mean, you can have it on your person or you can leave it down here. It's just for quality of audio. Yeah, that's fine. Has someone actually got a recording? Yeah, I've set up the recording. Oh, yeah, it's so dramatic. I'm just going to take one of these away. Yes, there was one in the room, so you can take that. Thank you. Thank you very much, man. We'll get it going now as hopefully we're all sorted. So my name is Mike Davis. I'm a lead developer at Deeson, a Drupal agency that's working with other platforms like WordPress and Narraval and stuff as well. This afternoon's talk is on an application we've got called Warden. I don't know if we've got any developers in here at all today. That's okay. Well, for those who aren't, I don't know why there's no code on this one. This is the application called Warden, which I'll run through in a minute, but a system which kind of helps report on the sites you maintain as you're at different agencies. So these days, online security, it's a massive deal, isn't it? Everyone's talking about it. Everything's going online. It needs to be checking what's going on with security, how log-ins are happening, whether we've got SSL, whether we've got password protection at various different levels. It's a big thing at the moment. I remember a couple of years ago, I used to be able to remember all the passwords I needed for my email accounts, my online bank, everything. Even though I had different passwords, different things, there was only a handful of things you had. I thought about 10 passwords. I thought, pretty good, I've got a hundred or 10 passwords. Nowadays, with the different things we've got, the levels of security, the two-factor authentication, you need other things, but security is a massive deal that we're looking at these days with everything we're doing. Chrome stated at the end of last year that starting at the beginning of this year, actually they're going to start flagging up sites which don't have SSL certificates and marking them as insecure. I think starting at around about March time with a later update they'll be releasing then, it'll not only be a grey box saying it's secure, it'll start saying red box saying it's secure, which obviously is a quite big flag for a lot of people. So when people are using our sites, we need to make sure that actually we're making sure that our sites have SSL certificates on them. Security is on our client agendas. Quite often nowadays we're finding that clients are wanting to make sure that what we're doing to make sure their data is secure, what we're doing to make sure the platform that we're running on is secure. So they're actually thinking about it as well and wanting to pay attention to what's going on with that. Drupal Geddon. I don't know how many of you will be aware of this. I'm sure many of you will be. It's a massive security breach that was not breached. The vulnerability that was announced in Drupal a couple of years ago, they reckoned if you hadn't applied the patch within about six hours, seven hours of it being announced, your site would most likely be hacked. At that point in there you'd better off to take your site down, restore from a backup and bring it back up again because the data on there could have been breached and could have been tampered with in some way. It's just a kind of a paper of strength. Yes. So that is a massive deal for Drupal community. I think we've got press, probably worldwide, nationally and stuff, and there's a lot of press about it. But yeah, a big thing and something we need to make sure of. We actually need to make sure, have we updated our sites? How do we know we've updated our sites? How do we know we've got everything handled with that? It's important to know from our client's perspective that actually we as agencies are on top of this that when we get an announcement like this we can actually update our sites quickly and efficiently and know whether we've actually updated everything. So in this age, security is a big thing. How much does it really matter? Online security and other things? Well, Carphone Warehouse were fined £400,000 recently fought by the ICO due to serious failures placing customer and employer data at risk. They had an audit at their site, so using a WordPress site that was found to be out of date, considerably out of date, exposed to the internet and suffering from multiple vulnerabilities. Because it was out of date, the vulnerabilities are there. Their attacker, BAA, sort of safe attacker if you like, was able to exploit the vulnerabilities because they could tell what version was running, they could isolate things, and they could access a site. They got customer data, they even got credit card data about customers. If this had been an actual attack by a hacker, by someone who was fishing around, trying to see what was going on, the amount of data that they would have got and the level of data they would have got was very serious, that they could have used it for all kinds of malicious behaviour. So it was a big thing. I mean, Carphone Warehouse is a big name, they have come to this kind of thing as well. So they were fined £400,000 just as last month for that. But with the introduction of GDPR, coming out in March this year, that fineness likely to increase to around £20 million. So this is a big thing. This is something that clients need to be aware of, need to know that we're on top of this, as agencies that are managing their sites, that are actually maintaining their sites and providing the service for them. Incidentally, if you're still unsure about GDPR, at least in addition to white paper, which is a very good read, explaining it very clearly for those who are not sure about it. So where does that leave us with Drupal? Well, Drupal, as hopefully most of you may know, they've got their own security team. They have people in the community who are helping to understand what's going on with core code, but also module codes when vulnerabilities are submitted around modules or core. They're isolated, they're dealt with by the security team and module maintainers. They are helping to keep the code secure where they can. They issue out weekly notifications, usually by email. There's a post on Drupal.org which lists out the security announcements. You can get an RSS feed from that. We have one that runs into our Slack account, so we can actually tell everyone what's going on with that. It's something that all your developers really should be signed up to, so if they're not, make sure they are, because we want to be aware of what security announcements are coming out and being aware of how that affects our sites. The fact that we have this security team, I think is a big plus for Drupal. It's something we can sell to our clients. It's something that we can help encourage our clients in and actually saying, well, Drupal as a whole, as a system, make sure that your site is going to be up to date. Yes, it's up to us to make sure we update it, but there is premise in place and systems in place to make sure that as long as we are doing our job and updating it, that it is kept up to date and it's not going to fall behind. So a little bit of background on what we can do with Drupal. Drupal has a status page which tells you whether it's updated or not. There's the module listening page which uses traffic-like system to tell you whether it's up to date or it's got security updates. It's great, great for a single site, but if you actually, most of us here, I'm sure we've got more than one site that we're all dealing with, so to trawl through those and trawl through the sites can be quite time-consuming to run through and check which sites actually need updates and how it's going to affect that site. Pantheon, Acrea, Common Drupal hosting solutions, they provide in their dashboards an overview of the security updates as well. So you actually don't have to log in to your site so you can see it through your dashboards. Now, that's great, but it's one level above maybe. It does require your developers to log in to their Acrea account assuming they have access to all the different sites you have on Acrea to actually go through each of the sites in turn and check to see whether they've got security announcements or security updates pending on there. Once they've done that with Acrea they may have to move across to Pantheon and move it on there. I imagine most of us probably don't just have sites in Acrea and Pantheon. We might then have them on PlatformSH, even on AWS or other custom hosting platforms. These ones, these different platforms don't provide that kind of dashboard to actually give you a sense of what's going on so you still have to then go into these sites, check whether these sites need updating or not and for your developers to actually run through and find out across your status sites if you hold as an agency which ones are affected by a core update, which hopefully we mentioned them, but module updates that come out as well. We're decent, face this exact same problem several years ago and each week when security announcements came out we were going to scrub it around and find out which sites were available, everyone's on hands, making updates, working out what we need to do. We're sure we've captured everything, we end up with spreadsheets, we end up with all different reporting stuff trying to find out whether you get what's happening and whether you actually managed to update all your sites or not. Through looking around, trying to find out other solutions where we could do this, we came across this module called system status which at the time was reported into an online dashboard which was a free service which captured your information from the site, had a dashboard there to handle it meant that you have all the information available to you. The company has now become known as Lumirio and is a pay-for service which offers a set of dashboard, offers updates and things on there. Feel free to check it out, it is a good system. It looks like it does everything we want to do. The problem we had as an agency was passing all our client data onto another third-party company. We weren't necessarily that happy about doing that when you've got all the different sites that you're managing and you've got potential security updates needing and you're passing it to third-party company we weren't too comfortable with that especially at the time it was a free service we didn't know what they were doing with that data we didn't know where they were going to go what the company was going to do we spoke to the module maintainer, system status to see if there was any way you could have an off-the-shelf sort of install it where you want system where we could have the system install it on our own service somewhere so that we maintain the data for it and it wasn't held by then. Although this was an idea he liked and was floating around it wasn't something that fitted their business at the time so feel free to have a look at them it seems to be a good system seems to match and take those boxes but certainly for us it didn't seem to sit well with us at the time we wanted to be in control of our data we wanted to make sure that we were aware of what was going on so we developed Wardham what started up was a little bit of an internal project to see what we could do with it see what we could take from the lessons we learned from system status to develop something which would be a central reporting tool it is a high-level reporting tool that means that you can see all your sites you deal with an agency it doesn't matter where they're hosted SSH, ADRS, Acquia, Pantheon your own custom hosting your next door neighbours server wherever it is it can report the data from your Drupal sites into Wardham through the Drupal module Wardham application itself uses Drupal's only security API to update itself to understand what the latest versions are so we can match those and understand and see your sites so you then go to a central place where you can actually see which sites have been affected because we wanted to make it so that other people could use it I haven't got something established it's now available on GitHub you can download it, install it we'll caveat that in terms of it does require a little bit of DevOps it's a symphony-based application so it requires a server or system somewhere that can support symphony it also runs off MongoDB currently so as long as you've got that setup and you can configure that and you're handling on there it means that you're then in control of your data you as an agency maintain that data nobody else has got it as long as you've got your own secured servers and you maintain that then you're handling that data it's your clients, your data nobody else can tamper with it no one else can see what's going on with it it's up to you how you manage that and what you do with it but it means that you have a central place for all your sites to understand where they are understand what needs to be updated it's a standard symphony application so once you've downloaded it install it using Composer and it goes off as normal so what does Warden really do? we've seen that high level thing when you log in it gives you a central dashboard highlighting all sites which you've got a security update depending on them be it a core update or it could even be a straight core module update you might have one or two modules that be released in a security announcement which you need updating they will share up on the dashboard as well this gives you a central place where you can go all your developers can log in access it see what needs to be done they can dish out the different sites between the teams they want to or if there's various sites they know they're maintaining they can go yep I've got that and that and I'm doing this and between them once the update's been released and pushed out to production servers this can update and therefore you can see that list producing hopefully during the day and therefore you can pick off and say actually well okay we've still not got this site done what do we need to do with this and it's a way of essentially managing what sites have been updated and what we still need to do the update process runs on a for one job so you can have it run overnight you can actually run it through and keep an eye on what's going on with the sites we've got on there it also provides a full list of sites you have so the dashboard shows you which ones need updating you've also got a full list of sites it also highlights which ones have got the update pending but it means you can see a full list of everything you've got going on with your state of sites, the clients you deal with you can actually have a look at that you can monitor that, you can see how that's going there's a full list of what's going on rather than having to scrabble around with different spreadsheets you might have or someone's got a list here and someone's got a list there and it helps to bring everything together within each site we also show the information about that site so core modules the core version the list of modules that are available for that site and stored in that site alongside that we also then break it down in terms of well which versions are using or whether they need a security release on them so you see on that one that top one's highlighted in red and the other one needs a security update whereas the previous one will put it down in yellow, they just update so you can manage that as you need to on there, whether you worry about those or not or whether you have a process again where okay they're all out of date, we need to update them all or over time you can keep them up to date and maintain the actual they may not have a security update but you can still make sure the modules are up to date too many times you go through the process of building a site get everything ready make sure your modules are up to date before going live go live, 6-12 months later you come back and look at it and everything's out of date because everything's been had module updates and version updates and things going on you've kept core possibly up to date with security updates that come out but you have a ton of modules where there are 15 versions or 12 versions out of date in one sense they might be alright depends on how you look at it, if it's not got a security update it's fine but also we have had problems where a module has been 6, 8, 10 minor releases out of date and then a security update comes out and suddenly we have a world of pain because we have to update 10 minor versions and in those minor versions various different changes have gone on and we end up by finding that there's been a whole bunch of different things that happen problems to solve that we should deal with from doing sort of jump of versions at least running through this you can see what your version differences are you can have a process of not only making sure that your sites are up to date with security versions but also we're actually saying is there a threshold of what minor versions you want to go to are we happy for it to go for more than 3 or 4 minor versions and you can then manage that with your developers, manage that with how you want to update your sites with that it will also update and show you if a release has become unsupported there might be a 2.x version which is currently running and you've got version 2.4 under group of 7 for instance and the module retainer has now released a 3.x version and mark the 2.x as unsupported they're no longer supporting that version you're still using it and not aware of the sites really fine the board will help to understand that the board will highlight those and show you that it's been unsupported so you can see that on the site you can see that on the individual site page and so take action as to what you want to do with that again it's up to you how you manage that you may be happy leaving it where it is the site is working and you don't want to touch it fine equally actually jumping from a 2.x release to a 3.x release might give you more functionality might be better if it comes out you might be a security update in the 3.4 version you've then got to jump from a 2.4 to a 3.4 and deal with the headache of that so it helps to give you an overview of what's going on with your site again it's kind of keeping information in one place helping you and your developers to understand what's going on with the site and keep an eye on what's going on with all your sites we've also got on the list there you've got JavaScript, PHP and server variables we've got another mechanism in place where you can report on third party libraries used so we can report on the JavaScript libraries that are used within your sites the PHP libraries that are used in the sites so you can see what versions you're using across the different sites you're on there we've used the server one more for kind of knowing what PHP version we're using we don't tend to go into any details we haven't at the moment of knowing which version or varnished version or anything else around detailed server variables are used but PHP version is quite an interesting one because it comes under life a little while ago where PHP 5.3 is under life and we have to go around all your sites making sure which one's running on that version make sure they're upgraded and updated and updated your accuracy settings to run PHP 5.6 and how does that affect your sites so actually knowing what versions of PHP your sites are running on is useful there might be limitations to do with hosting that you have to run on a certain PHP version that's fine but at least you've got somewhere you can see what's going on with that so as well as seeing the sites and seeing the information about sites we also look at it from the other side of things so we have a full list of all the modules that are used across your sites you can see the number of sites that are using the modules so you can actually get a breakdown of what's going on and you can see where they're used when you go into view an individual module you get a breakdown of the versions available but you also get a breakdown of what sites are using that module so if you've had a security announcement come out for a particular module we had entity API the week you could look up entity API see which sites are affected by that module and prepare yourself for what needs to be going on what's happening with that it could be actually you have a best practice internally it says what modules you want to install on your sites you need to make sure all your sites are running particular modules or particular subset of modules that you want to make sure you're using again here you can make sure you can come in see either any sites aren't using the module and therefore in the situation where you've got that you might say, yeah, for instance, per thought obviously it's a classic one to use on all your sites but for some reason if there's a site that's not using it why is that? there might be a valid reason but equally it's checking what's going on you can see what's happening you can see which sites aren't using your modules a good use case for this was recently I think it was in January just for Christmas if you can't remember Acrea released an application saying that their search module needed to be updated to the latest version by the end of January Acrea were changing the way that they were handling their search and that you needed to make sure that any sites that were using Acrea's search or 2.8 version of their module so we went to Warden looked at the modules, found the Acrea's search module easily got a list of all the sites that were using Acrea's search you can see from that list which versions they were using 7 had the latest version fine, don't need to do it, anything with them those that had an older version we can then plan in and say, okay, right, here's 5 or 6 sites which are using an older version we need to make sure that we've got that booked in for the developers to update that module to make sure it's using the white version the latest version of Acrea's search before the end of January so we had a few weeks to do it but you can plan that into the developers day you can plan that in when it's going to be done and make sure it's done before the end of January and we can check back to Warden on weekly basis do we have it updated which sites still need to be updated so when it came to the end of January and Acrea changed their search interface and the way their search worked we were using it, we're fine there wasn't going to be a problem had we not known that it's more a question of yet to go through all the sites yet to work out what's going on and really find out which sites were doing it which can be quite a time-consuming exercise I mentioned the third parties third party libraries on the sites again, like the module page we've got a third party library page which gives an overview of all the third party libraries that used JavaScript, PHP which again, you can see how many sites are using it and then by drilling down into it see which sites those are and what versions they're using third party libraries is an interesting one spent some time looking around to see whether we could find out a central place to deal with vulnerabilities security announcements for JavaScript libraries, PHP libraries there isn't really anything we could find if you know of any, please tell me but there was one central place that dealt with some of them but it did deal with all of them and there was something else that dealt with some others and not all of them and there was cross-pollination between them and it became a big mess to try and work out how you could sensibly find a solution to check all of these different libraries as to whether there was any announcement for them and even the fact that whether a particular JavaScript library or PHP library even gave security announcements so although we can't report on any security announcements against the libraries you've got a central place where you can look at what's going on that if you're keeping an eye on announcements that come out from various different providers for JavaScript libraries, for PHP libraries that you can actually see which sites might be affected so though this doesn't update you and won't tell you when there's updates it still gives you that central place you can go to so when you're monitoring things or you hear of an update that needs to be done to jQuery or CK Editor or some other PHP library you can actually come and find out which ones are using that and then take appropriate action to update your sites there is an email notification that can be sent out from Warden this again is triggered by a Quan command so you can send it out on a weekly basis following security update announcements from the security team so come Thursday morning your developers can have a nice email in their inbox detailing which sites need to be updated so they don't necessarily have to log in to Warden to see it what they want to do and how they want to do with it it might be that you want to trigger that to both managers and the team or anything else so that equally they don't have to log in but they're aware that actually there's sites that need updating this gives the same information essentially as what's on the dashboard so it's the sites that require security updates so it's not any updates it's just a security update there obviously the critical ones we want to report on so Warden gives a central place for storing your sites central place for detailing which sites need updating and have security updates depending it makes it easy for your developers to be able to identify which sites need updating take appropriate action and be able to see whether they've been updated or not so you can see that list disappear down you can actually know that all your sites have been dealt with and updated there's no more pain in them going around trying to spend hours working out which sites need updating it makes you more efficient deal with it in time and then move on with the day we've been using Warden now for the last two years internally and we found our developers have come to rely on it it's become part of our toolset that we use on a weekly basis when it comes to security announcements everyone jumps on and has a look at what's going on what sites are affected we've got these three sites to deal with tomorrow who's going to do this site they self-organize themselves they can easily deal and see what's going on and see how things are going and actually if the site hasn't been updated and someone else has finished their site they can jump on and go I'll do that, I'll sort that out they work as a team together and they work really well they're very clear as to what needs to be done and what they can do with it so the future of Warden it's on GitHub it's on Vable Open Source to use and download there that we've been using to report things internally with stuff on there there are other users using it across Europe, quite a few users that expressed interest and I started to use it on their systems but we're looking out for the next release is Slack notifications I'm sure many people use Slack nowadays it seems to be everywhere but we've got we have Slack notifications of the incoming security notifications we don't have access feed from drip.org but we don't have anything that details what sites that affects us with so we're looking at having a Slack notification in the same way the email notification can come in but it can come into our Slack channel again it's made it clearly available to everyone who needs to know that actually these are the sites they need updating it's currently going to need supporting Drupal sites we want to extend that further we want to make it more pluggable so that we can actually drop in the support for WordPress sites other CMS sites we can then report on the modules or the versions of systems that they provide and have a central dashboard where you can handle all the sites you're dealing with WordPress they have a constant updates of call that you can trigger but the modules themselves they don't necessarily have so much of an update process or an API that's able to detail what security updates are there so although we can report as well I know we can certainly report from the WordPress sites and find out what versions but having that same sort of level of security updates from WordPress or other CMS systems may not be as efficient as that if they're available great we can use them but as I know at the moment there's nothing for that in the same way we have for Drupal we're looking at potentially using the Drupal status page you can trigger warning to the Drupal status page we want to see what we're looking at whether we hook into that and provide certain warnings back to the dashboard back to the Drupal site so as developers you might have an API you connect to for a CRM system or something and you might want to report on the problems with that so actually if that connection goes down or something happens that report gets shipped up to the status page and ultimately that's picked up by wardens API is sent through to wardens so actually your dashboard can then be flagged to say there's a problem with your site what's going on so the things like that we're looking at we're looking at producing a docker image to make it easy to deploy and install warden on a service somewhere that can support docker be it ADRS or docker supported systems somewhere else as it's open source we want feedback from people we've been using it safe the last two years so we've been making changes on it tweaks on it looking at how we can make it more usable for ourselves but we don't want us to be the actual authority of what goes on and they say so what's happening we want other people and other agencies to be using it and actually finding out what would be useful for the whole community to actually make it better make it more report more information and useful information for us as a whole some of you may have heard of DropGuard again a bit like Limerio it's another top system that handles updates don't know much about them they provide a system, a solution that connects or use your Git account to automatically apply updates from Drupal to it and then deploy that to an environment I'm not using myself but it looks like a great system it is a paid-for system as well it's a paid-for solution like Limerio so it's something that you pay for there is limits on the number of sites you can have and you can possibly pay on a per site basis so it depends on how many sites you manage on that but it does deploy to an environment now it still involves a certain amount of testing from all developers to actually check that I wouldn't want to deploy that to a live environment there's been too many times when I applied a module update to what seems like a simple module update and suddenly my whole site is blown up because that update is another module updating and something else to happen it's to be a Wednesday or the third week it takes you a few hours to figure out what's going on update what relevant needs to be done test it and then chip it up although it's a good system although it helps that flow of actually updating the system already developers can actually check if it's a dev site and see if anything is broken or not before deploying it out manually it's another way of looking at things again, I've got no problem for drop guards certainly check it out if you haven't already and look at it as to whether it will support your business again for us as a paid for solution and for someone, something that was connecting to our Git accounts and updating Git we weren't as happy with that at the time Drupal provides plenty of documentation about best practices in code writing your developers should be aware of this they should be making sure their writing code which is secure although the security team will check and be aware of codes that's in core as well as in Contrib modules custom modules for our sites we all have custom behavior that sites adhere to and needs for what they're doing so we need to make sure that we're writing code which is still secure it's pointless us having the security team and managing everything else that's going on that if we create a small module which just opens up a massive hole that someone can jump in to the site and access our site's data so we need to make sure the user input data is sanitized we need to make sure we're not bringing up holes to SQL injection there's plenty of other security vulnerability to be aware of when we're writing code but there's plenty of documentation that people to all provide and there's plenty of other stuff online that developers and you guys can look at to make sure that they're actually adhering to those and writing the best code they can finally a bit of marketing spiel to push in there decency hiring we are a specialist open source agency we have distributed team across Europe so we have developers across Europe working for us as well we work in Drupal, Lara Val and WordPress if you're interested then visit the careers area it's a we are kind of company looking at making sure we're actually producing what we need for our clients that's key in what we're doing finally, any questions what do you ask I think the biggest obstacle is convincing a client that they need to upgrade so do you expose any of this data to the client to make them aware and get them involved in that process not directly we have taken the stance of and we speak to our clients about it we are very clear that we want to make their sites as up to date and from a security body be responsible so most of our clients we have support contracts with and so when the security updates come out we will automatically apply those updates and notify them that an update has been applied we are very clear and open with the clients about this we say that we want to make sure that your sites are up to date we don't want to wait for your approval for three months for us to do a core update if it's a security update we generally need to get on and do it up front yes this is a carrier yes that's part of it yes we make sure it's part of our maintenance contract we make sure it's part of a process within that but the clients are very aware of that we don't want to hide it we don't want to hide it away as to some other line item in the building but actually it is something that we want to make sure that our sites are secure up to date do you do that in the intermediate versions of that if you wait 26 versions for a security update to come out in a world of pain so do you always have to keep updating even the smallest updates all the time yes in terms of intermediate updates for small increments again we try and put that in within what we're doing as well so there is a level sometimes we will engage a bit more around that it's keeping them up to date what's going on and saying to them actually well we've got a few modules here which are quite far behind they don't have a security release but we want to make sure they're up to date so it's sometimes getting there a lot of time getting their approval on that as well but often because they've bought into the idea that we want them to make sure their sites are up to date especially from a security point of view they're actually the idea of keeping their updates going as well they're quite happy with and they buy into that and they're quite aware of it as well I think the complexity as well a module might change drastically between versions because open source development might decide we want to do it in a different way so one looks from the service like a simple upgrade could be like we could work so yeah I guess that's a different conversation if you want to keep things up to date for big jumps there's been a 2.x and 3.x where they must have changed things then yes it can be a they're always trying to sort out what's going on sometimes but with those big updates again we will notify the client we'll say actually that there's a big update the version you want is currently out of date it's been made, it's no longer supported we want to make sure you're on the latest copy of everything and make sure that when there is a script that comes out we don't have a lot of pain so we think we're going to spend a couple of hours looking at this and it's again there's a level of getting their approval on that as well it's not an immediate effect that needs to help you have it on their sites but it's helping them and getting them to buy into the whole process so making sure that the site is up to date we generally do most minor updates are half an hour worth of work, check it but yeah sometimes you can do that for 4 hours 4 hours later such a small update there's two questions sometimes we both in DrudgeMate as well as in Composer we may not only use the FTP data port version and I believe the sites that you use in the info file the signature comes from data port or do you use any other way to detect the version in terms of where the version number comes from the version number comes from the info file of the module so as long as you're using the versions in there then it's available, if you're using Matefiles to install and create your Drupal sites, if you're using Composer that's still downloading versions Exactly, so both in Matefiles as well as in Composer you use the FTP and FTP Drupal.alpha is the one in which the info file gets the automatic signature but if you use GIF instead of FTP because either the module has the latest version but you need something more than that like you need two more commits under work then you can just say and the Composer as well as Matefiles can say that so does it cover the port like any release? So the question is around if you're using Composer or Matefiles to connect directly to a Git version that's not an official release necessarily it might be a release or something on there So if you're connected to a dev release for instance so you've got no official version number, it's a dev release often we'll say dev release in it so on the gifl.org when you actually expose the dev version it still has a 7 dot whatever hyphen dev release on it so actually we report on those as well so actually in your listings if it's got a dev release we highlight those to say we've got a dev release highlighted it doesn't do anything else but it highlights the fact that actually you've got dev versions we're using if you've actually connected directly to the master branch and it's downloaded repository straight from Git for instance then that's not going to have a version in the info file so therefore it will report essentially a blank version and so forth it shows up in the list but it's got a blank version number on it because there's nothing for us to report on in that and the second one is the same one but I'm using the version of the proper version but both in Matefiles and Composer you can do patches as well and in addition saying you are in 2.10 but you have a little bit more than 2.10 no there's no nothing in terms of so because if you had a patches applied to your version as well there's nothing that would tell us that patches have been applied to that version so we need to report on again what the version is so if you've got version 2.10 of the module but you applied 6 patches to that module there's nothing that we can at the moment still tell us that you've got 6 patches applied to that it's one of those things there if you downloaded the dev release often it has dev-dev plus 6 or something like that it gives you kind of a number of commits beyond the master version and that kind of stuff so that again because that's the version number that gets reported on there but if you're actually applied patches through Composer or through Matefile then we can't report on that at the moment I don't believe in any way we can tell what you're making Composer file that that's happened so it would be something you'd have to look into to support things like Composer files and patches and Matefiles and patches and stuff provides like service you will take your site put it on a specific environment to apply the patch notify you and let you go check see if it's all right so yes they have something similar to it a question around Acrea have a solution for automatically updating your site through their system yes they do it's a paid-for service I think you have to have an enterprise account with them they will take your production database put it in an environment usually called RA that's the remote administration so they'll take your production database production codes put it in there they'll apply all the patches needed and give it to you we we haven't had much luck with that they blindly apply patches and just hand it over to you they don't even test the site they don't apply a security patch they'll apply everything they'll just literally go rush update or something and you go and look at it and there's a big white page because they've not even checked what's going on they're not aware of stuff they just blindly apply anything we have one client who had the service as part of their Acrea account and they told them to turn it off they were interested because they kept breaking the site they were happier to pay us as part of the support contract to update the site to make sure it was updated with security updates because we actually made sure it was working we actually made sure the relevant patches were actually working before releasing it whereas as far as they were concerned they were paying Acrea for the service because they were applying the patches to fix them it's a funny one because they have the service there but they blindly do it thank you have you got MongoDB on that? I have you've got the connection details in your parameters file I believe I have I'm not familiar with Mongo is it Mongo? MongoDB this is a straightforward standard Mongo connection that you can connect to I imagine so not that familiar I had the same process that you went through that I looked at that service ages ago I don't really want to put all my stuff the system's safe this thing and it's quite nice this you get to work with which I'm quite happy with two minutes yeah that's the thing we generally don't deal with customers until after they've launched and then we start thinking yeah good to do watch the screen the change so I don't know if we might have changed it again what made you develop the same thing Mike, great presentation very intelligible I don't know why we wouldn't be using this great tool I'm going to dive into this composer rise and set it up as possible thank you do you think you're building a Drupal because then you've got fuses and stuff like that we wanted to build something we was kind of completely out of Drupal it just kind of makes it quite different for it simply with a platform that enables us to sign guides session going on here hopefully I can get it working now