Security 101: updating web-based software

744 days ago

So I saw two talks at LCA about security: Joh Clarke’s Hackers, Crackers and Security Basics, and Mark Piper’s Web application security, OPEN style. I still remember seeing Joh’s So you want to be a sysadmin talk in Melbourne 2 years ago, and mainly just my jaw dropping open for the whole talk at how she casually just knew this amazing amount of stuff that I had barely even grazed against. It was equally scary and awesome, and both talks this year were the same way.

Anyway, I had good reason this week to think that it is more than time that I started to pay more than the bare minimum attention to security. And I thought about all my installed web things (mainly Textpattern and Wordpress), and how I don’t have any way to keep them systematically updated, unlike my desktop. Thanks to Ubuntu’s Update Manager, I get annoying red warning icons until I bother to update my system packages. So I actually do it within about a day of them being released.

So I was thinking, how can I get these notifications? Maybe I need to write some Update Manager-like little program to give me a taskbar icon when a new release comes out. So I need to know something about daemons and some basic GUI thing… and how do I detect when a new release comes out? The Textpattern blog doesn’t have a category just for release announcements. So how about the code? Google Code has a bunch of project feeds, but none of them seem to be “new release”. Oh well, maybe I can pray the trunk is stable?

Hmm. Then I was thinking, hey, I can solve this at a higher level… just make the code update itself. As long as my webhost has the same VCS as the project, and I check out the code from the dev branch, and the projects have a commitment to a stable trunk, I should be fine. Just make a script that does an “svn up” and put it in cron. In fact Werdna set this up for the Wikimedia Australia MediaWiki installs with his Wikimedia sync script, although there it updates to the version that is live on Wikipedia, rather than the uttermost bleeding edge.

But sadly, en.blog.wordpress.com is not as revealing as MediaWiki. In fact I can’t find any easy indication of which version it is running. So maybe that won’t work. OTOH, Wordpress has email & RSS notifications for new releases, and on the admin side a nice notification, which works well if you are updating it regularly, not so much for abandoned/finished sites.

Hm, Wordpress does have instructions for Updating WordPress with Subversion, including “Tracking stable versions”, but they don’t have an automatic method of telling when a new release is available. So close!
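Here is what the “Update Manager-like little program” from a few paragraphs up could look like at its core, as an added example that is not code from the original post or from WordPress or Textpattern. It reads the installed version out of WordPress’s real `wp-includes/version.php` (which assigns `$wp_version`), pulls every version number out of the titles in a release RSS feed, and reports the newest one that is ahead of what is installed. The feed URL is a placeholder and the feed content and version file below are constructed samples so the check runs offline; versions are compared as integer tuples, because comparing them as strings would rank 2.9 above 2.10.

```python
"""Added example (not from the original post): a small, offline-testable
release checker of the "Update Manager-like" kind described above.

It reads the installed WordPress version from wp-includes/version.php
(a real file that assigns $wp_version) and compares it against release
titles found in an RSS feed.  The feed URL and the feed content below
are an assumption and a constructed sample, not the project's real feed."""

import re
import xml.etree.ElementTree as ET

# Assumed feed location; replace with the project's announcement feed.
RELEASE_FEED_URL = "https://example.invalid/releases.rss"

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(text):
    """'2.7.1' -> (2, 7, 1).  Tuples compare numerically; strings do not
    ('2.10' < '2.9' as strings, which would hide an update)."""
    return tuple(int(p) for p in text.split("."))


def installed_wp_version(php_source):
    """Extract $wp_version from the text of wp-includes/version.php."""
    m = WP_VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return parse_version(m.group(1))


def releases_in_feed(feed_xml):
    """Return every version number mentioned in an RSS <item><title>,
    in feed order.  Titles without a version number are skipped."""
    root = ET.fromstring(feed_xml)
    found = []
    for title in root.iterfind("./channel/item/title"):
        m = VERSION_RE.search(title.text or "")
        if m:
            found.append(parse_version(m.group(1)))
    return found


def newer_release(installed, feed_xml):
    """Highest version in the feed that is newer than `installed`, or None."""
    candidates = [v for v in releases_in_feed(feed_xml) if v > installed]
    return max(candidates) if candidates else None


def fmt(version):
    return ".".join(str(p) for p in version)


# Constructed sample inputs so the check runs offline.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.7';\n"
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Releases (constructed sample)</title>
<item><title>WordPress 2.7.1</title></item>
<item><title>Plugin directory news</title></item>
<item><title>WordPress 2.7</title></item>
</channel></rss>"""


def check(php_source=SAMPLE_VERSION_PHP, feed_xml=SAMPLE_FEED):
    """Return the newer version as a string, or None if up to date."""
    v = newer_release(installed_wp_version(php_source), feed_xml)
    return fmt(v) if v else None


if __name__ == "__main__":
    # For real use, read the live file and fetch the live feed instead, e.g.
    #   php = open("/path/to/wp-includes/version.php").read()
    #   feed = urllib.request.urlopen(RELEASE_FEED_URL, timeout=30).read()
    result = check()
    print("update available: " + result if result else "up to date")
```

Dropped into cron, a script like this is the missing “tell me when a new release is available” half; the `svn up` (or Dreamhost one-click) is the other half, and you can run either on the result. For a project that has no release feed, the only thing that changes is where `releases_in_feed` gets its input from.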

But wait… I just checked the Dreamhost panel and under one-click installs, they have an option for “Upgrade everything, now” and then “Automatically upgrade everything to the latest version”. Too good! That covers MediaWiki and Wordpress, but I guess I have to roll my own something-or-other for Textpattern.

Updating a-go-go…
