Preparing for PSA-2018-001
Mike Dixon
If you are reading this, then you are probably already aware of the impending security update that is due to drop this evening (UK time). At this stage, it is not clear quite how serious the security update is; we are hoping it's not at the level of Drupalgeddon (PSA-2014-003 - Oct '14) - but we are working on the assumption that it is.
So this means we are aiming to get all sites we manage - including any test sites - secure and patched within 30 minutes of the release being made available.
Our developers are either starting late or finishing early today (Wednesday) in exchange for some of their time this evening. We have a clear plan of sites assigned to developers; everyone has a little tick list (mine is printed - I am oldskool) with the sites they need to do.
The plan is to assess the severity of the issue and make a quick decision on the approach. If we are dealing with a DEFCON 1 issue, then the plan will be to 'hack' the patch directly onto the webroot of the live sites, and then sort out the proper build process once the sites are secure. We normally have a clear pull-request-based build workflow (requiring approval) to prevent code going live that shouldn't - but sometimes speed trumps process.