We agree, and we are working on a set of recommendations and documentation to enable this use case. I think it looks something like this:
- ClassicPress, plugins and themes are installed and managed via `composer`
- All deploys are done first to a test environment, and then pushed through perhaps a staging server and then finally to production. Once a change is tested, approved, and committed, deploys are automatic.
- At the filesystem/OS level, ClassicPress itself does not have permissions to write anywhere outside of `wp-content/uploads` and perhaps other selected directories.
What we have so far is here - Installing with Composer | ClassicPress Documentation - and note that we explain how to disable automatic updates on this page.
Under such a scenario, I completely agree. I see two possibilities for such an IT organization or professional.
- They are ready, willing, and able to manage their own updates (they will set up, test, and receive update notifications, and apply the updates in a timely fashion). They are therefore capable of understanding and editing the `wp-config.php` file to disable automatic updates, as well as following all of the other advanced steps involved in setting up this environment correctly. This is the current recommendation for people who need to disable automatic updates.
- They are not able to follow the necessary steps to do their own updates in a timely fashion, for whatever reason. Therefore they should let us handle updates instead. (Whether we like it or not, most normal users also fall under this category.)
This is not really even a maybe - this is mandatory. The ClassicPress committee voted today to always emphasize security first, and this is a decision I fully agree with.
On our side, we’re not going to use automatic updates for anything with backwards compatibility implications. This is due to our strict and well-defined versioning policy, something which WordPress lacks. More details here: Longevity for CP - #17 by james
I agree with this too, with one important exception: you already have a way to override this decision if you need it. It’s important that you don’t do this without a very good reason, however, so this is why we require that you edit a config file.
Frankly, if editing a config file is too much to ask, then you have no business disabling automatic updates.
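As an added example (not part of this post or of the ClassicPress documentation), the POSIX shell script below applies the filesystem rule described above, "ClassicPress cannot write anywhere outside `wp-content/uploads`", to a constructed sample install tree and then audits it. The directory layout, the sample files, and enforcing the rule with mode bits alone (no `chown`, so it runs in a single-user sandbox) are assumptions; a real deployment would additionally give the code to the deploy user and the web server only group read access.

```shell
#!/bin/sh
# Added example, not from ClassicPress: simulates and audits the
# "writable only under wp-content/uploads" policy on a constructed tree.
# Assumption: single-user sandbox, so the policy is expressed with mode
# bits only (no chown to a separate deploy user / web server group).
set -eu

# Build a small constructed ClassicPress-like tree under a temp dir and
# print its path. Files and contents are placeholders.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin" "$root/wp-includes" \
           "$root/wp-content/plugins/demo" "$root/wp-content/uploads/2024"
  printf '<?php // constructed placeholder\n' > "$root/wp-config.php"
  printf '<?php // constructed placeholder\n' \
    > "$root/wp-content/plugins/demo/demo.php"
  printf 'constructed image bytes\n' > "$root/wp-content/uploads/2024/a.png"
  printf '%s' "$root"
}

# Apply the deployment policy: code and config are immutable to the
# running application (changes arrive via composer + CI deploys instead);
# only the uploads tree stays writable.
lock_down() {
  site=$1
  find "$site" -type d -exec chmod 555 {} +
  find "$site" -type f -exec chmod 444 {} +
  find "$site/wp-content/uploads" -type d -exec chmod 755 {} +
  find "$site/wp-content/uploads" -type f -exec chmod 644 {} +
}

# Audit: print every owner-writable path outside wp-content/uploads.
# Returns 0 when the tree is compliant, 1 when any offender exists.
# -perm -200 = owner write bit set; the uploads subtree is pruned.
audit_writable() {
  site=$1
  offenders=$(find "$site" -path "$site/wp-content/uploads" -prune -o \
                   -perm -200 -print)
  [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}
```

Run `audit_writable` against a live install before and after each deploy: a plugin or core file that becomes writable again (for example after a manual hotfix) shows up as an offender, which is exactly the condition that would let the application update itself outside the controlled pipeline.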