Published: April 24, 2018

Before the critical security update to SA-CORE-2018-002 was released on March 28, I was doing the same thing as many other members of the Drupal community.


I was also looking for any updates about the status of Drupal.org or the 7.58 update on various Slacks, Twitter and Reddit.  While there were a lot of jokes like asking everyone else to stop refreshing, there was also a lot of discussion about deployments and security.  In the Slack for people working with Drupal in higher education, several people thanked Michael Hess and the University of Michigan for the time he devotes to Drupal’s security.

People were asking a lot of questions about why the Drupal.org infrastructure wasn’t scaled in anticipation of the traffic.  Lots of suggestions for improving the experience were given, including taking a page from Apple’s playbook to just take the entire site down and link just to the security update.  That one caught my eye. Apple doesn’t take their store down because they don’t know how to scale.

I’m not sure if this is where I first read about this, but Scotty Loveless was discussing this back in 2013.  At the time he wrote…

In 2013, do they really not have the web chops to update their store live?  Of course they do… 

I believe Apple takes down the online store prior to product launches because that's one of their 'Christmas morning' traditions.

They have done it as long as I can remember and will most likely continue long into the future.

In many ways Apple is more like a family than the average company.  Taking the key web properties down before major announcements allows more of their family to participate in the event.  Regardless of someone's role at Apple, they’ve contributed directly or indirectly to what is about to be announced.  They may not have been the lead engineer on the product or even have any idea what is about to be announced, but by doing their job well they enable other people to focus on a different job.  Shutting down parts of apple.com is a small way they all share in the excitement of what they are able to achieve as a group.

While most members of the Drupal community don’t contribute directly to the security team, everyone clicking refresh over and over again is trying to contribute to Drupal’s security by securing even one site.

I don’t follow Apple as closely as I used to, but it looks like they still take the store down before big announcements.

I might be too late to change the plan for tomorrow's release, but I would like to see Drupal.org taken down when the community is waiting for a major security update like this.  Maybe respond to all requests for a URL on Drupal.org with a simple message like...

We’ve taken Drupal.org offline while we prepare to distribute a critical security update. 

When the update is available, it will be linked here.

While you wait, take a few minutes to think about the amazing community you are a part of who are likely all clicking refresh over and over again right now too.

Rather than investing resources scaling Drupal.org up so it's able to run normally, let's embrace the fact that Wednesday is not normal and that we're all in this together.

I've started a thread on r/drupal/ to discuss.