I received this email this morning:
There is a security update available for your version of Drupal. To ensure
the security of your server, you should update immediately!
See the available updates page for more information:
https://XXXXX.web.cern.ch/admin/reports/updates
Your site is currently configured to send these emails only when security
updates are available. To get notified for any available updates,
https://XXXXX.web.cern.ch/admin/reports/updates/settings.
It seems that there is an update available, 8.6.13, while the installed version is 8.6.10.
But there is nothing I can do right? You do the updates, not us? So why does I receive this email?
Hi Vincent,
Drupal admins are responsible for the core updates. There is nothing you can do on your side.
Hi Vincent,
This message is a general update notification email that not only includes the core updates (managed by the infrastructure) but also the modules updates including local versions of them.
The local version of the modules is exactly why we centrally enable those email notifications. But the side effect is that users also get the core security updates and centrally managed modules security updates.
This behaviour can be changed from /admin/reports/updates/settings but we set them by default so people is aware when a new security update affects in particular local installed modules.
Hope that clarifies the situation.
I understand that this is an upstream feature, but please note that it will be extremely confusion for users:
- Emails containing only core updates would have to be ignored
- Emails containing non-core updates (esp. security updates) will have to be closely followed up
Wouldn’t it make sense to have a filter in place so that core updates are filtered out and not sent to users?
I don’t seem to be able to configure this in the settings. I can’t even disable notifications for security updates (I didn’t install any extension so AFAIU, all will be maintained by you…)
Can I bring this to your attention again?
Yet again I received a notification about a required security update for drupal core only (8.6.15), for which I cannot do anything.
As you are managing these update, could you please add a filter to these emails?
Hi @vbrillau,
Please, take a look to the following module https://www.drupal.org/project/update_notifications_disable , you can freely install it on your sites.
Simpler, consider removing the e-group mail from https://<your_site>.web.cern.ch/admin/reports/updates/settings
Cheers,
Ismael
Hi @iposadat,
Thanks, I removed the mail address from https://<my_site>.web.cern.ch/admin/reports/updates/settings, because I didn’t install any module myself and thus I understand that you (the drupal team) will update all installed (core) yourself.
Still, for people that have a mix of core modules maintained by you and modules they are installing themselves, it is still an issue. Disabling all notifications isn’t really a solution for them, only filtering is…
Cheers,
Vincent
I’m linking this explanation for easier discovery: Core updates - #3 by eduardoa