How to proceed with a D6 site after Feb 24, 2016 when D6 is end of life?


Drupal 6 has been announced to be end of life as of Feb 24, 2016, as detailed in Drupal 6 end-of-life announcement. Here is a partial quote of it:

What this means for you:

  1. Drupal 6 will no longer be supported by the community at large. The community at large will no longer be creating new projects, fixing bugs in existing projects, writing documentation, etc. around Drupal 6.
  2. There will be no more core commits on Drupal 6.x to the official tree. (see What if I have a Drupal 6 site still)
  3. The security team will no longer provide support or Security Advisories for Drupal 6
  4. All Drupal 6 releases on project pages will be flagged as not supported.
  5. At some point in the future update status may stop working for Drupal 6 sites.

What are my options for a D6 site after that date? I.e. to continue using a D6 site with the risk of running in security issues to a minimum?


1 answer

This one is the BEST answer!

Below is a possible answer based on what's included in "What to do about Drupal 6 End of Life?".

Regarding the Archive the site sugestion in it, it looks like "Creating a static archive of a Drupal site" should be helpful to do so.

What, specifically, will happen after February 24th?

  • All D6 modules will be marked as “unsupported” on - which will mean the ‘update’ module will start telling you that ALL your modules are out-of-date.
  • Also, the status information that the ‘update’ module uses could go away at any time - so, you’ll no longer be able to rely on that in general.
  • The Drupal security team will no longer be making Security Advisories (or coordinating security releases)
  • In general, most module maintainers will no longer pay attention to Drupal 6 issues and will stop making new releases.

What should people with Drupal 6 sites do?

  • Archive the site, or
  • Plan upgrade.
  • Buy Drupal 6 Long-Term Support (LTS) from one of the “official” vendors.

What makes the “official” vendors special (vs. any other vendor)?

  • Get confidential information from Drupal security team.
  • Agree to follow security team processes and release all security patches publicly.
  • Vetted by the Drupal security team.

How will the Drupal 6 LTS work?

  • Same process as security team - but work done by vendors rather than security team.
  • Will publish patches on the D6LTS project.
  • Likely, but not 100% decided:
    • Announce new patches on the D6LTS issue queue.
    • Make new Pressflow 6 releases with the Drupal core patches.

Can the community get this without working with a vendor?

  • Yes!
  • But each vendor only supporting those modules their customers depend on
  • Question: And what about security issues that hackers find first?