We’ve had a number of questions about the upgrade to EE 1.6.6, and I’d like to share our answers.
1) The EE site says “As always, if you do not skip any steps in our simple step by step update instructions, it should be a breeze and take just a few moments of your time.” So why do you charge for an hour’s update or more?
Well, many of our clients have asked us to build sites that are more complicated than the average EE install. If you have a site with 110 custom fields and 50,000 articles and 180,000 comments, the update script itself can certainly take longer to run than average.
In addition, many of our clients have third-party extensions or custom changes to the core code integrated into their sites. Because the update replaces the core files, those changes have to be re-applied and then tested on the new version, which takes time. We often upgrade those extensions to their latest versions at the same time. And before we touch anything, we make a careful backup of your database and your original files, which also takes time to run.
So yes, once the updated files are in place and you’re all backed up, the actual “upgrade” of EE takes just a few clicks and a few minutes. But that’s like saying that flying to Chicago takes just a few hours: once you include the planning, the packing and getting to the airport, the trip takes a lot longer than that.
2) Are you able to shed some light as to why EE feels like their customers should have to pay extra for a software upgrade to correct a small but serious security hole with their product? Generally when you purchase a program or piece of software, the provider doesn’t charge additional fees for upgrades to fix the existing product.
The truth is, most software companies actually do have end-of-life dates for upgrades to their products, after which they no longer offer updates to that branch. At that point, they require you to pay for a new version. So you get upgrades for a while, and then no longer. That’s pretty standard.
When you buy EE, you get free upgrades for a year. If you’re still covered by that, you won’t pay anything more for the new, secure version. If it’s been more than a year, the update gets you not just the security fix but more than a year’s worth of new features and other fixes. For this, you pay at most $40. That’s pretty decent, I’d say.
Some of our clients choose not to upgrade. Some choose to. It’s up to you.
3) Can EE not subsidize you guys for the work needed to be done to bring their product up to code?
That’s a valid point (and we wouldn’t mind being subsidized), but there are two issues here. First, you didn’t get installation for free from EE in the first place, so why should EE pay for installation of the fix? They provide you with a replacement product, but it’s your responsibility to implement it, just as it was when you bought it the first time.
Secondly, their product isn’t “below code”: there is no warranty or legal requirement for them to provide safe code. Whether there should be is a separate issue, and in the future the legal necessity of providing security patches may change. But for now there are no specific laws about software security, liability and updates, other than general liability law (as far as I know; I’m not a lawyer).
4) I’m running EE v 1.6.4, and considering that my site has barely been up for a month I’m not thrilled to hear both about a major security issue AND an upgrade, installation for which I am expected to pay. This is exactly NOT what I wanted for our site. I wanted to contract you guys to get it built and running, I do not want to hear I’ll be expected to pay hundreds of dollars every couple of months just to keep my site going.
We understand your position. The fact that there’s a security issue now, not major but notable, just after your site launched is simply a tragic coincidence of timing. It’s been about three years since the last EE security incident. For comparison, many other web tools have one every month or two. I’m sorry it had to happen the month after your site launched rather than the month before, in which case you’d (statistically) have had three years of security-trouble-free living ahead of you.
However, we never ever would have said you buy EE once and that’s that—any more than I’d tell you that you could buy a house and that’s that. All complex things require maintenance.
We would have said that when you pick EE, you get free upgrades for a year, and after the initial license you never have to pay again unless there’s a new feature you want, or a security hole that needs fixing and you choose to close it. In other words, once purchased, EE never stops running, and you can always keep using the version you have, if that’s your choice.
As we said above, if you choose not to do it, your site will still keep running. Some people ride bikes without a helmet—this is more like that.
5) What is the risk factor involved with this small but serious security hole? i.e. worst case scenario, could we lose the website altogether? Would a backup of the website suffice to protect us?
EE has not released the specifics of the security hole, so I can’t answer that specifically. What I will say is that none of our clients have had any problem traced directly to this issue so far (bearing in mind that a subtle compromise would not necessarily be noticed).
A backup of the website would allow you to restore the site, but you’d have the same hole once the backup was restored, and a backup taken after a break-in would restore the attacker’s changes along with your content. Hop Studios can’t (and wouldn’t want to) assess the potential cost and other fallout to your business if your website were to suffer a particularly bad hack. Hacks can involve subtle trickery or extremely graphic and awful destruction of your data and code. They can be malicious or benign, professional or amateur, and they can certainly create situations that incur additional liability or cost for you, even if you can restore your site quickly.
The decision to upgrade is up to you, but we’re ready to step in and help now if you’d like, or later if something should happen to your site.