More thoughts on the Drupal upgrade model and Drupal 8.4
As I experienced some issues upgrading to Drupal 8.3, I thought I should be more prepared this time, and tried out the Release Candidate version of Drupal 8.4.
The previous minor version of Drupal is unsupported
The new upgrade model in Drupal 8 includes the policy that the previous minor version is unsupported. So if you want to have security support for your production site running Drupal 8, you must upgrade immediately, or at least be prepared to upgrade immediately if a patch release with a security fix comes out.
We already know that changes between minor versions of Drupal 8 can have major consequences for contrib modules. To be able to upgrade and keep security support, site maintainers need to test Drupal Release Candidates, and all possible issues with contrib modules need to be resolved before the new minor version of Drupal comes out.
Drupal 8.4 may introduce backwards compatibility issues
One of the changes in Drupal 8.4 is the inclusion of the Media module in core. Thankfully it looks like migrating from Media Entity to the core Media module will be a much better experience than it was with Layout Plugin and Layout Discovery. It is great that so much effort is put into this, undoubtedly partly because the Thunder and Lightning distributions depend so heavily on Media Entity. Thank you to everyone involved in bringing Media in core!
Drupal 8.4 also includes major version updates for two dependencies: Symfony 3.2 and jQuery 3. Both of these updates do sound like they could break many contrib modules. In my very limited testing on a couple of sites I maintain I found one module broken by the Symfony update, and one module broken by Drupal 8.4 for some reason. It is possible that both of these contrib modules will have a working release before Drupal 8.4 is released, but it will still be interesting to find out how many contrib modules altogether are affected.
Security support for the previous minor version would help a lot
I’d be surprised if I was the only one who feels a bit uneasy about the official policy of no security support for the previous minor version of Drupal. This policy most likely leads to increased testing of Release Candidates, which is a good thing. But I’m not sure if the time window between the first RC and the release is long enough for every problem to be discovered and fixed. This puts a lot of pressure on contrib.
A commitment to provide security support for the previous minor version of Drupal 8 would give more time to get everything fixed in contrib, and give more peace of mind for people responsible for maintaining secure production sites.
Update: I have now opened a core issue about this.