Enable unattended updates

@tedbow and @tim.plunkett discussed the plan for getting Automatic Updates, Project Browser and Package Manager into core. We're likely going to aim to land Package Manager first. So postponing this issue for now, until the dust settles on that.

Unpostoning this. since we are not sure when we will get into core and when TUF drupal.org will be done I propose we should do this in contrib first with TUF.

I need to update the summary here to make a better case for this and then I will email security@drupal.org because initially the restriction on not having unattended updates in Contrib without TUF was from the security team. I talked to @xjm and @pwolanin about this at DrupalCamp NJ and they proposed this path

Have to take a break but assigning to myself as I am in the middle of updating the summary, consider it unfinished for now

I have just emailed the Drupal security team about this issue since the decision not to support cron updates in contrib was originally because of advice from the security team.

I think we can still work on the issue as even if we commit it will only be in the 3.0.x branch which does not have any releases. xjm advised me we should wait 2 weeks for the security team to respond. At that point we could make a release with this issue completed, though practically we are planning on making 3.0.x releases that soon anyways.

Since we have the disabled code to do cron updates it will mostly just be adding the form.

Before enabling this, I think there needs to be a way to leave update off during the normal Drupal cron and include drush and drupal console commands to just run the updates (and for the core patch include a stand-alone script) + documentation on how to run these in a more secure mode where a system user other than the webserver user can write to the code and the command is executed by that user on an externally driven time (e.g. *nix crontab).

Just adding sample usage numbers for now

@pwolanin, do we really need a whole separate command for this?

Unattended updates are run during cron. This means that drush cron would do the trick. Why do we need to write a whole separate command for that?

Obviously, core cannot rely on Drush, but for now, surely it's okay to document that, for the contrib module, you can run updates with drush cron. Would core consider adding a console command to run cron? That would pretty much take care of this, and probably be very useful to everyone.

I think we can start to work on the UI parts of this while we figure out the answer to #22

added remaining tasks and postponing on 📌 Add new setting for how unattended updates will be run Fixed which will not do the UI part. We can do the UI for the new settings in this issue

add 📌 Switch failure marker file from *.json to *.yml to prevent it from being readable from the web Fixed

📌 Switch failure marker file from *.json to *.yml to prevent it from being readable from the web Fixed landed.

Great!

Automatically closed - issue fixed for 2 weeks with no activity.