Subscribe: drupal.org
http://drupal.org/rss.xml

Drupal.org



Come for the software, stay for the community

Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.



 



Drupal 8 turns one!

Fri, 18 Nov 2016 13:49:42 +0000

Republished from buytaert.net

Tomorrow is the one year anniversary of Drupal 8. On this day last year we celebrated the release of Drupal 8 with over 200 parties around the world. It's a project we worked on for almost five years, bringing the work of more than 3,000 contributors together to make Drupal more flexible, innovative, scalable, and easier to use. To celebrate tomorrow's release-versary, I wanted to look back at a few of the amazing Drupal 8 projects that have launched in the past year.

1. NBA.com

The NBA is one of the largest professional sports leagues in the United States and Canada. Millions of fans around the globe rely on the NBA's Drupal 8 website to livestream games, read stats and standings, and stay up to date on their favorite team. Drupal 8 will bring you courtside, no matter who you're rooting for.

2. Nasdaq

(video)

Nasdaq Corporate Solutions has selected Drupal 8 as the basis for its next generation Investor Relations Website Platform. IR websites are where public companies share their most sensitive and critical news and information with their shareholders, institutional investors, the media and analysts. With Drupal 8, Nasdaq Corporate Solutions will be providing companies with the most engaging, secure, and innovative IR websites to date.

3. Hubert Burda Media

For more than 100 years, Hubert Burda Media has been Germany's premier media company. Burda is using Drupal 8 to expand their traditional business of print publishing to reach more than 52 million readers online. Burda didn't stop there: the media company also open sourced Thunder, a distribution for professional publishers built on Drupal 8.

4. Jurassic World

Drupal 8 propels a wide variety of sites, some of Jurassic proportion. Following the release of the blockbuster film, Jurassic World built its digital park on Drupal 8. Jurassic World offers fans games, video, community forums, and even interactive profiles of all the epic dinosaurs found on Isla Nublar.

5. WWF

The World Wide Fund for Nature has been a leading conservation organization since its founding in 1961. WWF's mission is to protect our planet and Drupal 8 is on their team. WWF UK uses Drupal 8 to engage the community, enabling users to adopt, donate and join online. From pole to pole, Drupal 8 and WWF are making an impact.

6. YMCA Greater Twin Cities

The YMCA is one of the leading non-profit organizations for youth development, healthy living, and social responsibility. The YMCA serves more than 45 million people in 119 countries. The team at YMCA Greater Twin Cities turned to Drupal 8 to build OpenY, a platform that allows YMCA members to check in, set fitness goals, and book classes. They even hooked up Drupal to workout machines and wearables like Fitbit, which enables visitors to track their workouts from a D8 powered mobile app. The team at Greater Twin Cities also took advantage of Drupal 8's built-in multilingual capabilities so that other YMCAs around the world can participate. The YMCA has set a new personal record, and is a great example of what is possible with Drupal 8.

7. Jack Daniels

The one year anniversary of Drupal 8 is cause for celebration, so why not raise a glass? You might try Jack Daniels and their Drupal 8 website. Jack Daniels has been making whiskey for 150 years and you can get your fill with Drupal 8.

8. Al Jazeera Media Network

Al Jazeera is the largest news organization focused on the Middle East, and broadcasts news and current affairs 24 hours a day, 7 days a week. Al Jazeera required a platform that could unify several different content streams and support a complicated editorial workflow, allowing network wide collaboration and search. Drupal 8 allowed Al Jazeera to do that and then some. Content creators can now easily deliver critical news to their readers in real time.

9. Alabama.gov

From Boston to LA and even Australia, Drupal is supporting the digital needs of governments around the globe. Alabama is leading the [...]



Drupal 8.2.3 and 7.52 released

Wed, 16 Nov 2016 18:11:36 +0000

Drupal 8.2.3 and Drupal 7.52, maintenance releases which contain fixes for security vulnerabilities, are now available for download.

See the Drupal 8.2.3 and Drupal 7.52 release notes for further information.

Upgrading your existing Drupal 8 and 7 sites is strongly recommended. There are no new features nor non-security-related bug fixes in these releases. For more information about the Drupal 8.2.x release series, consult the Drupal 8 overview. More information on the Drupal 7.x release series can be found in the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 8 and 7 include the built-in Update Manager module, which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 8.2.x and 7.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Change log

Drupal 8.2.3 is a security release only. For more details, see the 8.2.3 release notes. A complete list of all changes in the stable 8.2.x branch can be found in the git commit log.

Drupal 7.52 is a security release only. For more details, see the 7.52 release notes. A complete list of all changes in the stable 7.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 8.2.3 and 7.52 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisories:

To fix the security problem, please upgrade to either Drupal 8.2.3 or Drupal 7.52.

Update notes

See the 8.2.3 and 7.52 release notes for details on important changes in this release.

Known issues

See the 8.2.3 release notes or 7.52 release notes for a list of known issues affecting each release.




Drupal 8 will no longer include dev dependencies in release packages

Sat, 12 Nov 2016 01:19:26 +0000

As a best practice, development tools should not be deployed on production sites. Accordingly, packaged Drupal 8 stable releases will no longer contain development PHP libraries, because development code is not guaranteed to be secure or stable for production.

This only applies to a few optional libraries that are provided with Drupal 8 for development purposes. The many stable required libraries for Drupal 8, like Symfony and Twig, will still be included automatically in packaged releases. Drupal 7 is not affected.

Updating your site

To adopt this best practice for your site, do one of the following (depending on how you install Drupal):

  • If you install Drupal using the stable release packages provided by Drupal.org (for example, with an archive like drupal-8.2.2.tar.gz or via Drush), update to the next release (8.2.3) as soon as it is available. (Read about core release windows.) Be sure to follow the core update instructions, including removing old vendor files. Once updated, your site will no longer include development libraries and no further action will be needed.
  • If you use a development snapshot on your production site (like 8.2.x-dev), you should either update to a stable release (preferred) or manually remove the dependencies. Remember that development snapshots are not supported for production sites.
  • If you install your site via Composer, you should update your workflows to ensure you specify --no-dev for your production sites.

Development and continuous integration workflows

If you have a continuous integration workflow or development site that uses these development dependencies, your workflow might be impacted by this change. If you installed from a stable Drupal.org package and need the development dependencies, you have three options:

  1. Install Composer and run composer install --dev,
  2. Use a development snapshot (for example, 8.2.x-dev) instead of a tagged release for your development site, or
  3. Install the development dependencies you need manually into Drupal's vendor directory or elsewhere.

However, remember that these development libraries should not be installed on production sites.

For background on this change, see Use "composer install --no-dev" to create tagged core packages. For more information on Composer workflows for Drupal, see Using Composer to manage Drupal site dependencies.
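One way to verify that a production tree really was built without development libraries, as described above. This is an added example, not code from Drupal.org or Composer; it assumes the standard `composer.lock` keys `packages` and `packages-dev`, and the package names in the sample tree are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path


def vendor_dir(root):
    """Resolve Composer's vendor directory (config.vendor-dir, default "vendor")."""
    composer_json = root / "composer.json"
    if composer_json.is_file():
        data = json.loads(composer_json.read_text(encoding="utf-8"))
        config = data.get("config") or {}
        return root / config.get("vendor-dir", "vendor")
    return root / "vendor"


def deployed_dev_packages(project_root):
    """Return the composer.lock "packages-dev" entries that exist on disk."""
    root = Path(project_root)
    lock = json.loads((root / "composer.lock").read_text(encoding="utf-8"))
    runtime = {pkg["name"] for pkg in lock.get("packages") or []}
    vendor = vendor_dir(root)
    found = []
    for pkg in lock.get("packages-dev") or []:
        name = pkg["name"]
        # Libraries install to <vendor-dir>/<vendor>/<package>. Packages that a
        # custom installer places elsewhere are not covered by this check.
        if name not in runtime and (vendor / name).is_dir():
            found.append(name)
    return sorted(found)


def installed_with_dev(project_root):
    """Report the install mode Composer 2 records in installed.json.

    Returns True/False from the "dev" flag, or None when the file is missing
    or uses the older list format that carries no such flag.
    """
    root = Path(project_root)
    installed = vendor_dir(root) / "composer" / "installed.json"
    if not installed.is_file():
        return None
    data = json.loads(installed.read_text(encoding="utf-8"))
    if isinstance(data, dict) and "dev" in data:
        return bool(data["dev"])
    return None


def build_sample_tree(project_root, with_dev):
    """Create a constructed project layout for the demonstration."""
    root = Path(project_root)
    runtime = ["symfony/yaml", "twig/twig"]          # constructed sample
    dev = ["phpunit/phpunit", "behat/mink"]          # constructed sample
    lock = {
        "packages": [{"name": n} for n in runtime],
        "packages-dev": [{"name": n} for n in dev],
    }
    (root / "composer.lock").write_text(json.dumps(lock), encoding="utf-8")
    for name in runtime + (dev if with_dev else []):
        (root / "vendor" / name).mkdir(parents=True, exist_ok=True)
    meta = root / "vendor" / "composer"
    meta.mkdir(parents=True, exist_ok=True)
    state = {"packages": [], "dev": with_dev,
             "dev-package-names": dev if with_dev else []}
    (meta / "installed.json").write_text(json.dumps(state), encoding="utf-8")


if __name__ == "__main__":
    for mode in (True, False):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp, with_dev=mode)
            print("installed with dev:", installed_with_dev(tmp),
                  "| dev packages on disk:", deployed_dev_packages(tmp))
```

Run against a real docroot in a deployment pipeline, a non-empty result from `deployed_dev_packages` is a reason to fail the build.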




What’s new on Drupal.org? - October 2016

Fri, 11 Nov 2016 20:43:21 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

The Drupal Association team has been getting back to work after coming back from DrupalCon Dublin in September. For the engineering team, October has been focused on some back-end services and infrastructure that support the Drupal project, while we continue to move forward on some longer term front facing initiatives.

Drupal.org updates

Promoting Drupal by Industry

Last month we talked about the new homepage we released for Drupal.org, and using those editorial tools to build a membership campaign. We hinted that additional changes will be coming soon. While we're not ready to launch this new content - we can talk about it in some greater detail.

Dries Buytaert, the project founder, has called Drupal the platform for ambitious digital experiences. That phrase expresses the incredible power and flexibility of Drupal, but also encapsulates an aspect of Drupal that can be difficult for newcomers. It can be very hard for newcomers to Drupal to understand how to take a base install of Drupal core, and extend that to achieve that ambitious vision.

We want to help close that gap in understanding—to help evaluators see how Drupal achieves these ambitions. To do this, we'll be creating a series of landing pages that focus granularly on how Drupal creates success stories in particular industries. Look for more on this topic in coming months.

DrupalCon Vienna Site Launched

As is tradition, during the closing session of DrupalCon Dublin we announced that the next DrupalCon in Europe will be held in Vienna! We launched the splash page announcing the event at vienna2017.drupal.org and we have information about sponsorship and hotel reservations already available. DrupalCon Vienna will happen from the 25th to 29th of September 2017, and we hope to see you there!

More flexible project testing

We've made a significant update to how tests are configured on the Automated Testing tab of any project hosted on Drupal.org. Automated testing, using the DrupalCI infrastructure, allows developers to ensure their code will be compatible with core, and with a variety of PHP versions and database environments. In October, we updated the configuration options for module maintainers. Maintainers can now select a specific branch of core, a specific environment, and select whether to run the test once, daily, on commit, or for issues. Issues are limited to a single test configuration, to ensure that the code works in a single environment before being regression tested against multiple environments on on-commit or daily tests.

Better database replication and reliability

Behind the scenes, we've made some updates to our database cluster - part of our infrastructure standardization on Debian 8 environments managed in Puppet 4. We've made some improvements to replication and reliability - and while these changes are very much behind the scenes they should help maintain a reliable and performant Drupal.org.

Response to Critical Security Vulnerabilities

When it rains, it pours—a maxim we take to heart in Portland, Oregon—and that was especially true in the realm of security in October. The most widely known vulnerability disclosed was the 'DirtyCow' vulnerability in the Linux kernel. A flaw in the copy-on-write system of the Linux kernel made it possible, in principle, for an unprivileged user to elevate their own privileges. Naturally, responding to this vulnerability was a high priority in October, but DirtyCow was not the only vulnerability disclosed, as security releases were also made for PHP, MariaDB, tar, libxslt, and curl. We mitigated each of these vulnerabilities in short order.

Community Initiatives

Community initiatives are a collaboration, with dedicated community volunteers building improvements to Drupal.org with the architectural guidance and oversight of the Drupal Association engineering tea[...]



Nasdaq Chooses Drupal 8

Fri, 21 Oct 2016 12:47:49 +0000

Republished from buytaert.net

(image)

I wanted to share the exciting news that Nasdaq Corporate Solutions has selected Drupal 8 as the basis for its next generation Investor Relations Website Platform. About 3,000 of the largest companies in the world use Nasdaq's Corporate Solutions for their investor relations websites. This includes 78 of the Nasdaq 100 Index companies and 63% of the Fortune 500 companies.

What is an IR website? It's a website where public companies share their most sensitive and critical news and information with their shareholders, institutional investors, the media and analysts. This includes everything from financial results to regulatory filings, press releases, and other company news. Examples of IR websites include http://investor.starbucks.com, http://investor.apple.com and http://ir.exxonmobil.com -- all three companies are listed on Nasdaq.

All IR websites are subject to strict compliance standards, and security and reliability are very important. Nasdaq's use of Drupal 8 is a fantastic testament for Drupal and Open Source. It will raise awareness about Drupal across financial institutions worldwide.

In their announcement, Nasdaq explained that all the publicly listed companies on Nasdaq are eligible to upgrade their sites to the next-gen model "beginning in 2017 using a variety of redesign options, all of which leverage Acquia and the Drupal 8 open source enterprise web content management (WCM) system."

It's exciting that 3,000 of the largest companies in the world, like Starbucks, Apple, Amazon, Google and ExxonMobil, are now eligible to start using Drupal 8 for some of their most critical websites. 




What's new on Drupal.org? - September 2016

Thu, 20 Oct 2016 15:37:09 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

This month's update comes to you a couple weeks late, but only because we were on site at DrupalCon together with the community to move the project forward! DrupalCon Dublin was a great event, with the entire Drupal Association staff engaged to make DrupalCon the best place to develop your Drupal skills, learn what's coming for the project, and sprint on core and contrib. We are tremendously thankful to the community that joins us for DrupalCon, and to the incredible volunteers that help us put on the event. If you couldn't join us in person, you can still review the session recordings.

Now, on to the updates!

Drupal.org updates

New homepage

Certainly the most visible change to Drupal.org in September was the refresh of our home page. As the front door of our community home, the front page needs to be inviting to both existing community members, and people new to Drupal who are just beginning their adoption journey.

The changes are more than aesthetic. We also put in place new editorial tools to give us greater flexibility with the front page itself, and with future landing pages that we hope to create in the same highly-designed, attractive style. In addition to these structural and editorial changes we made some content changes as well, cleaning up our news feed, and giving DrupalCon a new, more prominent position on the home page.

And there are more updates to come! Using the same editorial tools we'll soon be rolling out additional content for Drupal evaluators - promoting proven solutions built using Drupal in specific industries. Look forward to this in the coming months.

Membership campaign

We used the same editorial tools that built the new homepage to build a landing page for our fall membership campaign. This campaign showcases how Drupal Association members make community cultivation grants possible - and the stories that those grants create. These community stories run to the heart of our mission - enabling our global community to build connections on the local level, and extending Drupal's reach across the world.

Case studies on organization profiles

In September we also made a small but significant update to organization profiles. We've moved the often unwieldy index of people associated with an organization to a subpage, in order to make room for listing the case studies that an organization has created. We want to encourage Drupal organizations of all kinds to share their stories of success, especially around Drupal 8. If your organization has never created a Drupal case study before, we have some materials to teach you how to create a case study on Drupal.org.

Issue Credit Updates

The issue credit system has had a remarkable impact on the community. Being able to quantify the contribution of organizations to Drupal's codebase has led to an unprecedented level of healthy competition between organizations who support the project—each trying to outdo the other with their contributions. It has been amazing to see how generous these organizations are, sponsoring the work of committed community contributors to advance the project.

To maintain this system in a healthy way, we need to monitor it carefully and make small adjustments to ensure that we're creating the right incentives for true contribution, and not a system to be gamed for self-promotion. We've made a few small tweaks in September to reduce spurious re-opening of issues in order to 'reset the clock' on credits, and we have a few more fixes on the plate to keep this ecosystem healthy. We're also looking to expand the kinds of activities that receive contribution credit - so look forward to further updates on that front in the coming months.

Community Initiatives

Finally, here are some updates on our active community initiatives. Community initiatives are [...]



Technical Advisory Committee formed to modernize developer tools

Tue, 18 Oct 2016 18:37:51 +0000

(image) At DrupalCon Dublin, I spoke about The Association’s commitment to help Drupal thrive by improving the contribution and adoption journeys through our two main community assets, DrupalCon and Drupal.org. You can see the video here.

One area I touched on was my experience as a new code contributor. Contributing my patch was a challenging, but joyous experience and I want more people to have that feeling—and I want to make it as easy as possible for others to contribute, too. It’s critical for the health of the project.

At the heart of the Drupal contributor community are our custom development tools, including the issue tracker, Git repositories, packaging, updates server, and automated testing. We believe there are many aspects of Drupal’s development workflow that have been essential to our project's success, and our current tooling reflects and reinforces our community values of self-empowerment, collaboration, and respect, which we seek to continue to uphold.

It’s time to modernize these developer tools. To support the Association with this objective The Drupal Association created a Technical Advisory Committee (TAC). The TAC consists of community members Angie Byron, Moshe Weitzman, and Steve Francia, who is also our newest Drupal Association board member. The TAC acts in an advisory role and reports to me.

Building off of the work the community has already done, the TAC is exploring opportunities to improve the tools we use to collaborate on Drupal.org. The crux of this exploration is determining whether we should continue to rely on and invest in our self-built tools, or whether we should partner with an organization that specializes in open source tooling.

Our hope is that we will be able to bring significant improvements to our contribution experience faster by partnering with an organization willing to learn from our community and adapt their tools to those things we do uniquely well. Such a partnership would benefit both the Drupal community—with the support of their ongoing development—and potentially the broader open source community—by allowing our partner to bring other projects those aspects of our code collaboration workflow.

The TAC will use a collaborative process, working with staff and community to make a final recommendation. The TAC has already begun the process and has had some very positive exploratory conversations. The TAC and staff will be communicating their progress with the community in upcoming blog posts.




Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003

Mon, 10 Oct 2016 17:09:07 +0000

Description

Recently the Drupal Security Team has seen a trend of attacks utilizing a site misconfiguration. This issue only affects sites that allow file uploads by non-trusted or anonymous visitors and store those uploads in a public file system. These files are publicly accessible, allowing attackers to point search engines and people directly to them on the site. The majority of the reports are based around the webform module; however, other modules are vulnerable to this misconfiguration as well.

For example, if a webform is configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site.

To resolve this issue:

  1. Configure upload fields that non-trusted visitors, including anonymous visitors, can upload files with, to use the private file system.
  2. Ensure cron is properly running on the site. Read about setting up cron for Drupal 7 or Drupal 8.
  3. Consider forcing users to create accounts before submitting content.
  4. Audit your public file space to make sure that files that are uploaded there are valid.
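A sketch of the audit in step 4, written for this page and not taken from the Drupal Security Team: it walks a public files directory and reports files whose extension is outside an allowlist or whose leading bytes do not match the type the extension claims. The allowlist, the directory names and the sample files are assumptions constructed for the demonstration; on a real site, pass the site's own public files path.

```python
import tempfile
from pathlib import Path

# Assumed allowlist: extension -> accepted leading byte signatures.
SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Drupal writes its own .htaccess into the files directory; do not report it.
IGNORED_NAMES = {".htaccess"}


def audit_public_files(files_root, allowed=SIGNATURES):
    """Return sorted (relative_path, reason) pairs for files needing review."""
    root = Path(files_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.name in IGNORED_NAMES:
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext not in allowed:
            findings.append((rel, "extension not in allowlist"))
            continue
        with path.open("rb") as handle:
            head = handle.read(16)
        # bytes.startswith accepts a tuple of candidate prefixes.
        if not head.startswith(allowed[ext]):
            findings.append((rel, "content does not match extension"))
    return sorted(findings)


def build_sample_files(files_root):
    """Create a constructed upload directory for the demonstration."""
    root = Path(files_root)
    uploads = root / "webform"
    uploads.mkdir(parents=True, exist_ok=True)
    (root / ".htaccess").write_text("# written by the CMS\n", encoding="utf-8")
    # A file that really starts with the PNG signature.
    (uploads / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    # An HTML page uploaded under an image extension.
    (uploads / "banner.jpg").write_bytes(b"<html><body>ad</body></html>")
    # A file type the upload field should never have accepted.
    (uploads / "offer.html").write_bytes(b"<html><body>ad</body></html>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_files(tmp)
        for rel, reason in audit_public_files(tmp):
            print(f"{rel}: {reason}")
```

A signature match only shows that a file begins like the claimed type; files that pass still need review against what the site's forms were meant to collect.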

Awareness acknowledgment

The Drupal Security Team became aware of the existence and exploits of this issue because the community reported this issue to the security team. As always, if your site has been exploited, even if the cause is a mistake in configuration, the security team is interested in hearing about the nature of the issue. We use these reports to look for trends and broader solutions.

Coordinated by

This post may be updated as more information is learned.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.




Drupal 8.2.0 is now available

Wed, 05 Oct 2016 09:57:28 +0000

Update: Drupal 8.2.1 is now available.

Drupal 8.2.0, the second minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility.

What's new in Drupal 8.2.x?

This new version includes additional experimental modules to place blocks on pages, to edit configuration related to blocks without leaving the page, to create content moderation workflows, and to use date ranges. Several smaller authoring experience, site building, and REST and decoupled site improvements are included as well. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.)

Download Drupal 8.2.0

Easier to place and configure blocks on pages

The new experimental Place Block module allows placing blocks on any page without having to navigate to the backend administration form. After selecting the region for placement, block configuration can be adjusted in a modal dialog allowing full control of all the details.

There is also a much easier way to modify block configuration, with the experimental Settings Tray module. Editing a block opens a tray in a sidebar with the block's title and other settings. For the site name block, for example, you can edit the site name directly in the sidebar. For menu blocks, you can adjust the menu there.

Content moderation now included

Drupal has always supported both published and unpublished content, but more granular workflow support was not available in Drupal core. The new experimental Content Moderation module, based on the contributed Workbench Moderation project, allows defining content workflow states such as Draft, Archived, and Published, as well as which roles have the ability to move content between states.

Support for date ranges

The Datetime module included with core only supports storing single points in time. The experimental Datetime Range module provides a new field type that also allows end dates. This is important for helping contributed modules like the Calendar module to work with Drupal 8 core.

Site building, content authoring, and administrative improvements

Drupal 8.2.0 also improves stable functionality for administration, site building, and authoring. Drupal now enables revisions by default for new content types, to provide better accountability, to create a "safety net" for recovering from unintended changes, and to integrate with future workflow features. Content editors will enjoy a more seamless experience, as CKEditor's built-in dialogs are now styled to match Drupal-native dialogs, and creating any entity will always display a message linking to the new entity.

Other incremental enhancements include:

  • The user interface text has been improved on numerous administrative pages.
  • The redirection of site-wide contact forms is now configurable.
  • The comment view mode can now be selected in the display formatter form.
  • Relative URLs are converted to absolute ones in generated RSS feeds (ensuring that images and links work wherever the feeds are used).
  • Administrators can now elect to remove a module's content entities in order to uninstall the module.
  • The internal page cache has been improved for 404 responses.

Platform features for web services

The Drupal 8.2 release continues to expand Drupal's support for web services that benefit decoupled sites and applications, with bug fixes, simplified configuration, improved responses, and new features. It is now possible to read (GET) configuration entities like vocabularies and content types as REST resources, resolving a significant limitation for REST functionality in 8.1.x and earlier. Login, logout, and user registration are also now possible with REST. The aut[...]



The first annual Drupal CEO Survey reports that there is a bright future for Drupal in the enterprise segment

Thu, 29 Sep 2016 09:42:55 +0000

Results from the global Drupal CEO business survey conducted by One Shoe and Exove, in partnership with the Drupal Association, indicate that Drupal will adopt a role as an enterprise level platform.

The Drupal CEO Survey has been carried out this year for the first time and gives insights into the key issues that Drupal agency owners and company leaders worldwide face.

Among the surveyed 75 Drupal companies, the C-level respondents mainly work at digital agencies (37.8%) and software companies (27%). Most of the surveyed companies were small to medium sized enterprises. Only 9.9% said they have more than 80 employees, while 21.9% reported five or fewer employees.

A bright future for Drupal in the enterprise segment

A vast majority (90.5%) believes that Drupal has reinvented itself with the release of Drupal 8, the newest version of the CMS, released in November 2015. Even though Drupal has become somewhat more complex, respondents don’t think this is a turnoff for developers (77.1%). As one respondent said, "Some developers will resent the added complexity, but I see it becoming the defacto standard for 'Enterprise' CMSs."

This respondent is not the only one: 89.2% of the respondents think that the popularity of Drupal for clients will grow in the next three years. Drupal is seen as being a leader in larger enterprise deployments in the future. As one respondent stated, "Drupal will see continued growth for clients who are committed to their digital strategy and see its importance as part of their overall business goals. But it will probably tail off for clients who just need a website." Or, as another respondent sees it: "Drupal will become the platform of choice for enterprise level solutions."

Drupal is popular for enterprise healthcare projects

The surveyed companies serve clients in numerous industries. From an enterprise perspective, the major industries are healthcare and medicine (40.0% of respondents have clients from this industry), banking and insurance (38.7%), and retail (37.3%). Overall, Drupal companies also work with charities and non-profit organizations (64%), government and public administration (56.0%), media (49.3%), IT (45.3%), and arts and culture (36.0%).

The cost of an enterprise solution project varies from company to company. Most of the companies (28.0%) work in the 100,000 - 250,000 euro range, while 18.7% of the companies charge 250,000 - 500,000 euro. Another 18.7% charge 50,000 - 100,000 euro for an enterprise level solution built on Drupal. Only a handful of companies, 4.0%, charge between half a million and one million euro.

Compared to the typical cost of enterprise level solutions, Drupal based solutions are implemented at lower cost. This is due to the good fit of Drupal to enterprise needs, the flexibility of the platform, and the huge number of ready-made modules.

Drupal empowers growth

The most important strategic priorities of the companies also focus on growth: finding the right talent, 53.3%; ensuring financial growth, 45.3%; and developing new growth strategies, 41.3%. The executives expect to face challenges in the coming three years in the same areas: finding the right talent, 59.5%; talent retention, 36.5%; and ensuring financial growth, 33.8%.

While finding and retaining talent is seen as challenging, 60.0% of the respondents do not outsource work to vendors. Companies operating in Europe use outsourcing less, as 67.0% of these companies do not employ vendors. European companies outsource work to Asia (17.0%) and Europe (17.0%), while non-European companies use vendors in North America (25.0%), South America (25.0%), and Asia (19%).

Also illustrating the growth-empowering aspects of Drupal is the geographical presence of companies. One third (31.1%) of the surveyed companies have offices in more than one country, and 12.0% has offices[...]



The transformation of Drupal 8 for continuous innovation

Wed, 28 Sep 2016 07:00:00 +0000

Republished from buytaert.net.

In the past, after every major release of Drupal, most innovation would shift to two areas: (1) contributed modules for the current release, and (2) core development work on the next major release of Drupal. This innovation model was the direct result of several long-standing policies, including our culture of breaking backward compatibility between major releases.

In many ways, this approach served us really well. It put strong emphasis on big architectural changes, for a cleaner, more modern, and more flexible codebase. The downsides were lengthy release cycles, a costly upgrade path, and low incentive for core contributors (as it could take years for their contribution to be available in production). Drupal 8's development was a great example of this; the architectural changes in Drupal 8 really propelled Drupal's codebase to be more modern and flexible, but also came at the cost of four and a half years of development and a complex upgrade path.

As Drupal grows — in lines of code, number of contributed modules, and market adoption — it becomes harder and harder to rely purely on backward compatibility breaks for innovation. As a result, we decided to evolve our philosophy starting after the release of Drupal 8. The only way to stay competitive is to have the best product and to help people adopt it more seamlessly. This means that we have to continue to be able to reinvent ourselves, but that we need to make the resulting changes less scary and easier to absorb.

We decided that we wanted more frequent releases of Drupal, with new features, API additions, and an easy upgrade path. To achieve these goals, we adopted three new practices:

  • Semantic versioning: a major.minor.patch versioning scheme that allows us to add significant, backwards-compatible improvements in minor releases like Drupal 8.1.0 and 8.2.0.

  • Scheduled releases: new minor releases are timed twice a year for predictability. To ensure quality, each of these minor releases gets its own beta releases and release candidates with strict guidelines on allowed changes.

  • Experimental modules in core: optional alpha-stability modules shipped with the core package, which allow us to distribute new functionality, gather feedback, and iterate faster on the modules' planned path to stability.

Now that Drupal 8 has been released for about 10 months and Drupal 8.2 is scheduled to be released next week, we can look back at how this new process worked. Drupal 8.1 introduced two new experimental modules (the BigPipe module and a user interface for data migration), various API additions, and usability improvements like spell checking in CKEditor. Drupal 8.2 further stabilizes the migration system and introduces numerous experimental alpha features, including significant usability improvements (i.e. block placement and block configuration), date range support, and advanced content moderation — among a long list of other stable and experimental improvements.

It's clear that these regular feature updates help us innovate faster — we can now add new capabilities to Drupal that previously would have required a new major version. With experimental modules, we can get features in users' hands early, get feedback quickly, and validate that we are implementing the right things. And with the scheduled release cycle, we can deliver these improvements more frequently and more predictably. In aggregate, this enables us to innovate continuously; we can bring more value to our users in less time in a sustainable manner, and we can engage more developers to contribute to core.

It is exciting to see how Drupal 8 transformed our capabilities to continually innovate with core, and I'm looking forward to seeing what we accomplish next! It also raises questions about what t[...]



A new look for Drupal.org

Wed, 21 Sep 2016 19:09:50 +0000

As you can see we've put a fresh coat of paint on Drupal.org - but the changes run below the surface. This latest iteration of the front page brings the key concepts of our design system to the forefront: Clean, Modern, Technical.


This change also brings new editorial tools for Drupal.org content editors. The new home page provides us more flexibility with content and presentation, and so you'll see more frequent updates, more information about DrupalCon, and more editorial flexibility on the home page than you've seen in the past. These tools are also helping us to build cleaner, modern landing pages - like you've just seen with our Fall Membership Campaign.

We've previewed this work with several key members of the community and the board, and we want to say thank you to everyone who's given us their feedback on this first step for our new home page. We also want to give an extra special thank you to dyannenova for her contributions to this effort.

This is just the beginning - very soon we'll have a new visual look for the case studies that are featured on the home page, and then shortly after that we'll begin promoting solutions to Drupal evaluators in specific industries, like Higher Education, Media & Publishing, and Government.

If Drupal.org is the home of the community, then the front page is our front door. We want to welcome new users and evaluators of Drupal, highlight the project's strengths, and promote news and happenings from throughout the ecosystem.

We hope you like the changes, and we think you'll like the upcoming iterations even more. We'd love to hear your feedback!




Drupal 8.1.10 released

Wed, 21 Sep 2016 16:33:14 +0000

Drupal 8.1.10, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

See the Drupal 8.1.10 release notes for further information.

Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. For more information about the Drupal 8.x release series, consult the Drupal 8 overview.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 8 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

Bug reports

This is the final security release for the 8.1.x series. Future maintenance releases will be made available in the 8.2.x series, according to our monthly release cycle.

Change log

Drupal 8.1.10 is a security release only. For more details, see the 8.1.10 release notes. A complete list of all changes in the upcoming 8.2.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 8.1.10 was released in response to the discovery of security vulnerabilities. Details can be found in the official security advisories:

To fix the security problem, please upgrade to Drupal 8.1.10. (Sites testing the 8.2.x release should update to 8.2.0-rc2.)

Update notes

See the 8.1.10 release notes for details on important changes in this release.

This is the final security release of the 8.1.x series. Sites should prepare to update to 8.2.0 following this release.

Known issues

See the 8.1.10 release notes for known issues.




Can Drupal outdo native applications?

Wed, 14 Sep 2016 07:00:00 +0000

Republished from buytaert.net

I've made no secret of my interest in the open web, so it won't come as a surprise that I'd love to see more web applications and fewer native applications. Nonetheless, many argue that "the future of the internet isn't the web" and that it's only a matter of time before walled gardens like Facebook and Google — and the native applications which serve as their gatekeepers — overwhelm the web as we know it today: a public, inclusive, and decentralized common good.

I'm not convinced. Native applications seem to be winning because they offer a better user experience. So the question is: can open web applications, like those powered by Drupal, ever match up to the user experience exemplified by native applications? In this blog post, I want to describe inversion of control, a technique now common in web applications and that could benefit Drupal's own user experience.

Native applications versus web applications

Using a native application — for the first time — is usually a high-friction, low-performance experience because you need to download, install, and open the application (Android's streamed apps notwithstanding). Once installed, native applications offer unique access to smartphone capabilities such as hardware APIs (e.g. microphone, GPS, fingerprint sensors, camera), events such as push notifications, and gestures such as swipes and pinch-and-zoom. Unfortunately, most of these don't have corresponding APIs for web applications.

A web application, on the other hand, is a low-friction experience upon opening it for the first time. While native applications can require a large amount of time to download initially, web applications usually don't have to be installed and launched. Nevertheless, web applications do incur the constraint of low performance when there is significant code weight or dozens of assets that have to be downloaded from the server. As such, one of the unique challenges facing web applications today is how to emulate a native user experience without the drawbacks that come with a closed, opaque, and proprietary ecosystem.

Inversion of control

In the spirit of open source, the Drupal Association invited experts from the wider front-end community to speak at DrupalCon New Orleans, including from Ember and Angular. Ed Faulkner, a member of the Ember core team and contributor to the API-first initiative, delivered a fascinating presentation about how Drupal and Ember working in tandem can enrich the user experience.

One of Ember's primary objectives is to demonstrate how web applications can be indistinguishable from native applications. And one of the key ideas of JavaScript frameworks like Ember is inversion of control, in which the client side essentially "takes over" from the server side by driving requirements and initiating actions. In the traditional page delivery model, the server is in charge, and the end user has to wait for the next page to be delivered and rendered through a page refresh. With inversion of control, the client is in charge, which enables fluid transitions from one place in the web application to another, just like native applications.

Before the advent of JavaScript and AJAX, distinct states in web applications could be defined only on the server side as individual pages and requested and transmitted via a round trip to the server, i.e. a full page refresh. Today, the client can retrieve application states asynchronously rather than depending on the server for a completely new page load. This improves perceived performance. I discuss the history of this trend in more detail in this blog post.

Through inversion of control, JavaScript frameworks like Ember provide much more than seaml[...]



What's new on Drupal.org? - August 2016

Tue, 13 Sep 2016 14:44:43 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Our latest update about Drupal.org comes as the Drupal Association has moved out of our central office in Portland, OR, and gone to an all-distributed team. A move of that sort always creates some upheaval, but amidst the move we've continued to push forward on several initiatives to improve Drupal.org. At the same time we've been pushing forward towards DrupalCon Dublin at the end of September, and we hope to see you there!

Drupal.org updates

A new home page, coming soon

As we recently previewed on the Drupal.org blog, some changes are coming to the home page. We're building some new editorial tools to allow for more flexibility with the home page content, and to enable an increased focus on the adoption journey for visitors to Drupal.org. You'll see styles reminiscent of the Drupal 8 release announcement pages, and a continued modernization of the theme.

The launch of the new home page is coming soon, but as a precursor we've been making some small improvements. The new user menu which we launched in July has been updated for better keyboard accessibility, and to show a user picture as an indicator that a user has logged in.

We've also moved the search feature into an icon in the top navigation. This gives us more flexibility with the header, which can be customized per page type or per section with the overall site search box still being present. For example, the header in the new documentation section features a search box specific to this particular section, so while you are there you can search for other documentation without having to go through the full-site search and then filter down.

Lastly, we've merged the 'Get Started' and 'Download & Extend' pages. 90% of the content on these pages was duplicated between them, and the new page presents a cleaner experience with the essential details needed for getting started with Drupal.

The new front page is beginning editorial review, with the help of DA staff, a marketing task-force from the Drupal Association board, and a few key community members.

We've also just launched our fall membership campaign, and we've used this opportunity to beta test some of these new editorial tools to build the campaign landing page. Your support makes our work possible. Thank you!

Documentation

There's some news to report on the documentation front as well. Firstly, as mentioned above, we've updated the header of the documentation section to default to a documentation-specific search box. While not so important for other areas of the site, we want to preserve and improve the highly visible, in-context search for Documentation.

We've also made some updates to the new system for Documentation maintainers. Authors of new documentation guides will now automatically become maintainers of those guides and automatically 'follow' the guide content so that they will receive notifications of activity in that guide. Any user following a guide can modify notification settings at any time from their user profile. Within the notification settings a user can select their preferred method of receiving updates - via email or via their tracker page.

Tvn has continued to spearhead the migration of documentation from the old book pages to our new documentation system. We have completed the migration of the majority of the 'general' documentation. While that is done, there is still a lot of work to do to make the documentation content better using the new tools that are now available. We need community volunteers to take on small sub-sets of documentation to clean th[...]



Drupal 8.2.0-rc1 is available for testing

Wed, 07 Sep 2016 22:07:38 +0000

The first release candidate for the upcoming Drupal 8.2.0 release is now available for testing. With Drupal 8, we made major changes in our release process, adopting semantic versioning and scheduled releases. This allows us to make significant improvements to Drupal 8 in a timely fashion while still providing backwards compatibility. Drupal 8.2.0 is the second such update, expected to be released October 5.

Download Drupal-8.2.0-rc1

8.2.x includes many REST improvements; new experimental modules for content moderation, block placement, a sidebar to configure site elements in place, and end date support; and many other features and improvements. You can read a detailed list of improvements in the announcements of beta1, beta2, and beta3.

What does this mean to me?

For Drupal 8 site owners

The final bugfix release of 8.1.x has been released. 8.1.x will receive no further releases following 8.2.0, and sites should prepare to update from 8.1.x to 8.2.x in order to continue getting bug and security fixes. Use update.php to update your 8.1.x sites to the 8.2.x series, just as you would to update from (e.g.) 8.1.4 to 8.1.5. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.)

For module and theme authors

Drupal 8.2.x is backwards-compatible with 8.1.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.2.x, and test modules and themes with the release candidate now.

For translators

Some text changes were made since Drupal 8.1.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations.

For core developers

All outstanding issues filed against 8.1.x are automatically migrated to 8.2.x now. Future bug reports should be targeted against the 8.2.x branch. 8.3.x will remain open for new development during the 8.2.x release candidate phase. For more information, see the beta and release candidate phase announcement.

Your bug reports help make Drupal better!

Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet. [...]



Who sponsors Drupal development?

Tue, 06 Sep 2016 17:32:58 +0000

Republished from buytaert.net

There exist millions of Open Source projects today, but many of them aren't sustainable. Scaling Open Source projects in a sustainable manner is difficult. A prime example is OpenSSL, which plays a critical role in securing the internet. Despite its importance, the entire OpenSSL development team is relatively small, consisting of 11 people, 10 of whom are volunteers. In 2014, security researchers discovered an important security bug that exposed millions of websites. Like OpenSSL, most Open Source projects fail to scale their resources. Notable exceptions are the Linux kernel, Debian, Apache, Drupal, and WordPress, which have foundations, multiple corporate sponsors and many contributors that help these projects scale.

We (Dries Buytaert is the founder and project lead of Drupal and co-founder and Chief Technology Officer of Acquia and Matthew Tift is a Senior Developer at Lullabot and Drupal 8 configuration system co-maintainer) believe that the Drupal community has a shared responsibility to build Drupal and that those who get more from Drupal should consider giving more. We examined commit data to help understand who develops Drupal, how much of that work is sponsored, and where that sponsorship comes from.

We will illustrate that the Drupal community is far ahead in understanding how to sustain and scale the project. We will show that the Drupal project is a healthy project with a diverse community of contributors. Nevertheless, in Drupal's spirit of always striving to do better, we will also highlight areas where our community can and should do better.

Who is working on Drupal?

In the spring of 2015, after proposing ideas about giving credit and discussing various approaches at length, Drupal.org added the ability for people to attribute their work to an organization or customer in the Drupal.org issue queues. Maintainers of Drupal themes and modules can award issue credits to people who help resolve issues with code, comments, design, and more.

A screenshot of an issue comment on Drupal.org. You can see that jamadar worked on this patch as a volunteer, but also as part of his day job working for TATA Consultancy Services on behalf of their customer, Pfizer.

Drupal.org's credit system captures all the issue activity on Drupal.org. This is primarily code contributions, but also includes some (but not all) of the work on design, translations, documentation, etc. It is important to note that contributing in the issues on Drupal.org is not the only way to contribute. There are other activities—for instance, sponsoring events, promoting Drupal, providing help and mentoring—important to the long-term health of the Drupal project. These activities are not currently captured by the credit system. Additionally, we acknowledge that parts of Drupal are developed on GitHub and that credits might get lost when those contributions are moved to Drupal.org. For the purposes of this post, however, we looked only at the issue contributions captured by the credit system on Drupal.org.

What we learned is that in the 12-month period from July 1, 2015 to June 30, 2016 there were 32,711 issue credits—both to Drupal core as well as all the contributed themes and modules—attributed to 5,196 different individual contributors and 659 different organizations.

Despite the large number of individual contributors, a relatively small number do the majority of the work. Approximately 51% of the contributors involved got just one credit. The top 30 contributors (or top 0.5% contributors) account for over 21% of the total credits, indicating that these individual[...]



Documentation overhaul

Tue, 30 Aug 2016 16:11:34 +0000

One of the biggest content areas on Drupal.org—and one of the most important assets of any open source project—is documentation. Community-written Drupal documentation consists of about 10,000 pages. Preparations for the complete overhaul of the documentation tools were in the works for quite some time, and in the recent weeks we finally started to roll out the changes on the live site.

Background

Improving documentation on Drupal.org has been a part of a larger effort to restructure content on the site based on content strategy we developed. The new section comes after a few we launched earlier in the year. It also uses our new visual system, which will slowly expand into other areas.

Goals and process

The overall goal for the new Documentation section is to increase the quality of the community documentation. On a more tactical level, we want to:

  • Introduce the concept of "maintainers" for distinct parts of documentation

  • Flatten deep documentation hierarchy

  • Split documentation per major Drupal version

  • Notify people about edits or new documentation

  • Make comments more useful

To achieve those goals, we went through the following process: First, we wrote a bunch of user stories based on our user research and the story map exercise we went through with the Documentation Working Group members. Those stories cover all kinds of things different types of users do while using documentation tools. We then wireframed our ideas for how the new documentation system should look and work. We ran a number of remote and in person usability testing sessions on those wireframes. Our next step was to incorporate the feedback, update our wireframes, and create actual designs. And then we tested them again, in person, during DrupalCamp London. Incorporated feedback again, and started building.

The new system

So, how does the new documentation system work exactly? It is based on two new content types:

  • Documentation guide: a container content type. It will group documentation pages on a specific topic, and provide an ability to assign 'maintainers' for this group of pages (similar to maintainers for contributed projects). Additionally, users will be able to follow the guide and receive notifications about new pages added or existing pages edited.

  • Documentation page: a content type for the actual documentation content. These live inside of documentation guides.

Example of a new documentation guide

All of the documentation is split per major Drupal version, which means every documentation guide or page lives inside of one of a few top level 'buckets', e.g. Drupal 7 documentation, Drupal 8 documentation. It is also possible to connect guides and pages to each other via a 'Related content' field, which should make it easier to discover relevant information.

One of our next to-do’s is to provide an easy way to connect documentation guides to projects, enabling 'official' project documentation functionality.

More information on various design decisions we made for the new documentation system, and the reasons behind them, can be found in our DrupalCon New Orleans session (slides).

Current status

Right now, we have the new content types and related tools ready on Drupal.org. We are currently migrating existing documentation (all 10,000 pages!) into the new system. The first step is generic documentation (e.g. 'Structure Guide'), with contributed projects documentation to follow later.

While working on the migration, we are recruiting maintainers for the new guides. If you are interested in helping out, sign up in the issue. Please only sign up if you actually have some time to work on doc[...]



Upcoming Changes to the Front Page

Wed, 24 Aug 2016 18:22:46 +0000

In recent weeks we've been making several small changes to Drupal.org: precursors to bigger things to come. First, we moved the user activity links to a user menu in the header. Next, we're moving the search function from the header to the top navigation. These changes aren't just to recover precious pixels so you can better enjoy those extra long issue summaries—these are the first step towards a new front page on Drupal.org.

As the Drupal 8 life-cycle has moved from development, to release, to adoption, we have adapted Drupal.org to support the needs of the project in the moment. And today, the need of the moment is to support the adoption journey.

As we make these changes you'll see echoes of the visual style we used when promoting the release of Drupal 8.

  • The Drupal wordmark region will help to define Drupal, and promote trying a demo.

  • A ribbon will promote contextual CTAs like learning more about Drupal 8.

  • The news feed will be tweaked.

  • DrupalCon will have a permanent home on the front page.

  • Community stats and featured case studies will be carried over (but may evolve).

  • The home page sponsorship format may change.

  • We'll be phasing in a new font throughout the site: Ubuntu - which you've already seen featured in the new Documentation section.

Here's a teaser

… a sneak preview of some new page elements and styles you'll see in the new home page.  

(image)

Our first deployment will introduce the new layout and styles. Additional changes will follow as we introduce content to support our turn towards the adoption journey. Drupal evaluators beginning their adoption journey want to know who uses Drupal, and what business needs Drupal can solve. We will begin promoting specific success stories: solutions built in Drupal to meet a concrete need.

What's next?

We're continuing to refine our content model and editorial workflow for the new front page. You'll see updates in the Drupal.org change notifications as we get closer to deployment.

Wondering why we're making these changes now? This turn towards the adoption journey is part of our changing priorities for the next 12 months.




Drupal 8.2, now with more outside-in

Tue, 23 Aug 2016 19:14:41 +0000

Republished from buytaert.net

Over the weekend, Drupal 8.2 beta was released. One of the reasons why I'm so excited about this release is that it ships with "more outside-in". In an "outside-in experience", you can click anything on the page, edit its configuration in place without having to navigate to the administration back end, and watch it take effect immediately. This kind of on-the-fly editorial experience could be a game changer for Drupal's usability.

When I last discussed turning Drupal outside-in, we were still in the conceptual stages, with mockups illustrating the concepts. Since then, those designs have gone through multiple rounds of feedback from Drupal's usability team and a round of user testing led by Cheppers. This study identified some issues and provided some insights which were incorporated into subsequent designs.

Two policy changes we introduced in Drupal 8—semantic versioning and experimental modules—have fundamentally changed Drupal's innovation model starting with Drupal 8. I should write a longer blog post about this, but the net result of those two changes is ongoing improvements with an easy upgrade path. In this case, it enabled us to add outside-in experiences to Drupal 8.2 instead of having to wait for Drupal 9. The authoring experience improvements we made in Drupal 8 are well-received, but that doesn't mean we are done. It's exciting that we can move much faster on making Drupal easier to use.

In-place block configuration

As you can see from the image below, Drupal 8.2 adds the ability to trigger "Edit" mode, which currently highlights all blocks on the page. Clicking on one — in this case, the block with the site's name — pops out a new tray or sidebar. A content creator can change the site name directly from the tray, without having to navigate through Drupal's administrative interface to theme settings as they would have to in Drupal 7 and Drupal 8.1.

Making adjustments to menus

In the second image, the pattern is applied to a menu block. You can make adjustments to the menu right from the new tray instead of having to navigate to the back end. Here the content creator changes the order of the menu links (moving "About us" after "Contact") and toggles the "Team" menu item from hidden to visible.

In-context block placement

In Drupal 8.1 and prior, placing a new block on the page required navigating away from your front end into the administrative back end and noting the available regions. Once you discover where to go to add a block, which can in itself be a challenge, you'll have to learn about the different regions, and some trial and error might be required to place a block exactly where you want it to go. Starting in Drupal 8.2, content creators can now just click "Place block" without navigating to a different page and knowing about available regions ahead of time. Clicking "Place block" will highlight the different possible locations for a block to be placed in.

Next steps

These improvements are currently tagged "experimental". This means that anyone who downloads Drupal 8.2 can test these changes and provide feedback. It also means that we aren't quite satisfied with these changes yet and that you should expect to see this functionality improve between now and 8.2.0's release, and even after the Drupal 8.2.0 release.

As you probably noticed, things still look pretty raw in places; as an example, the forms in the tray are exposing too many visual details. There is more work to do to bring this functionality to the level of the designs. We're focused [...]



Drupal goes to Rio

Tue, 16 Aug 2016 07:00:00 +0000

Republished from buytaert.net


As the 2016 Summer Olympics in Rio de Janeiro enters its second and final week, it's worth noting that the last time I blogged about Drupal and the Olympics was way back in 2008 when I called attention to the fact that Nike was running its sponsorship site on Drupal 6 and using Drupal's multilingual capabilities to deliver their message in 13 languages.

While watching some track and field events on television, I also spent a lot of time on my laptop with the NBC Olympics website. It is a site that has run on Drupal for several years, and this year I noticed they took it up a notch and did a redesign to enhance the overall visitor experience.

Last week NBC issued a news release that it has streamed over one billion minutes of sports via their site so far. That's a massive number!

I take pride in knowing that an event as far-reaching as the Olympics is being delivered digitally to a massive audience by Drupal. In fact, some of the biggest sporting leagues around the globe run their websites off of Drupal, including NASCAR, the NBA, NFL, MLS, and NCAA. Massive events like the Super Bowl, Kentucky Derby, and the Olympics run on Drupal, making it the chosen platform for global athletic organizations.





What’s new on Drupal.org? - July 2016

Fri, 12 Aug 2016 15:49:15 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

The Drupal Association engineering team has been continuing to refine our focus for the next 12 months. In July, we worked through the details of setting new priorities for our work, after the organizational changes earlier this summer.

As part of this prioritization process, we've set up a technical advisory committee: a collaboration between a few members of the staff, a representative from the board, and two members from the community. This committee will help us refine the roadmap for Drupal.org for the short term—while the Association is focused on fiscal health and sustainability—and will provide strategic vision for the long term, as our fiscal stability improves.

As a result of these changes, you'll begin to see our updates in this blog series evolve. Expect a greater focus on:

- The adoption journey for users evaluating Drupal.
- Systematic improvements to make maintenance of critical Drupal.org services less labor intensive and more affordable.
- Community initiatives, where we're working together with community contributors who want to help us improve Drupal.org.

So without further ado, let's talk about what we did in July.

Drupal.org updates

User Menu

We've moved the user activity links (Login/Register, My Dashboard, My Account, etc.) to a user menu in the top navigation. This change is live on www.Drupal.org and all of the sub-sites that use the Bluecheese theme.

The immediate effects of this change are a better look and feel and more vertical space for content on every page. But these weren’t the primary motivation. The larger reason for making this change is that it’s the first incremental step towards upcoming editorial changes on Drupal.org. More incremental changes will follow in August, including accessibility improvements to this new user menu and a new search icon to replace the embedded search box in the header.

Better Packaging Behavior

One of the basic features of Drupal.org's project hosting is packaging the code committed to our git repositories and providing tar.gz and zip files of releases. The packaging process, while generally reliable, has had its share of infrequent but persistent quirks and race conditions. In July, we fixed several aspects of packaging to eliminate race conditions and reduce the need for human intervention if it runs off the rails. The changes we made were:

- Storing and using commit file hashes instead of relying on timestamps to find files changed since the last packaging run.
- Considering the committer date for packaging.
- Updating project release tables immediately when packaging occurs.

Taken together, these changes have made packaging faster, more efficient, and less prone to race conditions that require staff time to fix.

Supporting Drupal 8.2

Drupal 8.2 is coming soon, scheduled for release on October 5th. The beta period for this point release began on August 3rd, and so towards the end of July we spent some time supporting the Core developers who were trying to get their features ready for inclusion in the beta period. In particular, we updated PhantomJS to version 2.1.1 in our DrupalCI containers, to allow Core developers to test javascript interactions for file uploads—part of the new quick edit features targeted for this point release.

Deprecated unstable releases

In July, we also deprecated the use of the “unstable” release tag for p[...]



City of Boston launches Boston.gov on Drupal

Thu, 21 Jul 2016 17:00:00 +0000

Republished from buytaert.net

Yesterday, the City of Boston launched its new website, Boston.gov, on Drupal. Not only is Boston a city well-known around the world, it has also become my home over the past 9 years. That makes it extra exciting to see the city of Boston use Drupal.

As a company headquartered in Boston, I'm also extremely proud to have Acquia involved with Boston.gov. The site is hosted on Acquia Cloud, and Acquia led a lot of the architecture, development, and coordination. I remember pitching the project in the basement of Boston's City Hall, so seeing the site launched less than a year later is quite exciting.

The project was a big undertaking, as the old website was 10 years old and running on Tridion. The city's digital team, Acquia, IDEO, Genuine Interactive, and others all worked together to reimagine how a government can serve its citizens better digitally. It was an ambitious project as the whole website was redesigned from scratch in 11 months; from creating a new identity, to interviewing citizens, to building, testing and launching the new site.

Along the way, the project relied heavily on feedback from a wide variety of residents. The openness and transparency of the whole process was refreshing. Even today, the city made its roadmap public at http://roadmap.boston.gov and is actively encouraging citizens to submit suggestions. This open process is one of the many reasons why I think Drupal is such a good fit for Boston.gov.

More than 20,000 web pages and one million words were rewritten in a more human tone to make the site easier to understand and navigate. For example, rather than organize information primarily by department (as is often the case with government websites), the new site is designed around how residents think about an issue, such as moving, starting a business or owning a car. Content is authored, maintained, and updated by more than 20 content authors across 120 city departments and initiatives.

The new Boston.gov is absolutely beautiful, welcoming and usable. And, like any great technology endeavor, it will never stop improving. The City of Boston has only just begun its journey with Boston.gov—I’m excited to see how it grows and evolves in the years to come. Go Boston!

Last night, there was a launch party to celebrate the launch of Boston.gov. It was an honor to give some remarks about this project alongside Boston mayor, Marty Walsh (pictured above), as well as Lauren Lockwood (Chief Digital Officer of the City of Boston) and Jascha Franklin-Hodge (Chief Information Officer of the City of Boston).[...]



Drupal 8.1.7 released

Mon, 18 Jul 2016 14:00:09 +0000

Drupal 8.1.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

See the Drupal 8.1.7 release notes for further information.

Download Drupal 8.1.7

Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. For more information about the Drupal 8.1.x release series, consult the Drupal 8 overview.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 8 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

Bug reports

Drupal 8.1.x is actively maintained, so more maintenance releases will be made available, according to our monthly release cycle.

Change log

Drupal 8.1.7 is a security release only. For more details, see the 8.1.7 release notes. A complete list of all changes in the stable 8.1.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 8.1.7 was released in response to the discovery of security vulnerabilities. Details can be found in the official security advisories:

To fix the security problem, please upgrade to Drupal 8.1.7.

Update notes

See the 8.1.7 release notes for details on important changes in this release.

Known issues

See the 8.1.7 release notes for known issues.




Drupal Core - Highly Critical - Injection - SA-CORE-2016-003

Mon, 18 Jul 2016 13:53:22 +0000

Advisory ID: DRUPAL-SA-CORE-2016-003
Project: Drupal core
Version: 8.x
Date: 2016-July-18
Security risk: 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Proof/TD:Default
Vulnerability: Injection

Description

Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.

CVE identifier(s) issued

CVE-2016-5385

Versions affected

Drupal core 8.x versions prior to 8.1.7

Solution

Install the latest version:

If you use Drupal 8.x, upgrade to Drupal core 8.1.7

If you use Drupal 7.x, Drupal core is not affected. However you should consider using the mitigation steps at https://httpoxy.org/ since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess:

    RequestHeader unset Proxy

We also suggest mitigating it as described here: https://httpoxy.org/

Also see the Drupal core project page.

What if I am running Drupal core 8.0.x?

Drupal core 8.0.x is no longer supported. Update to 8.1.7 to get the latest security and bug fixes.

Why is this being released Monday rather than Wednesday?

The Drupal Security Team usually releases Security Advisories on Wednesdays. However, this vulnerability affects more than Drupal, and the authors of Guzzle and reporters of the issue coordinated to make it public Monday. Therefore, we are issuing a core release to update to the secure version of Guzzle today.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Front page news: Planet Drupal
Drupal version: Drupal 8.x[...]



What’s new on Drupal.org? - June 2016

Fri, 15 Jul 2016 15:20:03 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

In June the Drupal Association had our annual staff retreat, where the remote team members joined the Portland, OR team for a three day retreat. This year's retreat was particularly important as we found our feet as a smaller, leaner team, and focused on our organizational roadmap for the next twelve months. For the engineering team in particular, our focus will be on maintaining the critical systems that make the project successful: issue queues, updates, testing, packaging, etc, while at the same time finding new ways to support and enable Drupal's evolution.

These were some heady days, but even as we worked through the best ways to continue serving the Drupal community on a strategic level in June, we also found the time to keep making Drupal.org a better home.

Drupal.org updates

Documentation Migration

A long running initiative this year has been the creation of a new Documentation system for Drupal.org, a topic we've touched on in many prior updates as it has begun to come online. We are very happy to say that we are moving to the next stage of the documentation project: moving from development to migration.

In June tvn recruited several volunteers to join our documentation migration team, and to become some of the first maintainers for the new Documentation Guides. General documentation, such as Understanding Drupal, Structure Guide, etc. will be migrated first. Documentation for contributed projects will follow in the coming weeks. Maintainers of contributed projects, who currently have their documentation on Drupal.org, will be added as maintainers to respective documentation guides and are encouraged to clean/tidy up their documentation post-migration.

if you are interested in helping, or sign up as a maintainer for some of the new documentation guides.

Composer Repositories are now in Beta

Drupal.org's Composer repositories allow developers building sites with Drupal to use the Composer command line tool for dependency management. In June we collected feedback from a variety of users, as well as the community volunteers who assisted us with the Composer Community Initiative. We spent the month iterating quickly on the alpha implementation: fixing bugs and rebuilding the meta data to ensure that users get consistent and expected results.

Because of those fixes, and after gathering yet more feedback from the community, we were able to move the Drupal.org Composer repositories to beta. We encourage you to begin transitioning your composer based workflows to use Drupal.org's composer facade. Package names are stable, and downtimes will be planned and announced.

For more information on how to use Drupal.org's Composer repositories, read our documentation.

Better issue credit tools for maintainers

The Drupal.org issue credit system is a unique innovation of our community. By allowing users to attribute their contributions as volunteers, to their employers, or to client customers, we have an insight into the contribution ecosystem for Drupal that is unparalleled among open source projects. We've also already seen the impact of incentivizing organizations to give back to Drupal, by using the credit system as the basis for organization rankings in the marketplace.

In June we added two new tool[...]



Drupal contrib - Highly Critical - Remote code execution PSA-2016-001

Tue, 12 Jul 2016 15:18:59 +0000

Update: Release Announcements

The following modules have security releases that are now available, listed in order of severity. There are no more releases planned for today.

Description

There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). These contributed modules are used on between 1,000 and 10,000 sites. The Drupal Security Team urges you to reserve time for module updates at that time because exploits are expected to be developed within hours/days. Release announcements will appear at the standard announcement locations.

Drupal core is not affected. Not all sites will be affected. You should review the published advisories on July 13th 2016 to see if any modules you use are affected.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Edited to add: approximate usage of the modules, links to the final releases, that there are no more releases for today.




Drupal 7.50 released

Thu, 07 Jul 2016 18:28:17 +0000

Drupal 7.50, the next release in the Drupal 7 series, is now available for download. It contains a variety of new features, improvements, and bug fixes (no security fixes).

Wait... Drupal 7.50? Yes, there is a version jump compared to the previous 7.44 release; this is to indicate that this Drupal 7 point release is a bit larger than past ones and makes a few more changes and new features available than normal.

Updating your existing Drupal 7 sites is recommended. Backwards compatibility is still being maintained, although read on to find out about a couple of changes that might need your attention during the update.

Download Drupal 7.50

Notable changes

There are a variety of new features, performance improvements, security-related enhancements (although no fixes for direct security vulnerabilities) and other notable changes in this release. The release notes provide a comprehensive list, but here are some highlights.

New "administer fields" permission added for trusted users

The administrative interface for adding and configuring fields has always been something that only trusted users should have access to. To make that easier, there is now a dedicated permission which is required (in addition to other existing administrative permissions) to be able to access the field UI. For example, you can now assign the "administer taxonomy" permission (but withhold the new "administer fields" permission) to allow low-level administrators to manage taxonomy terms but not change their field structure. Read the change record for more information.

Protection against clickjacking enabled by default

Clickjacking is a technique a malicious site owner can use to attempt attacks on other sites, by embedding the victim's site into an iframe on their own site. To stop this, Drupal will now prevent your site from being embedded in an iframe on another domain. This is the default behavior, but it can be adjusted if necessary; see the change record to find out more.

Support for full UTF-8 (emojis, Asian symbols, mathematical symbols) is now possible on MySQL

If content creators on your site have been clamoring to use emojis, it's now possible on Drupal sites running MySQL (it was previously possible on PostgreSQL and SQLite). Turning this capability on requires the database to meet certain requirements, plus editing the site's settings.php file and potentially other steps, as described in the change record.

Improved support for recent PHP versions, including PHP 7

Drupal core's automated test suite is now fully passing on a variety of environments where there were previously some failures (PHP 5.4, 5.5, 5.6, and 7). We have also fixed several bugs affecting those versions. These PHP versions are officially supported by Drupal 7 and recommended for use where possible. Because PHP 7 is the newest release (and not yet used on many production sites) extra care should still be taken with it, and there are some known bugs, especially in contributed modules (see the discussion for more details). However anecdotal evidence from a variety of users suggests that Drupal 7 can be successfully used on PHP 7, both before and after the 7.50 release.

Improved performance (and new PHP warnings) when Drupal is trying to find a file that does not exist

When Drupal cannot find a file that it expects to be in the filesystem, it will no lo[...]



A roadmap for making Drupal more API-first

Thu, 07 Jul 2016 14:06:50 +0000

Republished from buytaert.net

In one of my recent blog posts, I articulated a vision for the future of Drupal's web services, and at DrupalCon New Orleans, I announced the API-first initiative for Drupal 8. I believe that there is considerable momentum behind driving the web services initiative. As such, I want to provide a progress report, highlight some of the key people driving the work, and map the proposed vision from the previous blog post onto a rough timeline.

Here is a bird's-eye view of the plan for the next twelve months:

8.2 (Q4 2016): New REST API capabilities; Waterwheel initial release
8.3 (Q2 2017): New REST API capabilities; JSON API module
Beyond 8.3 (2017+): GraphQL module?; Entity graph iterator?

New REST API capabilities

Wim Leers (Acquia) and Daniel Wehner (Chapter Three) have produced a comprehensive list of the top priorities for the REST module. We're introducing significant REST API advancements in Drupal 8.2 and 8.3 in order to improve the developer experience and extend the capabilities of the REST API. We've been focused on configuration entity support, simplified REST configuration, translation and file upload support, pagination, and last but not least, support for user login, logout and registration. All this work starts to address differences between core's REST module and various contributed modules like Services and RELAXed Web Services. More details are available in my previous blog post.

Many thanks to Wim Leers (Acquia), Daniel Wehner (Chapter Three), Ted Bowman (Acquia), Alex Pott (Chapter Three), and others for their work on Drupal core's REST modules. Though there is considerable momentum behind efforts in core, we could always benefit from new contributors. Please consider taking a look at the REST module issue queue to help!

Waterwheel initial release

As I mentioned in my previous post, there has been exciting work surrounding Waterwheel, an SDK for JavaScript developers building Drupal-backed applications. If you want to build decoupled applications using a JavaScript framework (e.g. Angular, Ember, React, etc.) that use Drupal as a content repository, stay tuned for Waterwheel's initial release later this year.

Waterwheel aims to facilitate the construction of JavaScript applications that communicate with Drupal. Waterwheel's JavaScript library allows JavaScript developers to work with Drupal without needing deep knowledge of how requests should be authenticated against Drupal, what request headers should be included, and how responses are molded into particular data structures. The Waterwheel Drupal module adds a new endpoint to Drupal's REST API allowing Waterwheel to discover entity resources and their fields. In other words, Waterwheel intelligently discovers and seamlessly integrates with the content model defined on any particular Drupal 8 site.

A wider ecosystem around Waterwheel is starting to grow as well. Gabe Sullice, creator of the Entity Query API module, has contributed an integration of Waterwheel which opens the door to features such as sorts, conditions and ranges. The Waterwheel team welcomes early adopters as well as those working on other REST modules such as JSON API and RELAXed or using native HTTP clients in JavaScript frameworks to add their own integrations to the mix.

Water[...]



Drupal is for ambitious digital experiences

Wed, 29 Jun 2016 07:00:00 +0000

Republished from buytaert.net

What feelings does the name Drupal evoke? Perceptions vary from person to person; where one may describe it in positive terms as "powerful" and "flexible," another may describe it negatively as "complex." People describe Drupal differently not only as a result of their professional backgrounds, but also based on what they've heard and learned.

If you ask different people what Drupal is for, you'll get many different answers. This isn't a surprise, because over the years the answers to this fundamental question have evolved. Drupal started as a tool for hobbyists building community websites, but over time it's evolved to support large and sophisticated use cases.

Perception is everything

Perception is everything; it sets expectations and guides actions and inactions. We need to better communicate Drupal's identity, demonstrate its true value, and manage its perceptions and misconceptions. Words do lead to actions. Spending the time to capture what Drupal is for could energize and empower people to make better decisions when adopting, building, and marketing Drupal.

Truth be told, I've been reluctant to define what Drupal is for, as it requires making trade-offs. I've feared that we'd make the wrong choice or limit our growth. Over the years, it's become clear that not defining what Drupal is used for leaves more people confused, even within our own community.

For example, because Drupal evolved from a simple tool for hobbyists to a more powerful digital experience platform, many people believe that Drupal is now "for the enterprise." While I agree that Drupal is a great fit for the enterprise, I personally never loved that categorization. It's not just large organizations that use Drupal. Individuals, small startups, universities, museums, and non-profits can be equally ambitious in what they'd like to accomplish, and Drupal can be an incredible solution for them.

Defining what Drupal is for

Rather than using "for the enterprise," I thought "for ambitious digital experiences" was a good phrase to describe what people can build using Drupal. I say "digital experiences" because I don't want to confine this definition to traditional browser-based websites. As I've stated in my Drupalcon New Orleans keynote, Drupal is used to power mobile applications, digital kiosks, conversational user experiences, and more. Today I really wanted to focus on the word "ambitious."

"Ambitious" is a good word because it aligns with the flexibility, scalability, speed and creative freedom that Drupal provides. Drupal projects may be ambitious because of the sheer scale (e.g. The Weather Channel), their security requirements (e.g. The White House), the number of sites (e.g. Johnson & Johnson manages thousands of Drupal sites), or specialized requirements of the project (e.g. the New York MTA powering digital kiosks with Drupal). Organizations are turning to Drupal because it gives them greater flexibility, better usability, deeper integrations, and faster innovation. Not all Drupal projects need these features on day one—or need to know about them—but it is good to have them in case you need them later on.

"Ambitious" also aligns with our community's culture. Our industry is in constant change (responsive design, web s[...]