Fri, 21 Apr 2017 03:19:55 +0000TL;DR: Both the community and Dries Buytaert, Project Lead, see a need to evolve Drupal community governance. The Drupal Association can help in a support role. We will start by hosting mediated community discussions so everyone around the world can participate, be heard and understood, and share their ideas. Creating a new governance model will take many months and will require an agile approach as we all feel our way through the proper steps. The Drupal Association will continue to find ways to support this process as we all move through it together. ------------- Over the last several weeks, the Drupal Association has been in listening mode — and we still are. We’re hearing community members say they need clarity and understanding, and that our community governance needs to change. As we process what we’re hearing, we want to find the best way to help the community address the issues being raised, within the boundaries of the Drupal Association charter. The Drupal Association’s mission is to unite the global community to help build and promote the software. We do that in two very specific ways: DrupalCon and Drupal.org. We’re determining how best to meet the community’s needs as it relates to these two key community homes. In the near future, I will publish blogs with ideas on how we might address the various needs we are hearing. Evolving Community Governance There is one need that we hear loud and clear that we can address today: The community needs support to evolve community governance structures and processes. Both the community at large, and Dries Buytaert, Project Lead, have expressed this need, and we are glad to see this alignment. It’s important to note that the Drupal Association has a very limited role in community governance. Our only role in governance stems directly from our charter to manage DrupalCon and Drupal.org. It’s not within our charter to oversee community governance or drive its evolution. The last thing the Drupal Association wants is to step outside of our charter or accidentally take away the community’s agency in self-organizing to create the new community governance model. However, we do want to facilitate forward movement. And so, we can take a support role. We hear that many in the community want to come together to talk. We can support this by providing a meeting place (both in person and online), and a mediator for community discussions. We have asked Whitney Hess, a coach who has worked with the Drupal community before, to facilitate and mediate community discussions, where people can come together to talk about current community issues and explore ideas for improved governance. These discussions will start at DrupalCon Baltimore and continue in a series of online meetings, scheduled at different times so members around the world can participate. [see more details below] To provide transparency for those who cannot attend the discussion sessions, we will post meeting minutes and summaries from each community discussion here: https://drupal.org/community/discussions. As facilitator of these community discussions, Whitney Hess will provide a summary to give us a broad perspective on the “voice of the community.” We hope these conversations will ground the community as it begins architecting its new governance model. Once we have had these discussions we can decide together on the appropriate next steps, and how the Association can help the community continue to move forward, together. Join Community Discussions We hope you'll join the conversation as these discussions begin. Again, our overarching aim is to support the community so it can be healthy and continue to thrive. We believe that open conversation is essential to the wellbeing of any community and we look forward to hosting Community Discussions mediated by Whitney Hess. Please join fellow community members to talk through recent community issues and to be part of co-creating Drupal’s new governance model. Here are the discussions you can join. Please note the ground rules below: At DrupalCon Baltim[...]
Wed, 19 Apr 2017 17:13:51 +0000
This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:
rest) module enabled.
While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.
Also see the Drupal core project page.
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Tue, 18 Apr 2017 18:02:34 +0000Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. The Drupal Association team is gearing up for DrupalCon Baltimore. We're excited to see you there and we'll presenting a panel giving an update on our work since Dublin, and our plans for the coming months. Drupal.org updates Project application revamp As we announced in mid-March, new contributors on Drupal.org can now create full projects and releases! Contributors no longer have to wait in the project application queue for a manual review before they are able to contribute projects. This is a very significant change in the Drupal contribution landscape, and it's something we approached carefully and will continue to monitor over the coming months. Drupal has always had a reputation for a high quality code, and we want to make sure that reputation is preserved with good security signals, project quality signals, and continued incentives for peer code review. That said, we're very excited to see how this change opens up Drupal to a wider audience of contributors. Please note that the removal of project applications to create full projects and releases means a change in the security advisory policy (see below for details). Security Advisory Opt-in and new Security Signals for Projects Are you responsible for the security of your clients' Drupal sites? Please note that Drupal's security advisory coverage policy has changed. Security advisory coverage for contributed projects is now only available for projects that have both opted in to receive coverage and made a stable release. You can see which projects have opted in by checking their project pages. If you have questions, please contact email@example.com. Because users may now create full projects and releases without opting in to security advisory coverage, it's critically important that we provide good security signals to users evaluating projects on Drupal.org. This is why we've added a security coverage warning to projects that aren't opted in to coverage. We've also: Opened up the opt-in process, allowing any maintainer of a project (not just the node author) to opt in to receive security advisory coverage Added a confirmation step when a user goes to make a stable release - this encourages users to be sure the project is ready for a release, and to opt-in to coverage if they haven't already Blocked security advisory opt-in if a project has an open, public security issue Started displaying info about public security issues on project pages that haven't opted into advisory coverage Added a filter to project browsing pages to make it easier to find projects with supported stable releases 2017 Community Elections Update The 2017 elections for the community-at-large seat on the board were held successfully in March. Drupal Association community board elections are conducted with the Instant Runoff Voting system. This voting methodology requires that voters rank their preferred candidates on their ballot, and we've heard that this system has been somewhat unwieldy in the past. Each year we try to improve the voter experience and so this year we deployed a new drag-and-drop ballot. Finally, we want to congratulate our newest board member Ryan Szrama! Better international datetime support throughout Drupal.org Drupal.org has grown organically over the course of more than a decade, and as features have been built out they were not always consistent in their display of datetime information. While it sometimes makes sense to have a few different formats for displaying date and time, many of the formats in use were simply arbitrary historical decisions. As a quality of life improvement, especially for users outside of the USA, we've standardized the datetime format used on Drupal.org. That format is: DD MMM YYYY - hh:mm (UTC±h). For example: 11 Aug 2016 - 16:42 (UTC+8) DrupalCI CSS Lint check style results When we implemented coding standards testing in D[...]
Mon, 17 Apr 2017 15:47:45 +0000
There will be a security release of Drupal 8.3.x and 8.2.x on April 19th 2017 between
17:00 - 18:00 UTC that will fix a critical vulnerability. While we don't normally provide security releases for unsupported minor releases, given the potential severity, we will provide an 8.2.x release that includes the fix for sites which have not had a chance to update to 8.3.0. The Drupal Security Team urges you to reserve time for core updates at that time because exploits are expected to be developed within hours or days. Security release announcements will appear at the standard announcement locations.
This vulnerability does not affect all Drupal 8 sites; it only affects sites with certain configurations. It requires authenticated user access to exploit. The security release announcement on April 19th 2017 will make it clear which configurations are affected. If this vulnerability affects your site, you will need to update. Please set aside time on Wednesday to look into this update.
Neither the Security Team, nor Security Team members, nor any Drupal-related company are able to release any more information about this vulnerability until the announcement is made in accordance with our security policies and responsible disclosure best practices.
We provide pre-release warnings when we believe the security risk is high and the steps to exploit are scriptable.
The Drupal security team can be reached at security at Drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity.
Tue, 11 Apr 2017 17:12:37 +0000In October of last year the Technical Advisory Committee was formed to evaluate options for the developer tools we use on Drupal.org. The TAC consists of Angie Byron, Moshe Weitzman, and Steve Francia, acting as advisors to Megan Sanicki, the Executive Director of the Drupal Association. The TAC's mandate is to recommend a direction for the future of our tools on Drupal.org. Megan will evaluate this recommendation, make a decision, and prioritize that work in the development roadmap of the Drupal Association engineering team. What is the motivation behind looking at our developer tools now? Close followers of the Drupal project will have noticed a trend in the last several months. From Dries' announcement of easy upgrades forever, to the revamp of the project application process, to the discussion about making tools for site builders— there is a unifying theme: broadening the reach of Drupal. This is the same motivation that underlies this evaluation of our developer tools, and defines the goals and constraints of this initiative: Adopt a developer workflow that will be familiar to the millions of developers outside our community Preserve those unique elements of how we collaborate that have made the Drupal project so successful If possible, leverage an expert partner who will help keeping our tooling up to date as open source collaboration tools continue to evolve This means looking at a number of elements of the Drupal.org developer tool stack: The underlying git service How we tag and package releases The contribution workflow (patch vs. pull request) Project management workflows (the issue queues and tags) CI integration Maintainership Project pages If this looks like a tremendous undertaking - that's because it is. But there are some things we already know: Drupal.org should continue to be the home of project pages We should adopt a pull request workflow (and ideally we want to be able continue to accept patches as well, at least in the interim) We should move contrib projects to semver, following core's lead We want to preserve our familiar understanding of maintainership We want to avoid forked code and forked conversation We want to ensure the security team still has the tools they need to provide their service to the community We also know that whatever decision is made, these changes cannot happen all at once. We'll need to take a progressive approach to the implementation, and focus on the parts of the stack that need to change together, so that we don't bite off more than we can chew. What options are being considered? At this time, the technical advisory committee is considering three options as they prepare to make their recommendation. The options are: GitLab, which offers both self-hosted and SaaS options; GitHub, which has recently been adding long-requested new features; or continuing to evolve our custom-built tooling, perhaps via issue workspaces. GitLab GitLab is the up-and-comer among Git hosts. GitLab can be self hosted using either their community or enterprise editions, or repositories can be hosted at GitLab.com. Though they recently stumbled, they have been notably open and transparent about their efforts to build a leading collaboration platform. Gitlab is itself open-source, and has just released its 9.0 edition. GitLab has aggressively pursued the latest in development tools and workflow features, including project management tools, a ui for merge conflict resolution with in-line commenting and cherry-picking, docker registries for projects, integration with CI tools, and even Gitter, an IRC alternative for real-time collaboration. GitHub For quite some time, GitHub was the only real player in git repository hosting outside of rolling a custom solution (as we did for Drupal.org). Over the years it has become the home of many open source projects, and while most of those don't match the sheer scale of Drupal in terms of codebase size and number of contributors, there are certainly [...]
Wed, 05 Apr 2017 22:03:27 +0000Drupal 8.3.0, the third minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility. Update: Drupal 8.3.1 is available and fixes a security vulnerability. You should update directly to 8.3.1 instead of 8.3.0. What's new in Drupal 8.3.0? This new version includes improvements to authoring experience, site administration, REST support, and a stable version of the BigPipe module. It also includes new experimental modules to abstract workflow functionality, to lay out content types differently (e.g. articles are two column vs. press releases are three column), and to provide a general layout API for contributed modules. Many smaller improvements for the experimental Content Moderation module are included as well. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.) Download Drupal 8.3.1 New and improved content authoring Drupal 8.3 ships with the updated CKEditor 4.6, which contains a host of improvements, including better paste from Word, and a new default skin that better matches Drupal's Seven administration theme. We've also added the AutoGrow plugin, to better utilize larger screen sizes. Quick editing images now supports drag and drop. Site building and administrative improvements Drupal 8.3 ships with a redesigned admin status report, to better surface important status messages for your site. Other incremental enhancements include: The Views listing page is now standardized with other administrative listings. The "Allowed HTML tags" input has been converted to a textarea, which significantly improves the usability of HTML filter configuration (and thereby makes it easier to configure filters securely.) The Content and People overview pages' Views filters have been rearranged to match the column order of the listing, for more intuitive filtering. Image fields are now limited to only accepting images, so that users on mobile clients are not offered a confusing and non-functional video upload option. BigPipe for perceived performance The Drupal 8 BigPipe module (now stable!) provides an advanced implementation of Facebook's BigPipe page rendering strategy, leading to greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. See the BigPipe documentation. allowfullscreen="" frameborder="0" height="329" src="https://www.youtube.com/embed/JwzX0Qv6u3A?rel=0" width="585"> The core BigPipe improvements introduced in 8.3.0 are also utilized by the Sessionless BigPipe contributed module to use the same technique for serving the first (yet uncached) response to anonymous visitors. Platform features for web services Drupal 8.3 continues to expand Drupal's support for web services that benefit decoupled sites and applications, with bug fixes, improved responses, and new features. It is now possible to register users from the REST API, 403 responses now return a reason why access was denied, for greatly improved developer experience, and anonymous REST API performance has been increased by 60% when utilizing the internal page cache. The REST API also got a massive overhaul of its test coverage. Experimental: Choose different form and view display layouts for your entity types The new experimental Field Layout module provides the ability for site builders to rearrange fields on content types, block types, etc. into new regions, for both the form and display, on the same forms provided by the normal field user interface. Field Layout also uses the new the Layout Discovery module, which provides an API for modules or themes to register layouts as well as five common default layouts. By providing this API in core, we help make it possible for core and contributed layout[...]
Fri, 31 Mar 2017 15:54:55 +0000This is a joint statement from project lead Dries Buytaert and Megan Sanicki, Drupal Association Executive Director. Over the last week, the Drupal community has been in a debate over the various decisions made by us in relation to long-time Drupal developer Larry Garfield. As with any such decisions, and especially due to the circumstances of this one, there has been controversy, misinformation and rumors, as well as healthy conversation and debate. Many people feel hurt, worried, and confused. The fact that this matter became very public and divisive greatly saddens all of us involved, especially as we can see the pain it has caused many. First off, we want to apologize for not responding sooner. We had to take a pause to process the community’s reaction. We also wanted to take the time to talk to community members to make sure all of the concerns were heard and understood. This was further complicated by the fact that we don't have a playbook for how to respond in unusual situations like this. We also want to acknowledge that our communication has not been as clear as it should be on this matter, and we are sorry for the added confusion. We want to thank all of the community members who stepped in to help. Many spent days helping other community members by listening, hosting discussions to foster healthy, respectful conversations, and more. You have helped many people and your caring acts reminded us once again why we love to serve the community and why it is so special. Over the last week, we talked to many people and read hundreds of posts in various channels. These are some of the things that we heard: People are afraid that they will be asked to leave the community because of their beliefs or sexual lifestyles. There are concerns about Drupal leadership playing "thought police" on what are and are not acceptable viewpoints to hold. People want to hear more about the timeline, information gathered, and how decisions were made. People don't understand why there weren’t any ramifications for those who participated in gathering information about Larry's private life. People believe Dries has too much authority. People believe that a decision this complex should not be made by a single individual. And we heard much more. We know this has been difficult for all involved. There is no quick solution to the current situation; it will take time to heal, but we want to make a start today by providing better insight into our decision-making process, answering questions with the FAQ found below, and by placing a call for improvements in our governance, conflict-resolution processes, and communication. Addressing community questions and concerns One of the main concerns that has been voiced is that a long-standing member of the Drupal community was removed, based solely on his beliefs being outside the "norm". We feel this is not representative of the situation. We want to strongly emphasize that Drupal is an open-minded and inclusive community, and we welcome people of all backgrounds. Our community’s diversity is something to cherish and celebrate as well as protect. We apologize for any anxiety we caused you and reiterate that our decision was not based on anyone’s sexual practices. Dries and Megan based their decisions on information from a variety of sources, including the Community Working Group and Larry himself. This information included: (a) reports, both formal and informal (b) some of Larry's online interactions, both on and off Drupal.org (c) information provided by Larry during subsequent discussions to get clarity (d) information from one or more members-only sites. It should be strongly noted that we do not condone the manner in which this last source of information was gathered by members of our community. Insights from this collection of information caused us to take action, particularly given Larry's prominent leadersh[...]
Mon, 27 Mar 2017 15:51:54 +0000
Thu, 23 Mar 2017 22:49:26 +0000
We understand that there is uncertainty and concern in the Drupal community about project founder, Dries Buytaert, asking Larry Garfield to leave the Drupal community, and about the Drupal Association removing Larry's DrupalCon sessions and ending his term as track chair.
We want to be clear that the decision to remove Larry's DrupalCon session and track chair role was not because of his private life or personal beliefs. The Drupal Association stands by our values of inclusivity. Our decision was based on confidential information conveyed in private by many sources. Due to the confidential nature of the situation we cannot and will not disclose any information that may harm any members of our community, including Larry.
This decision followed our established process. As the Executive Director, charged with safekeeping the goodwill of the organization, I made this decision after considering input from various sources including the Community Working Group (CWG) and Drupal Project Lead, Dries Buytaert. Upon Larry’s request for an appeal, the full board reviewed the situation, all the evidence, and statements provided by Larry. After reviewing the entirety of the information available (including information not in the public view) the decision was upheld.
In order to protect everyone involved we cannot comment more, and trust that the community will be understanding.
We do see that there are many feelings and questions around this DrupalCon decision and we empathize with those community members. We will continue to monitor comments. We are listening.
Update: 29 Mar 2017
Thank you for taking the time to share your thoughts, concerns, and questions. I wanted to reach back out and reaffirm that we are listening. In addition to watching the comments here, we are also listening in other places like the Drupal community Slack, IRC, and the community blog posts that have come to our attention. Your comments are being heard and they are helping us to be thoughtful about our next steps.
Wed, 22 Mar 2017 14:45:00 +0000This case study was written as a collaboration between Drupal Association staff and Technology Supporting Partner Distil Networks. Drupal.org is the home of one of the largest open source communities in the world. We've been online for more than 13 years and collectively we build the Drupal software, provide support, write documentation, share networking opportunities, and more. The open source spirit pushes the Drupal project forward, and new members are always welcome. It falls to us to maintain our community home and preserve the welcoming atmosphere that leads people to say,"Come for the code, stay for the community." As stewards of Drupal.org, it's our responsibility to give the community a voice and welcome everyone who wants to participate in the project. At the same time, there are bad actors who would take advantage of our open community and platform for abusive purposes. Drupal.org long-standing presence on the web has given it authority in the eyes of search engines. The site hosts millions of pages of content - all generated by our users. This combination of authority and open access for users to create content makes us a very high value target for phishers and spammers. Spam is a nuisance to our existing community, devalues our project to the newcomers we are hoping to welcome, and left unchecked could degrade our search presence. Challenges Spammers create bogus accounts to post their junk content Only registered members can post content to the Drupal.org website, so there's a continuous onslaught of actors attempting to create accounts for the purpose of inserting link spam and other bad content onto the site. In the past, we've implemented a variety of strategies such as content analysis, behavioral analysis, social moderation, and rate limiting. And while these measures have been effective at reducing some of the spam we've seen, the onslaught continues. The reason for that? Much of our attempted spam is not coming from bots. These are real people using tools to cloak their identity and manually creating accounts en masse. In many cases they may not even post junk content immediately. They will often sit on "sleeper" accounts waiting to be paid by somebody to promote malicious content. It's too time consuming to manually remove spam content Spam fighting is also a thankless task. All time spent fighting spam, whether by members of the engineering staff or our incredibly dedicated community volunteers, is time not spent on the project. Spam fighting has an opportunity cost that creates burn-out among staff and volunteers, and is not something we can afford to leave to manual moderation. Especially when it comes to our community volunteers– they want to spend their time helping people with Drupal technical questions, not deleting spam. Fake accounts and spam pollute the community engagement metrics There are 1.9 million user accounts in the Drupal.org database, but using this data to measure community engagement is challenging because of the number of spammer accounts that have been registered over the years. When we have to work around so many illegitimate accounts, it's difficult to determine metrics for community health such as if our legitimate user growth is increasing or decreasing. We need cleaner user account data to give us more reliable community metrics, and help us make informed decisions. The Solution Before reaching out to Distil Networks, Drupal.org relied primarily on two modules to help us fight spam. Mollom is a Drupal stand-by—a content analysis tool that looks at what users are posting and compares them against known bad actor patterns. This content analysis helps us identify and block new waves of spam patterns, but it doesn't prevent these waves from being posted in the first place. The second module we use is Honeypot, which uses a co[...]
Fri, 17 Mar 2017 22:12:13 +0000Any user on Drupal.org who has accepted our Git usage policy may now create full projects with releases. This is a big change in policy for the Drupal project, representing an evolution of the contribution ecosystem in the past half a decade. What was the Project Application Process? Ever since the days when Drupal's code was hosted in CVS there has been some form of project application process in the Drupal Community. To prevent duplicate, low-quality, insecure, or otherwise undesirable projects from flooding Drupal, users would submit sandbox projects to an application queue to be reviewed by a group of volunteers. After resolving any issues raised in this review process, the user would be given the git vetted role, allowing them to promote their sandbox to a full project, claim a namespace, and create releases. Once a user had been vetted for their first project, they would remain vetted and be able to promote any future projects on their own, without submitting an additional application. The Problem Unfortunately, though the project application process was created with the best of intentions, in the long term it proved not to be sustainable. Drupal grew too fast for a group of volunteer reviewers to keep up with reviewing new projects, and at times there were applications waiting in queue for 6 months to 1 year, or even more. That is much too slow in the world of software development. This put Drupal in a difficult situation. After years of subjecting new projects and contributors to a rigorous standard of peer review, Drupal has a well-deserved reputation for code quality and security. Unlike many open source projects, we largely avoided the problem of having many duplicate modules that exist to serve the same purpose. We unified our community’s effort, and kept up a culture of collaboration and peer review. At the same time, many would-be contributors were unable or unwilling to navigate the application process and so simply chose not to contribute. The question became, how could we preserve the emphasis on quality while at the same time removing the barrier to contribution that the application process had become? Constraints on a solution Opening the contribution gates while retaining strong signals about code quality and security was a tricky problem. We established three constraints on a solution: We need to welcome new contributors, and eliminate the walls that prevent contribution. We need to continue to send strong signals about security coverage to users evaluating whether to use modules from Drupal.org. We need to continue our strong emphasis on quality and collaboration through changes to project discovery that will provide new signals about code quality, and by providing incentives and credit for peer review. The Solution In collaboration with the community, the security team, members of the board, and staff we outlined a solution in four phases: Phase 1: Send strong signals about security advisory coverage. We updated project pages to include messaging and a shield icon to indicate whether a project received security advisory coverage from the security team. We now serve security advisory coverage information in the Updates status information provided by Drupal.org, and we're working on a patch to display that information directly on the updates page of users' Drupal sites. Here are some examples of what these security signals look like on project pages: If a project is not opted in to security advisory coverage, this message will appear at the top of the project page: And this one will appear near the download table: If a project has opted in, this message will appear near the download table: And covered releases will show the coverage icon (note how the stable 7.x release has coverage and the 8.x release candidate does not): Ph[...]
Wed, 15 Mar 2017 19:24:43 +0000Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download. Download Drupal 8.2.7 Update your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. See the 8.2.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release. Advisory ID: DRUPAL-SA-CORE-2017-001 Project: Drupal core Version: 8.x Date: 2017-March-15 Description Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377 When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass. Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379 Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID. Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381 A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution. This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed. You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments. Solution Update to Drupal 8.2.7 Reported by Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377 Casey Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379 Samuel Mortenson Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381 Timo Hilsdorf Fixed by Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377 László Csécsy Wim Leers Alex Pott of the Drupal Security Team Klaus Purer of the Drupal Security Team Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379 Samuel Mortenson Sascha Grossenbacher Remote code execution - Drupal 8 - Remote code execution -Moderately Critical - CVE-2017-6381 Klaus Purer Of the Drupal Security Team Mixologic Updates Updated the above text to link to the correct update directions. Contact and More Information The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [...]
Tue, 14 Mar 2017 16:16:26 +0000Republished from buytaert.net, please post your comments there. One of the key reasons that Drupal has been successful is because we always made big, forward-looking changes. As a result, Drupal is one of very few CMSes that has stayed relevant for 15+ years. The downside is that with every major release of Drupal, we've gone through a lot of pain adjusting to these changes. The learning curve and difficult upgrade path from one major version of Drupal to the next (e.g. from Drupal 7 to Drupal 8) has also held back Drupal's momentum. In an ideal world, we'd be able to innovate fast yet provide a smooth learning curve and upgrade path from Drupal 8 to Drupal 9. We believe we've found a way to do both! Upgrading from Drupal 8.2 to Drupal 8.3 Before we can talk about the upgrade path to Drupal 9, it's important to understand how we do releases in Drupal 8. With the release of Drupal 8, we moved Drupal core to use a continuous innovation model. Rather than having to wait for years to get new features, users now get sizeable advances in functionality every six months. Furthermore, we committed to providing a smooth upgrade for modules, themes, and distributions from one six-month release to the next. This new approach is starting to work really well. With the 8.1 and 8.2 updates behind us and 8.3 close to release, we have added some stable improvements like BigPipe and a new status report page, as well as experimental improvements for outside-in, workflows, layouts, and more. We also plan to add important media improvements in 8.4. Most importantly, upgrading from 8.2 to 8.3 for these new features is not much more complicated than simply updating for a bugfix or security release. Upgrading from Drupal 8 to Drupal 9 After a lot of discussion among the Drupal core committers and developers, and studying projects like Symfony, we believe that the advantages of Drupal's minor upgrade model (e.g. from Drupal 8.2 to Drupal 8.3) can be translated to major upgrades (e.g. from Drupal 8 to Drupal 9). We see a way to keep innovating while providing a smooth upgrade path and learning curve from Drupal 8 to Drupal 9. Here is how we will accomplish this: we will continue to introduce new features and backwards-compatible changes in Drupal 8 releases. In the process, we sometimes have to deprecate the old systems. Instead of removing old systems, we will keep them in place and encourage module maintainers to update to the new systems. This means that modules and custom code will continue to work. The more we innovate, the more deprecated code there will be in Drupal 8. Over time, maintaining backwards compatibility will become increasingly complex. Eventually, we will reach a point where we simply have too much deprecated code in Drupal 8. At that point, we will choose to remove the deprecated systems and release that as Drupal 9. This means that Drupal 9.0 should be almost identical to the last Drupal 8 release, minus the deprecated code. It means that when modules take advantage of the latest Drupal 8 APIs and avoid using deprecated code, they should work on Drupal 9. Updating from Drupal 8's latest version to Drupal 9.0.0 should be as easy as updating between minor versions of Drupal 8. It also means that Drupal 9 gives us a clean slate to start innovating more rapidly again. Why would you upgrade to Drupal 9 then? For the great new features in 9.1. No more features will be added to Drupal 8 after Drupal 9.0. Instead, they will go into Drupal 9.1, 9.2, and so on. To get the most out of this new approach, we need to make two more improvements. We need to change core so that the exact same module can work with Drupal 8 and 9 if the module developer uses the latest APIs. We also need to provide full data migration fr[...]
Mon, 13 Mar 2017 14:24:16 +0000
Join us at DrupalCon Baltimore from April 24-28 for a week of inspiration, networking, and learning. Meet Drupal experts and industry leaders who will share new ways to create digital experiences that delight customers, citizens, students, patients, and more.
The event offers programming for decision makers (CIO/Director) as well as digital teams (developers, project managers, site builders, content strategists). Be sure to check out these suggested sessions for both audiences.
Register today. Prices increase March 24th. Attendees can come for the week or just for a day. Plus, the Baltimore Convention Center is easy to reach - just 30 minutes from Baltimore Washington Airport and 15 minutes from the Amtrak Station.
We look forward to seeing you at DrupalCon Baltimore!
Thu, 09 Mar 2017 16:17:32 +0000Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. Drupal.org updates Industry Pages Launched After a great deal of preparation, user research, and content development we've launched the first three 'Drupal in your Industry' pages. These first three pages highlight the power of Drupal in Media and Publishing, Higher Education, and Government. Each of these pages uses geo-targeted content to reach audiences in: the Americas; Europe, the Middle East, and Africa; and the Asia Pacific, Australia and New Zealand regions. These pages are targeted at evaluators of Drupal in these specific industries. From our research, we've found that these evaluators typically have Drupal on their short list of technology choices, but are not familiar with how a complete solution is built on Drupal, and they're eager to see success stories from their industry peers. We'll be expanding on this initiative with additional industry pages as time goes on. Project Application Revamp In February we completed phases 1 and 2 of the Project Application Process Revamp. This has meant polishing up the security advisory coverage messages that are provided on project pages, adding a new field for vetted users to opt-in to advisory coverage for their projects, and adding security advisory coverage information to the updates xml served from Drupal.org. With these issues complete we'll be able to move forward with Phase 3 (opening the project promotion gates) and Phase 4 (improving code quality signals and incentivizing peer review) as we roll into March. [Author's note] The project application revamp hit a major milestone in early March with the completion of Phase 3. Now, any user who has accepted the git terms of service may now promote sandbox projects to full projects with releases, and the application process has been re-purposed for vetting users who want the ability to opt into security advisory coverage for their projects. Look for more information in our upcoming March post. 2017 Community Elections are Live On February 1 we opened self-nominations for one of the two community-at-large seats on the Drupal Association Board of Directors. At the time of this post, self-nominations have closed and now it's time to vote!. Each year we make incremental improvements to the elections process. This year we've allowed each candidate to present a short 'statement of candidacy' video - and we've updated the ballot to allow easy drag-and-drop ranking of candidates. Voting closes on March 18th, so make sure to vote soon! Documentation polish, and new "call-out" templates As the migration of content into the new documentation system continues, we've continued to polish and improve the tools. In February we made a few small improvements including: help text for maintainers and fixes for links to the discuss page in email notifications. We also made one large improvement: Call-out templates for highlighting warning information or version-specific notes within a documentation page. These templates are available using the CKEditor Templates button when editing any documentation page. The documentation editor may select from the 'Warning note' template, which will highlight cautionary information in a visually distinct orange section on the page, or the 'Version-specific note' template, which allows users to highlight information that may only be relevant to a specific minor release of Drupal. Here are two examples of what the call-outs will look like to a documentation reader. DrupalCI Coding standards testing DrupalCI continues to accelerate the pace of Drupal development as we [...]
Wed, 08 Mar 2017 00:04:43 +0000
The Engineering Team provides support to many community members and everyone at the Association. Every day, the team helps people who are at different stages of the Drupal adoption journey. As part of our membership campaign, we're taking a close look at how the team makes an impact throughout this cycle through the work to support a few different Association programs.
The team played a key role in the Industry Pages project—from conception to execution. The industry pages help decision makers see how Drupal achieves the vision Dries' set forth when he described Drupal as the platform for ambitious digital experiences.
The first three industry pages for media and publishing, higher education, and government are now on Drupal.org. These pages tell stories of success with Drupal for three verticals with geo-targeted content to show our global audience the solutions that are most meaningful to them. We plan to learn from this project and to expand into new verticals. By highlighting what Drupal can do for you, and connecting decision makers to service providers and industry peers, the industry pages are a powerful tool for leading the way to wider adoption.
The team is responsible for Drupal Jobs, the subsite dedicated to helping employers and job seekers connect for Drupal-related opportunities. Ever since Drupal Jobs launched in 2015, it has helped increase awareness of the Drupal project. As the pool of employers grows, so do the career opportunities. When more Drupal jobs are available, our ecosystem grows. Wider Drupal adoption becomes possible.
DrupalCon unites our global community and people who want to know more about the project. On the Events site, the engineering team supports everyone—event organizers who post content, speakers who submit sessions, and attendees who register using Drupal Commerce and CoD. With a great UX on con sites and fun theme implementation, we show users what Drupal can do for you.
As the adoption journey goes full circle and we see these efforts continue to help maintain and grow a strong ecosystem, we appreciate that you are coming along with us. To help sustain the work of the Drupal Association, join as a member. Thank you!
Mon, 06 Mar 2017 22:55:05 +0000
Voting is now open for the 2017 At-Large Board positions for the Drupal Association! If you haven't yet, check out the candidate profiles including their short videos found on the profile pages. Get to know your candidates, and then get ready vote.
How does voting work? Voting is open to all individuals who have a Drupal.org account by the time nominations open and who have logged in at least once in the past year.
To vote, you will rank candidates in order of your preference (1st, 2nd, 3rd, etc.). The results will be calculated using an "instant runoff" method. For an accessible explanation of how instant runoff vote tabulation works, see videos linked in this discussion.
Elections will be held from 6 March, 2017 through 18 March, 2017. During this period, you can review and comment on the candidate profiles.
Have questions? Please contact me: Megan Sanicki
Thu, 02 Mar 2017 23:20:11 +0000As you know, we've been highlighting the work of the Drupal Association Engineering Team during our membership campaign. Every day, this small team moves the needle forward so that we all have a better experience as users of Drupal.org. In this post, we explore how the team's recent work results in faster, less expensive Drupal development. Helping Drupal development move faster with DrupalCI DrupalCI testbots are the next generation of testing infrastructure for Drupal.org, funded by the Drupal Association and maintained by the Engineering team. For any project on the site, DrupalCI testing can be enabled from the Automated Testing link on the Project page. Every time a contribution to the Drupal project needs to be tested, DrupalCI spins up a testbot on AWS to test those changes. The DrupalCI testbots are helping Drupal contributors to test patches faster than ever before and they are more cost effective than our last generation testbots, both in price-per-test and in expense to maintain. In recent months, we've added a number of new features including: checkstyle testing to ensure code contributions adhere to Drupal coding standards automatic builds of vagrant boxes so you can easily use DrupalCI testing on your local machine updates to the PHP containers to make tests compatible with a variety of PHP versions and quite a few other improvements per the DrupalCI roadmap. We're proud to say that our work on DrupalCI has increased the speed of Drupal development, saving time and money! We'd also like to thank the volunteers who've helped us to bring this project to life: Mile23, jthorson, nick_schuch, dasrecht, ricardoamaro, mikey_p, chx, shyamala, webchick, and jhedstrom. Want to keep up with the engineering team? Subscribe to change notifications so you can see ongoing improvements. Making the greatest impact with member and donor funds with a leaner Drupal.org Drupal.org is more portable and maintainable because of updates in 2016 that streamline our infrastructure. We've virtualized the majority of the infrastructure and standardized on Debian 8 images. We've also updated our configuration and user management from Puppet 3 + LDAP to Puppet 4 + Hiera. Dev sites are more robust and we can create staging and development environments faster than before. All of this makes Drupal.org more cost-effective to run, easier to maintain, and increases our development velocity when we're working on new features to support the community. These efficiencies help to conserve membership and donor funds for other programs to help the Drupal community, like fiscal sponsorship for camps, and Community Cultivation Grants. Improving developers' lives by supporting Composer workflows for Drupal Composer is the defacto standard for managing dependencies in the PHP world. Over the course of 2016, the Drupal Association Engineering Team developed Composer endpoints for Drupal allowing Drupal developers to use Composer to manage dependencies, and allowing PHP developers at large to manage Drupal as part of their larger PHP projects in this standard workflow. Composer is a force multiplier for enterprise site owners and developers within the Drupal community and at large. By supporting Composer, we've further opened Drupal to the wider PHP community, thus bringing new people into the fold to contribute. A big thanks to everyone who helped with Composer: seldeak - the creator of Composer and Packagist.org, webflo - the creator and maintainer of http://packagist.drupal-composer.org, timmillwood, dixon_, badjava, cweagans, tstoeckler, mile23, and also Appnovation, who sponsored the[...]
Wed, 01 Mar 2017 16:50:13 +0000The first release candidate for the upcoming Drupal 8.3.0 release is now available for testing. Drupal 8.3.0 is expected to be released April 5. Download Drupal-8.3.0-rc1 8.3.x includes new experimental modules for workflows, layout discovery and field layouts; raises stability of the BigPipe module to stable and the Migrate module to beta; and includes several REST, content moderation, authoring experience, performance, and testing improvements among other things. You can read a detailed list of improvements in the announcements of alpha1 and beta1. What does this mean to me? For Drupal 8 site owners The final bugfix release of 8.2.x has been released. A final security release window for 8.2.x is scheduled for March 15, but 8.2.x will receive no further releases following 8.3.0, and sites should prepare to update from 8.2.x to 8.3.x in order to continue getting bug and security fixes. Use update.php to update your 8.2.x sites to the 8.3.x series, just as you would to update from (e.g.) 8.2.4 to 8.2.5. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.) For module and theme authors Drupal 8.3.x is backwards-compatible with 8.2.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.3.x, and test modules and themes with the release candidate now. For translators Some text changes were made since Drupal 8.2.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations. For core developers All outstanding issues filed against 8.2.x were automatically migrated to 8.3.x. Future bug reports should be targeted against the 8.3.x branch. 8.4.x will remain open for new development during the 8.3.x release candidate phase. For more information, see the release candidate phase announcement. Your bug reports help make Drupal better! Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet. [...]
Fri, 24 Feb 2017 21:59:10 +0000Did you know you have a say in who is on the Drupal Association Board? Each year, the Drupal community votes in a member who serves two years on the board. It’s your chance to decide which community voice you want to represent you in discussions that set the strategic direction for the Drupal Association. Go here for more details. Voting takes place from March 6 - March 18. Anyone who has a Drupal.org profile page and has logged in to their account in the last year is eligible to vote. This year, there are many candidates from around the world. Now it’s time for you to meet them. Meet the candidates We just concluded the phase where 13 candidates nominated themselves for the board seat. From now through March 4, 2017 we encourage you to check out each person’s candidate profile, where they explain which board discussion topics they are most passionate about and what perspectives they will bring to the board. This year, we asked candidates to include a short video - a statement of candidacy - that summarizes why you should vote for them. Be sure to check them out. Videos are found in the candidate’s profile as well as here: What To Consider When reviewing the candidates, it is helpful to know what the board is focusing on over the next year or two, so you can decide who can best represent you. Here are the key topics the board will focus on. Strengthening Drupal Association’s sustainability. The board discusses how the Association can improve its financial health while expanding its mission work. Understanding what the Project needs to move forward and determine how the Association can help meet those needs through Drupal.org and DrupalCon. Growing Drupal adoption through our own channels and partner channels. Developing the strategic direction for DrupalCon and Drupal.org. There are certain duties that a candidate must be able to perform as a board member. The three legal obligations are duty of care, duty of loyalty, and duty of obedience. In addition to these legal obligations, there is a lot of practical work that the board undertakes. These generally fall under the fiduciary responsibilities and include: Overseeing Financial Performance Setting Strategy Setting and Reviewing Legal Policies Fundraising Managing the Executive Director Hopefully providing this context gives you a helpful way to assess the candidates as you decide how to vote from March 6 - March 18. We encourage you to ask the candidates questions. Use comments to leave a question on their candidate profile page. [...]
Thu, 23 Feb 2017 17:25:00 +0000The Drupal Association Engineering Team delivers value to all who are using, building, and developing Drupal. The team is tasked with keeping Drupal.org and all of the 20 subsites and services up and running. Their work would not be possible without the community and the project would not thrive without close collaboration. This is why we are running a membership campaign all about the engineering team. These are a few of the recent projects where engineering team + community = win! Want to hear more about the work of the team, rather than read about it? Check out this video from 11:15-22:00 where Tim Lehnen (@hestenet) talks about the team's recent and current work. Leading the Documentation System migration We now have a new system for Documentation. These are guides Drupal developers and users need to effectively build and use Drupal. The new system replaces the book outline structure with a guides system, where a collection of pages with their own menu are maintained by the people who volunteer to keep the guides updated, focused, and relevant. Three years of work from the engineering team and community collaborators paid off. Content strategy, design, user research, implementation, usability testing and migration have brought this project to life. Pages include code 'call-outs' for point-version specific information or warnings. Thanks to the collaborators: 46 have signed up to be guide maintainers, the Documentation Working Group members (batigolix, LeeHunter, ifrik, eojthebrave), to tvn, and the many community members who write the docs! Enabling Drupal contribution everywhere Helping contributors is what we do best. Here are some recent highlights from the work we're doing to help the community: Users now have better profiles to make into Drupal résumés. Months of content strategy work resulted in a better communication plan, including improved user experience for newly registered users. Organization pages have expanded in scope to encourage more participants than just Drupal service providers. The organization list, new layout making case studies and contributions stand out, and a more robust contribution credit system are all helping to bring more contributors to the Drupal ecosystem. We're expanding the contribution credit system to include more types of contribution, and we'll keep working on improving the system with check-ins every 6 months. Our project to help contributors currently in development is revamping the project applications process. More on this soon on our blog. When a community need doesn't match our roadmap We have a process for prioritizing community initiatives so we can still help contributors. Thanks to volunteers who have proposed and helped work on initiatives recently, we've supported the launch of the Drupal 8 User guide and the ongoing effort to bring Dreditor features into Drupal.org itself. Thanks to the collaborators: jhodgdon, eojthebrave, and the contributors to the user guide. Thanks also to markcarver for the Dreditor effort. How to stay informed and support our work. The change list and the Drupal.org roadmap help you to see what the board and staff have prioritized out of the many needs of the community. You can help sustain the work of the Drupal Association by joining as a member. Thank you![...]
Fri, 17 Feb 2017 18:51:30 +0000
(image) Drupal.org is home of the Drupal project and the Drupal community. It has been continuously operating since 2001. The Engineering Team— along with amazing community webmasters— keeps Drupal.org alive and well. As we launch the first membership campaign of 2017, our story is all about this small and productive team.
Join us as we celebrate all that the engineering team has accomplished. From helping grow Drupal adoption, to enabling contribution; improving infrastructure to making development faster. The team does a lot of good for the community, the project, and Drupal.org.
Check out some of their accomplishments and if you aren't yet a Drupal Association member, join us! Help us continue the work needed to make Drupal.org better, every day.
Share these stories with others - now until our membership drive ends on March 8.
Thank you for supporting our work!
Tue, 14 Feb 2017 23:30:09 +0000We are excited to announce that the first three industry pages are now live on Drupal.org, highlighting the power of Drupal solutions in higher education, government and media/publishing. The pages are designed to quickly inform and inspire technical evaluators and connect them to service providers and technology vendors who can help them move further through their Drupal adoption journey. The Drupal Association is incredibly proud to showcase the Drupal community’s innovation, creativity, and ability to solve end users’ challenging problems. More importantly, these pages are a resource that Drupal businesses can point to as they convince potential clients that Drupal is the right choice for them. We know this is a needed resource not only because Drupal agencies have asked for this, but because our user research was resoundingly positive. One government digital director said “I wish this was around when I was pitching my state CIO on Drupal”. This launch is the first phase for this initiative. We will learn and iterate to keep improving the pages and we will expand the industries to include pages like healthcare, finance, ecommerce, and more. The Research We Used Building the industry pages was a community effort. Drupal Association staff framed the concept and then reached out to end-users of Drupal in these industries, service providers who've built solutions for these markets, and the community at large. We listened to all of you who shared your thoughts in the original blog post about this initiative. We conducted user research, interviewing decision makers and influencers at end user organizations to make sure the pages resonated strongly with them. We talked to organizations like Weather.com, Burda Media, State of North Carolina, Georgia Technology Authority, Duke University, Cornell University - and more! We also talked to people at agencies who pitch Drupal solutions all day long such as Acquia, Ashday, Blackmesh, Digital Echidna, FFW, Forum One, ImageX Media, Kwall, Lingotek, Lullabot, Palantir.net, Pantheon, and Phase2. We will continue to take feedback from our global community. Our goal is to keep iterating on these industry pages as we learn more. About The Pages The industry pages are part of the About Drupal section and they are promoted from the Drupal.org front page. The homepage of Drupal.org receives about 350,000 visits a month, and about 50% of those visitors are new to Drupal.org The front page is primarily technical evaluators coming to learn more about Drupal and we see this as they click on our evaluator resources like About Drupal, TryDrupal, and Case Studies. Based on user research, we know that before someone comes to the industry pages, they likely know that Drupal is an open source community-built CMS and their organization is leaning towards an open source solution. However, we did make sure the pages do not assume the visitor already knows what Drupal is, because some will find the page through search. Another key feature is geo-targeting. Currently, we serve localized content for the Americas, EMEA, and AP/Australia/New Zealand regions. This allows us to showcase case studies that will resonate to visitors based on their location. For example, on the Americas page, we highlight the Department of Energy - a U.S federal agency. In EMEA, we highlight City of London - a UK city, and in AP/Australia/New Zealand we highlight the State Revenue Office of Victoria, Australia - a federal agency. W[...]
Tue, 14 Feb 2017 16:42:33 +0000Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. Drupal.org updates Recognizing more types of contribution in the Drupal.org Marketplace We were very pleased to announce an expansion of the issue credit system into a broader contribution credit system which recognizes more than just code contributions for the purposes of ranking organizations in the marketplace. We now calculate the following 4 types of contribution into overall contribution credit: Issue credits — helping build the Drupal software happens in the issue queues. Issue credits remain the primary factor in ranking, and continue to be shown prominently. Issue credits on more widely used projects, like Drupal Core, will also receive greater weight in the ranking. Learn how to help in the issue queue Drupal 8 case studies — success stories show how Drupal is used across industries and the world, helping effectively introduce Drupal to more people. Learn how to write a case study Drupal Association Supporter Programs and Organization Membership — our partners and members help us build and maintain Drupal.org. Learn about supporter programs and organization membership Projects supported — the work to maintain a project sometimes happens outside of issues. Project maintainers can credit organizations which help provide time and sponsorship. Learn more about crediting project contributions User research for the upcoming industry pages In a previous blog post on Drupal.org, we talked about our increasing focus on the adoption journey and our plans to create industry specific landing pages on Drupal.org. In January we did extensive user research with people in media and publishing, higher education, and government, which will be the first industries we promote. We're hoping to launch these pages very soon, so keep an eye on the home page. Preparing for community elections for the Drupal Association board The elections process for the community seats on the Drupal Association board kicks off with self-nominations in February each year. This means that we dedicated some time in January to making small refinements and improvements to the nomination process. In particular we've added more in-context educational materials about the board to the self-nomination form, including a video by executive director Megan Sanicki. We've also refined our candidate questions to help candidates express their unique qualifications. If you're interested in bringing your perspective to the Drupal Association board, please nominate yourself. Membership history messaging To make it easier for members to understand their membership history, we've added new messaging to the membership join and renew pages. Users who go to join or renew their Drupal Association membership will now see a message indicating their current membership expiration date, their last contribution amount, a link to contribute again, and their auto-renewal status. Migration of Drupal Association content to Drupal.org In January we also migrated the majority of content from assoc.drupal.org to a new section on Drupal.org itself. This effort is part of our larger content restructure initiative. By moving Drupal Association content into Drupal.org we hope to increase discoverability of information about the DA, and create a tighter integration between Drupal Association news and the fron[...]
Fri, 27 Jan 2017 20:11:57 +0000Now that Drupal 8 is a year old, it is an exciting time to be on the Drupal Association Board. With Drupal always evolving, the Association must evolve with it so we can continue providing the right kind of support. And, it is the Drupal Association Board who develops the Association’s strategic direction by engaging in discussions around a number of strategic topics throughout their term. As a community member, you can be part of this important process by becoming an At-large Board Member. We have two At-large positions on the Association Board of Directors. These positions are self-nominated and then elected by the community. Simply put, the At-large Director position is designed to ensure there is community representation on the Drupal Association Board. If you are interested in helping shape the future of the Drupal Association, we encourage you to read this post and nominate yourself between 1 February and 19 February 2017. How do nominations and elections work? Specifics of the election mechanics were decided through a community-based process in 2012 with participation by dozens of Drupal community members. More details can be found in the proposal that was approved by the Drupal Association Board in 2012 and adapted for use this year. What does the Drupal Association Board do? The Board of Directors of the Drupal Association are responsible for financial oversight and setting the strategic direction for serving the Drupal Association’s mission, which we achieve through Drupal.org and DrupalCon. Our mission is: Drupal powers the best of the Web. The Drupal Association unites a global open source community to build and promote Drupal. New board members will contribute to the strategic direction of the Drupal Association. Board members are advised of, but not responsible for matters related to the day-to-day operations of the Drupal Association, including program execution, staffing, etc. Directors are expected to contribute around five hours per month and attend three in-person meetings per year (financial assistance is available if required). Association board members, like all board members for US-based organizations, have three legal obligations: duty of care, duty of loyalty, and duty of obedience. In addition to these legal obligations, there is a lot of practical work that the board undertakes. These generally fall under the fiduciary responsibilities and include: Overseeing Financial Performance Setting Strategy Setting and Reviewing Legal Policies Fundraising Managing the Executive Director To accomplish all this, the board comes together three times a year during two-day retreats. These usually coincide with the North American and European DrupalCons as well as one February meeting. As a board member, you should expect to spend a minimum of five hours a month on board activities. Some of the topics that will be discussed over the next year or two are: Strengthening Drupal Association’s sustainability Understanding what the Project needs to move forward and determine how the Association can help meet those needs through Drupal.org and DrupalCon Growing Drupal adoption through our own channels and partner channels Developing the strategic direction for DrupalCon and Drupal.org And more! Please watch this video to learn more. Who can run? There are no restrictions on who can run, and only self-nominations are accepted. Before self-nominating, we want candidat[...]
Wed, 25 Jan 2017 00:04:24 +0000Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. Our December update comes to you a bit later than our usual monthly posts, for all the usual practical reasons: holidays, vacations, and our staff retreat in early January. But also, because we've been reflecting on the past year, and planning for the year to come. You'll soon hear about our initiatives for 2017, but for now— let's dive into what we did in December. Drupal.org updates DrupalCon Baltimore At the beginning of December we launched the full site for DrupalCon Baltimore, which is coming up April 24-28. For the first time, we launched the full event site including the call for papers, scholarship applications, and registration all on the same day. Early bird pricing is available for a limited time, so we encourage you to register today. Stable release of the Composer Façade Drupal.org's support for Composer has been in development since the beginning of last year. We released the public alpha of our composer endpoints at DrupalCon New Orleans, and then entered beta over the course of this past summer. After a period of feedback, bug fixes, and further refinement with the help of core and contrib developers we announced the stable release of Drupal.org's composer support on December 21st. We'd like to thank the following community members for their help with this initiative: seldeak, webflo, timmillwood, dixon_, badjava, cweagans, tstoeckler, and mile23. We'd also like to thank Appnovation for sponsoring our initial Composer support work. Improved messaging for new users One of the innovations of Drupal.org's online community that we introduced about 2 years ago, is the process by which new users get confirmed by trusted users. As a user of Drupal.org, you know that when you see a new user with a 'confirm' button under their user icon, you can check their recent activity and help confirm for us that they're a real user (not a bot or spammer who managed to slip through). However, we received some feedback from recently registered users, that this process was too opaque. New users did not have enough guidance to understand that they can only perform a sub-set of site activities until another user confirms them. After hearing this feedback, we spent some time in December improving the messaging tonew users when they first sign up on Drupal.org— so they can better understand how to become confirmed. DrupalCI refactored and updated to use composer In December we also completed a refactor of DrupalCI and updated the testing system to use Composer when testing Drupal. This means we can now test projects with external composer dependencies on Drupal.org. Other new features and bugfixes include: more available test artifacts; dependency changes can now be submitted in patches to composer json; the test runner produces a build file that can be downloaded and run locally to re-execute any test verbatim. There are more added features as well.. This work has continued into January, particularly around making more testing environments available, and adding new test types (such as code sniffer). Look for additional updates in the upcoming January report. Special thanks to mile23 for collaborating with us on this work. Jenkins upgraded to better manage our EC2 Instances The cost of automated[...]
Tue, 17 Jan 2017 05:00:00 +0000
The Drupal Community Working Group is pleased to announce that nominations for the 2017 Aaron Winborn Award are now open. This annual award recognizes an individual who demonstrates personal integrity, kindness, and above-and-beyond commitment to the Drupal community. It will include a scholarship and stipend to attend DrupalCon and recognition in a plenary session at the event.
Nominations are open to not only well-known Drupal contributors, but also people who have made a big impact in their local or regional community. If you know of someone who has made a big difference to any number of people in our community, we want to hear about it.
This award was created in honor of long-time Drupal contributor Aaron Winborn, whose battle with Amyotrophic lateral sclerosis (ALS) (also referred to as Lou Gehrig's Disease) came to an end on March 24, 2015. Based on a suggestion by Hans Riemenschneider, the Community Working Group, with the support of the Drupal Association, launched the Aaron Winborn Award.
Nominations are open until March 1, 2017. A committee consisting of the Community Working Group members and past award winners will select a winner from the submissions. Members of this committee and previous winners are exempt from winning the award.
Previous winners of the award are:
* 2015: Cathy Theys
* 2016: Gábor Hojtsy
If you know someone amazing who should benefit from this award please nominate them at https://www.drupal.org/aaron-winborn-award
Sun, 15 Jan 2017 19:18:51 +0000
Like last year around this date, it is the time of year where we predict what the future wil bring for Drupal. Will decoupled Drupal get a head start? Wil chatbots be written in Drupal, will our tool fuel the Internet of Things, will the Whitehouse still run Drupal and will there be an IPO of a Drupal company?
Time to put your predictions, deep thoughts and even deeper thoughts online, and post them as a comment here. And in case you lack inspiration, see the previous predictions for 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 and 2016.
Thu, 12 Jan 2017 20:56:05 +0000Within weeks of introducing the contribution credit system on Drupal.org we realized we had created something powerful. Like all open source projects, Drupal has a behind-the-scenes economy of contribution in which individuals, organizations, and end users work together to maintain the software as a public good. That behind-the-scenes economy was brought to the fore when we chose to rank the Drupal Marketplace by issue credits. For the first time, Drupal.org gave businesses a direct financial incentive to contribute code. Being good stewards of these incentives is a sobering responsibility, but also a great opportunity. We can use this system to recognize the selfless effort of our community volunteers, to reward the organizations that sponsor their employees' time to give back to the project, and to connect end-users with the organizations that are the biggest contributors. But as we often say in this community—contribution is more than code. It is the time provided by dedicated volunteers; the talent of community organizers, documentation maintainers, and developers; and the treasure provided by organizations that sponsor Drupal events and fund the operations and infrastructure that maintain the project. What are we changing? We’re updating the ranking algorithm for Drupal.org’s Marketplace of service providers and list of all organizations in the Drupal ecosystem. We've expanded on the issue credit system to create a more generic contribution credit system which lets us recognize more types of contribution. Each type of contribution is now weighted to give the organization an overall amount of contribution credit. We've built this system so that we can continuously evolve the incentives it creates by adjusting the weight given to each type of contribution as the project's needs change. To prevent gaming, we will not be publishing the exact weights or total contribution score, but those weights have been reviewed by the Association Board and Community Working Group. We've carefully chosen a few new types of contribution to factor into the ranking. These were selected because they create incentives to reach specific goals: encouraging organizations to sponsor development of Drupal, gathering more Drupal 8 success stories that can be used to promote Drupal adoption, and recognizing the financial contributions that promote the fiscal health of the Drupal association. We now calculate the following 4 types of contribution into overall contribution credit: Issue credits — helping build the Drupal software happens in the issue queues. Issue credits remain the primary factor in ranking, and continue to be shown prominently. Issue credits on more widely used projects, like Drupal Core, will also receive greater weight in the ranking. Learn how to help in the issue queue Drupal 8 case studies — success stories show how Drupal is used across industries and the world, helping effectively introduce Drupal to more people. Learn how to write a case study Drupal Association Supporter Programs and Organization Membership — our partners and members help us build and maintain Drupal.org. Learn about supporter programs and organization membership Projects supported — the work to maintain a project sometimes happens outside of issues. Project maintainers can credit organi[...]
Fri, 06 Jan 2017 17:49:54 +0000Republished from buytaert.net Nine months ago I wrote about the importance of improving Drupal's content workflow capabilities and how we set out to include a common base layer of workflow-related functionality in Drupal 8 core. That base layer would act as the foundation on which we can build a list of great features like cross-site content staging, content branching, site previews, offline browsing and publishing, content recovery and audit logs. Some of these features are really impactful; 5 out of the top 10 most requested features for content authors are related to workflows (features 3-7 on the image below). We will deliver feature requests 3 and 4 as part of the "content workflow initiative" for Drupal 8. Feature requests 5, 6 and 7 are not in scope of the current content workflow initiative but still stand to benefit significantly from it. Today, I'd like to provide an update on the workflow initiative's progress the past 9 months. The top 10 requested features for content creators according to the 2016 State of Drupal survey. Features 1 and 2 are part of the media initiative for Drupal 8. Features 3 and 4 are part of the content workflow initiative. Features 5, 6 and 7 benefit from the content workflow initiative. Configurable content workflow states in Drupal 8.2 While Drupal 8.0 and 8.1 shipped with just two workflow states (Published and Unpublished), Drupal 8.2 (with the the experimental Content moderation module) ships with three: Published, Draft, and Archived. Rather than a single 'Unpublished' workflow state, content creators will be able to distinguish between posts to be published later (drafts) and posts that were published before (archived posts). The 'Draft' workflow state is a long-requested usability improvement, but may seem like a small change. What is more exciting is that the list of workflow states is fully configurable: you can add additional workflow states, or replace them with completely different ones. The three workflow states in Drupal 8.2 are just what we decided to be good defaults. Let's say you manage a website with content that requires legal sign-off before it can be published. You can now create a new workflow state 'Needs legal sign-off' that is only accessible to people in your organization's legal department. In other words, you can set up content workflows that are simple (like the default one with just three states) or that are very complex (for a large organization with complex content workflows and permissions). This functionality was already available in Drupal 7 thanks to the contributed modules like the Workbench suite. Moving this functionality into core is useful for two reasons. First, it provides a much-requested feature out of the box – this capability meets the third most important feature request for content authors. Second, it encourages contributed modules to be built with configurable workflows in mind. Both should improve the end-user experience. Support for different workflows in Drupal 8.3 Drupal 8.3 (still in development, planned to be released in April of 2017) goes one step further and introduces the concept of multiple types of workflows in the experimental Workflows module. This provides a more intuitive way to set up different workflows for different content typ[...]