Subscribe: drupal.org
http://drupal.org/rss.xml
Added By: Feedage Forager Feedage Grade A rated
Language: English
Tags:
content  core  drupal drupal  drupal  layout  media  module  modules  new  people  release  security  site  sites  update 
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: drupal.org

Drupal.org



Come for the software, stay for the community Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.



 



Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Wed, 18 Apr 2018 15:34:09 +0000

Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription:  CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses). We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window. Solution: If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7. The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable. If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site. Reported By: Kyaw Min Thein Fixed By: Marek Lewandowski of the CKEditor team Wiktor Walc of the CKEditor team Wim Leers xjm Of the Drupal Security Team Lee Rowlands of the Drupal Security Team Daniel Wehner Hai-Nam Nguyen Matthew Grill [...]



Dries Buytaert Shares His View on Decoupled Drupal: When, Why, and How

Mon, 16 Apr 2018 18:04:33 +0000

The following blog was written by Drupal Association Signature Hosting Supporter, Acquia.  More and more developers are choosing content-as-a-service solutions known as decoupled CMSes, and due to this trend, people are asking whether decoupled CMSes are challenging the market for traditional CMSes. By nature, decoupled CMSes lack end-user front ends, provide few to no editorial tools for display and layout, and as such leave presentational concerns almost entirely up to the front-end developer. Luckily, Drupal has one crucial advantage that propels it beyond these concerns of emerging decoupled competitors. Join Dries Buytaert, founder of Drupal and CTO at Acquia, as he shares his knowledge on how Drupal has an advantage over competitors, and discusses his point-of-view on why, when, and how you should implement decoupled Drupal. Dries will touch on: His thoughts on decoupled CMSes - where is the CMS market headed and when? His opinion on whether decoupled CMSes will replace traditional CMSes The advantages of decoupled Drupal vs. emerging decoupled competitors Considerations when determining if decoupled Drupal is right for your project Click here to watch the webinar. Dries Buytaert CHAIRMAN, CHIEF TECHNOLOGY OFFICERACQUIA, INC. Dries Buytaert is an open source developer and technology executive. He is the original creator and project lead for Drupal, an open source platform for building websites and digital experiences. Buytaert is also co-founder and chief technology officer of Acquia, a venture-backed technology company. Acquia provides an open cloud platform to many large organizations, which helps them build, deliver and optimize digital experiences. A Young Global Leader at the World Economic Forum, he holds a PhD in computer science and engineering from Ghent University and a Licentiate Computer Science (MsC) from the University of Antwerp. He was named CTO of the Year by the Massachusetts Technology Leadership Council, New England Entrepreneur of the Year by Ernst & Young, and a Young Innovator by MIT Technology Review. He blogs frequently on Drupal, open source, startups, business, and the future at dri.es. LinkedIn Twitter https://www.acquia.com/resources/webinars/dries-buytaert-shares-his-view-decoupled-drupal-when-why-and-how?cid=7010c000002ZXzYAAW&ct=online-advertising&ls=drupalpremiumbenefits-dries&lls=pro_ww_drupalassociationpremiumbenefits_2018[...]



Implementation Guide on Headless and Decoupled CMS

Mon, 02 Apr 2018 21:03:18 +0000

The following blog was written by Drupal Association Signature Hosting Supporter, Acquia

(image)

The rapid evolution of diverse end-user clients and applications has given rise to a dizzying array of digital channels to support.

Websites in the past were built from monolithic architectures utilizing web content management solutions that deliver content through a templating solution tightly “coupled” with the content management system on the back-end.

Agile organizations crave flexibility, and strive to manage structured content across different presentation layers consistently in a way that’s scalable.

Accomplishing this efficiently requires that teams have flexibility in the front-end frameworks that dominate the modern digital landscape. That’s why decoupled and headless CMS is taking off. That’s why you’re here. But now you need the right technology to support the next phase of the web and beyond.

Download this eBook on headless and decoupled CMS




Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Wed, 28 Mar 2018 18:14:10 +0000

Project: Drupal coreDate: 2018-March-28Security risk: Highly critical 24∕25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:DefaultVulnerability: Remote Code Execution Description:  CVE: CVE-2018-7600 A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. The security team has written an FAQ about this issue. Solution: Upgrade to the most recent version of Drupal 7 or 8 core. If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.) If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.) Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update. If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply this patch. If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply this patch. This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above. This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.Reported By:  Jasper Mattsson Fixed By:  Jasper Mattsson Samuel Mortenson Provisional Drupal Security Team member David Rothstein of the Drupal Security Team Jess (xjm) of the Drupal Security Team Michael Hess of the Drupal Security Team Lee Rowlands of the Drupal Security Team Peter Wolanin of the Drupal Security Team Alex Pott of the Drupal Security Team David Snopek of the Drupal Security Team Pere Orga of the Drupal Security Team Neil Drumm of the Drupal Security Team Cash Williams of the Drupal Security Team Daniel Wehner Tim Plunkett Contact and more information The Drupal security team can be reached by email at security at drupal.org or via the contact form. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. [...]



Thunder, the Drupal 8 Distribution for Professional Publishing

Tue, 27 Mar 2018 23:41:58 +0000

Thunder is proud sponsor of the Media and Publishing Summit ahead of the DrupalCon in Nashville. Meet us on 9th April and during the DrupalCon to learn more about Thunder and how it is used in professional publishing. https://thunder.org/ Thunder is the Drupal 8 distribution for professional publishing. Thunder was designed by Hubert Burda Media and released as open-source software under the GNU General Public License in 2016. As members of the Thunder community, publishers, partners, and developers build custom extensions and share them with the community to further enhance Thunder. Thunder consists of the current Drupal 8 functionality, lots of handpicked publisher-centric modules with custom enhancements (our own Thunder Admin Theme, the Paragraphs module, the Media Entity module, the Entity Browser module, and lots more), and an environment which makes it easy to install, deploy and add new functionality (e.g. the Thunder Updater). To learn more about Thunder projects, read these case studies: German magazine Mein Schöner Garten (Gardening Magazine for Hubert Burda Media), US magazine American Heritage (American Heritage Magazine Migration – Drupal 8), and Serbian television and radio station PannonRTV (News portal for media house – PannonRTV). About the idea: We at the Thunder Core Team believe that publishers do not compete with each other through technology, but rather through content and brands. That is why the German publisher Hubert Burda Media established the Thunder community which aims to join forces among media companies by sharing code and innovation power. The goal is to innovate faster and spend less money overall by working together. The Thunder community’s core product is the open-source content management system Thunder. Community members develop useful modules, use them for their own purposes and share them with the community by publishing them under the GNU General Public License. Neither Hubert Burda Media nor the other publishers in the community charge anyone for their contributions. Any company publishing content professionally is welcome as a member of the Thunder community - both as user and as contributor. Anyone can join by contributing to the distribution. The usefulness and richness of Thunder’s functionality directly benefit from the number of contributors. Why Drupal was chosen:  For Burda, Drupal is the content management platform of choice. It is a free and open-source content-management framework written in PHP and distributed under the GNU General Public License. The standard Drupal core already provides the essential features, e.g. user management, menu management, RSS feeds, taxonomy, page layout customization, and system administration. It is easily adaptable and extensible with thousands of modules provided by a global community of users and developers. In addition, developers at Hubert Burda Media have had previous good experiences with Drupal. Drupal is therefore a tried and tested basis and has become even better with Drupal 8. Describe the project (goals, requirements and outcome):  Thunder started as a way to share innovation and synergies among the many different brands and products within the Burda Corporation to save costs and speed up the time to market. It did not take long until we realized that the model that worked within the very diverse Burda universe would be useful for almost all digital publishers. That was when we decided to open source the distribution. Due to its open source basis on Drupal 8, all features and functionality within Thunder are available to anyone wishing to benefit from Burda’s industry experience. Individual brands can add modules to tailor the system to their specific needs. Many of those “specific” customizations will prove to be valuable to more than just the organizations they originated from. We therefore designed Thunder in a way that we can easily incorporate those add-ons into the main distribution and sha[...]



Drupal 7 and 8 core highly critical release on March 28th, 2018 PSA-2018-001

Wed, 21 Mar 2018 19:13:16 +0000

  • Advisory ID: DRUPAL-PSA-2018-001
  • Project: Drupal Core
  • Version: 7.x, 8.x
  • Date: 2018-March-21

Description

There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 - 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.

While Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0. The Drupal security team strongly recommends the following:

  • Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.

The security advisory will list the appropriate version numbers for all three Drupal 8 branches. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

This will not require a database update.

Patches for Drupal 7.x and 8.3.x, 8.4.x, 8.5.x and 8.6.x will be provided.

The CVE for this issue is CVE-2018-7600. The Drupal-specific identifier for the issue is SA-CORE-2018-002.

The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

Journalists interested in covering the story are encouraged to email security-press@drupal.org to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory.

If you find a security issue, please report it at https://www.drupal.org/security-team/report-issue.

updated 2018-03-22: Added information about database updates

updated 2018-03-27: Added information about patches

updated 2018-03-28: Added information about CVE and identifiers




Drupal 8.5.0 is now available

Wed, 07 Mar 2018 21:51:41 +0000

What's new in Drupal 8.5.0? This new version makes Media module available for all, improves migrations significantly, stabilizes the Content Moderation and Settings Tray modules, serves dynamic pages faster with BigPipe enabled by default, and introduces a new experimental entity layout user interface. The release includes several very important fixes for workflows of content translations and supports running on PHP 7.2. Download Drupal 8.5.0 Media in core improved and available to all site builders In Drupal 8.4, we added a Media API to core that drew on work from the contributed Media Entity module, but the module was hidden from the user interface due to user experience issues. In Drupal 8.5, many of the usability issues have been addressed, and the module now can be enabled normally. Media in Drupal 8.5 supports uploading and playing audio and video files, as well as listing and reusing media. For an optimal user experience, we suggest enhancing the core feature set with the rich ecosystem of contributed modules that extends the core Media module. In future releases, we will improve the core user experience with a media library and other tools, add WYSIWYG integration, add support for remote media types like YouTube videos, and provide an upgrade path for existing basic File and Image field data on existing sites. Settings Tray and Content Moderation now stable Two experimental modules originally added with Drupal 8.2.0 have been steadily improving in past releases and are now stable. The Settings Tray module provides a quick solution to manage settings in context, such as moving items around in a menu block. The Content Moderation module allows defining content workflow states such as Draft, Archived, and Published, as well as which roles have the ability to move content between states. Drupal 8.5.0 also adds support for translations to be moderated independently. New experimental Layout Builder module The new experimental Layout Builder module provides display layout capabilities for articles, pages, user profiles, and other entity displays. Layout Builder uses the same "outside-in" user interface that Settings Tray module does, allowing site builders to edit their layouts on the actual page (rather than having to go to a separate form on the backend). The current user interface is a basic implementation but we expect it will improve significantly in the coming months. Big steps for migrations After over four years of work, this release marks the Migrate system's architecture stable. The Drupal Migrate and Drupal Migrate UI modules are also considered stable for upgrading monolingual sites. (Multilingual site upgrades are still not fully supported.) Support for incremental migrations is also included in this release. See the migrate announcement for further details on migrating to Drupal 8. BigPipe by default The BigPipe module provides an advanced implementation of Facebook's BigPipe page rendering strategy for greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. The module was added in Drupal 8.1.0 experimentally and became stable in Drupal 8.3.0. Following real-world testing, Big Pipe is now included as part of Drupal 8.5.0's Standard installation profile, so that all Drupal 8 sites will be faster by default. BigPipe is also the first new Drupal 8 feature to mature from an experimental prototype all the way to being part of a standard installation! Groundwork for a Drupal 8 "Out of the Box" demo Drupal 8.5.0 includes the groundwork for a new demo profile and theme from the Out of the Box Initiative, which will be a beautiful, modern demonstration of Drupal's capabilities. This will allow us to provide the demo experimentally, possibly in a future Drupal 8.5 release. (The demo profile and theme should not be used on actual production or development sites since no backwards compatibility or upgrade paths[...]



Big steps for migrations in Drupal 8.5.0

Wed, 07 Mar 2018 21:51:04 +0000

After over four years of work with over 570 contributors and 1300+ closed issues, Drupal 8.5.0 releases the Migrate system's architecture as fully stable. This means that developers can write migration paths without worrying for stability of the underlying system.

On top of that the Migrate Drupal and Migrate Drupal UI modules (providing Drupal 6 and 7 to Drupal 8 migrations) are considered stable for upgrading monolingual sites. All of the remaining critical issues for the Migrate Drupal module's upgrade paths and stability are related to multilingual migration support (so multilingual site upgrades are still not fully supported).

Support for incremental migrations is now also available, which means that site owners can work gradually on their new Drupal 8 site while content is still being added to the old site. When migrations (including incremental migrations) are run through the user interface, site owners will now see a warning if some data on the Drupal 8 site might be overwritten. (A similar fix for Drush is not yet available, so be careful not to overwrite data if you run a migration on the command line.) 

Upgrade instructions for Drupal 6 and Drupal 7 sites can be found in the Upgrading to Drupal 8 handbook. Your old site can still remain up and running while you test migrating your data into your new Drupal 8 site. If you happen to find a bug, that is not a known migrate issue, your detailed bug report with steps to reproduce is a big help!

Unlike previous versions, Drupal 8 stores translated content as single entities. Multilingual sites with reference fields (node_reference, entity_reference) or multilingual menus can upgrade to Drupal 8 using Drush, executing the desired migrations one by one. In this process you need to create and run a series of additional custom migrations to reflect the new entity identifiers assigned during earlier migrations. There is no automation implemented for this process yet.

Data can be migrated to Drupal 8 also from non-Drupal sources such as CSV, XML, JSON, or directly from 3rd party systems' databases. For instructions and examples, refer to Migrate API handbook.

Huge thanks again to all the contributors who made this possible.

(image)




Drupal 8.5.0-rc1 is available for testing

Mon, 26 Feb 2018 23:28:10 +0000

The first release candidate for the upcoming Drupal 8.5.0 release is now available for testing. Drupal 8.5.0 is expected to be released March 7. Download Drupal-8.5.0-rc1 8.5.x makes the Media module available for all, improves migrations significantly, stabilizes the Content Moderation and Settings Tray modules, serves dynamic pages faster with BigPipe enabled by default, and introduces the new experimental Layout Builder module. The release includes several very important fixes for workflows of content translations and supports PHP 7.2. Finally, 8.5.0-rc1 also includes the same security updates that are provided in 8.4.5. What does this mean to me? For Drupal 8 site owners Drupal 8.4.5, a security update and the final release of the 8.4.x series, has also been released this week. 8.4.x sites should update immediately to 8.4.5, but going forward, 8.4.x will receive no further releases following 8.5.0's release date, and sites should prepare to update from 8.4.x to 8.5.x in order to continue getting bug and security fixes. Use update.php to update your 8.4.x sites to the 8.5.x series, just as you would to update from (e.g.) 8.4.2 to 8.4.3. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.) If you're an early tester who is already running 8.5.0-alpha1 or 8.5.0-beta1, you should update to 8.5.0-rc1 immediately. 8.5.0-rc1 includes security fixes (the same fixes that were released in Drupal 8.4.5). Site owners should also take note of the fact that Drupal 8's support for PHP 5 will end in one year, in March 2019. PHP 7.2 is now the best recommended PHP version to use with Drupal 8. For module and theme authors Drupal 8.5.x is backwards-compatible with 8.4.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.5.x, and test modules and themes with the release candidate now. For translators Some text changes were made since Drupal 8.4.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations. For core developers All outstanding issues filed against 8.4.x were automatically migrated to 8.5.x. Future bug reports should be targeted against the 8.5.x branch. 8.6.x will remain open for new development during the 8.5.x release candidate phase. The 8.5.x branch will be subject to release candidate restrictions, with only critical fixes and certain other limited changes allowed. Your bug reports help make Drupal better! Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet. [...]



Remembering J-P Stacey

Mon, 26 Feb 2018 05:35:24 +0000

In 2017 we saw the passing of J-P, community friend, mentor, leader, and contributor. Within the community J-P's was known for his passions: Drupal, programming culture, gardening, cycling and the environment. We invited people to share their memories of J-P and his impact; we share them with you now in memoriam. This is a moving tribute and a celebration of his life. We invite you to also share your tributes in the comments section. J-P Stacey on the Tour de Drupal 2016 Photo by Christian Ziegler The person J-P was a bright intelligent, quirky chap, ADORED animals, he would melt at the mention of our pets names, he would happily spend hours cooing over stories of his beloved cat Indie, he'd oblige you in hours and hours of stories about your beloved animals - kae76 Whenever I was with JP he was always smiling. He was always there to help and it was always a pleasure to see JP at Drupal events and chat to him on IRC - aburrows Nice. My overriding memory of J-P is how nice he was. When he moved up to Sheffield and started attending the Yorkshire meetups he fitted right in straight away. He always found time to ask how people were doing and genuinely cared what they were saying. He was always patient, positive and happy to help others - kmbremner I remember first meeting J-P at DrupalCamp Oxford in 2012, when I had just started out running a small business and I remember thinking how much of a mad professor he looked, and discussing different parts of Oxford with him. The last time I saw J-P was sharing a meal with at DrupalCamp London 2017 near Euston. Both times J-P was actively seeking to engage people from the edges of the community (all the other Drupalists at the meal were freelancers or small businesses) and I know that was something he was highly instrumental at working with. I actually went back to that restaurant recently, and it seems slightly strange that I won't see J-P at another event - willhallonline J-P being present just simply makes you happy, such an open genuine chap. Always disappointment around if he can't attend a catch-up, and anticipation if you know he will be there. J-P, always the gentleman, honoured my poor jokes with a titter or a laugh, even if it first met with an understandable groan - waako I knew J-P, in that we participated together every year as mentors at the Friday Core Sprints at Drupalcon. Last year at Drupalcon Dublin, I asked J-P to be my "mentor mentor" because I was so impressed by his gentle and unruffled style. He organized the team at his table with exemplary grace and good humour. I was particularly struck by how quickly he gathered a group of enthusiastic people around him. Bye J-P, it was a true honour to have known you, if only once a year, in this particular context - michaellenahan He was *always* cheerful! - greg.harvey JP always took the time to talk to people and explain things to people who needed help. It's safe to say that helping people was a passion for JP - Ikit-claw I recall the Friday evening of Drupalcamp London 2017, J-P and I met at Old Street Station and travelled to Kings Cross to meet up with fellow Drupalists for a meal at the Diwana Bhel Poori house for a meal. The trip and the hour long wait there for the rest to join us was filled with fun and interesting conversation. We realised how much we had in common and made each other laugh. That plus stimulating conversation over great food I will remember for a long while - TechnoTim2010 The thing I will always remember best about J-P his determination to stick to his principles; be they in code, in process, in environmental matters or even his house and garden! It was so sweet on occasion to see him struggle when pragmatism meant they couldn’t always be followed but it constantly reminded me to try harder myself. I miss J-P but I know I’ll be[...]



Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

Wed, 21 Feb 2018 17:10:55 +0000

Project: Drupal coreVersion: 8.4.x-dev7.x-devDate: 2018-February-21Security risk: Critical 16∕25 AC:Basic/A:User/CI:Some/II:Some/E:Exploit/TD:DefaultVulnerability: Multiple Vulnerabilities Description: This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list. Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926 Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments. JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8 - CVE-2017-6927 Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output is not auto-escaped by either Drupal 7 or Drupal 8). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. Private file access bypass - Moderately Critical - Drupal 7 - CVE-2017-6928 When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations. jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7 - CVE-2017-6929 A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module. Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8 - CVE-2017-6930 When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability. This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records(). Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes. Settings Tray access bypass - Moderately Critical - Drupal 8 - CVE-2017-6931 The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module. External link injection on 404 pages when linking to the current page - Less Critical[...]



DrupalCamp London 2-4 Mar'18

Mon, 19 Feb 2018 19:45:30 +0000

The following blog was written by Drupal Association Premium Supporting Partner, DrupalCamp London. The people surrounding Drupal have always been one of its strongest selling points; hence the motto “Come for the code, stay for the community”. We bring individuals from a multitude of backgrounds and skill sets together to push forward towards a common goal whilst supporting and helping each other. Within the community, there are a number of ways to connect to each other; both online and in person. A good way to meet in person is by attending DrupalCons and DrupalCamps. DrupalCamps A DrupalCamp can be similar to a DrupalCon but is on a much smaller scale. Where a ‘Con has 1,600+ attendees a ‘Camp ranges anywhere from 50-600 people. In Europe alone there were over 50 camps in 2017, including DrupalCamp London. DrupalCamp London DrupalCamp London brings together hundreds of people from across the globe who use, develop, design, and support the Drupal platform. It’s a chance for Drupalers from all backgrounds to meet, discuss, and engage in the Drupal community and project. DrupalCamp London is the biggest camp in Europe (followed very closely by Kiev), at ~600 people over three days. Due to its size and location, we’re able to run a wide range of sessions, keynotes, BoFs, Sprints, and activities to take part in. What happens over the three days? Friday (CxO day) Friday (CxO day) is primarily aimed at business leaders who provide or make use of Drupal services (i.e web development agencies, training companies, clients etc), but naturally, everyone is welcome. Throughout the day we'll have speakers talking about their experiences working with Drupal and Open Source technologies in their sector(s) or personal life. With a hot food buffet for lunch and a free drinks reception at the end of the day, you'll also have ample time to network with the other attendees. Benefits of attending  Benefits for CTOs, CMOs, COOs, CEOs, Technical Directors, Marketing Directors and Senior Decision Makers:  Understand how leading organisations leverage the many benefits of Drupal Network with similar organisations in your sector Learn directly from thought leaders via specific case studies Saturday/Sunday (Weekend event) Over the weekend, we have 3 Keynote speakers, a choice of over 40 sessions to attend, BoF (Birds of a Feather) talks, Sprints, great lunch provided (both days) and a Saturday social. With all the activity there is something for everyone to get involved in. Benefits of attending  Networking  Over 500 people attended the weekend event last year and we are expecting it to grow even more this year. Not all attendees are devs either, with a fair share of managers, designers, C-Level, and UX leads there's a great opportunity for all skill sets to interact with each other. Big brands use Drupal (MTV, Visit England, Royal.gov, Guardian, Twitter, Disney) and this is a chance to meet with people from those companies to compare notes, and learn from each other.  Recruitment As above, the chance to meet so many people from various skill sets is a great way to line up potential interviews and hires for any aspect of your business. At the very least you'll be able to meet interesting people for any future potential hires.  Marketing & Raising company profile  Attending an event with a huge turnout is a great way to meet people and talk to them about what you and your company do. Embedding your name within the tight-knit Drupal community can attract the attention of other companies. Sponsoring the camp means that your logo and additional information can be seen around the camp, in tote bags given to attendees, and online. The social and sponsors stands are the perfect chance to talk to other companies and people attendin[...]



Predictions for 2018

Sun, 11 Feb 2018 16:35:38 +0000

We have had a tradition since 2005. Every new year we have a posting on the predictions for the year ahead for our beloved open source CMS and community. Sometimes this posting went up in december, sometimes in January. But never in February.

Time to start a new tradition, predict the year ahead from February on :-)

Leave a comment if you do think that blogging will get hip again, RSS will gain new ground. What will the roll of the Drupal Association be in the new year? Where will the next DrupalCon be? Will the community grow and in what direction? API first, customer first, mobile first?

Polish your crystal ball and tell us what the future of Drupal wil be.

If you need some inspiration, take a look at 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015.2016 and 2017.

And yes, this posting was once month late. Apologies. Feel free to predict when the new prediction posting will go up on d.o :-)




Creating a Living Style Guide with Open Social

Tue, 06 Feb 2018 20:06:11 +0000

The following blog was written by Drupal Association Signature Supporting Partner, Open Social by GoalGorilla. A living style guide - a way to control markup or CSS - has been making a name for itself. And for a good reason; they’re an important tool for web development. They keep developers in sync, communicate design standards, and help organize complex interfaces. In this post, I want to discuss how and why living style guides are important and how to implement one for Open Social using Drupal for software. We're using a living style guide because it serves as a valuable internal resource for development; we’re able to write reusable and consistent code that's easy to maintain. And it’s a great external resource for client deliverables. Ready to see how to make a living style guide work with Drupal software? Let’s go! Moving From Static to Dynamic We didn’t always rely on a living style guide. Open Social was built and maintained using different strategies such as component libraries and atomic designs. These strategies have advantages, such as reusability, facilitating collaboration within the team, and ensuring design consistency. There were, however, disadvantages to a static style of working. In the past, a component library or style guide was usually graphic-based. The designer would create a visual representation of a component (in PS or Sketch, for example) and then the front-end developer would transfer these visuals to HTML and CSS. This immediately meant double maintenance; for instance, if the markup or CSS changes, the graphics style guide would need to be updated to reflect this change and vice-versa. In our experience, the shelf life of these “static” systems is only a few iterations before the graphic version gets left behind and forgotten due to too much maintenance and not enough return. Yikes. This is why we decided that it was time for a change. What we needed what a more dynamic system: a living style guide. A Living Style Guide Is the Best Any style guide is better than none but a living style guide is the best. A living style guide consists of a single source of code, thankfully. The style guide’s markup, javascript, and CSS are the same as what was used in production. This provides a wide array of benefits. See below! Sharing design capabilities. Our team easily shares design capabilities between designers and front-end developers, which also benefits the backend developers and project managers who work with us. Less reliance on other team members. The developers refer to the style guide and reuse components for new features without being heavily reliant on the designers and front-end developers for implementation. Most importantly, the client benefits. The project manager offers new feature ideas and lower-cost solutions to the client, based on reusing and recombining existing components. Inevitably our clients benefit from this, especially when they begin thinking this way themselves. While this blog post focuses on how we work on Open Social enterprise projects, it is also an accurate reflection of working in the Drupal frontend nowadays. A quick google for “Drupal Living Style Guide” can give you some ideas about the current popularity, challenges, and general atmosphere surrounding the subject. In the next section of the blog, I will take you through the steps of setting up a living style guide with Open Social. Creating the Living Style Guide It’s important to note that this section assumes you have a copy of the Open Social distribution running locally on your development machine (here’s where you can install the Open Social distro if you’re looking for it). This demonstration uses a copy of the Social Blue theme, [...]



Has Drupal 8 Usage Hit a Tipping Point?

Mon, 22 Jan 2018 06:21:16 +0000

The following blog was written by Drupal Association Premium Technology Partner, Lingotek. It wasn’t a question of if, but a question of when and the Drupal.org weekly usage statistics are showing it’s happening now. Usage of Lingotek’s Drupal 8 Module finally caught up to and exceeded that of Drupal 7. Is this the tipping point? Is the community finally making the switch to the latest Drupal module? The Drupal.org Usage Statistics for Lingotek Translation provides information about the usage of the Lingotek Translation project--Lingotek - Inside Drupal 7 Module and the Lingotek - Inside Drupal 8 Module--with summaries across all versions and details for each release. It shows the week and the number of sites that reported using a given version of the project. The usage figures reflect the number of sites using the project/item that week. The results can give an idea of how popular the different projects are and may help users choose modules and themes for their own sites. The figures are an indicator of which modules are being used. Note: Only Drupal websites using the Update Status module are included in the data. In the past 6 months, the Drupal.org weekly statistics showed Drupal 7 usage was still going strong. There were twice as many users using the Drupal 7 version in April, May, June, July, August, and September. But starting in October, Drupal 8 usage began to tick upward. In the first week, only 269 reported using the D8 version. Then the momentum quickly shifted. By the second week of October, they were almost equal with 441 users of Drupal 7 and 420 using Drupal 8; they were a scant 19 users apart. Then came the tipping point. In the third week of October, Drupal 8 usage overtook that of Drupal 7. In a huge turnaround, 772 reported using Drupal 8 when compared to only 447 using Drupal 7. Since then, the gap narrowed somewhat, but regained a solid lead once again in early November with 894 D8 users and 416 using the D7 version. We’re predicting the lead is here to stay. The tipping point was inevitable. The support is likely the result of the growing need for localized content. Multilingual web content is critical to engage a global audience that wants to search, shop, and buy in their own language. The Drupal 8 version, with its built in multilingual capability, makes it easier than ever to create content for a global audience. The module supports translation of any content and configuration, including: Content entities - nodes, comments, messages, taxonomy terms and even paragraphs (including nested ones) Configuration entities - fields, blocks, taxonomy vocabularies, views, fields, etc. Configuration items - site name, system emails, etc. The Lingotek - Inside Drupal Module is the only Drupal module to integrate a Translation Management System directly into Drupal, allowing the Drupal community to use professional-grade translation technologies (e.g. machine translation, translation memory, CAT tool) without ever leaving the Drupal environment. It is built on Drupal's standard multilingual modules (Locale, content translation, entity translation, internationalization, etc.) and helps Drupal administrators, agencies, and web marketers get a Drupal site multilingual-ready within minutes, instead of days. Many Drupal users have strong opinions about which is better--Drupal 7 or Drupal 8, but one thing is clear: Drupal 8 is the future. The level of innovation and improved functionality available in each new release will be hard to ignore. These usage statistics reflect that the community has begun wholesale migration to Drupal 8 and that we’ve finally reached the tipping point.[...]



Happy seventeenth birthday Drupal

Mon, 15 Jan 2018 22:30:00 +0000

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Seventeen years ago today, I open-sourced the software behind Drop.org and released Drupal 1.0.0. When Drupal was first founded, Google was in its infancy, the mobile web didn't exist, and JavaScript was a very unpopular word among developers.

Over the course of the past seventeen years, I've witnessed the nature of the web change and countless internet trends come and go. As we celebrate Drupal's birthday, I'm proud to say it's one of the few content management systems that has stayed relevant for this long.

While the course of my career has evolved, Drupal has always remained a constant. It's what inspires me every day, and the impact that Drupal continues to make energizes me. Millions of people around the globe depend on Drupal to deliver their business, mission and purpose. Looking at the Drupal users in the video below gives me goosebumps.

allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/iHpPGGpxBEA?rel=0" width="640">

Drupal's success is not only marked by the organizations it supports, but also by our community that makes the project more than just the software. While there were hurdles in 2017, there were plenty of milestones, too:

  • At least 190,000 sites running Drupal 8, up from 105,000 sites in January 2016 (80% year over year growth)
  • 1,597 stable modules for Drupal 8, up from 810 in January 2016 (95% year over year growth)
  • 4,941 DrupalCon attendees in 2017
  • 41 DrupalCamps held in 16 different countries in the world
  • 7,240 individual code contributors, a 28% increase compared to 2016
  • 889 organizations that contributed code, a 26% increase compared to 2016
  • 13+ million visitors to Drupal.org in 2017
  • 76,374 instance hours for running automated tests (the equivalent of almost 9 years of continuous testing in one year)

Since Drupal 1.0.0 was released, our community's ability to challenge the status quo, embrace evolution and remain resilient has never faltered. 2018 will be a big year for Drupal as we will continue to tackle important initiatives that not only improve Drupal's ease of use and maintenance, but also to propel Drupal into new markets. No matter the challenge, I'm confident that the spirit and passion of our community will continue to grow Drupal for many birthdays to come.

Tonight, we're going to celebrate Drupal's birthday with a warm skillet chocolate chip cookie topped with vanilla ice cream. Drupal loves chocolate! ;-)

Note: The video was created by Acquia, but it is freely available for anyone to use when selling or promoting Drupal.




How to decouple Drupal in 2018

Fri, 12 Jan 2018 18:19:36 +0000

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post. In this post, I'm providing some guidance on how and when to decouple Drupal. Almost two years ago, I had written a blog post called "How should you decouple Drupal?". Many people have found the flowchart in that post to be useful in their decision-making on how to approach their Drupal architectures. Since that point, Drupal, its community, and the surrounding market have evolved, and the original flowchart needs a big update. Drupal's API-first initiative has introduced new capabilities, and we've seen the advent of the Waterwheel ecosystem and API-first distributions like Reservoir, Headless Lightning, and Contenta. More developers both inside and outside the Drupal community are experimenting with Node and adopting fully decoupled architectures. Let's start with the new flowchart in full: All the ways to decouple Drupal The traditional approach to Drupal architecture, also referred to as coupled Drupal, is a monolithic implementation where Drupal maintains control over all front-end and back-end concerns. This is Drupal as we've known it — ideal for traditional websites. If you're a content creator, keeping Drupal in its coupled form is the optimal approach, especially if you want to achieve a fast time to market without as much reliance on front-end developers. But traditional Drupal 8 also remains a great approach for developers who love Drupal 8 and want it to own the entire stack. A second approach, progressively decoupled Drupal, offers an approach that strikes a balance between editorial needs like layout management and developer desires to use more JavaScript, by interpolating a JavaScript framework into the Drupal front end. Progressive decoupling is in fact a spectrum, whether it is Drupal only rendering the page's shell and populating initial data — or JavaScript only controlling explicitly delineated sections of the page. Progressively decoupled Drupal hasn't taken the world by storm, likely because it's a mixture of both JavaScript and PHP and doesn't take advantage of server-side rendering via Node. Nonetheless, it's an attractive approach because it makes more compromises and offers features important to both editors and developers. Last but not least, fully decoupled Drupal has gained more attention in recent years as the growth of JavaScript continues with no signs of slowing down. This involves a complete separation of concerns between the structure of your content and its presentation. In short, it's like treating your web experience as just another application that needs to be served content. Even though it results in a loss of some out-of-the-box CMS functionality such as in-place editing or content preview, it's been popular because of the freedom and control it offers front-end developers. What do you intend to build? The most important question to ask is what you are trying to build. If your plan is to create a single standalone website or web application, decoupling Drupal may or may not be the right choice based on the must-have features your developers and editors are asking for. If your plan is to create multiple experiences (including web, native mobile, IoT, etc.), you can use Drupal to provide web service APIs that serve content to other experiences, either as (a) a content repository with no public-facing component or (b) a traditional website that is also a content repository at the same time. Ultimately, your needs will determine the usefulness of decoupled Drupal for your use case. There is no technical reason to decou[...]



Drupal 8 Content Migration: A Guide For Marketers

Tue, 09 Jan 2018 18:28:21 +0000

The following blog was written by Drupal Association Premium Supporting Partner, Phase2. If you’re a marketer considering a move from Drupal 7 to Drupal 8, it’s important to understand the implications of content migration. You’ve worked hard to create a stable of content that speaks to your audience and achieves business goals, and it’s crucial that the migration of all this content does not disrupt your site’s user experience or alienate your visitors. Content migrations are, in all honesty, fickle, challenging, and labor-intensive. The code that’s produced for migration is used once and discarded; the documentation to support them is generally never seen again after they’re done. So what’s the value in doing it at all? YOUR DATA IS IMPORTANT (ESPECIALLY FOR SEO!)  No matter what platform you’re working to migrate, your data is important. You’ve invested lots of time, money, and effort into producing content that speaks to your organization’s business needs. Migrating your content smoothly and efficiently is crucial for your site’s SEO ranking. If you fail to migrate highly trafficked content or to ensure that existing links direct readers to your content’s new home you will see visitor numbers plummet. Once you fall behind in SEO, it’s difficult to climb back up to a top spot, so taking content migration seriously from the get go is vital for your business’ visibility. Also, if you work in healthcare or government, some or all of your content may be legally mandated to be both publically available, and letter-for-letter accurate. You may also have to go through lengthy (read: expensive) legal reviews for every word of content on your sites to ensure compliance with an assortment of legal standards – HIPPA, Section 508 and WCAG accessibility, copyright and patent review, and more.   Some industries also mandate access to content and services for people with Limited English Proficiency, which usually involves an additional level of editorial content review (See https://www.lep.gov/ for resources).   At media organizations, it’s pretty simple – their content is their business! In short, your content is an business investment – one that should be leveraged. SO WHERE DO I START WITH A DRUPAL 8 MIGRATION? Like with anything, you start at the beginning. In this case that’s choosing the right digital technology partner to help you with your migration. Here’s a handy guide to help you choose the right vendor and start your relationship off on the right foot. Once you choose your digital partner content migration should start at the very beginning of the engagement. Content migration is one of the building blocks of a good platform transition. It’s not something that can be left for later – trust us on this one. It’s complicated, takes a lot of developer hours, and typically affects your both content strategy and your design. Done properly, the planning stages begin in the discovery phase of the project with your technology vendor, and work on migration usually continues well into the development phase, with an additional last-sprint push to get all the latest content moved over. While there are lots of factors to consider, they boil down to two questions: What content are we migrating, and how are we doing it? WHICH CONTENT TO MIGRATE You may want to transition all of your content, but this is an area that does bear some discussion. We usually recommend a thorough content audit before embarking on any migration adventure. You can learn more about website content audits here. Since most migration happens at a code &[...]



Kia ora DrupalSouth - stories, insights, Drupal

Wed, 13 Dec 2017 04:37:52 +0000

This month’s Drupal Spotlight is a Q&A snapshot from some amazing speakers and organisers behind the recent DrupalSouth in Auckland, New Zealand. We look in and beyond the code at the voices and perspectives of people  building in Drupal and influencing our community, including how they got into technology, and vision for the future. Please note: videos of the DrupalSouth presentations will be up in the New Year - we will let you know when they are up so you can come back and watch! Katie Graham Code | Lego | cats (or for a second opinion) Interested | introverted | innovator How did you get your start in technology? As a kid I was always interested in finding out how things worked so I was obsessed with computers from when I first encountered one when I was four or five. We got dial up internet when I was about 14 and I soon figured out how to create websites, later learning PHP and MySQL. I never wanted to get paid for developing websites as I thought it might make it less fun, but a few years later I ended up doing a design degree and it was there that everything came together and I realised that development is what I should be doing. I started using Drupal in the final year of my degree and haven’t looked back! As one of the organisers of this years DrupalSouth what is the number one tip you could give to people running Drupal events? There were certain areas that were a lot more work than I anticipated, for example, we received so many more session submissions than we were expecting, so it was quite overwhelming. I think it’s really important to have a solid core team organising the conference and a lot of helpers for things that need to be done closer to and during the conference. Shout out to the other organisers and everyone who helped us! I’d also say try to relax and enjoy the event itself if you can... You are the technical director for a New Zealand web company, looking forward how do you expect to see the skill set of the people you need to hire changing over the next five years? That’s a tricky one as it depends on the direction that technology heads in, as well as what our clients are after. These days we’re hiring people with much different skill sets than we were five years ago as we’ve moved from primarily creating websites to creating apps and business systems too, plus we’re using front end frameworks like Vue which didn’t exist five years ago. I think what will stay consistent is that I’ll be looking for people who want to continue learning and are happy to try new things. DrupalSouth organising team (and @Schnitzel!) Nicole Kirsch | Dave Sparks |  Michael Schmid | Pam Clifford  | Katie Graham | Morten Kjelstrup Rebecca Rodgers Passionate | honest | energetic  How did you get your start in technology? I kind of fell into it as a HR professional, I was the only one in my team that could translate what the users needed to the tech guys so they could understand it.  That led to a post-grad in online education before moving on to designing great employee experiences. You specialise in intranets, on day one of looking at an intranet build, what’s the most important advice you give to organisations and their staff when preparing for the journey? Don't try to tackle too much.  Take a user centred design approach by understanding your employee needs, create a strategy that takes those needs and the needs of the organisation into account and go from there.  Let the needs and strategy drive the project rather than the technology.  What’s a trend in intranets and adoption of digital [...]



Accelerate Drupal 8 by funding a Core Committer

Tue, 12 Dec 2017 16:44:13 +0000

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post. We have ambitious goals for Drupal 8, including new core features such as Workspaces (content staging) and Layout Builder (drag-and-drop blocks), completing efforts such as the Migration path and Media in core, automated upgrades, and adoption of a JavaScript framework. I met with several of the coordinators behind these initiatives. Across the board, they identified the need for faster feedback from Core Committers, citing that a lack of Committer time was often a barrier to the initiative's progress. We have worked hard to scale the Core Committer Team. When Drupal 8 began, it was just catch and myself. Over time, we added additional Core Committers, and the team is now up to 13 members. We also added the concept of Maintainer roles to create more specialization and focus, which has increased our velocity as well. I recently challenged the Core Committer Team and asked them what it would take to double their efficiency (and improve the velocity of all other core contributors and core initiatives). The answer was often straightforward; more time in the day to focus on reviewing and committing patches. Most don't have funding for their work as Core Committers. It's something they take on part-time or as volunteers, and it often involves having to make trade-offs regarding paying work or family. Of the 13 members of the Core Committer Team, three people noted that funding could make a big difference in their ability to contribute to Drupal 8, and could therefore help them empower others: Lauri 'lauriii' Eskola, Front-end Framework Manager — Lauri is deeply involved with both the Out-of-the-Box Experience and the JavaScript Framework initiatives. In his role as front-end framework manager, he also reviews and unblocks patches that touch CSS/JS/HTML, which is key to many of the user-facing features in Drupal 8.5's roadmap. Francesco 'plach' Placella, Framework Manager — Francesco has extensive experience in the Entity API and multilingual initiatives, making him an ideal reviewer for initiatives that touch lots of moving parts such as API-First and Workflow. Francesco was also a regular go-to for the Drupal 8 Accelerate program due to his ability to dig in on almost any problem. Roy 'yoroy' Scholten, Product Manager — Roy has been involved in UX and Design for Drupal since the Drupal 5 days. Roy's insights into usability best practices and support and mentoring for developers is invaluable on the core team. He would love to spend more time doing those things, ideally supported by a multitude of companies each contributing a little, rather than just one. Funding a Core Committer is one of the most high-impact ways you can contribute to Drupal. If you're interested in funding one or more of these amazing contributors, please contact me and I'll get you in touch with them. Note that there is also ongoing discussion in Drupal.org's issue queue about how to expose funding opportunities for all contributors on Drupal.org. [...]



Massachusetts launches Mass.gov on Drupal 8

Tue, 05 Dec 2017 16:04:18 +0000

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post. Earlier this year, the Commonwealth of Massachusetts launched Mass.gov on Drupal 8. Holly St. Clair, the Chief Digital Officer of the Commonwealth of Massachusetts, joined me during my Acquia Engage keynote to share how Mass.gov is making constituents' interactions with the state fast, easy, meaningful, and "wicked awesome". allow="encrypted-media" allowfullscreen="" frameborder="0" gesture="media" height="315" src="https://www.youtube.com/embed/dK4k2w7MZyY" width="560"> Constituents at the center Today, 76% of constituents prefer to interact with their government online. Before Mass.gov switched to Drupal it struggled to provide a constituent-centric experience. For example, a student looking for information on tuition assistance on Mass.gov would have to sort through 7 different government websites before finding relevant information. To better serve residents, businesses and visitors, the Mass.gov team took a data-driven approach. After analyzing site data, they discovered that 10% of the content serviced 89% of site traffic. This means that up to 90% of the content on Mass.gov was either redundant, out-of-date or distracting. The digital services team used this insight to develop a site architecture and content strategy that prioritized the needs and interests of citizens. In one year, the team at Mass.gov moved a 15-year-old site from a legacy CMS to Drupal. The team at Mass.gov also incorporated user testing into every step of the redesign process, including usability, information architecture and accessibility. In addition to inviting over 330,000 users to provide feedback on the pilot site, the Mass.gov team partnered with the Perkins School for the Blind to deliver meaningful accessibility that surpasses compliance requirements. This approach has earned Mass.gov a score of 80.7 on the System Usability Scale; 12 percent higher than the reported average. Open from the start As an early adopter of Drupal 8, the Commonwealth of Massachusetts decided to open source the code that powers Mass.gov. Everyone can see the code that make Mass.gov work, point out problems, suggest improvements, or use the code for their own state. It's inspiring to see the Commonwealth of Massachusetts fully embrace the unique innovation and collaboration model inherent to open source. I wish more governments would do the same! Congratulations Mass.gov The new Mass.gov is engaging, intuitive and above all else, wicked awesome. Congratulations Mass.gov! [...]



We have 10 days to save net neutrality

Tue, 05 Dec 2017 16:01:35 +0000

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post. Last month, the Chairman of the Federal Communications Commission, Ajit Pai, released a draft order that would soften net neutrality regulations. He wants to overturn the restrictions that make paid prioritization, blocking or throttling of traffic unlawful. If approved, this order could drastically alter the way that people experience and access the web. Without net neutrality, Internet Service Providers could determine what sites you can or cannot see. The proposed draft order is disheartening. Millions of Americans are trying to save net neutrality; the FCC has received over 5 million emails, 750,000 phone calls, and 2 million comments. Unfortunately this public outpouring has not altered the FCC's commitment to dismantling net neutrality. The commission will vote on the order on December 14th. We have 10 days to save net neutrality. Although I have written about net neutrality before, I want to explain the consequences and urgency of the FCC's upcoming vote. What does Pai's draft order say? Chairman Pai has long been an advocate for "light touch" net neutrality regulations, and claims that repealing net neutrality will allow "the federal government to stop micromanaging the Internet". Specifically, Pai aims to scrap the protection that classifies ISPs as common carriers under Title II of the Communications Act of 1934. Radio and phone services are also protected under Title II, which prevents companies from charging unreasonable rates or restricting access to services that are critical to society. Pai wants to treat the internet differently, and proposes that the FCC should simply require ISPs "to be transparent about their practices". The responsibility of policing ISPs would also be transferred to the Federal Trade Commission. Instead of maintaining the FCC's clear-cut and rule-based approach, the FTC would practice case-by-case regulation. This shift could be problematic as a case-by-case approach could make the FTC a weak consumer watchdog. The consequences of softening net neutrality regulations At the end of the day, frail net neutrality regulations mean that ISPs are free to determine how users access websites, applications and other digital content. It is clear that depending on ISPs to be "transparent" will not protect against implementing fast and slow lanes. Rolling back net neutrality regulations means that ISPs could charge website owners to make their website faster than others. This threatens the very idea of the open web, which guarantees an unfettered and decentralized platform to share and access information. Gravitating away from the open web could create inequity in how communities share and express ideas online, which would ultimately intensify the digital divide. This could also hurt startups as they now have to raise money to pay for ISP fees or fear being relegated to the "slow lane". The way I see it, implementing "fast lanes" could alter the technological, economic and societal impact of the internet we know today. Unfortunately it seems that the chairman is prioritizing the interests of ISPs over the needs of consumers. What can you can do today Chairman Pai's draft order could dictate the future of the internet for years to come. In the end, net neutrality affects how people, including you and me, experience the web. I've dedicated both my spare time and my professional career to the open web be[...]



Holistic Collaboration

Fri, 01 Dec 2017 20:44:24 +0000

The following blog was written by Drupal Association Premium Supporting Partner, Wunder Group. For the past couple of years I have been talking about the holistic development and operations environments at different camps. As this year’s highlight,  I gave  a session in DrupalCon Vienna around that same topic. The main focus of my talk has been on the improvement opportunities offered by a holistic approach, but there is another important aspect I’d like to introduce: The collaboration model. Every organization has various experts for different subject matters. Together these experts can create great things. As the saying goes “the whole is more than the sum of its parts”, which means there is more value generated when those experts work together, than from what they would individually produce. This however, is easier said than done.  These experts have usually worked within their own specific domains and for others their work might seem obscure. It’s easy to perceive them as “they’re doing some weird voodoo” while not realizing that others might see your work in your own domain the same way. Even worse, we raise our craft above all others and we look down at those who do not excel in our domain. How IT people see each other: But each competence is equally important. You can’t ignore one part and focus on the other. The whole might be greater than the sum of its parts, but the averages do factor in. Let's take for example a fictional project. Sales people do great job getting the project in, upselling a great design. The design team delivers and it gets even somehow implemented, but nobody remembered to consult the sysops. Imagine apple.com, the pinnacle of web design, but launched on this:   (Sorry for the potato quality).   Everything needs to be in balance. The real value added is not in the work everybody does individually, but in what falls in between. We need to fill those caps with cooperation to get the best value out of the work.  So how do you find the balance? The key to find balance and to get the most out of the group of experts is communication and collaboration. There needs to be active involvement from every part of the organization right from the start to make sure nothing is left unconsidered. The communication needs to stay active throughout the whole project. It is important to speak the same language. I know it’s easy to start talking in domain jargon. And every single discipline has their own. The terms might be clear to you, but remember that the other party might not have ever heard of it. So pay attention to the terms you use.  “Let's set the beresp ttl down to 60s when the request header has the cache-tag set for all the bereq uris matching /api/ endpoint before passing it to FastCGI” - Space Talk Instead of looking down to each other we should see others like they see themselves. Respect both their knowledge and the importance of their domain. How IT people should see each other:  (Sysadmins: not because we like to flip at everybody, but because Linus, the guy who can literally change the source code of the real world Matrix, the Web.)   Everybody needs to acknowledge the goal and work towards it together. Not just focus on their own area but also make sure their work is compatible with that of others. There needs to be a shared communications channel where everyone can reach each other. It should also be possible to communicate directly to those people who know best [...]



An update on the Workflow Initiative for Drupal 8.4/8.5

Wed, 22 Nov 2017 17:57:15 +0000

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post. Over the past weeks I have shared an update on the Media Initiative and an update on the Layout Initiative. Today I wanted to give an update on the Workflow Initiative. Creating great software doesn't happen overnight; it requires a desire for excellence and a disciplined approach. Like the Media and Layout Initiatives, the Workflow Initiative has taken such an approach. The disciplined and steady progress these initiative are making is something to be excited about. 8.4: The march towards stability As you might recall from my last Workflow Initiative update, we added the Content Moderation module to Drupal 8.2 as an experimental module, and we added the Workflows module in Drupal 8.3 as well. The Workflows module allows for the creation of different publishing workflows with various states (e.g. draft, needs legal review, needs copy-editing, etc) and the Content Moderation module exposes these workflows to content authors. As of Drupal 8.4, the Workflows module has been marked stable. Additionally, the Content Moderation module is marked beta in Drupal 8.4, and is down to two final blockers before marking stable. If you want to help with that, check out the Content Moderation module roadmap. 8.4: Making more entity types revisionable To advance Drupal's workflow capabilities, more of Drupal's entity types needed to be made "revisionable". When content is revisionable, it becomes easier to move it through different workflow states or to stage content. Making more entity types revisionable is a necessary foundation for better content moderation, workflow and staging capabilities. But it was also hard work and took various people over a year of iterations — we worked on this throughout the Drupal 8.3 and Drupal 8.4 development cycle. When working through this, we discovered various adjacent bugs (e.g. bugs related to content revisions and translations) that had to be worked through as well. As a plus, this has led to a more stable and reliable Drupal, even for those who don't use any of the workflow modules. This is a testament to our desire for excellence and disciplined approach. 8.5+: Looking forward to workspaces While these foundational improvements in Drupal 8.3 and Drupal 8.4 are absolutely necessary to enable better content moderation and content staging functionality, they don't have much to show for in terms of user experience changes. Now a lot of this work is behind us, the Workflow Initiative changed its focus to stabilizing the Content Moderation module, but is also aiming to bring the Workspace module into Drupal core as an experimental module. The Workspace module allows the creation of multiple environments, such as "Staging" or "Production", and allows moving collections of content between them. For example, the "Production" workspace is what visitors see when they visit your site. Then you might have a protected "Staging" workspace where content editors prepare new content before it's pushed to the Production workspace. While workflows for individual content items are powerful, many sites want to publish multiple content items at once as a group. This includes new pages, updated pages, but also changes to blocks and menu items — hence our focus on making things like block content and menu items revisionable. 'Workspaces' group all these individual elements (page[...]



An update on the Layout Initiative for Drupal 8.4/8.5

Wed, 15 Nov 2017 16:39:11 +0000

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post. Now Drupal 8.4 is released, and Drupal 8.5 development is underway, it is a good time to give an update on what is happening with Drupal's Layout Initiative. 8.4: Stable versions of layout functionality Traditionally, site builders have used one of two layout solutions in Drupal: Panelizer and Panels. Both are contributed modules outside of Drupal core, and both achieved stable releases in the middle of 2017. Given the popularity of these modules, having stable releases closed a major functionality gap that prevented people from building sites with Drupal 8. 8.4: A Layout API in core The Layout Discovery module added in Drupal 8.3 core has now been marked stable. This module adds a Layout API to core. Both the aforementioned Panelizer and Panels modules have already adopted the new Layout API with their 8.4 release. A unified Layout API in core eliminates fragmentation and encourages collaboration. 8.5+: A Layout Builder in core Today, Drupal's layout management solutions exist as contributed modules. Because creating and building layouts is expected to be out-of-the-box functionality, we're working towards adding layout building capabilities to Drupal core. Using the Layout Builder, you start by selecting predefined layouts for different sections of the page, and then populate those layouts with one or more blocks. I showed the Layout Builder in my DrupalCon Vienna keynote and it was really well received: allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/Hx4EEzI7aNE" width="560">8.5+: Use the new Layout Builder UI for the Field Layout module One of the nice improvements that went in Drupal 8.3 was the Field Layout module, which provides the ability to apply pre-defined layouts to what we call "entity displays". Instead of applying layouts to individual pages, you can apply layouts to types of content regardless of what page they are displayed on. For example, you can create a content type 'Recipe' and visually lay out the different fields that make up a recipe. Because the layout is associated with the recipe rather than with a specific page, recipes will be laid out consistently across your website regardless of what page they are shown on. The basic functionality is already included in Drupal core as part of the experimental Fields Layout module. The goal for Drupal 8.5 is to stabilize the Fields Layout module, and to improve its user experience by using the new Layout Builder. Eventually, designing the layout for a recipe could look like this: Layouts remains a strategic priority for Drupal 8 as it was the second most important site builder priority identified in my 2016 State of Drupal survey, right behind Migrations. I'm excited to see the work already accomplished by the Layout team, and look forward to seeing their progress in Drupal 8.5! If you want to help, check out the Layout Initiative roadmap. Special thanks to Angie Byron for contributions to this blog post, to Tim Plunkett and Kris Vanderwater for their feedback during the writing process, and to Emilie Nouveau for the screenshot and video contributions. [...]



An update on the Media Initiative for Drupal 8.4/8.5

Fri, 10 Nov 2017 15:49:06 +0000

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post. In my blog post, "A plan for media management in Drupal 8", I talked about some of the challenges with media in Drupal, the hopes of end users of Drupal, and the plan that the team working on the Media Initiative was targeting for future versions of Drupal 8. That blog post is one year old today. Since that time we released both Drupal 8.3 and Drupal 8.4, and Drupal 8.5 development is in full swing. In other words, it's time for an update on this initiative's progress and next steps. 8.4: a Media API in core Drupal 8.4 introduced a new Media API to core. For site builders, this means that Drupal 8.4 ships with the new Media module (albeit still hidden from the UI, pending necessary user experience improvements), which is an adaptation of the contributed Media Entity module. The new Media module provides a "base media entity". Having a "base media entity" means that all media assets — local images, PDF documents, YouTube videos, tweets, and so on — are revisable, extendable (fieldable), translatable and much more. It allows all media to be treated in a common way, regardless of where the media resource itself is stored. For end users, this translates into a more cohesive content authoring experience; you can use consistent tools for managing images, videos, and other media rather than different interfaces for each media type. 8.4+: porting contributed modules to the new Media API The contributed Media Entity module was a "foundational module" used by a large number of other contributed modules. It enables Drupal to integrate with Pinterest, Vimeo, Instagram, Twitter and much more. The next step is for all of these modules to adopt the new Media module in core. The required changes are laid out in the API change record, and typically only require a couple of hours to complete. The sooner these modules are updated, the sooner Drupal's rich media ecosystem can start benefitting from the new API in Drupal core. This is a great opportunity for intermediate contributors to pitch in. 8.5+: add support for remote video in core As proof of the power of the new Media API, the team is hoping to bring in support for remote video using the oEmbed format. This allows content authors to easily add e.g. YouTube videos to their posts. This has been a long-standing gap in Drupal's out-of-the-box media and asset handling, and would be a nice win. 8.6+: a Media Library in core The top two requested features for the content creator persona are richer image and media integration and digital asset management. The results of the State of Drupal 2016 survey show the importance of the Media Initiative for content authors. With a Media Library content authors can select pre-existing media from a library and easily embed it in their posts. Having a Media Library in core would be very impactful for content authors as it helps with both these feature requests. During the 8.4 development cycle, a lot of great work was done to prototype the Media Library discussed in my previous Media Initiative blog post. I was able to show that progress in my DrupalCon Vienna keynote: allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/S82paYMycNE" width="560">The Media Library work uses the new Media API in core. Now that the new Media AP[...]



Major League Soccer (MLS)

Wed, 01 Nov 2017 21:00:40 +0000

(image)

Multisite Drupal Migration to Score the Best Fan Experience

Major League Soccer (MLS Digital) is a professional soccer league representing the sport's highest level in both the United States and Canada. Since its initial season in 1996, the league has expanded to include 22 teams - 19 in the U.S. and 3 in Canada. The organization sought Phase2’s assistance to migrate each team’s site to a single Drupal 7 platform.

(image)
(image)

A Customized, Flexible, and Consistent Platform

Migrating 20 club sites onto a new platform while maintaining the legacy platform was no small task. MLS also needed highly sophisticated customization options based on each team’s design, content priorities, and site maintainers’ capabilities. Each site had to have the same code base and capabilities, but offer full flexibility for each team’s site owners. At the same time, each legacy site had to be supported as the migration took place over several months.

(image)
(image)

Learn more about Phase2 and Sports




5 Steps to Get Your Drupal Site Multilingual Ready

Wed, 01 Nov 2017 20:43:18 +0000

The following blog was written by Drupal Association Premium Technology Partner, Lingotek. Everyone is jumping on the localization bandwagon because it’s dawning on enterprises everywhere that creating site content in a customer’s language is one way to personalize their experience and improve engagement. That means more organizations are going to prioritize making their Drupal websites multilingual, so we’ve created a handy checklist to help you get ready. From Module Mayhem to Built-in Language Support Drupal 7 is a very stable and well-used content management platform and it supports a vast array of modules, but it wasn’t built with multilingual in mind. Making a Drupal 7 site multilingual can be a time-intensive process for developers. To address this issue, the Drupal community went to work to rebuild language support. Drupal 8 was created to understand language from the beginning. Custom or contributed modules or themes don’t have to understand language support--it’s already built in. Drupal 8 is a great platform to work with, not only because it is so multilingual capable out-of-the-box, but also because you can easily expand while maintaining the translatability of your data. The Drupal 8 multilingual core paves the way for more automation, more seamless workflows, and better publication management. Whether you use Drupal 7 or Drupal 8, every Drupal developer who works with contributed or custom modules designed for multilingual or non-English sites needs to know how to build the best integration possible. To make your path to global engagement and localization easier, we’ve created a checklist for getting your Drupal site multilingual ready in five steps. Step 1: Understand Your Site First step in your multilingual prep is to understand your site! Take a look at your customizations, nodes, fields, and modules so you have an idea of the size and scope of your multilingual prep. Let’s be honest though, most of us will never really know our sites completely. But that doesn’t mean you shouldn’t try. Start your multilingual readiness by taking a look at your theme, content, and modules. Step 2: Examine Your Theme Next step, review any customizations you have. Make sure all strings are wrapped in a t() function. You need to ensure both your base and sub-themes are multilingual ready. It helps if you use a well-established, multilingual-ready base theme like Zen, BootStrap3, etc. Step 3: Think About Your Content Figure out how many nodes are on your site and familiarize yourself with how and where they are used. Find out how many different content types you have and make note of diverse custom fields. The more types of content, the more complex your site translation will be. It’s also important to know how many languages are currently on the site, so check your node language settings. If they aren’t set up correctly, it can lead to translation barriers down the road. Step 4: Rein In Your Modules Find out how many modules are installed on your site. For multilingual, the fewer modules installed, the better! When it comes to contributed modules, you’ve got to rein them in. Too many modules can compromise functionality and interfere with site translation. Limit your modules to those that you really need and use. It’s best to have as few as you can (under 200). Be sure t[...]



Pinterest for Business

Tue, 31 Oct 2017 19:27:54 +0000

(image)

Elevating Global Brand and Driving Growth with Drupal 8

Working closely with the engineering and design teams at Pinterest, Phase2 architected a Drupal 8 system to elevate their global brand and drive growth via a new suite of marketing, business, and community sites.

(image)
(image)
(image)

Creating Truly Reusable Design Systems

Business.pinterest.com is the first in a series of marketing, business, and community sites that will help drive international growth for Pinterest. Ensuring that brand standards, design, and user experience are consistent across all properties is paramount.

A big component of this project was the integration of Pattern Lab Starter 8, Phase2's starter theme with Pattern Lab, which acts as the style guide, component library, and prototyping tool needed for a modern approach to theming. Pattern Lab Starter 8 uses Pattern Lab 2 and the same templating engine that powers Drupal 8: Twig.

(image)
(image)
(image)

By using the same templating engine, along with the help of the Component Libraries Drupal Module, the tool gives Drupal the ability to directly include, extend, and embed the Twig templates that Pattern Lab uses for its components without the need for template duplication.

This approach speeds up the entire development cycle and empowers Pinterest to create a consistent suite of marketing, business, and community sites.

Learn more about Phase2 and High Tech




Community Spotlight: Rwandan enthusiasm for Drupal causes big challenge

Wed, 18 Oct 2017 19:00:16 +0000

For Ildephonse Bikino (bikilde) of Rwanda, it was supposed to be an uneventful Drupal Global Training Day call-out; he expected 50 people but he got 388! Bikino began working to get local interest in Drupal, sharing information by creating a simple website and posting information about the trainings on groups.drupal.org and sharing it locally. Hoping to reach the room capacity of 50 people, the registrations came flowing in. “The venue, which is kLab, where I was expecting to run my first training, they only accommodate 50 people. And the channel I used to announce the training, I was not expecting too many people attending, but people ...shared my communication to different channels and in so many different ways. I was surprised to get more than 388 applications.” How do you deal with the logistics of training 388 people? That’s hard! Bikino was committed to the challenge. One session became eight over a number of weekends. Bikino made sure everyone got the opportunity to attend! Discovering Drupal Bikino's start with Drupal began commonly enough; through his job. Like many small teams, staff get mixed roles and he inherited the website role. His experience grew from there. In 2016 he had the opportunity to attend DrupalCon New Orleans via scholarship through the Drupal Association. This let him discover the global opportunities and connections that open source software and the Drupal community can provide. “My interest [in going to DrupalCon New Orleans] was to learn how thousands of people can just work together to deliver one single platform, how it works, and how people can really do it as volunteering work and through contributions. [The experience left me feeling that] I could really share that culture and community with young Rwandan people… and how they can love what they are doing this much. That’s where my inspiration came from.” Bikino says technology offers more than just jobs, it provides local activities, ways to collaborate, and a chance to build knowledge. He plans to create a platform for the Rwanda Drupal community to share skills, projects, opportunities and experience. Moving Forward The local support for the Drupal Global Training Day is a sign of changing times in Rwanda. Those attending the training are educated, but there can be a lack of connection between what they are learning in school and the outside market. Bikino wants to connect those gaps by creating opportunities to learn, build, and develop. Like many countries across the globe, the Rwandan government sees technology as a way to build economic diversity, nurture jobs, and transform the country. Local Projects The Rwanda Information and Communication Association (RICTA) and partners launched The 1K Websites project, to promote Local Content Hosting. For now most of the websites made are Government, but they are expanding the project. With good internet infrastructure already in place, this is the start of local content creation and websites for business and community.. Diversity in the community is going to be a challenge, but Bikino realises it’s an important one. The Sustainable Development Goals 5 is “achieve gender equality and empower women and girls”, and access to technology in developing countries such as Rwanda is important for s[...]