Subscribe: drupal.org
http://drupal.org/rss.xml
Added By: Feedage Forager Feedage Grade A rated
Language: English
Preview: drupal.org

Drupal.org



Come for the software, stay for the community

Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.



 



Community Spotlight: Rwandan enthusiasm for Drupal causes big challenge

Wed, 18 Oct 2017 19:00:16 +0000

For Ildephonse Bikino (bikilde) of Rwanda, it was supposed to be an uneventful Drupal Global Training Day call-out; he expected 50 people but he got 388!

Bikino began working to get local interest in Drupal, sharing information by creating a simple website and posting information about the trainings on groups.drupal.org and sharing it locally. Hoping to reach the room capacity of 50 people, the registrations came flowing in.

“The venue, which is kLab, where I was expecting to run my first training, they only accommodate 50 people. And the channel I used to announce the training, I was not expecting too many people attending, but people ...shared my communication to different channels and in so many different ways. I was surprised to get more than 388 applications.”

How do you deal with the logistics of training 388 people? That’s hard! Bikino was committed to the challenge. One session became eight over a number of weekends. Bikino made sure everyone got the opportunity to attend!

Discovering Drupal

Bikino's start with Drupal began commonly enough; through his job. Like many small teams, staff get mixed roles and he inherited the website role. His experience grew from there.

In 2016 he had the opportunity to attend DrupalCon New Orleans via scholarship through the Drupal Association. This let him discover the global opportunities and connections that open source software and the Drupal community can provide.

“My interest [in going to DrupalCon New Orleans] was to learn how thousands of people can just work together to deliver one single platform, how it works, and how people can really do it as volunteering work and through contributions. [The experience left me feeling that] I could really share that culture and community with young Rwandan people… and how they can love what they are doing this much. That’s where my inspiration came from.”

Bikino says technology offers more than just jobs, it provides local activities, ways to collaborate, and a chance to build knowledge. He plans to create a platform for the Rwanda Drupal community to share skills, projects, opportunities and experience.

Moving Forward

The local support for the Drupal Global Training Day is a sign of changing times in Rwanda. Those attending the training are educated, but there can be a lack of connection between what they are learning in school and the outside market. Bikino wants to connect those gaps by creating opportunities to learn, build, and develop. Like many countries across the globe, the Rwandan government sees technology as a way to build economic diversity, nurture jobs, and transform the country.

Local Projects

The Rwanda Information and Communication Association (RICTA) and partners launched The 1K Websites project, to promote Local Content Hosting. For now most of the websites made are Government, but they are expanding the project. With good internet infrastructure already in place, this is the start of local content creation and websites for business and community.

Diversity in the community is going to be a challenge, but Bikino realises it’s an important one. Sustainable Development Goal 5 is “achieve gender equality and empower women and girls”, and access to technology in developing countries such as Rwanda is important for sustainability. Bikino is actively working with kLab management to find funds to develop opportunities for women in technology.

The Future

The last group of the 388 people have just gone through their training. The aim now is to develop local freelancers, do projects within the community, and find mentors to share tips, guidance and best practices. The group would even like to contribute to translating Drupal into the local language (Kinyarwanda). And of course one day, host an African DrupalCon.

Peel away the layers of an impressive attendance to a Drupal Global Training Day event, and you have a story about the potential for technology and Drupal to transform people, communities and industry. You can follow and connect with Bikino via Twitter or say hi to him in the Drupa[...]



Drupal looking to adopt React

Wed, 11 Oct 2017 17:05:15 +0000

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Last week at DrupalCon Vienna, I proposed adding a modern JavaScript framework to Drupal core. After the keynote, I met with core committers, framework managers, JavaScript subsystem maintainers, and JavaScript experts in the Drupal community to discuss next steps. In this blog post, I look back on how things have evolved, since the last time we explored adding a new JavaScript framework to Drupal core two years ago, and what we believe are the next steps after DrupalCon Vienna.

As a group, we agreed that we had learned a lot from watching the JavaScript community grow and change since our initial exploration. We agreed that today, React would be the most promising option given its expansive adoption by developers, its unopinionated and component-based nature, and its well-suitedness to building new Drupal interfaces in an incremental way. Today, I'm formally proposing that the Drupal community adopt React, after discussion and experimentation has taken place.

Two years ago, it was premature to pick a JavaScript framework

Three years ago, I developed several convictions related to "headless Drupal" or "decoupled Drupal". I believed that:

  • More and more organizations wanted a headless Drupal so they can use a modern JavaScript framework to build application-like experiences.

  • Drupal's authoring and site building experience could be improved by using a more modern JavaScript framework.

  • JavaScript and Node were going to take the world by storm and that we would be smart to increase the amount of JavaScript expertise in our community.

(For the purposes of this blog post, I use the term "framework" to include both full MV* frameworks such as Angular, and also view-only libraries such as React combined piecemeal with additional libraries for managing routing, states, etc.)

By September 2015, I had built up enough conviction to write several long blog posts about these views (post 1, post 2, post 3). I felt we could accomplish all three things by adding a JavaScript framework to Drupal core. After careful analysis, I recommended that we consider React, Ember and Angular. My first choice was Ember, because I had concerns about a patent clause in Facebook's open-source license (since removed) and because Angular 2 was not yet in a stable release.

At the time, the Drupal community didn't like the idea of picking a JavaScript framework. The overwhelming reactions were these: it's too early to tell which JavaScript framework is going to win, the risk of picking the wrong JavaScript framework is too big, picking a single framework would cause us to lose users that favor other frameworks, etc. In addition, there were a lot of different preferences for a wide variety of JavaScript frameworks. While I'd have preferred to make a bold move, the community's concerns were valid.

Focusing on Drupal's web services instead

By May of 2016, after listening to the community, I changed my approach; instead of adding a specific JavaScript framework to Drupal, I decided we should double down on improving Drupal's web service APIs. Instead of being opinionated about what JavaScript framework to use, we would allow people to use their JavaScript framework of choice.

I did a deep dive on the state of Drupal's web services in early 2016 and helped define various next steps (post 1, post 2, post 3). I asked a few of the OCTO team members to focus on improving Drupal 8's web services APIs; funded improvements to Drupal core's REST API, as well as JSON API, GraphQL and OpenAPI; supported the creation of Waterwheel projects to help bootstrap an ecosystem of JavaScript front-end integrations; and most recently supported the development of Reservoir, a Drupal distribution for headless Drupal. There is also a lot of innovation coming from the community with lots of work on the Contenta distribution, JSON API, GraphQL, and more.

The end result? Drupal's web service APIs have progressed significantly the past year. [...]



Progress on the Salesforce Suite for D8 and a Call for Participation

Mon, 09 Oct 2017 19:21:51 +0000

The following blog was written by Drupal Association Premium Supporting Partner, Message Agency.

After months of work, hundreds of commits, and lots of new thinking, the Salesforce Suite for Drupal 8 is reaching maturity. There is tremendous interest in these modules, and many enterprises are waiting for this milestone to integrate D8 sites with Salesforce. In an effort to accelerate refinement and adoption of this important contribution, the module’s developers are raising awareness about the release and asking the community to start downloading and contributing.

A few months ago at Drupalcon Baltimore, Message Agency announced a release candidate (8.x-3.0-rc1) for the Salesforce Suite in Drupal 8. This collection of modules supports integration with Salesforce by mapping Drupal entities with standard or custom Salesforce objects and pushing Drupal data to Salesforce as well as pulling Salesforce data into Drupal.

Since then, we've continued to expand the Suite and build out critical features. We've also continued to groom the 8.x roadmap, solicit community participation through webinars, and build awareness about how to use the modules. With a solid foundation and full functionality, the Suite is beginning to gain traction and see increasing adoption as projects switch to Drupal 8.

What’s new in the Suite?

The modules are a complete rewrite of the Suite for Drupal 8, and they fully leverage Drupal core’s object-oriented code patterns. Message Agency’s senior software engineer, Aaron Bauman, was the original architect of the Suite for 6.x in 2009 and has continued to support this important tool ever since. He took the lead in porting the modules for Drupal 8, based on feedback from the community, clients, and nearly a decade of experience integrating these two powerful platforms.

There is much to be excited about in this new version. There have been a number of updates from Drupal 7.x:

  • Queue on failure. There is now an attempt to push synchronization immediately on entity save and enqueue for asynchronous push only on failure. This feature idea is a great compromise between the previous binary sync/async decision point.

  • Test coverage. Testing 3rd-party web services can be tricky, and requires careful planning and mocking. This Salesforce 8.x release includes test coverage for push and pull operations using mock REST features, allowing for proper regression testing and test-driven development.

  • Push queue overhaul, and cron-based push. Drupal 7's asynchronous push left a lot to be desired. Lack of error handling made debugging and troubleshooting difficult to impossible. Lack of optimizations burned unnecessary API calls. Both of these limitations were imposed by Drupal Queue API's fundamental nature. In Drupal 7, our options for extending the Queue system were limited. In Drupal 8, we've implemented a Salesforce Push Queue service, building on Drupal core's overhauled Queue API. We've taken the opportunity to normalize queue items, optimize queue operations, and implement error handling and recovery.

  • Objectification of Salesforce resources. Moving in the direction of a proper REST PHP SDK, we now have proper classes for Query Result, SObject, Salesforce ID, various REST Responses, and others. This not only allows for simple type-hinting across other classes, but also gives developers consistent and reliable interfaces, and paves the way for even greater extensibility in the future.

  • Queue settings per mapping. The Suite now allows administrators to assign sync intervals per-mapping, instead of running all sync operations on every cron run. This feature idea will allow administrators to tweak their synchronizations according to business needs, without the need to implement extensive hook-based logic.

Several new features for Drupal 8 also have been developed:

  • Goodbye hooks, hello events. Leveraging Salesforce.api.php, we mapped old hooks onto new events—a key advantage for folks already familiar with the 7.x version.

  • A new plugin system for ma[...]



An update on projects created for Drupal

Sat, 07 Oct 2017 07:00:00 +0000

About six months ago we made a significant change to the way that modules, themes, and distributions are created on Drupal.org. In the past, contributors had to first create a sandbox project, and then request manual review of their project in the Project Applications issue queue. The benefit of this community-driven moderation process was that modules were vetted for code quality and security issues by a group of volunteers. Project maintainers who completed this process also received the benefit of security advisory coverage from the Security Team for stable releases of their projects.

Unfortunately, the rate of project applications outpaced what volunteers could keep up with, and many worthy projects were never promoted to full project status, or moved off of Drupal.org to be hosted elsewhere.

To ameliorate this issue, we changed the process so that any confirmed user on Drupal.org may now make full projects. To mitigate the risks of low code quality or security vulnerabilities we added new signals to project pages: including highlighting which release is recommended by the maintainer, displaying recent test results, and indicating whether the project receives security coverage both on the project page and in the composer 'extra' attribute. We're continuing to work on identifying additional signals of project quality that we can include, as well as surfacing some of this information in Drupal core.

We also converted the project applications issue queue into a 'request security advisory coverage' issue queue.

What we hoped to see

We knew this would be a significant change for the project and the community. While many community members were excited to see the gates to contribution opened, others were concerned about security issues and Drupal's reputation for code quality.

Our prediction was that the lower barrier to contribution would result in an increase in full projects created on Drupal.org. This would indicate that new contributors or third party technology providers were finding it easier to integrate with Drupal and contribute those integrations back for use by others.

At the same time, we also expected to see an increase in the number of full projects that do not receive coverage from the security team. The question was whether this increase would be within an acceptable range, or represent a flood of low quality or insecure modules.

The results

The table below provides statistics about the full projects created on Drupal.org in the 5 months before March 17th, 2017 - when we opened the creation of full projects to all confirmed users.

| Full projects created from 2016-10-16 to 2017-03-17… | # | % of projects created in this period |
| --- | --- | --- |
| … without stable release | 431 | 55.76% |
| … with stable releases | 342 | 44.24% |
| … with usage >= 50 sites | 237 | 30.66% |
| … with usage >= 50 sites and without stable release | 68 | 8.80% |
| … with usage >= 50 sites and with stable release | 169 | 21.86% |
| … with an open security coverage application* | 18 | 2.33% |
| Sub-total with security coverage | 342 | 44.24% |
| Sub-total without security coverage | 431 | 55.76% |
| Sub-total with security coverage and >=50 usage | 169 | 21.86% |
| Sub-total without security coverage and >= 50 usage | 68 | 8.80% |
| Total | 773 | |

* note: full projects that did not have stable releases were not automatically opted in to security coverage when we opened the full project creation gates.

… and this table provides statistics about the projects created in the 5 months after we opened the creation of full projects to all confirmed users:

| Full projects created from 2017-03-17 to 2017-08-16… | # | Diff | % of projects created | Diff % |
| --- | --- | --- | --- | --- |
| … without stable release | 851 | +420 | 69.53% | +97% |
| … with stable releases | 373 | +31 | 30.47% | +9% |
| … with usage >= 50 sites | 156 | -81 | 12.75% | -34% |
| … with usage >= 50 sites and without stable release | 64 | -4 | 5.23% | -6% |
| … with usage >= 50 sites and with stable release | 92 | [...]



Drupal 8.4.0 is now available

Wed, 04 Oct 2017 20:20:46 +0000

What's new in Drupal 8.4.0?

This new version is an important milestone of stability for Drupal 8. It adds under-the-hood improvements to enable stable releases of key contributed modules for layouts, media, and calendaring. Many other core experimental modules have also become stable in this release, including modules for displaying form errors inline and managing workflows. The release includes several very important fixes for content revision data integrity as well as an update to stop the deletion of orphaned files that was causing data loss for many sites, alongside numerous improvements for site builders and content authors.

Download Drupal 8.4.0

Important: If you use Drush to manage Drupal, be sure to update to Drush 8.1.12 or higher before updating Drupal. Updating to Drupal 8.4.0 using Drush 8.1.11 or earlier will fail. (Always test minor version updates carefully before making them live.)

Inline Form Errors

The Inline Form Errors module provides a summary of any validation errors at the top of a form and places the individual error messages next to the form elements themselves. This helps users understand which entries need to be fixed, and how. Inline Form Errors was provided as an experimental module from Drupal 8.0.0 on, but it is now stable and polished enough for production use.

Datetime Range

The Datetime Range module provides a field type that allows end dates to support contributed modules like Calendar. This stable release is backwards-compatible with the Drupal 8.3.x experimental version and shares a consistent API with other Datetime fields. Future releases may improve Views support, usability, Datetime Range field validation, and REST support.

Layout Discovery API

The Layout Discovery module provides an API for modules or themes to register layouts as well as five common layouts. Providing this API in core enables core and contributed layout solutions like Panels and Display Suite to be compatible with each other. This stable release is backwards-compatible with the 8.3.x experimental version and introduces support for per-region attributes.

Media API

The new core Media module provides an API for reusable media entities and references. It is based on the contributed Media Entity module.

Since there is a rich ecosystem of Drupal contributed modules built on Media Entity, the top priority for this release is to provide a stable core API and data model for a smoother transition for these modules. Developers and expert site builders can now add Media as a dependency. Work is underway to provide an update path for existing sites' Media Entity data and to port existing contributed modules to the refined core API.

Note that the core Media module is currently marked hidden and will not appear on the 'Extend' (module administration) page. (Enabling a contributed module that depends on the core Media module will also enable Media automatically.) The module will be displayed to site builders normally once related user experience issues are resolved in a future release.

Similarly, the REST API and normalizations for Media are not final and support for decoupled applications will be improved in a future release.

Content authoring and site administration experience improvements

The "Save and keep (un)published" dropbutton has been replaced with a "Published" checkbox and single "Save" button. The "Save and..." dropbutton was a new design in Drupal 8, but users found it confusing, so we have restored a design that is more similar to the user interface for Drupal 7 and earlier.

Both the "Comments" administration page at `/admin/content/comment` and the "Recent log messages" report provided by dblog are now configurable views. This allows site builders to easily customize, replace or clone these screens.

Updated migrations

This release adds date and node reference support for Drupal 6 to Drupal 8 migrations. Core provides migrations for most Drupal 6 data and can be used for migrating Drupal 6 sites to[...]



State of Drupal presentation (September 2017)

Wed, 27 Sep 2017 14:33:25 +0000

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Yesterday, I shared my State of Drupal presentation at DrupalCon Vienna. In addition to sharing my slides, I wanted to provide some more detail on how Drupal is evolving, who Drupal is for, and what I believe we should focus on.

Drupal is growing and changing

I started my keynote by explaining that Drupal is growing. Over the past year, we've witnessed a rise in community engagement, which has strengthened Drupal 8 adoption.

This is supported by the 2017 Drupal Business Survey; after surveying 239 executives from Drupal agencies, we can see that Drupal 8 has become the de facto release for them and that most of the Drupal businesses report to be growing.

While the transition from Drupal 7 to Drupal 8 is not complete, Drupal 8's innovation continues to accelerate. We've seen the contributed modules ecosystem mature; in the past year, the number of stable modules has more than doubled. Additionally, there are over 4,000 modules in development.

In addition to growth, both the vendor and technology landscapes around Drupal are changing. In my keynote, I noted three primary shifts in the vendor landscape. Single blogs, portfolio sites and brochure sites, which represent the low end of the market, are best served by SaaS tools. On the other side of the spectrum, a majority of enterprise vendors are moving beyond content management into larger marketing suites. Finally, the headless CMS market segment is growing rapidly, with some vendors growing at a rate of 500% year over year.

There are also significant changes in the technology landscape surrounding Drupal, as a rising number of Drupal agencies have also started using modern JavaScript technologies. For example, more than 50% of Drupal agencies are also using Node to support the needs of their customers.

While evolving vendor and technology landscapes present many opportunities for Drupal, they can also introduce uncertainty. After listening to many people in the Drupal community, it's clear that all these market and technology trends, combined with the long development and adoption cycle of Drupal 8, have left some wondering what this all means for Drupal, and by extension also for them.

Drupal is no longer for simple sites

Over the past year, I've explained why I believe Drupal is for ambitious digital experiences, in both my DrupalCon Baltimore keynote and on my blog. However, I think it would be valuable to provide more detail on what I mean by "ambitious digital experiences". It's important that we all understand who Drupal is for, because it drives our strategy, which in turn allows us to focus our efforts.

Today, I believe that Drupal is no longer for simple sites. Instead, Drupal's sweetspot is sites or digital experiences that require a certain level of customization or flexibility — something I refer to as "richness".

Ambitious is much more than just enterprise

This distinction is important because I often find that the term "ambitious" becomes conflated with "enterprise". While I agree that Drupal is a great fit for the enterprise, I personally never loved that categorization. It's not just large organizations that use Drupal. Individuals, small startups, universities, museums and nonprofits can be equally ambitious in what they'd like to accomplish and Drupal can be an incredible solution for them.

An example of this could be a small business that manages 50 rental properties. While they don't have a lot of traffic (reach), they require integrations with an e-commerce system, a booking system, and a customer support tool to support their business. Their allotted budget is $50,000 or less. This company would not be considered an enterprise business; however, Drupal would be a great fit for this use case. In many ways, the "non-enterprise ambitious digital experiences" represent the majority of the Drupal [...]



Drupal Business Survey 2017

Mon, 25 Sep 2017 10:02:13 +0000

The Drupal Business Survey 2017 shows that Drupal has a steady position in the market, and Drupal 8 has secured its role as the most popular version for new Drupal projects. Further, Drupal is often becoming part of a larger set of solutions.

The Drupal Business Survey is an annual survey that aims to give insights into the key issues that Drupal agency owners and company leaders worldwide face. The survey is an initiative of Exove, One Shoe and the Drupal Association and has been carried out this year for the second time. It covers topics about Drupal business in general, Drupal projects and talent needs. This article summarizes the most important findings along with commentary and insights from a total of 239 respondents.

Drupal is growing steadily

The Drupal Business Survey gleaned its data for 2017 from 239 respondents in CEO/COO/CTO/founder role (87%), director role (4.6%) or management role (4.6%), working at Drupal companies with a total of 300 offices spread around the globe. The most popular office location (30.1%) was USA. The second most popular with 12.1% was UK, and after that Germany, Netherlands, India, Canada and France. There were respondents from Africa, Asia, Europe, North America, South America and Oceania.

Analysis of the data made immediately clear that Drupal is a healthy business:

Drupal project pipeline grows

For almost half of the respondents (48.5%) the Drupal project pipeline grew within the last year. For 28.9% it stayed roughly the same, and for 22.6% the pipeline shrank.

Size of Drupal projects grows

For a majority (52.3%) of the respondents the average size of Drupal project deals grew. For about one third (31.4%) the Drupal deal size stayed roughly the same, and for only 16.3% the size of deals shrank.

Drupal’s project win rate stays roughly the same

Despite the increasing competition in the CMS market, for many (46.4%) of the companies their Drupal project win rate has stayed on the same level over the last year, and about a third (34.7%) have managed to grow their win rate. For less than a fifth of the companies (18.8%) the win rate had decreased.

Drupal’s position as a high-demand service platform is steady, especially for projects in the Charities and Non-Profit sector, which is catered to by two thirds (64.9%) of the respondents. Other popular industries that use Drupal are Government & Public Administration (56.1%) and Healthcare & Medicine (49.4%). There are no major differences in industries served by Drupal companies compared to the 2016 survey results.

Choosing Drupal

When choosing the right platform, Drupal clients trust the technical provider’s expertise: Drupal is often chosen by the clients as a result of the provider’s recommendation. In some cases the client’s previous experience or familiarity with Drupal is the definitive factor.

Besides Drupal being open-source and free of licensing fees, the definitive reasons for choosing Drupal are that Drupal is a reliable and flexible CMS choice with a strong reputation:

Without -most often than not- being able to precisely explain the reasons for which they prefer Drupal, those who do, sense that it is a better solution for their business; we shall imagine that this is due to the image of the CMS, which evokes a more robust, and serious CMS than the others.

Can do anything. Secure.

Choosing the company

When Drupal itself is less the dominating factor for the client, other unique aspects are often key factors for clients choosing a supplier, agency, or partner. The respondents mentioned that trust, commitment, quality, level of service, full service proposition, technical expertise, good reputation, and references were important factors for client decision making.

Drupal 8 has a strong place in the market

Drupal 8, the newest version of the CMS, seems to have taken a strong place in the market. The respondents’ new Drupal projects were most co[...]



What’s new on Drupal.org? - August 2017

Tue, 19 Sep 2017 16:38:14 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Announcement

TLS 1.0 and 1.1 deprecated

Drupal.org uses the Fastly CDN service for content delivery, and Fastly has deprecated support for TLS 1.1, 1.0, and 3DES on the cert we use for Drupal.org, per the mandate by the PCI Security Standards Council. This change took place on 9 Aug 2017. This means that browsers and API clients using the older TLS 1.1 or 1.0 protocols will no longer be supported. Older versions of curl or wget may be affected as well.

Almost time for DrupalCon Vienna

DrupalCon Vienna is almost here! From September 26-29 you can join us for keynotes, sessions, and sprinting. Most of the Drupal Association engineering team will be on site, and we'll be hosting a panel discussion about recent updates to Drupal.org, and our plans for the future. We hope to see you there!

Drupal.org updates

8.4.0 Alpha/Beta/Release Candidate 1

On August 3rd, Drupal 8.4.0 received its alpha release, followed on the 17th by a beta release, and on September 6th by the first release candidate. Several new stable API modules are now included in core for everything from workflow management to media management. Core maintainers hope to reach a stable release of Drupal 8.4 soon.

Improvements to Project Pages

We made a number of improvements to project pages in August, one of which was to clean up the 'Project information' section and add new iconography to make signals about project quality more clear to site builders.

In the same vein, we've also improved the download table for contrib projects, by making it more clear which releases are recommended by the maintainer, providing pre-release information for minor versions, and displaying recent test results.

Metadata about security coverage available to Composer

Developers who build Drupal sites using Composer may miss some of the project quality indicators from project pages on Drupal.org. Because of this, we now include information about whether a project receives security advisory coverage in the Composer 'extra' attribute. By including this information in the composer json for each project, we hope to make it easier for developers using Composer to ensure they are only using modules with security advisory coverage. This information is also accessible for developers who may want to make additional tools for managing composer packages.

Automatic issue credit for committers

Just about the last step in resolving any code-related issue is for a project maintainer to commit the changes. To make sure these maintainers are credited for the work they do to review these code changes, we now automatically add issue credit for committers.

Performance Improvements for Events.Drupal.org

With DrupalCon coming up in September we spent a little bit of time tuning the performance of Events.Drupal.org. We managed to resolve a session management bug that was the root cause of a significant slow down, so now the site is performing much better.

Syncing your DrupalCon schedule to your calendar

A long requested feature for our DrupalCon websites has been the ability to sync a user's personal schedule to a calendar service. In August we released an initial implementation of this feature, and we're working on updating it in September to support ongoing syncing - stay tuned!

Membership CTA on Download and Extend

We've added a call to action for new members on the Drupal.org Download and Extend page, which highlights some great words and faces from the community. Membership contributions are a crucial part of funding Drupal.org and DrupalCon, but the majority of traffic we receive on Drupal.org is anonymous, and may not reach the areas of the site where we've promoted membership in the past. We're hoping this campaign will help us reach a wider audience[...]



Drupal Association Board Meeting Announcement

Mon, 11 Sep 2017 20:39:50 +0000

The Drupal Association Board of Directors will meet twice during DrupalCon Vienna. They have a board retreat the weekend before the conference and there is an open board meeting during DrupalCon for the community to attend. Below are details about each meeting.

Board Retreat

During a retreat, the board and the Executive Director meet in an extended executive session to plan and discuss the strategy for the Drupal Association. Normally, the retreat lasts two days and non-board members including staff are invited to participate in presentations and discussions on specific topics.

However for the upcoming retreat in Vienna, we will be exploring a holistic view of the strategy for Drupal and are structuring the retreat differently to accommodate this expanded conversation.

Open Board Meeting

The board will meet again during DrupalCon Vienna on Wednesday, 27 September from 11:45 - 13:00 in the convention center Business Suite 3-4. This is open to the community and lunch will be served to all who attend. You can also attend remotely via Zoom. See the dial-in information below.

The agenda for this meeting includes:

  • Vote to approve last board meeting minutes

  • Executive Update

  • Drupal.org Update

  • DrupalCon Europe Update

  • Community Governance update from the CWG

  • Community Q&A

  • Celebrate departing board members

Those dialing into the meeting can join Zoom by registering here: https://zoom.us/webinar/register/1b63252cf48650c9d746f627e8486654

Or join by phone (see link for # by country):

https://zoom.us/zoomconference?m=ZTp9iSy-nW5sqyKJKRfhbTbxDueqU9W   

Webinar ID: 460 900 173




Drupal 8.4.0-rc1 is available for testing

Thu, 07 Sep 2017 12:47:04 +0000

The first release candidate for the upcoming Drupal 8.4.0 release is now available for testing. Drupal 8.4.0 is expected to be released October 4.

8.4.x includes new stable modules for storing date and time ranges, displaying form errors inline, and managing workflows. New stable API modules for discovering layout definitions and media management are also included. The media API module is new in core; all other new stable modules were formerly experimental. The release also includes several important fixes for content revision data integrity, orphan file management and configuration data ordering, among other things. You can read a detailed list of improvements in the announcements of alpha1 and beta1.

What does this mean to me?

For Drupal 8 site owners

The final bugfix release of 8.3.x has been released. A final security release window for 8.3.x is scheduled for September 20, but 8.3.x will receive no further releases following 8.4.0, and sites should prepare to update from 8.3.x to 8.4.x in order to continue getting bug and security fixes. Use update.php to update your 8.3.x sites to the 8.4.x series, just as you would to update from (e.g.) 8.3.4 to 8.3.5. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.)

For module and theme authors

Drupal 8.4.x is backwards-compatible with 8.3.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.4.x, and test modules and themes with the release candidate now.

For translators

Some text changes were made since Drupal 8.3.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations.

For core developers

All outstanding issues filed against 8.3.x were automatically migrated to 8.4.x. Future bug reports should be targeted against the 8.4.x branch. 8.5.x will remain open for new development during the 8.4.x release candidate phase. For more information, see the release candidate phase announcement.

Your bug reports help make Drupal better!

Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet.




Kickstarting the Drupal Community Spotlight

Thu, 31 Aug 2017 15:23:21 +0000

Let's face it, it's been a crappy year in many ways. Internally and externally there are pressures that have made all of us think "what's the point?"

Instead of a world where we build and move forward together there is conflict, uncertainty, and so many why moments. From the macro to the micro, communities and ecosystems are struggling. The ideals of open source software often feel exploited, and the feeling of wonderment and discovery as we build together has been cast aside to something that feels very much like... well, work.

Drupal has not been immune. Like I need to tell you that.

For those of us that are optimists, and change makers, and idealists, and believers, nothing hits home the impact of our work more than stories about how we use this code called Drupal to create impact. I think the world needs a little of that right now.

So, we have a team, we have energy and we are ready to shine the crap out of the brilliance of the people behind, in front, and to the side of Drupal.

I for one am looking forward to us injecting so much positivity into this community that even the chronic eye rollers won’t be able to help but give a slight smile.

(image)

A highlight of DrupalCon: the live code commit! Photo by Michael Cannon

The first thing we are working on is getting a way to start collecting stories. We might use a form. Or we might build an entire website. Just coz we can. So how about y’all give me a *whoop* *whoop* and start thinking about helping the Drupal Spotlight Committee unlock stories of Drupal impact from across the globe. It’s going to be fun.




Help us Celebrate Community Heroes. Join the Community Spotlight Committee

Thu, 17 Aug 2017 14:23:39 +0000

TL;DR: Our community is full of amazing people. Let’s celebrate them. Join the Community Spotlight committee to review community-nominated heroes so we can recognize and celebrate those who have contributed to Drupal in special ways.

+++++++++++++

Drupal is a single expression of collaboration amongst thousands of people from around the world who are passionate, smart, and caring. They donate countless hours, moving the project forward by contributing code, mentoring new contributors, writing documentation, organizing camps, sharing knowledge, and so much more. These selfless acts are Drupal’s lifeblood and deserve being celebrated and appreciated.

It’s clear from a recent #drupalthanks twitter-fest that our community is eager to show their appreciation for each other. That is why the Drupal Association, with the help of Lyndsey Jackson, is re-launching Community Spotlight, a program that highlights community-nominated heroes who have contributed to the project in a special way. This program went on hold last year when the Drupal Association downsized, making the organization more sustainable. Lyndsey offered to bring the program back by forming a committee who will select nominees to be highlighted on Drupal.org and through Drupal Association communication channels.

The Drupal Association is thankful for Lyndsey’s passion for celebrating the community and for making time to bring Community Highlights back. Lyndsey has a great vision for the program. In her own words, she says: "We want the Community Spotlight to represent a shared story or an experience that will resonate and connect with where the community and the project is at that point in time. We want to highlight the depth of experience that exists, and the evolving potential through emerging leaders and new energy."

Will you join the Community Spotlight Committee?

Lyndsey is creating a Community Spotlight committee to drive this important program forward. It will consist of 3-5 people with diverse backgrounds. They will review the community-nomination forms and pick who we will celebrate. They will also help convert the nomination form into a blog post, which the Drupal Association will promote. The monthly time commitment would be about 2-4 hours. This group also has the autonomy to evolve the program. I’m sure there are many ways we can improve how we celebrate our community.

To join this committee, please complete this form




Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004

Wed, 16 Aug 2017 16:38:37 +0000

Drupal 8.3.7 is a maintenance release which contains fixes for security vulnerabilities.

Download Drupal 8.3.7

Updating your existing Drupal 8 sites is strongly recommended (see instructions for Drupal 8). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

  • Advisory ID: DRUPAL-SA-CORE-2017-004
  • Project: Drupal core
  • Version: 8.x
  • Date: 2017-Aug-16
  • Security risk: 15/25 (Critical) AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
  • Multiple vulnerabilities

Description

Views - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6923

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

REST API can bypass comment approval - Access Bypass - Moderately Critical - Drupal 8 - CVE-2017-6924

When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

Entity access bypass for entities that do not have UUIDs or have protected revisions - Access Bypass - Critical - Drupal 8 - CVE-2017-6925

There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.

Versions affected

  • Drupal core 8.x versions prior to 8.3.7

Solution

Install the latest version:

  • If you use Drupal 8.x, upgrade to Drupal core 8.3.7

Drupal 7 core is not affected, however, Drupal 7 Views is: see Views - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068

Also see the Drupal core project page.

Reported by

Views - Access Bypass

  • Maxim Podorov

REST API can bypass comment approval - Access Bypass

  • Arshad

Entity access bypass for entities that do not have UUIDs or protected revisions - Access Bypass

  • Miles Worthington

Fixed by

Views - Access Bypass

  • Klaus Purer
  • Daniel Wehner
  • Michael Hess of the Drupal Security Team
  • Len Swaneveld
  • Wim Leers

REST API can bypass comment approval - Access Bypass

  • Daniel Wehner
  • Arshad
  • Lee Rowlands of the Drupal Security Team
  • Wim Leers
  • Sascha Grossenbacher

Entity access bypass for entities that do not have UUIDs or protected revisions - Access Bypass

  • Andrei Mateescu
  • Peter Wolanin of the Drupal Security Team
  • Matthew Donadio
  • xjm of the Drupal Security Team
  • Sascha Grossenbacher

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact. Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [...]



What’s new on Drupal.org? - July 2017

Thu, 03 Aug 2017 19:41:07 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Drupal.org updates

Better Distribution packaging

Distributions are a cornerstone of Drupal, giving site-builders a head start by packaging together proven modules and themes from contrib to build a Drupal site to purpose. In July we spent some time improving the functionality for packaging distributions on Drupal.org, by updating Drupal.org's packaging system to use Drush 8. This resolves several issues:

  • Distributions may now use features from version 8 of Drush.
  • Package manifest details are now properly displayed for all distributions.
  • Distributions no longer need to nest contrib projects.

We hope that these changes will help distribution maintainers

reCAPTCHA

One of the key tools we use to prevent spam on Drupal.org is Mollom, which will reach end of life next year. To replace it, we've implemented reCAPTCHA on Drupal.org, and updated our privacy policy accordingly. We have not yet disabled Mollom, because Mollom is a content analysis tool in addition to a captcha tool. Because reCAPTCHA does not duplicate that content analysis functionality we'll be monitoring spam attack patterns on Drupal.org to see whether reCAPTCHA will be sufficient as a standalone replacement.

Easier addition of new documentation guides and pages

It's hard to believe that the new documentation system has been in use for almost a year. We've made a number of improvements after the initial release to improve usability for both contributors and maintainers of documentation, and to encourage project maintainers to migrate their docs. One piece of feedback we've heard several times is that the 'add content' links in the sidebar of a documentation guide were too difficult to find. To make it easier for documentation contributors to add new sub-guides and pages, we've added a new page link to the 'Edit' menu of documentation guides.

Webmasters and documentation moderators can administer all docs

Finding maintainers for the over 12,000 pages of documentation on Drupal.org continues to be a challenge, and so we've given all users with the Webmaster and Documentation Moderator role the ability to administer any documentation guide. This will expand the pool of users who can help to manage documentation and manage documentation maintainers. Good documentation for a project with Drupal's scale is a community-driven effort and we're incredibly thankful for all the volunteers who contribute.

Any confirmed user may claim unmaintained documentation guides

We also now allow any unmaintained guide to be claimed by any confirmed user, automatically adding them as the maintainer for that guide. This should make it much easier for new contributors to take up the mantle of maintaining sections of documentation on Drupal.org. Learn more about maintaining documentation by reading our content guidelines.

For evaluators

Updated industry page call to action

The Drupal.org industry pages are a new experiment for the Drupal Association this year, with a goal of reaching out to Drupal evaluators in specific markets. The success stories we showcase on these pages demonstrate the power of Drupal in these industries, but we also want these pages to be an opportunity to connect evaluators with experts who can help them achieve their goals with Drupal. To enhance our efforts to connect Drupal evaluators to experts in their industry, we've added an additional call to action at the top of the industry page to encourage evaluators to connect with experts.

Front page case study promotion for supporting partners and top contributors

In July we laid the groundwork for promoti[...]



What’s new on Drupal.org? - June 2017

Tue, 18 Jul 2017 15:46:17 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Drupal.org updates

Healthcare industry page launched

One of our major goals this year is to highlight the power of Drupal in key industries. The Drupal.org industry pages highlight the story of building a custom-tailored solution for each industry using third-party integrations, expert hosting, or even purpose built distributions for the industry. Each page also highlights case studies which show demonstrated success stories using Drupal in each industry. In June we've launched our latest industry page, highlighting the Healthcare industry.

Semantic Labels for Development Branches

With a six month release cycle for Drupal core, the environment that project maintainers should test their code against will change fairly frequently. To make it easier for maintainers to keep up to date with testing, we've introduced semantic labels for the core branches. Maintainers can now configure tests against Default — the current development branch of Drupal, Stable — the most recent release of core, and Supported — the current patch/bug-fix branch. These semantic labels should make it easier for project maintainers to manage testing. We hope to expand on this with a few more labels, and may even extend these semantic labels to the version field that issues are filed against in the future.

UTF8MB4 support

As mentioned in last month's update, we've updated the Drupal.org and the sub-sites to support the UTF8MB4 extended character set. While the changes for the sub-sites were deployed in May, we finished up by adding support to Drupal.org itself in June. Among other things, this means that Drupal.org will no longer throw errors if emoji are used in content. 😄

Updating our membership CRM

Drupal Association Membership is managed using the CiviCRM platform, and in June we spent a bit of time updating to the latest version and troubleshooting some issues around receipting and renewals. Members can check their current membership status on the membership page. If you're not yet a member or you need to renew, check out our membership certificate offer.

Performance improvements

To increase performance on Drupal.org we've updated to the latest version of the Advanced Aggregator module (special thanks to u/mikeytown2). The latest update includes aggregation of fonts from the Google Fonts API, which should make a material difference in Drupal.org page render times.

Better spam moderation tools

A recent surge of spam attacks targeting Drupal.org has led us to take another pass at updating our spam moderation tools. Spammers continue with a never ending escalation of tactics, and so we are constantly evolving our tools for managing spam. We've implemented some rate limiting protections as well as some new moderation views that will make it easier for us to bulk moderate spam. We'll be continuing with some of this work into July so that we can keep Drupal.org's home free from spam and productive.

Infrastructure

Infrastructure partner selected

In March we kicked off an RFP process to find a Managed Infrastructure Services vendor to partner with us to help maintain and improve the Drupal.org infrastructure. In June we reached a decision and have selected Tag1 Consulting as our partner. We're now working with Tag1 to audit our current infrastructure, policies, as well as monitoring and alerting systems as we kick off this relationship. Tag1 brings a tremendous amount of experience in Drupal infrastructure management as well as making Drupal performant at scale, and we're grateful to have them on board. With [...]



Take the Survey on the Community Governance Summit

Tue, 18 Jul 2017 13:28:39 +0000

I recently shared the community needs and potential strategies for evolving community governance, which resulted from the Community Discussions we held in person and online throughout April and May. You can find the webinar recording and written transcript, as well as the meeting minutes from all Community Discussions, at https://www.drupal.org/community/discussions.

Many community members who participated in these discussions agreed that the next step to take in this process is to hold a Community Governance Summit. However, we are not yet clear on where and when this event should take place, who should participate, and several other important details. I worked with community members to develop this survey so we can answer those questions.

Please take 5 minutes to take this community survey and tell us your thoughts about the Community Governance Summit. This survey will remain open until 11:59pm EDT on July 28, 2017. We will analyze the findings and report back on what we learned in a follow-up blog post by Friday, August 4.

Thank you for your time and participation.




Drupal Association Board Meeting Summary - 28 June, 2017

Sat, 15 Jul 2017 19:09:18 +0000

On 28 June, 2017, the Drupal Association Board held the second of four annual public meetings. It was a full meeting where staff provided operational updates and gained some strategic direction from board members on how to proceed in various areas. Some highlights included:

  • Summary of DrupalCon Baltimore’s performance and impact.

  • Progress on securing future DrupalCon locations.

  • Discussion on how to unblock community outreach efforts by making appropriate changes to the Drupal.org privacy policy.

  • An update on the Drupal.org infrastructure RFP that was recently awarded to Tag1.

Whitney Hess also attended the board meeting to give an update on the Community Discussion work and invited the community to attend her webinar that shared her findings and next steps. You can learn more and watch the recorded webinar here.

Also, Jamie Nau, our “virtual CFO” from Summit CPA attended the meeting to review April 2017 financial statements, which showed that DrupalCon Baltimore exceeded expectations, positioning the Drupal Association for a healthier year, financially. This is encouraging news as we work through our financial turnaround, which started a year ago.

In an effort to be more transparent about board activities, the board chose to use this public forum to vote to approve the January through April 2017 financial statements. April 2017 financial statements showed that April was a successful month primarily due to DrupalCon Baltimore's strong financial performance.

You can find the meeting minutes and board materials here.

We were pleased to have community members attend and invite you to attend our next board meeting on 27 September, 2017 at noon CEST. It is located in the DrupalCon Vienna convention center and can also be attended via Zoom.




How you can help during our membership campaign

Tue, 11 Jul 2017 20:47:41 +0000

Join in the fun during the Drupal Association membership campaign happening now through August 4. We're providing personalized certificates of membership to individual and organization members who join or renew during the campaign and we need your help spreading the word.

The campaign has two goals: help us deliver 500 certificates and raise $18,250 during July 10-August 4. By sharing and encouraging Drupal users and people in the community to join us, you'll help us meet these goals.

If we are told by 5 or more members that you referred them to us during this campaign, we'll thank you on social media. Grab words and graphics from this post and share away.

If you are a member who would like your own certificate let us know and we'll send one your way. Post your selfie or hang your certificate on the wall. Thanks for sharing!

Social

Share why you are a member.

Graphics

Use these with https://www.drupal.org/association/campaign/certificate-2017

  • 300 x 250px
  • 440 x 220px (good for Twitter)
  • 300 x 140px

Thank you for supporting the Drupal Association and for being part of our community.

File attachments: mem_campaign_2017_q3_300x140.jpg, mem_campaign_2017_q3_300x250.jpg, mem_campaign_2017_q3_twitter_1.jpg[...]



Now Available: The Community Discussions Webinar Recording

Thu, 06 Jul 2017 23:09:10 +0000

Last week, we shared the high-level findings from our recent Community Discussions. Today, Whitney Hess hosted a webinar to explain those findings in depth, along with proposals from the community on how to evolve community governance.

We encourage you to watch the video and post your questions in the comment section here. If you have comments but wish to remain private, Whitney asks you to email her directly at whitney@whitneyhess.com.

You can find the transcript here.




Community Discussions Findings and Webinar

Wed, 28 Jun 2017 15:46:51 +0000

Over the last few years, many of us have seen the need to evolve community governance. Up until now, we had to focus on other priorities, but now is the time to address our needs for community governance especially in light of recent community events.

Our project has matured greatly and participation has expanded from developers and site builders to also include more content editors, designers, and marketing managers who work not only as freelancers or at Drupal shops, but also for large digital agencies or system integrators. We want all community members to be included in these community discussions so the redefined community governance serves everyone. This is an exciting time to create an even healthier future for our ever-growing community.

The Drupal Association is committed to staying in a support role as the community determines how to best evolve community governance to support everyone’s needs. We started helping by hosting Community Discussions that were mediated by Whitney Hess. There were 7 sessions at DrupalCon Baltimore and 7 virtual sessions between April and May. You can find the meeting minutes here.

The Community Discussions surfaced several common needs and identified several strategies for addressing those needs. The most commonly shared needs of the community are (in order of frequency):

  • Awareness
  • Participation
  • Transparency
  • Clarity
  • Contribution
  • Healing
  • Trust
  • Understanding
  • Communication
  • Connection
  • Empowerment
  • Process
  • Progress

Strategies to address those needs ranged from clarifying the responsibilities and boundaries of the leadership roles throughout the Drupal project, determining how and where to communicate community decisions, improving processes for community management, and providing easier access to documentation about leadership roles and clearly communicating what is expected of Drupal community members.

In terms of next steps, the participants were in agreement that we need to come together in a Governance Summit to start architecting improvements to today’s governance structure. However, the community did not define the best way to hold this meeting. It is still unclear when and where it should be, and who should participate and facilitate. We will send out a community survey next to get input from you to answer these questions.

Attend The Webinar

We invite you to attend a webinar on July 6 at 11 am ET / 1600 BST / 8:30 pm IST hosted by Whitney Hess. Whitney will review the findings from our Community Discussions in more detail. We will record the video and share it with you afterwards, along with a written transcript. Dial-in details are below:

Video: https://zoom.us/j/589988397

Or Telephone:

  • Dial: +1 646 558 8656 (US Toll) or +1 408 638 0968 (US Toll)
  • Meeting ID: 589 988 397
  • International numbers available: https://zoom.us/zoomconference?m=KQN5xFuem0PrbwaqFQC3HJyEWuwQ7QHT

Thank you for your patience and participation as we tackle these big questions and move forward together as a stronger community.[...]



Calling all Drupal Agency Leaders: Participate in the 2017 Drupal Business Survey

Mon, 26 Jun 2017 14:06:29 +0000

Surrounding Drupal is a thriving global business ecosystem and thanks to collaboration with One Shoe and Exove, we’ve created an annual survey that gives insight into its health, focus, and needs. Businesses benefit by learning from their peers and seeing Drupal’s business trends. This survey also helps the Drupal Association find new ways to help support this community. Analysis of the 2016 edition of the survey can be found here.

We encourage all business leaders to take this year’s Drupal Business Survey.  

The survey aims to provide a picture of the current Drupal Business landscape, including the health of Drupal companies, obstacles and enablers for Drupal’s business success and D8 adoption.

Participation is completely anonymous and takes fewer than 10 minutes. The first results will be presented at the Drupal CEO Dinner at DrupalCon Vienna on Wednesday, September 27th, 2017. Analysis and insights will officially be published on Drupal.org and in Drupal Watchdog Magazine.

Participate!

You can participate anytime now until July 19th, 2017.

The survey can be accessed here.




Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003

Wed, 21 Jun 2017 17:44:54 +0000

Drupal 8.3.4 and Drupal 7.56 are maintenance releases which contain fixes for security vulnerabilities.

Download Drupal 8.3.4

Download Drupal 7.56

Updating your existing Drupal 8 and 7 sites is strongly recommended (see instructions for Drupal 8 and for Drupal 7). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.4 release notes and the 7.56 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

  • Advisory ID: DRUPAL-SA-CORE-2017-003
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2017-June-21
  • Multiple vulnerabilities

Description

PECL YAML parser unsafe object handling - Critical - Drupal 8 - CVE-2017-6920

PECL YAML parser does not handle PHP objects safely during certain operations within Drupal core. This could lead to remote code execution.

File REST resource does not properly validate - Less Critical - Drupal 8 - CVE-2017-6921

The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users - Moderately Critical - Drupal 7 and Drupal 8 - CVE-2017-6922

Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

The security team has also received reports that this vulnerability is being exploited for spam purposes, similar to the scenario discussed in PSA-2016-003 for the public file system.

Versions affected

  • Drupal core 7.x versions prior to 7.56
  • Drupal core 8.x versions prior to 8.3.4

Solution

Install the latest version:

  • If you use Drupal 7.x, upgrade to Drupal core 7.56
  • If you use Drupal 8.x, upgrade to Drupal core 8.3.4

Also see the Drupal core project page.

Reported by

PECL YAML parser unsafe object handling

  • Heine Deelstra of the Drupal Security team

File REST resource does not properly validate

  • Samuel Mortenson

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

  • Greg Knaddison of the Drupal Security team
  • Mori Sugimoto of the Drupal Security team
  • iancawthorne

Fixed by

PECL YAML parser unsafe object handling

  • xjm of the Drupal Security team
  • Alex Pott of the Drupal Security team
  • Peter Wolanin of the Drupal Security team

File REST resource does not properly validate

  • Samuel Mortenson
  • Wim Leers
  • Alex Pott of the Drupal Security team
  • xjm of the Drupal Security team
  • Sascha Grossenbacher

Files uploaded by anonymous users into a private file system can be accessed by other anonymous users

  • David Rothstein of the Drupal Security team
  • Peter Wolanin of the Drupal Security team
  • Michael Hess of the Drupal Security team
  • xjm of the Drupal Security team
  • Chris McCafferty of the Drupal Se[...]



What’s new on Drupal.org? - May 2017

Tue, 20 Jun 2017 19:37:54 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. After returning from DrupalCon Baltimore at the end of April, we spent May regrouping and focusing on spring cleaning tasks. It's important for any technical team to spend time on stability and maintenance, and we used May to find improvements in these areas and look for some other efficiencies. Drupal.org updates 🎉 UTF8MB4 Support Support for the UTF8MB4 character set has been a long outstanding issue for Drupal.org and the sub-sites. This expanded character set supports supplementary characters outside of the basic unicode multilingual character plane, including symbols and emoji. Previously the use of any of these characters on Drupal.org would result in an error. This extended support has been rolled out to Drupal.org and all of the sub-sites except Groups, our legacy Drupal 6 site on LTS. Protecting Localize.Drupal.org from Spam After a spike in spam form submissions was reported (thanks Gábor!) we enabled form protection on Localize.drupal.org. Hopefully this will keep our many translation volunteers focused on the hard work of localizing Drupal, instead of on spam fighting. The techniques that spammers use to bypass protections continue to escalate, so we'll be continuing to evaluate new ways to fight spam as time goes on. Infrastructure Stability and Maintenance We spent a portion of our time in May focused on some basic infrastructure issues. One of the Drupal.org production webnodes experienced a filesystem and networking issue and had to be removed from the rotation. We performed some forensics to identify the cause of the issue, and then rebuilt the virtual machine and put it back into rotation. We also spent some time updating the remote access configuration with our data center, to make remote troubleshooting easier and more efficient for our internal team. 
Finally, we performed an audit and inventory of our owned hardware. This helped us to identify underutilized resources that we could re-purpose, and will help us more quickly on-board our new managed infrastructure services partner at the conclusion of our RFP process. Infrastructure RFP The deadline for responses to our Managed Infrastructure Services RFP was Monday May 8th. Once we'd received proposals from all participating vendors, we began our process to review those proposals internally and schedule interviews with the vendors. As we move into June this RFP process is wrapping up, and we will be announcing the results of the RFP soon. DrupalCI General Updates One of the primary features of DrupalCI is that it allows developers to test against a variety of environments. To make sure that we're more easily able to keep up with the latest PHP patch releases (e.g: 7.0.x/7.1.x/5.6.x), the PHP environment containers are now rebuilt nightly. Coding standards test results were added in April, and to make it easier for developers to see where the code standards issues appear within the code base, we're now linking the standards results to CGIT. More efficient test result saving Since we began parsing DrupalCI test results onto Drupal.org we pretty rapidly reached more than 100,000,000 database rows of test results, taking up more than 100G of database space. To make offering this service more sustainable, we've implemented changes to how we store test result data. Instead of storing complete results for ea[...]



Growing community in Moldova

Tue, 20 Jun 2017 15:03:20 +0000

This guest blog post is from Drupal Moldova's Association (not affiliated with Drupal Association). Get a glimpse of what is happening in Moldova's community and how you can get involved. Drupal Moldova Association’s mission is to promote Drupal CMS and Open Source technologies in Moldova, and to grow and sustain the local community by organising Events, Camps, Schools, Drupal meetups and various Drupal and Open Source related trainings, and by establishing partnerships with Companies, the Government, and NGO’s. Come and share your expertise in Moldova at our events! We're looking for international speakers to speak about Drupal and open source. Among DMA’s (short for Drupal Moldova Association) numerous commitments, the following are of special importance: to gather the community around Drupal and Open Source technologies; to train students and professionals who want to learn and work with Drupal; to organise events to keep the community engaged and motivated to improve, learn, and share experience; to make sure Drupal is accessible to everyone by offering scholarships to those who can't afford our programs; to elaborate a well defined program that helps students learn Drupal, acquire enough knowledge to get accepted for internships by IT companies, and be able to build Drupal powered websites;   to assist new IT companies in establishing a local office, promote themselves, collaborate with other companies, and connect with the local Drupal community by giving them the opportunity to support our projects. Over the last 5 years, we have been dedicated to achieving our goals! DMA have organized over 20 projects and events, including Drupal Global Training Days, Drupal Schools, and the regional DrupalCamp -- Moldcamp. Our projects have gathered over 700 local and international participants and speakers, and more than 15 International Companies that have supported us during these years (FFW, Adyax, IP Group, Intellix, Endava and many others). 
Moldova is rich in great developers and people driven to take initiative and to grow and place the country on the world map. We are aiming to go beyond our limits and have a bigger impact in the year (‘17-’18), therefore we have created a yearly plan that contains projects similar to those we have done in the past years, as well as new and exciting ones:

  • Drupal School (3 step program), starting with Drupal School 8 plus PHP (step 1): Drupal School is an educational program - split into 2 months, 25 courses of different levels (Beginner, Intermediate, Advanced). Drupal School aims to introduce people to Drupal 8 and PHP, and help them become Drupal professionals;

  • Moldcamp 2017: Sep - Oct 2017. A regional DrupalCamp that gathers around 150 Drupal professionals, enthusiasts, beginners and any-Drupal-related-folk in one place for knowledge-sharing, presentations, networking, etc. We will announce the event soon and allow speaker registration. Please follow us and don’t miss out on the opportunity;

  • Drupal Global Training Day: Dec 1-2. A one-day workshop that has the purpose of introducing people to Drupal, both code and community.

  • Drupal Meetups: These are organized each month and they allow our community to be active and share knowledge.

  • Tech Pizza: Jun, Aug, Oct, Dec. A bi-monthly event, where the ICT community can gather in a casual and informal environment around a pizza and soda and discuss the latest IT trends and news. Th[...]



DrupalCon Vienna t-shirts are back! - but there’s a catch.

Fri, 02 Jun 2017 14:42:28 +0000

Remember how we are making changes to DrupalCon Europe? These were hard decisions and some things we love we found just weren’t financially viable. Like free t-shirts. But one thing we heard a lot was “please don’t take away the t-shirts!”  

We heard you. And while it doesn’t make financial sense to give free t-shirts to all attendees, we still want to be able to continue to offer them. So we’ve come up with a plan.   

At DrupalCon Vienna, t-shirts will be offered to the following groups:

  • Individual Drupal Association members who register for DrupalCon Vienna between 5 - 16 June 2017. You must register in this two week window AND be an individual member of the Drupal Association.

  • Volunteers who work at least four (4) hours onsite in Vienna 26 - 29 September. You must check the volunteer box during registration and must show up on site to volunteer for four (4) hours or until released by event staff.

  • Volunteers as part of the DrupalCon Program Team

  • Sprint Mentors

The fine print FAQ

I’m already a member, how do I make sure that I'll get a shirt?

If you are already an individual member, you get a t-shirt! BUT you MUST register in the first two weeks of ticket sales. Registrations after 16 June will not receive a t-shirt, member or not.

I’m not a member, can I do that during registration and still get a shirt?

Yes. If you are not a member you can become an individual member during your conference registration. You will be presented with a page during check-out that gives you the option to become a member.

I already registered but JUST saw this post! What do I do?

If you are a true early bird and register in the two weeks, but somehow missed this news post until after registering - that’s ok. As long as you become a member before the end of 16 June, you’ll still get a t-shirt.

The registration didn’t say anything about t-shirts or ask for my t-shirt size? What’s up?

After the 16 June cut-off date, eligible registrants will receive an email confirming their t-shirt along with a link to select their t-shirt size.

You got a session selected? Great!

We’ll refund your registration amount (but not your membership) and you get to keep the t-shirt. Our regular no-refund policy applies to all other sales.

You’re part of an organization that is buying a bulk amount of tickets for employees? Lucky you.

Your organization should provide you with an individual redemption code. You’ll need to redeem your individual registration before 16 June AND also be an individual member of the Drupal Association in order to get a t-shirt.




What’s new on Drupal.org? - April 2017

Wed, 24 May 2017 15:20:15 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

At the end of April we joined the community at DrupalCon Baltimore. We met with many of you there, gave our update at the public board meeting, and hosted a panel detailing the last 6 months' worth of changes on Drupal.org. If you weren't able to join us for this con, we hope to see you in Vienna!

Drupal.org updates

DrupalCon Vienna Full Site Launched!

Speaking of Vienna, in April we launched the full site for DrupalCon Vienna which will take place from September 26-29th, 2017. If you're going to join us in Europe you can book your hotel now, or submit a session. Registration for the event will be opening soon!

DrupalCon Nashville Announced with new DrupalCon Brand

Each year at DrupalCon the location of the next conference is held as a closely guarded secret; the topic of speculation, friendly bets, and web crawlers looking for 403 pages. Per tradition, at the closing session we unveiled the next location for DrupalCon North America - Nashville, TN taking place from April 9-13th in 2018. But this year there was an extra surprise. We've unveiled the new brand for DrupalCon, which you will begin to see as the new consistent identity for the event from city to city and year to year. You'll still see the unique character of the city highlighted for each regional event, but with an overarching brand that creates a consistent voice for the event.

Starring Projects

Users on Drupal.org may now star their favorite projects - making it easier to find favorite modules and themes for future projects, and giving maintainers a new dimension of feedback to judge their project's popularity. Users can find a list of the projects they've starred on the user profile. Over time we'll begin to factor the number of stars into a project's ranking in search results.

At the same time that we made this change, we've also added a quick configuration for managing notification settings on a per-project basis. Users can opt to be notified of all issues for a project, only issues they've followed, or no issues. While these notification options have existed for some time, this new UI makes it easier than ever to control issue notifications in your inbox.

Project Browsing Improvements

One of the important functions of Drupal.org is to help Drupal site builders find the distributions, modules, and themes that are the best fit for their needs. In April, we spent some time improving project browsing and discovery. Search is now weighted by project usage so the most widely used modules for a given search phrase will be more likely to be the top result. We've also added a filter to the project browsing pages to allow you to filter results by the presence of a supported, stable release. This should make it easier for site builders to sort out mature modules from those still in initial development.

Better visual separation of Documentation Guide description and contents

In response to user feedback, we've updated the visual display of Documentation Guides, to create a clearer distinction between the guide description text and the teaser text for the content within the guides.

Promoting hosting listings on the Download & Extend page

To leverage Drupal to the fullest requires a good hosting partner, and so we've begun promoting[...]



The Process for Evolving Community Governance

Fri, 05 May 2017 18:59:46 +0000

Discover > Plan > Build > Iterate There comes a time when we must all recognize that what got us here won't get us there. Now is that time for Drupal. The governance models that were put in place to support the needs of the community years ago are no longer working as well as they should. The Drupal community has reached a level of maturity that requires greater clarity, integrity, and resilience. An effort is underway to evolve Drupal’s community governance. The Drupal community is in the driver’s seat. The Drupal Association is helping navigate and get the community where it wants to go by providing the structure, support, and resources that are desperately needed to make progress. I, Whitney Hess, have been engaged to be a neutral facilitator of this process. We are proposing a multi-phase approach to redesign Drupal’s community governance models, management, and decision-making practices: Discover > Plan > Build > Iterate. In this first phase, our goal is to gain a deeper understanding of the needs of the Drupal community. We are conducting this research through a variety of methods: one-on-one interviews with select individuals; mediated group discussions; surveys and feedback forms. We held seven hour-long Community Discussions over three days of DrupalCon. There were 6-10 participants per session. Though every session had its own energy and topics varied, all discussions were fruitful and impactful. Many participants said they left feeling better than when they arrived. While there was some discussion about recent events in the sessions, the focus quickly shifted to brainstorming ideas for how to improve Drupal’s community governance. As mediator, it is my role to help people articulate their needs, and to support the community in devising strategies to better get those needs met. Please read the meeting summaries if you would like to get a sense of what was discussed. 
There are currently seven online sessions scheduled over the next two weeks at a variety of times for the global community to participate in these facilitated discussions, and more will be scheduled if needed. If you want your voice heard, I strongly encourage you to join us. If you have questions or concerns about the sessions, you’re welcome to contact me directly at whitney@whitneyhess.com. Once these sessions are completed, we will be conducting a short survey and other types of feedback forms to have the widest possible reach. We want to ensure that people have a variety of ways to constructively contribute to making Drupal the best it can be. We expect to launch these in late-May. At the conclusion of the Discovery phase, we will move into Planning. We are at the earliest stages of conceiving a Governance Summit over 1-2 days in June to take all of the learnings from Discovery, and craft a strategy for specifically how to change Drupal’s community management and governance. As of today, we do not yet have dates, location, or participant information. We are waiting to see what comes out of Discovery before we devise any framework for how this can be achieved effectively and equitably. Again, the Drupal Association’s role here is to be a support, and to create space for the community to decide how it wants its governance to change. I have very clearly heard a need for greater transparency into this process and how dec[...]



Supporting the next evolution of Drupal's Community Governance

Fri, 21 Apr 2017 03:19:55 +0000

TL;DR: Both the community and Dries Buytaert, Project Lead, see a need to evolve Drupal community governance. The Drupal Association can help in a support role. We will start by hosting mediated community discussions so everyone around the world can participate, be heard and understood, and share their ideas. Creating a new governance model will take many months and will require an agile approach as we all feel our way through the proper steps. The Drupal Association will continue to find ways to support this process as we all move through it together. ------------- Over the last several weeks, the Drupal Association has been in listening mode — and we still are. We’re hearing community members say they need clarity and understanding, and that our community governance needs to change. As we process what we’re hearing, we want to find the best way to help the community address the issues being raised, within the boundaries of the Drupal Association charter. The Drupal Association’s mission is to unite the global community to help build and promote the software. We do that in two very specific ways: DrupalCon and Drupal.org. We’re determining how best to meet the community’s needs as it relates to these two key community homes. In the near future, I will publish blogs with ideas on how we might address the various needs we are hearing. Evolving Community Governance There is one need that we hear loud and clear that we can address today: The community needs support to evolve community governance structures and processes. Both the community at large, and Dries Buytaert, Project Lead, have expressed this need, and we are glad to see this alignment.   It’s important to note that the Drupal Association has a very limited role in community governance. Our only role in governance stems directly from our charter to manage DrupalCon and Drupal.org. It’s not within our charter to oversee community governance or drive its evolution. 
The last thing the Drupal Association wants is to step outside of our charter or accidentally take away the community’s agency in self-organizing to create the new community governance model. However, we do want to facilitate forward movement. And so, we can take a support role. We hear that many in the community want to come together to talk. We can support this by providing a meeting place (both in person and online), and a mediator for community discussions. We have asked Whitney Hess, a coach who has worked with the Drupal community before, to facilitate and mediate community discussions, where people can come together to talk about current community issues and explore ideas for improved governance. These discussions will start at DrupalCon Baltimore and continue in a series of online meetings, scheduled at different times so members around the world can participate. [see more details below] To provide transparency for those who cannot attend the discussion sessions, we will post meeting minutes and summaries from each community discussion here: https://drupal.org/community/discussions. As facilitator of these community discussions, Whitney Hess will provide a summary to give us a broad perspective on the “voice of the community.” We hope these conversations will ground the community as it begins architecting its new governance model. Once we have had the[...]



Drupal Core - Critical - Access Bypass - SA-CORE-2017-002

Wed, 19 Apr 2017 17:13:51 +0000

  • Advisory ID: DRUPAL-SA-CORE-2017-002

  • Project: Drupal core

  • Version: 8.x

  • Date: 2017-April-19

  • CVEID: CVE-2017-6919

  • Security risk: 17/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default

  • Vulnerability: Access bypass

Description

This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

  • The site has the RESTful Web Services (rest) module enabled.

  • The site allows PATCH requests.

  • An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.

CVE identifier(s) issued

  • CVE-2017-6919

Versions affected

  • Drupal 8 prior to 8.2.8 and 8.3.1.

  • Drupal 7.x is not affected.

Solution

  • If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.

  • If the site is running Drupal 8.3.0, upgrade to 8.3.1.

Also see the Drupal core project page.

Reported by

  • Samuel Mortenson

Fixed by

  • Alex Pott of the Drupal Security Team

  • xjm of the Drupal Security Team

  • Lee Rowlands of the Drupal Security Team

  • Wim Leers

  • Sascha Grossenbacher

  • Daniel Wehner

  • Tobias Stöckler

  • Nathaniel Catchpole of the Drupal Security Team

Coordinated by

  • The Drupal Security team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [...]



What's new on Drupal.org? - March 2017

Tue, 18 Apr 2017 18:02:34 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

The Drupal Association team is gearing up for DrupalCon Baltimore. We're excited to see you there and we'll be presenting a panel giving an update on our work since Dublin, and our plans for the coming months.

Drupal.org updates

Project application revamp

As we announced in mid-March, new contributors on Drupal.org can now create full projects and releases! Contributors no longer have to wait in the project application queue for a manual review before they are able to contribute projects. This is a very significant change in the Drupal contribution landscape, and it's something we approached carefully and will continue to monitor over the coming months. Drupal has always had a reputation for high quality code, and we want to make sure that reputation is preserved with good security signals, project quality signals, and continued incentives for peer code review. That said, we're very excited to see how this change opens up Drupal to a wider audience of contributors.

Please note that the removal of project applications to create full projects and releases means a change in the security advisory policy (see below for details).

Security Advisory Opt-in and new Security Signals for Projects

Are you responsible for the security of your clients' Drupal sites? Please note that Drupal's security advisory coverage policy has changed. Security advisory coverage for contributed projects is now only available for projects that have both opted in to receive coverage and made a stable release. You can see which projects have opted in by checking their project pages. If you have questions, please contact security@drupal.org.

Because users may now create full projects and releases without opting in to security advisory coverage, it's critically important that we provide good security signals to users evaluating projects on Drupal.org. This is why we've added a security coverage warning to projects that aren't opted in to coverage. We've also:

  • Opened up the opt-in process, allowing any maintainer of a project (not just the node author) to opt in to receive security advisory coverage

  • Added a confirmation step when a user goes to make a stable release - this encourages users to be sure the project is ready for a release, and to opt in to coverage if they haven't already

  • Blocked security advisory opt-in if a project has an open, public security issue

  • Started displaying info about public security issues on project pages that haven't opted into advisory coverage

  • Added a filter to project browsing pages to make it easier to find projects with supported stable releases

2017 Community Elections Update

The 2017 elections for the community-at-large seat on the board were held successfully in March. Drupal Association community board elections are conducted with the Instant Runoff Voting system. This voting methodology requires that voters rank their preferred candidates on their ballot, and we've heard that this system has been somewhat unwieldy in the past. Each year we try to improve the voter experience and so this year we deployed a new drag-and-drop ballot. Finally, we want to congratulate our newest boar[...]