Added By: Feedage Forager Feedage Grade A rated
Language: English
community  content  core  documentation  drupal org  drupal  new  org  page  project  release  security  site  time  work 
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics

Come for the software, stay for the community Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.


Nasdaq Chooses Drupal 8

Fri, 21 Oct 2016 12:47:49 +0000

Republished from


I wanted to share the exciting news that Nasdaq Corporate Solutions has selected Drupal 8 as the basis for its next generation Investor Relations Website Platform. About 3,000 of the largest companies in the world use Nasdaq's Corporate Solutions for their investor relations websites. This includes 78 of the Nasdaq 100 Index companies and 63% of the Fortune 500 companies.

What is an IR website? It's a website where public companies share their most sensitive and critical news and information with their shareholders, institutional investors, the media and analysts. This includes everything from financial results to regulatory filings, press releases, and other company news. Examples of IR websites include http://investor.starbucks.com and -- all three companies are listed on Nasdaq.

All IR websites are subject to strict compliance standards, and security and reliability are very important. Nasdaq's use of Drupal 8 is a fantastic testament for Drupal and Open Source. It will raise awareness about Drupal across financial institutions worldwide.

In their announcement, Nasdaq explained that all the publicly listed companies on Nasdaq are eligible to upgrade their sites to the next-gen model "beginning in 2017 using a variety of redesign options, all of which leverage Acquia and the Drupal 8 open source enterprise web content management (WCM) system."

It's exciting that 3,000 of the largest companies in the world, like Starbucks, Apple, Amazon, Google and ExxonMobil, are now eligible to start using Drupal 8 for some of their most critical websites. 

What's new on - September 2016

Thu, 20 Oct 2016 15:37:09 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. This month's update comes to you a couple weeks late, but only because we were on site at DrupalCon together with the community to move the project forward! DrupalCon Dublin was a great event, with the entire Drupal Association staff engaged to make DrupalCon the best place to develop your Drupal skills, learn what's coming for the project, and sprint on core and contrib. We are tremendously thankful to the community that joins us for DrupalCon, and to the incredible volunteers that help us put on the event. If you couldn't join us in person, you can still review the session recordings. Now, on to the updates! updates New homepage Certainly the most visible change to in September was the refresh of our home page. As the front door of our community home, the front page needs to be inviting to both existing community members, and people new to Drupal who are just beginning their adoption journey. The changes are more than aesthetic. We also put in place new editorial tools to give us greater flexibility with the front page itself, and with future landing pages that we hope to create in the same highly-designed, attractive style. In addition to these structural and editorial changes we made some content changes as well, cleaning up our news feed, and giving DrupalCon a new, more prominent position on the home page. And there are more updates to come! Using the same editorial tools we'll soon be rolling out additional content for Drupal evaluators - promoting proven solutions built using Drupal in specific industries. Look forward to this in the coming months. Membership campaign We used the same editorial tools that built the new homepage to build a landing page for our fall membership campaign. This campaign showcases how Drupal Association members make community cultivation grants possible - and the stories that those grants create. These community stories run to the heart of our mission - enabling our global community build connections on the local level, and extending Drupal's reach across the world. Case studies on organization profiles In September we also made a small but significant update to organization profiles. We've moved the often unwieldy index of people associated with an organization to a subpage, in order to make room for listing the case studies that an organization has created. We want to encourage Drupal organizations of all kinds to share their stories of success, especially around Drupal 8. If your organization has never created a Drupal case study before, we have some materials to teach you how to create a case study on Issue Credit Updates The issue credit system has had a remarkable impact on the community. Being able to quantify the contribution of organizations to Drupal's codebase has lead to an unprecedented level of healthy competition between organizations who support the project—each trying to outdo the other with their contributions. It has been amazing to see how generous these organizations are, sponsoring the work of committed community contributors to advance the project. To maintain this system in a healthy way, we need to monitor it carefully and make small adjustments to ensure that we're creating the right incentives for true contribution, and not a system to be gained for self-promotion. We've made a few small tweaks in september to reduce spurious re-opening of issues in order to 'reset the clock' on credits, and we have a few more fixes on the plate to keep this ecosystem healthy. We're also looking to expand the kinds of activities that receive contribution credit - so look forward to further updates on that front in the coming months. Community Initiatives Finally, here are some updates on our active community initiatives. Community initiatives are a collaboration; with dedicated community volunteers building improvements to with the architectur[...]

Technical Advisory Committee formed to modernize developer tools

Tue, 18 Oct 2016 18:37:51 +0000

(image) At DrupalCon Dublin, I spoke about The Association’s commitment to help Drupal thrive by improving the contribution and adoption journeys through our two main community assets, DrupalCon and You can see the video here.

One area I touch on was my experience as a new code contributor. Contributing my patch was a challenging, but joyous experience and I want more people to have that feeling—and I want to make it as easy as possible for others to contribute, too. It’s critical for the health of the project.

At the heart of the Drupal contributor community are our custom development tools, including the issue tracker, Git repositories, packaging, updates server, and automated testing. We believe there are many aspects of Drupal’s development workflow that have been essential to our project's success, and our current tooling reflects and reinforces our community values of self-empowerment, collaboration, and respect, which we seek to continue to uphold.

It’s time to modernize these developer tools. To support the Association with this objective The Drupal Association created a Technical Advisory Committee (TAC). The TAC consists of community members Angie Byron, Moshe Weitzman, and Steve Francia, who is also our newest Drupal Association board member. The TAC acts in an advisory role and reports to me.

Building off of the work the community has already done, the TAC is exploring opportunities to improve the tools we use to collaborate on The crux of this exploration is determining whether we should continue to rely on and invest in our self-built tools, or whether we should partner with an organization that specializes in open source tooling.

Our hope is that we will be able to bring significant improvements to our contribution experience faster by partnering with an organization willing to learn from our community and adapt their tools to those things we do uniquely well. Such a partnership would benefit both the Drupal community—with the support of their ongoing development—and potentially the broader open source community—by allowing our partner to bring other projects those aspects of our code collaboration workflow.

The TAC will use a collaborative process, working with staff and community to make a final recommendation. The TAC has already begun the process and has some very positive exploratory conversations. The TAC and staff will be communicating their progress with the community in upcoming blog posts.  

Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003

Mon, 10 Oct 2016 17:09:07 +0000


Recently the Drupal Security Team has seen a trend of attacks utilizing a site mis-configuration.
This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system. These files are publically accessible allowing attackers to point search engines and people directly to them on the site. The majority of the reports are based around the webform module, however, other modules are vulnerable to this misconfiguration as well.

For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site.

To resolve this issue:

  1. Configure upload fields that non-trusted visitors, including anonymous visitors, can upload files with, to utilize use the private file system.
  2. Ensure cron is properly running on the site. Read about setting up cron for for Drupal 7 or or Drupal 8).
  3. Consider forcing users to create accounts before submitting content.
  4. Audit your public file space to make sure that files that are uploaded there are valid.

Awareness acknowledgment

The Drupal Security Team became aware of the existence and exploits of this issue because the community reported this issue to the security team. As always, if your site has been exploited, even if the cause is a mistake in configuration, the security team is interested in hearing about the nature of the issue. We use these reports to look for trends and broader solutions.

Coordinated by

This post may be updated as more information is learned.

Contact and More Information

The Drupal security team can be reached at security at or via the contact form at

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal 8.2.0 is now available

Wed, 05 Oct 2016 09:57:28 +0000

Update: Drupal 8.2.1 is now available. Drupal 8.2.0, the second minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility. What's new in Drupal 8.2.x? This new version includes additional experimental modules to place blocks on pages, to edit configuration related to blocks without leaving the page, to create content moderation workflows, and to use date ranges. Several smaller authoring experience, site building, and REST and decoupled site improvements are included as well. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.) Download Drupal 8.2.0 Easier to place and configure blocks on pages The new experimental Place Block module allows placing blocks on any page without having to navigate to the backend administration form. After selecting the region for placement, block configuration can be adjusted in a modal dialog allowing full control of all the details. There is also a much easier way to modify block configuration, with the experimental Settings Tray module. Editing a block opens a tray in a sidebar with the block's title and other settings. For the site name block, for example, you can edit the site name directly in the sidebar. For menu blocks, you can adjust the menu there. Content moderation now included Drupal has always supported both published and unpublished content, but more granular workflow support was not available in Drupal core. The new experimental Content Moderation module, based on the contributed Workbench Moderation project, allows defining content workflow states such as Draft, Archived, and Published, as well as which roles have the ability to move content between states. Support for date ranges The Datetime module included with core only supports storing single points in time. The experimental Datetime Range module provides a new field type that also allows end dates. This is important for helping contributed modules like the Calendar module to work with Drupal 8 core. Site building, content authoring, and administrative improvements Drupal 8.2.0 also improves stable functionality for administration, site building, and authoring. Drupal now enables revisions by default for new content types, to provide better accountability, to create a "safety net" for recovering from unintended changes, and to integrate with future workflow features. Content editors will enjoy a more seamless experience, as CKEditor's built-in dialogs are now styled to match Drupal-native dialogs, and creating any entity will always display a message linking to the new entity. Other incremental enhancements include: The user interface text has been improved on numerous administrative pages. The redirection of site-wide contact forms is now configurable. The comment view mode can now be selected in the display formatter form. Relative URLs are converted to absolute ones in generated RSS feeds (ensuring that images and links work wherever the feeds are used). Administrators can now elect to remove a module's content entities in order to uninstall the module. The internal page cache has been improved for 404 responses. Platform features for web services The Drupal 8.2 release continues to expand Drupal's support for web services that benefit decoupled sites and applications, with bug fixes, simplified configuration, improved responses, and new features. It is now possible to read (GET) configuration entities like vocabularies and content types as REST resources, resolving a significant limitation for REST functionality in 8.1.x and earlier. Login, logout, and user registration are also now possible with REST. The authentication mechanism used by a REST Export Views Display is now configurable, and a cors.config service para[...]

The first annual Drupal CEO Survey reports that there is a bright future for Drupal in the enterprise segment

Thu, 29 Sep 2016 09:42:55 +0000

Results from the global Drupal CEO business survey conducted by One Shoe and Exove, in partnership with the Drupal Association, indicate that Drupal will adopt a role as an enterprise level platform. The Drupal CEO Survey has been carried out this year out for the first time and gives insights in the key issues that Drupal agency owners and company leaders worldwide face. Among the surveyed 75 Drupal companies, the C-level respondents mainly work at digital agencies (37.8%) and software companies (27%). Most of the surveyed companies were small to medium sized enterprises. Only 9.9% said they have more than 80 employees, while 21.9% reported five or less employees. A bright future for Drupal in the enterprise segment A vast majority (90.5%) believes that Drupal has reinvented itself with the release of Drupal 8, the newest version of the CMS, released in November 2015. Even though Drupal has become somewhat more complex, respondents don’t think this is a turnoff for developers (77.1%). As one respondent said, "Some developers will resent the added complexity, but I see it becoming the defacto standard for 'Enterprise' CMSs." This respondent is not the only one: 89.2% of the respondents think that the popularity of Drupal for clients will grow in the next three years. Drupal is seen as being a leader in larger enterprise deployments in the future. As one respondent stated, "Drupal will see continued growth for clients who are committed to their digital strategy and see its importance as part of their overall business goals. But it will probably tail off for clients who just need a website." Or, as another respondent sees it: "Drupal will become the platform of choice for enterprise level solutions." Drupal is popular for enterprise healthcare projects The surveyed companies serve clients in numerous industries. From enterprise perspective, the major industries are healthcare and medicine (40.0% respondents have clients from this industry), banking and insurances (38.7%), and retail (37.3%). Overall, Drupal companies also work with charities and non-profit organizations (64%), government and public administration (56.0%), media (49.3%), IT (45.3%), and arts and culture (36.0%). The cost of an enterprise solution project varies from company to company. Most of the companies (28.0%) work in 100,000 - 250,000 euro range, while 18.7% of the companies charge 250,000 - 500,000 euro. Another 18.7% charge 50,000 - 100,000 euro for an enterprise level solution built on Drupal. Only a handful of companies, 4.0%, charge between half a million and one million euro. Compared to the typical cost of enterprise level solutions, Drupal based solutions are implemented with less costs. This is due to the good fit of Drupal to the enterprise needs, flexibility of the platform, and huge amount of readymade modules. Drupal empowers growth The most important strategic priorities of the companies also focus on growth: finding the right talent, 53.3%; ensuring financial growth, 45.3%; and developing new growth strategies, 41.3%. The executives expect to face challenges in the coming three years on the same areas: finding the right talent, 59.5%; talent retention, 36.5%; and ensuring financial growth, 33.8%. While finding and retaining the talent is seen challenging, 60.0% of the respondents do not outsource work to vendors. Companies operating in Europe less use outsourcing, as 67.0% of these companies do not employ vendors. European companies outsource work to Asia (17.0%) and Europe (17.0%), while non-European companies use vendors in North America (25.0%), South America (25.0%), and Asia (19%). Also illustrating the growth-empowering aspects of Drupal is the geographical presence of companies. One third (31.1%) of the surveyed companies have offices in more than one country, and 12.0% has offices in five or more countries. Comments The survey organizers Janne Kalliola from Exove and Michel van Velde fro[...]

The transformation of Drupal 8 for continuous innovation

Wed, 28 Sep 2016 07:00:00 +0000

Republished from In the past, after every major release of Drupal, most innovation would shift to two areas: (1) contributed modules for the current release, and (2) core development work on the next major release of Drupal. This innovation model was the direct result of several long-standing policies, including our culture of breaking backward compatibility between major releases. In many ways, this approach served us really well. It put strong emphasis on big architectural changes, for a cleaner, more modern, and more flexible codebase. The downsides were lengthy release cycles, a costly upgrade path, and low incentive for core contributors (as it could take years for their contribution to be available in production). Drupal 8's development was a great example of this; the architectural changes in Drupal 8 really propelled Drupal's codebase to be more modern and flexible, but also came at the cost of four and a half years of development and a complex upgrade path. As Drupal grows — in lines of code, number of contributed modules, and market adoption — it becomes harder and harder to rely purely on backward compatibility breaks for innovation. As a result, we decided to evolve our philosophy starting after the release of Drupal 8. The only way to stay competitive is to have the best product and to help people adopt it more seamlessly. This means that we have to continue to be able to reinvent ourselves, but that we need to make the resulting changes less scary and easier to absorb. We decided that we wanted more frequent releases of Drupal, with new features, API additions, and an easy upgrade path. To achieve these goals, we adopted three new practices: Semantic versioning: a major.minor.patch versioning scheme that allows us to add significant, backwards-compatible improvements in minor releases like Drupal 8.1.0 and 8.2.0. Scheduled releases: new minor releases are timed twice a year for predictability. To ensure quality, each of these minor releases gets its own beta releases and release candidates with strict guidelines on allowed changes. Experimental modules in core: optional alpha-stability modules shipped with the core package, which allow us to distribute new functionality, gather feedback, and iterate faster on the modules' planned path to stability. Now that Drupal 8 has been released for about 10 months and Drupal 8.2 is scheduled to be released next week, we can look back at how this new process worked. Drupal 8.1 introduced two new experimental modules (the BigPipe module and a user interface for data migration), various API additions, and usability improvements like spell checking in CKEditor. Drupal 8.2 further stabilizes the migration system and introduces numerous experimental alpha features, including significant usability improvements (i.e. block placement and block configuration), date range support, and advanced content moderation — among a long list of other stable and experimental improvements. It's clear that these regular feature updates help us innovate faster — we can now add new capabilities to Drupal that previously would have required a new major version. With experimental modules, we can get features in users' hands early, get feedback quickly, and validate that we are implementing the right things. And with the scheduled release cycle, we can deliver these improvements more frequently and more predictably. In aggregate, this enables us to innovate continuously; we can bring more value to our users in less time in a sustainable manner, and we can engage more developers to contribute to core. It is exciting to see how Drupal 8 transformed our capabilities to continually innovate with core, and I'm looking forward to seeing what we accomplish next! It also raises questions about what this means for Drupal 9 — I'll cover that in a future blog post.[...]

A new look for

Wed, 21 Sep 2016 19:09:50 +0000

As you can see we've put a fresh coat of paint on - but the changes run below the surface. This latest iteration of the front page brings the key concepts of our design system to the forefront: Clean, Modern, Technical.


This change also brings new editorial tools for content editors. The new home page provides us more flexibility with content and presentation, and so you'll see more frequent updates, more information about DrupalCon, and more editorial flexibility on the home page than you've seen in the past. These tools are also helping us to build cleaner, modern landing pages - like you've just seen with our Fall Membership Campaign.

We've previewed this work with several key members of the community and the board, and we want to say thank you to everyone who's given us their feedback on this first step for our new home page. We also want to give an extra special thank you to dyannenova for her contributions to this effort.

This is just the beginning - very soon we'll have a new visual look for the case studies that are featured on the home page, and then shortly after that we'll begin promoting solutions to Drupal evaluators in specific industries, like Higher Education, Media & Publishing, and Government.

If is the home of the community, then the front page is our front door. We want to welcome new users and evaluators of Drupal, highlight the project's strengths, and promote news and happenings from throughout the ecosystem.

We hope you like the changes, and we think you'll like the upcoming iterations even more. We'd love to hear your feedback!

Drupal 8.1.10 released

Wed, 21 Sep 2016 16:33:14 +0000

Drupal 8.1.10, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

See the Drupal 8.1.10 release notes for further information.

Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. For more information about the Drupal 8.x release series, consult the Drupal 8 overview.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 8 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

Bug reports

This is the final security release for the 8.1.x series. Future maintenance releases will be made available in the 8.2.x series, according to our monthly release cycle.

Change log

Drupal 8.1.10 is a security release only. For more details, see the 8.1.10 release notes. A complete list of all changes in the upcoming 8.2.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 8.1.10 was released in response to the discovery of security vulnerabilities. Details can be found in the official security advisories:

To fix the security problem, please upgrade to Drupal 8.1.10. (Sites testing the 8.2.x release should update to 8.2.0-rc2.)

Update notes

See the 8.1.10 release notes for details on important changes in this release.

This is the final security release of the 8.1.x series. Sites should prepare to update to 8.2.0 following this release.

Known issues

See the 8.1.10 release notes for known issues.

Can Drupal outdo native applications?

Wed, 14 Sep 2016 07:00:00 +0000

Republished from I've made no secret of my interest in the open web, so it won't come as a surprise that I'd love to see more web applications and fewer native applications. Nonetheless, many argue that "the future of the internet isn't the web" and that it's only a matter of time before walled gardens like Facebook and Google — and the native applications which serve as their gatekeepers — overwhelm the web as we know it today: a public, inclusive, and decentralized common good. I'm not convinced. Native applications seem to be winning because they offer a better user experience. So the question is: can open web applications, like those powered by Drupal, ever match up to the user experience exemplified by native applications? In this blog post, I want to describe inversion of control, a technique now common in web applications and that could benefit Drupal's own user experience. Native applications versus web applications Using a native application — for the first time — is usually a high-friction, low-performance experience because you need to download, install, and open the application (Android's streamed apps notwithstanding). Once installed, native applications offer unique access to smartphone capabilities such as hardware APIs (e.g. microphone, GPS, fingerprint sensors, camera), events such as push notifications, and gestures such as swipes and pinch-and-zoom. Unfortunately, most of these don't have corresponding APIs for web applications. A web application, on the other hand, is a low-friction experience upon opening it for the first time. While native applications can require a large amount of time to download initially, web applications usually don't have to be installed and launched. Nevertheless, web applications do incur the constraint of low performance when there is significant code weight or dozens of assets that have to be downloaded from the server. As such, one of the unique challenges facing web applications today is how to emulate a native user experience without the drawbacks that come with a closed, opaque, and proprietary ecosystem. Inversion of control In the spirit of open source, the Drupal Association invited experts from the wider front-end community to speak at DrupalCon New Orleans, including from Ember and Angular. Ed Faulkner, a member of the Ember core team and contributor to the API-first initiative, delivered a fascinating presentation about how Drupal and Ember working in tandem can enrich the user experience. One of Ember's primary objectives is to demonstrate how web applications can be indistinguishable from native applications. And one of the key ideas of JavaScript frameworks like Ember is inversion of control, in which the client side essentially "takes over" from the server side by driving requirements and initiating actions. In the traditional page delivery model, the server is in charge, and the end user has to wait for the next page to be delivered and rendered through a page refresh. With inversion of control, the client is in charge, which enables fluid transitions from one place in the web application to another, just like native applications. Before the advent of JavaScript and AJAX, distinct states in web applications could be defined only on the server side as individual pages and requested and transmitted via a round trip to the server, i.e. a full page refresh. Today, the client can retrieve application states asynchronously rather than depending on the server for a completely new page load. This improves perceived performance. I discuss the history of this trend in more detail in this blog post. Through inversion of control, JavaScript frameworks like Ember provide much more than seamless interactions and perceived performance enhancements; they also offer client-side storage and offline func[...]

What's new on - August 2016

Tue, 13 Sep 2016 14:44:43 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. Our latest update about comes as the Drupal Association has moved out of our central office in Portland, OR, and gone to an all-distributed team. A move of that sort always creates some upheaval but amidst the move we've continued to push forward on several initiatives to improve At the same time we've been pushing forward towards DrupalCon Dublin at the end of September- and we hope to see you there! updates A new home page, coming soon As we recently previewed on the blog, some changes are coming to the home page. We're building some new editorial tools to allow for more flexibility with the home page content, and to enable an increased focus on the adoption journey for visitors to You'll see styles reminiscent of the Drupal 8 release announcement pages, and a continued modernization of theme. The launch of the new home page is coming soon, but as a precursor we've been making some small improvements. The new user menu which we launched in July has been updated for better keyboard accessibility, and to show a user picture as an indicator that a user has logged in. We've also moved the search feature into an icon in the top navigation. This gives us more flexibility with the header, which can be customized per-page type or per-section with the overall site search box still being present. For example, the header in the new documentation section features search box specific to this particular section, so while you are there you can search for other documentation without having to go through the full-site search and then filtering down. Lastly, we've merged the 'Get Started' and 'Download & Extend' pages. 90% of the content on these pages was duplicated with each other - and the new page presents a cleaner experience with the essential details needed for getting started with Drupal. The new front page is beginning editorial review, with the help of DA staff, a marketing task-force from the Drupal Association board, and a few key community members. We've also just launched our fall membership campaign, and we've used this opportunity to beta test some of these new editorial tools to build the campaign landing page. Your support makes our work possible. Thank you! Documentation There's some news to report on the documentation front as well. Firstly, as mentioned above, we've updated the header of the documentation section to default to a documentation-specific search box. While not so important for other areas of the site,, we want to preserve and improve the highly-visible, in context search for Documentation. We've also made some updates to the new system for Documentation maintainers. Authors of new documentation guides will now automatically become maintainers of those guides and automatically 'follow' the guide content so that they will receive notifications of activity in that guide. Any user following a guide can modify notifications settings at any time from their user profile. Within the notification settings a user can select their prefered method of receiving updates - via email or via their tracker page. Tvn has continued to spearhed the migration of documentation from the old book pages, to our new documentation system. We have completed the migration of the majority of the 'general' documentation. While that is done, there is still a lot of work to do to make the documentation content better using the new tools that are now available. We need community volunteers to take on small sub-sets of documentation to clean them up post-migration and to maintain going forward. If you don't want to commit to maintaining a guide, you c[...]

Drupal 8.2.0-rc1 is available for testing

Wed, 07 Sep 2016 22:07:38 +0000

The first release candidate for the upcoming Drupal 8.2.0 release is now available for testing. With Drupal 8, we made major changes in our release process, adopting semantic versioning and scheduled releases. This allows us to make significant improvements to Drupal 8 in a timely fashion while still providing backwards compatibility. Drupal 8.2.0 is the second such update, expected to be released October 5. Download Drupal-8.2.0-rc1 8.2.x includes many REST improvements; new experimental modules for content moderation, block placement, a sidebar to configure site elements in place, and end date support; and many other features and improvements. You can read a detailed list of improvements in the announcements of beta1, beta2, and beta3. What does this mean to me? For Drupal 8 site owners The final bugfix release of 8.1.x has been released. 8.1.x will receive no further releases following 8.2.0, and sites should prepare to update from 8.1.x to 8.2.x in order to continue getting bug and security fixes. Use update.php to update your 8.1.x sites to the 8.2.x series, just as you would to update from (e.g.) 8.1.4 to 8.1.5. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.) For module and theme authors Drupal 8.2.x is backwards-compatible with 8.1.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.2.x, and test modules and themes with the release candidate now. For translators Some text changes were made since Drupal 8.1.0. automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations. For core developers All outstanding issues filed against 8.1.x are automatically migrated to 8.2.x now. Future bug reports should be targeted against the 8.2.x branch. 8.3.x will remain open for new development during the 8.2.x release candidate phase. For more information, see the beta and release candidate phase announcement. Your bug reports help make Drupal better! Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet. [...]

Who sponsors Drupal development?

Tue, 06 Sep 2016 17:32:58 +0000

Republished from There exist millions of Open Source projects today, but many of them aren't sustainable. Scaling Open Source projects in a sustainable manner is difficult. A prime example is OpenSSL, which plays a critical role in securing the internet. Despite its importance, the entire OpenSSL development team is relatively small, consisting of 11 people, 10 of whom are volunteers. In 2014, security researchers discovered an important security bug that exposed millions of websites. Like OpenSSL, most Open Source projects fail to scale their resources. Notable exceptions are the Linux kernel, Debian, Apache, Drupal, and WordPress, which have foundations, multiple corporate sponsors and many contributors that help these projects scale. We (Dries Buytaert is the founder and project lead of Drupal and co-founder and Chief Technology Officer of Acquia and Matthew Tift is a Senior Developer at Lullabot and Drupal 8 configuration system co-maintainer) believe that the Drupal community has a shared responsibility to build Drupal and that those who get more from Drupal should consider giving more. We examined commit data to help understand who develops Drupal, how much of that work is sponsored, and where that sponsorship comes from. We will illustrate that the Drupal community is far ahead in understanding how to sustain and scale the project. We will show that the Drupal project is a healthy project with a diverse community of contributors. Nevertheless, in Drupal's spirit of always striving to do better, we will also highlight areas where our community can and should do better. Who is working on Drupal? In the spring of 2015, after proposing ideas about giving credit and discussing various approaches at length, added the ability for people to attribute their work to an organization or customer in the issue queues. Maintainers of Drupal themes and modules can award issues credits to people who help resolve issues with code, comments, design, and more. A screenshot of an issue comment on You can see that jamadar worked on this patch as a volunteer, but also as part of his day job working for TATA Consultancy Services on behalf of their customer, Pfizer.'s credit system captures all the issue activity on This is primarily code contributions, but also includes some (but not all) of the work on design, translations, documentation, etc. It is important to note that contributing in the issues on is not the only way to contribute. There are other activities—for instance, sponsoring events, promoting Drupal, providing help and mentoring—important to the long-term health of the Drupal project. These activities are not currently captured by the credit system. Additionally, we acknowledge that parts of Drupal are developed on GitHub and that credits might get lost when those contributions are moved to For the purposes of this post, however, we looked only at the issue contributions captured by the credit system on What we learned is that in the 12-month period from July 1, 2015 to June 30, 2016 there were 32,711 issue credits—both to Drupal core as well as all the contributed themes and modules—attributed to 5,196 different individual contributors and 659 different organizations. Despite the large number of individual contributors, a relatively small number do the majority of the work. Approximately 51% of the contributors involved got just one credit. The top 30 contributors (or top 0.5% contributors) account for over 21% of the total credits, indicating that these individuals put an incredible amount of time and effort in developing Drupal and its contributed modules: Rank Username[...]

Documentation overhaul

Tue, 30 Aug 2016 16:11:34 +0000

One of the biggest content areas on—and one of the most important assets of any open source project—is documentation. Community-written Drupal documentation consists of about 10,000 pages. Preparations for the complete overhaul of the documentation tools were in the works for quite some time, and in the recent weeks we finally started to roll out the changes on the live site. Background Improving documentation on has been a part of a larger effort to restructure content on the site based on content strategy we developed. The new section comes after a few we launched earlier in the year. It also uses our new visual system, which will slowly expand into other areas. Goals and process The overall goal for the new Documentation section is to increase the quality of the community documentation. On a more tactical level, we want to: Introduce the concept of "maintainers" for distinct parts of documentation Flatten deep documentation hierarchy Split documentation per major Drupal version Notify people about edits or new documentation Make comments more useful To achieve those goals, we went through the following process: First, we wrote a bunch of user stories based on our user research and the story map exercise we went through with the Documentation Working Group members. Those stories cover all kinds of things different types of users do while using documentation tools. We then wireframed our ideas for how the new documentation system should look and work. We ran a number of remote and in person usability testing sessions on those wireframes. Our next step was to incorporate the feedback, update our wireframes, and create actual designs. And then we tested them again, in person, during DrupalCamp London. Incorporated feedback again, and started building. The new system So, how does the new documentation system work exactly? It is based on two new content types: Documentation guide: a container content type. It will group documentation pages on a specific topic, and provide an ability to assign 'maintainers' for this group of pages (similar to maintainers for contributed projects). Additionally, users will be able to follow the guide and receive notifications about new pages added or existing pages edited. Documentation page: a content type for the actual documentation content. These live inside of documentation guides. Example of a new documentation guide All of the documentation is split per major Drupal version, which means every documentation guide or page lives inside of one of a few top level 'buckets', e.g. Drupal 7 documentation, Drupal 8 documentation. It is also possible to connect guides and pages to each other via a 'Related content' field, which should make it easier to discover relevant information. One of our next to-do’s is to provide an easy way to connect documentation guides to projects, enabling 'official' project documentation functionality. More information on various design decisions we made for the new documentation system, and the reasons behind them, can be found in our DrupalCon New Orleans session (slides). Current status Right now, we have the new content types and related tools ready on We are currently migrating existing documentation (all 10,000 pages!) into the new system. The first step is generic documentation (e.g. 'Structure Guide'), with contributed projects documentation to follow later. While working on the migration, we are recruiting maintainers for the new guides. If you are interested in helping out, sign up in the issue. Please only sign up if you actually have some time to work on documentation in the near future. There is a lot of work to be done post-migration (both by guide maintainers and[...]

Upcoming Changes to the Front Page

Wed, 24 Aug 2016 18:22:46 +0000

In recent weeks we've been making several small changes to precursors to bigger things to come. First, we moved the user activity links to a user menu in the header. Next, we're moving the search function from the header to the top navigation. These changes aren't just to recover precious pixels so you can better enjoy those extra long issue summaries—these are the first step towards a new front page on

As the Drupal 8 life-cycle has moved from development, to release, to adoption, we have adapted to support the needs of the project in the moment. And today, the need of the moment is to support the adoption journey.

As we make these changes you'll see echoes of the visual style we used when promoting the release of Drupal 8.

  • The Drupal wordmark region will help to define Drupal, and promote trying a demo.

  • A ribbon will promote contextual CTAs like learning more about Drupal 8.

  • The news feed will be tweaked.

  • DrupalCon will have a permanent home on the front page.

  • Community stats and featured case studies will be carried over(but may evolve).

  • The home page sponsorship format may change.

  • We'll be phasing in a new font throughout the site: Ubuntu - which you've already seen featured in the new Documentation section.

Here's a teaser

… a sneak preview of some new page elements and styles you'll see in the new home page.  


Our first deployment will introduce the new layout and styles. Additional changes will follow as we introduce content to support our turn towards the adoption journey. Drupal evaluators beginning their adoption journey want to know who uses Drupal, and what business needs Drupal can solve. We will begin promoting specific success stories: solutions built in Drupal to meet a concrete need.

What's next?

We're continuing to refine our content model and editorial workflow for the new front page. You'll see updates in the change notifications as we get closer to deployment.

Wondering why we're making these changes now? This turn towards the adoption journey is part of our changing priorities for the next 12 months.

Drupal 8.2, now with more outside-in

Tue, 23 Aug 2016 19:14:41 +0000

Republished from Over the weekend, Drupal 8.2 beta was released. One of the reasons why I'm so excited about this release is that it ships with "more outside-in". In an "outside-in experience", you can click anything on the page, edit its configuration in place without having to navigate to the administration back end, and watch it take effect immediately. This kind of on-the-fly editorial experience could be a game changer for Drupal's usability. When I last discussed turning Drupal outside-in, we were still in the conceptual stages, with mockups illustrating the concepts. Since then, those designs have gone through multiple rounds of feedback from Drupal's usability team and a round of user testing led by Cheppers. This study identified some issues and provided some insights which were incorporated into subsequent designs. Two policy changes we introduced in Drupal 8—semantic versioning and experimental modules—have fundamentally changed Drupal's innovation model starting with Drupal 8. I should write a longer blog post about this, but the net result of those two changes is ongoing improvements with an easy upgrade path. In this case, it enabled us to add outside-in experiences to Drupal 8.2 instead of having to wait for Drupal 9. The authoring experience improvements we made in Drupal 8 are well-received, but that doesn't mean we are done. It's exciting that we can move much faster on making Drupal easier to use. In-place block configuration As you can see from the image below, Drupal 8.2 adds the ability to trigger "Edit" mode, which currently highlights all blocks on the page. Clicking on one — in this case, the block with the site's name — pops out a new tray or sidebar. A content creator can change the site name directly from the tray, without having to navigate through Drupal's administrative interface to theme settings as they would have to in Drupal 7 and Drupal 8.1. Making adjustments to menus In the second image, the pattern is applied to a menu block. You can make adjustments to the menu right from the new tray instead of having to navigate to the back end. Here the content creator changes the order of the menu links (moving "About us" after "Contact") and toggles the "Team" menu item from hidden to visible. In-context block placement In Drupal 8.1 and prior, placing a new block on the page required navigating away from your front end into the administrative back end and noting the available regions. Once you discover where to go to add a block, which can in itself be a challenge, you'll have to learn about the different regions, and some trial and error might be required to place a block exactly where you want it to go. Starting in Drupal 8.2, content creators can now just click "Place block" without navigating to a different page and knowing about available regions ahead of time. Clicking "Place block" will highlight the different possible locations for a block to be placed in. Next steps These improvements are currently tagged "experimental". This means that anyone who downloads Drupal 8.2 can test these changes and provide feedback. It also means that we aren't quite satisfied with these changes yet and that you should expect to see this functionality improve between now and 8.2.0's release, and even after the Drupal 8.2.0 release. As you probably noticed, things still look pretty raw in places; as an example, the forms in the tray are exposing too many visual details. There is more work to do to bring this functionality to the level of the designs. We're focused on improving that, as well as the underlying architecture and accessibility. Once we feel good about how it a[...]

Drupal goes to Rio

Tue, 16 Aug 2016 07:00:00 +0000

Republished from


As the 2016 Summer Olympics in Rio de Janeiro enters its second and final week, it's worth noting that the last time I blogged about Drupal and the Olympics was way back in 2008 when I called attention to the fact that Nike was running its sponsorship site on Drupal 6 and using Drupal's multilingual capabilities to deliver their message in 13 languages.

While watching some track and field events on television, I also spent a lot of time on my laptop with the NBC Olympics website. It is a site that has run on Drupal for several years, and this year I noticed they took it up a notch and did a redesign to enhance the overall visitor experience.

Last week NBC issued a news release that it has streamed over one billion minutes of sports via their site so far. That's a massive number!

I take pride in knowing that an event as far-reaching as the Olympics is being delivered digitally to a massive audience by Drupal. In fact, some of the biggest sporting leagues around the globe run their websites off of Drupal, including NASCAR, the NBA, NFL, MLS, and NCAA. Massive events like the Super Bowl, Kentucky Derby, and the Olympics run on Drupal, making it the chosen platform for global athletic organizations.



What’s new on - July 2016

Fri, 12 Aug 2016 15:49:15 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. The Drupal Association engineering team has been continuing to refine our focus for the next 12 months. In July, we worked through the details of setting new priorities for our work, after the organizational changes earlier this summer. As part of this prioritization process, we've set up a technical advisory committee: a collaboration between a few members of the staff, a representative from the board, and two members from the community. This committee will help us refine the roadmap for for the short term—while the Association is focused on fiscal health and sustainability—and will provide strategic vision for the long term, as our fiscal stability improves. As a result of these changes, you'll begin to see our updates in this blog series evolve. Expect a greater focus on: The adoption journey for users evaluating Drupal. Systematic improvements to make maintenance of critical services less labor intensive and more affordable. Community initiatives, where we're working together with community contributors who want to help us improve So without further ado, let's talk about what we did in July. updates User Menu We've moved the user activity links (Login/Register, My Dashboard, My Account, etc.) to a user menu in the top navigation. This change is live on and all of the sub-sites that use the Bluecheese theme. The immediate effects of this change are a better look and feel and more vertical space for content on every page. But these weren’t the primary motivation. The larger reason for making this change is that it’s the first incremental step towards upcoming editorial changes on More incremental changes will follow in August, including accessibility improvements to this new user menu and a new search icon to replace the embedded search box in the header. Better Packaging Behavior One of the basic features of's project hosting is packaging the code committed to our git repositories and providing tar.gz and zip files of releases. The packaging process, while generally reliable, has had its share of infrequent but persistent quirks and race conditions. In July, we fixed several aspects of packaging to eliminate race conditions and reduce the need for human intervention if it runs off the rails. The changes we made were: Storing and using commit file hashes instead of relying on timestamps to find files changed since the last packaging run. Considering the committer date for packaging. Update project release tables immediately when packaging occurs. Taken together, these changes have made packaging faster, more efficient, and less prone to race conditions that require staff time to fix. Supporting Drupal 8.2 Drupal 8.2 is coming soon, scheduled for release on October 5th. The beta period for this point release began on August 3rd, and so towards the end of July we spent some time supporting the Core developers who were trying to get their features ready for inclusion in the beta period. In particular, we updated PhantomJS to version 2.1.1 in our DrupalCI containers, to allow Core developers to test javascript interactions for file uploads—part of the new quick edit features targetted for this point release. Deprecated unstable releases In July, we also deprecated the use of the “unstable” release tag for projects hosted on Per our naming conventions, the unstable tag was intended to represent a releas[...]

City of Boston launches on Drupal

Thu, 21 Jul 2016 17:00:00 +0000

Republished from Yesterday, the City of Boston launched its new website,, on Drupal. Not only is Boston a city well-known around the world, it has also become my home over the past 9 years. That makes it extra exciting to see the city of Boston use Drupal. As a company headquartered in Boston, I'm also extremely proud to have Acquia involved with The site is hosted on Acquia Cloud, and Acquia led a lot of the architecture, development, and coordination. I remember pitching the project in the basement of Boston's City Hall, so seeing the site launched less than a year later is quite exciting. The project was a big undertaking, as the old website was 10 years old and running on Tridion. The city's digital team, Acquia, IDEO, Genuine Interactive, and others all worked together to reimagine how a government can serve its citizens better digitally. It was an ambitious project as the whole website was redesigned from scratch in 11 months; from creating a new identity, to interviewing citizens, to building, testing and launching the new site. Along the way, the project relied heavily on feedback from a wide variety of residents. The openness and transparency of the whole process was refreshing. Even today, the city made its roadmap public at and is actively encouraging citizens to submit suggestions. This open process is one of the many reasons why I think Drupal is such a good fit for More than 20,000 web pages and one million words were rewritten in a more human tone to make the site easier to understand and navigate. For example, rather than organize information primarily by department (as is often the case with government websites), the new site is designed around how residents think about an issue, such as moving, starting a business or owning a car. Content is authored, maintained, and updated by more than 20 content authors across 120 city departments and initiatives. The new is absolutely beautiful, welcoming and usable. And, like any great technology endeavor, it will never stop improving. The City of Boston has only just begun its journey with—I’m excited see how it grows and evolves in the years to come. Go Boston! Last night, there was a launch party to celebrate the launch of It was an honor to give some remarks about this project alongside Boston mayor, Marty Walsh (pictured above), as well as Lauren Lockwood (Chief Digital Officer of the City of Boston) and Jascha Franklin-Hodge (Chief Information Officer of the City of Boston).[...]

Drupal 8.1.7 released

Mon, 18 Jul 2016 14:00:09 +0000

Drupal 8.1.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

See the Drupal 8.1.7 release notes for further information.

Download Drupal 8.1.7

Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. For more information about the Drupal 8.1.x release series, consult the Drupal 8 overview.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 8 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

Bug reports

Drupal 8.1.x is actively maintained, so more maintenance releases will be made available, according to our monthly release cycle.

Change log

Drupal 8.1.7 is a security release only. For more details, see the 8.1.7 release notes. A complete list of all changes in the stable 8.1.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 8.1.7 was released in response to the discovery of security vulnerabilities. Details can be found in the official security advisories:

To fix the security problem, please upgrade to Drupal 8.1.7.

Update notes

See the 8.1.7 release notes for details on important changes in this release.

Known issues

See the 8.1.7 release notes for known issues.

Drupal Core - Highly Critical - Injection - SA-CORE-2016-003

Mon, 18 Jul 2016 13:53:22 +0000

Advisory ID: DRUPAL-SA-CORE-2016-003 Project: Drupal core Version: 8.x Date: 2016-July-18 Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Proof/TD:Default Vulnerability: Injection Description Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at CVE identifier(s) issued CVE-2016-5385 Versions affected Drupal core 8.x versions prior to 8.1.7 Solution Install the latest version: If you use Drupal 8.x, upgrade to Drupal core 8.1.7 If you use Drupal 7.x, Drupal core is not affected. However you should consider using the mitigation steps at since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess: RequestHeader unset Proxy We also suggest mitigating it as described here: Also see the Drupal core project page. What if I am running Drupal core 8.0.x? Drupal core 8.0.x is no longer supported. Update to 8.1.7 to get the latest security and bug fixes. Why is this being released Monday rather than Wednesday? The Drupal Security Team usually releases Security Advisories on Wednesdays. However, this vulnerability affects more than Drupal, and the authors of Guzzle and reporters of the issue coordinated to make it public Monday. Therefore, we are issuing a core release to update to the secure version of Guzzle today. Contact and More Information The Drupal security team can be reached at security at or via the contact form at Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site. Follow the Drupal Security Team on Twitter at Front page news: Planet DrupalDrupal version: Drupal 8.x[...]

What’s new on - June 2016

Fri, 15 Jul 2016 15:20:03 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. In June the Drupal Association had our annual staff retreat, where the remote team members joined the Portland, OR team for a three day retreat. This year's retreat was particularly important as we found our feet as a smaller, leaner team, and focused on our organizational roadmap for the next twelve months. For the engineering team in particular, our focus will be on maintaining the critical systems that make project successful: issue queues, updates, testing, packaging, etc, while at the same time finding new ways to support and enable Drupal's evolution. These were some heady days, but even as we worked through the best ways to continue serving the Drupal community on a strategic level in June, we also found the time to keep making a better home. updates Documentation Migration A long running initiative this year has been the creation of a new Documentation system for, a topic we've touched on in many prior updates as it has begun to come online. We are very happy to say that we are moving to the next stage of the documentation project: moving from development to migration. In June tvn recruited several volunteers to join our documentation migration team, and to become some of the first maintainers for the new Documentation Guides. General documentation, such as Understanding Drupal, Structure Guide, etc. will be migrated first. Documentation for contributed projects will follow in the coming weeks. Maintainers of contributed projects, who currently have their documentation on, will be added as maintainers to respective documentation guides and are encouraged to clean/tidy up their documentation post-migration. if you are interested in helping, or sign up as a maintainer for some of the new documentation guides. Composer Repositories are now in Beta's Composer repositories allow developers building sites with Drupal to use the Composer command line tool for dependency management. In June we collected feedback from a variety of users, as well as the community volunteers who assisted us with the Composer Community Initiative. We spent the month iterating quickly on the alpha implementation: fixing bugs and rebuilding the meta data to ensure that users get consistent and expected results. Because of those fixes, and after gathering yet more feedback from the community, we were able to move the Composer repositories to beta. We encourage you to begin transitioning your composer based workflows to use's composer facade. Package names are stable, and downtimes will be planned and announced. For more information on how to use's Composer repositories, read our documentation. Better issue credit tools for maintainers The issue credit system is a unique innovation of our community. By allowing users to attribute their contributions as volunteers, to their employers, or to client customers, we have an insight into the contribution ecosystem for Drupal that is unparalleled among open source projects. We've also already seen the impact of incentivizing organizations to give back to Drupal, by using the credit system as the basis for organization rankings in the marketplace. In June we added two new tools for maintainers to improve how they grant credit to users. Firstly, maintainers can now deselect the automa[...]

Drupal contrib - Highly Critical - Remote code execution PSA-2016-001

Tue, 12 Jul 2016 15:18:59 +0000

Update: Release Annoucements

The following modules have security releases that are now available, listed in order of severity. There are no more releases planned for today.


There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). These contributed modules are used on between 1,000 and 10,000 sites. The Drupal Security Team urges you to reserve time for module updates at that time because exploits are expected to be developed within hours/days. Release announcements will appear at the standard announcement locations.

Drupal core is not affected. Not all sites will be affected. You should review the published advisories on July 13th 2016 to see if any modules you use are affected.

Contact and More Information

The Drupal security team can be reached at security at or via the contact form at

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at

Edited to add: approximate usage of the modules, links to the final releases, that there are no more releases for today..

Drupal version: 

Drupal 7.50 released

Thu, 07 Jul 2016 18:28:17 +0000

Drupal 7.50, the next release in the Drupal 7 series, is now available for download. It contains a variety of new features, improvements, and bug fixes (no security fixes). Wait... Drupal 7.50? Yes, there is a version jump compared to the previous 7.44 release; this is to indicate that this Drupal 7 point release is a bit larger than past ones and makes a few more changes and new features available than normal. Updating your existing Drupal 7 sites is recommended. Backwards compatibility is still being maintained, although read on to find out about a couple of changes that might need your attention during the update. Download Drupal 7.50 Notable changes There are a variety of new features, performance improvements, security-related enhancements (although no fixes for direct security vulnerabilities) and other notable changes in this release. The release notes provide a comprehensive list, but here are some highlights. New "administer fields" permission added for trusted users The administrative interface for adding and configuring fields has always been something that only trusted users should have access to. To make that easier, there is now a dedicated permission which is required (in addition to other existing administrative permissions) to be able to access the field UI. For example, you can now assign the "administer taxonomy" permission (but withhold the new "administer fields" permission) to allow low-level administrators to manage taxonomy terms but not change their field structure. Read the change record for more information. Protection against clickjacking enabled by default Clickjacking is a technique a malicious site owner can use to attempt attacks on other sites, by embedding the victim's site into an iframe on their own site. To stop this, Drupal will now prevent your site from being embedded in an iframe on another domain. This is the default behavior, but it can be adjusted if necessary; see the change record to find out more. Support for full UTF-8 (emojis, Asian symbols, mathematical symbols) is now possible on MySQL If content creators on your site have been clamoring to use emojis, it's now possible on Drupal sites running MySQL (it was previously possible on PostgreSQL and SQLite). Turning this capability on requires the database to meet certain requirements, plus editing the site's settings.php file and potentially other steps, as described in the change record. Improved support for recent PHP versions, including PHP 7 Drupal core's automated test suite is now fully passing on a variety of environments where there were previously some failures (PHP 5.4, 5.5, 5.6, and 7). We have also fixed several bugs affecting those versions. These PHP versions are officially supported by Drupal 7 and recommended for use where possible. Because PHP 7 is the newest release (and not yet used on many production sites) extra care should still be taken with it, and there are some known bugs, especially in contributed modules (see the discussion for more details). However anecdotal evidence from a variety of users suggests that Drupal 7 can be successfully used on PHP 7, both before and after the 7.50 release. Improved performance (and new PHP warnings) when Drupal is trying to find a file that does not exist When Drupal cannot find a file that it expects to be in the filesystem, it will no longer continually search for it on a large number of page requests (previously, this could significantly hurt [...]

A roadmap for making Drupal more API-first

Thu, 07 Jul 2016 14:06:50 +0000

Republished from In one of my recent blog posts, I articulated a vision for the future of Drupal's web services, and at DrupalCon New Orleans, I announced the API-first initiative for Drupal 8. I believe that there is considerable momentum behind driving the web services initiative. As such, I want to provide a progress report, highlight some of the key people driving the work, and map the proposed vision from the previous blog post onto a rough timeline. Here is a bird's-eye view of the plan for the next twelve months: 8.2 (Q4 2016) 8.3 (Q2 2017) Beyond 8.3 (2017+) New REST API capabilities Waterwheel initial release New REST API capabilities JSON API module GraphQL module? Entity graph iterator? New REST API capabilities Wim Leers (Acquia) and Daniel Wehner (Chapter Three) have produced a comprehensive list of the top priorities for the REST module. We're introducing significant REST API advancements in Drupal 8.2 and 8.3 in order to improve the developer experience and extend the capabilities of the REST API. We've been focused on configuration entity support, simplified REST configuration, translation and file upload support, pagination, and last but not least, support for user login, logout and registration. All this work starts to address differences between core's REST module and various contributed modules like Services and RELAXed Web Services. More details are available in my previous blog post. Many thanks to Wim Leers (Acquia), Daniel Wehner (Chapter Three), Ted Bowman (Acquia),Alex Pott (Chapter Three), and others for their work on Drupal core's REST modules. Though there is considerable momentum behind efforts in core, we could always benefit from new contributors. Please consider taking a look at the REST module issue queue to help! Waterwheel initial release As I mentioned in my previous post, there has been exciting work surrounding Waterwheel, an SDK for JavaScript developers building Drupal-backed applications. If you want to build decoupled applications using a JavaScript framework (e.g. Angular, Ember, React, etc.) that use Drupal as a content repository, stay tuned for Waterwheel's initial release later this year. Waterwheel aims to facilitate the construction of JavaScript applications that communicate with Drupal. Waterwheel's JavaScript library allows JavaScript developers to work with Drupal without needing deep knowledge of how requests should be authenticated against Drupal, what request headers should be included, and how responses are molded into particular data structures. The Waterwheel Drupal module adds a new endpoint to Drupal's REST API allowing Waterwheel to discover entity resources and their fields. In other words, Waterwheel intelligently discovers and seamlessly integrates with the content model defined on any particular Drupal 8 site. A wider ecosystem around Waterwheel is starting to grow as well. Gabe Sullice, creator of the Entity Query API module, has contributed an integration of Waterwheel which opens the door to features such as sorts, conditions and ranges. The Waterwheel team welcomes early adopters as well as those working on other REST modules such as JSON API and RELAXed or using native HTTP clients in JavaScript frameworks to add their own integrations to the mix. Waterwheel is the currently the work of Matt Grill (Acquia) and Preston So (Acquia), who are developing the Ja[...]

Drupal is for ambitious digital experiences

Wed, 29 Jun 2016 07:00:00 +0000

Republished from What feelings does the name Drupal evoke? Perceptions vary from person to person; where one may describe it in positive terms as "powerful" and "flexible," another may describe it negatively as "complex." People describe Drupal differently not only as a result of their professional backgrounds, but also based on what they've heard and learned. If you ask different people what Drupal is for, you'll get many different answers. This isn't a surprise, because over the years the answers to this fundamental question have evolved. Drupal started as a tool for hobbyists building community websites, but over time it's evolved to support large and sophisticated use cases. Perception is everything Perception is everything; it sets expectations and guides actions and inactions. We need to better communicate Drupal's identity, demonstrate its true value, and manage its perceptions and misconceptions. Words do lead to actions. Spending the time to capture what Drupal is for could energize and empower people to make better decisions when adopting, building, and marketing Drupal. Truth be told, I've been reluctant to define what Drupal is for, as it requires making trade-offs. I've feared that we'd make the wrong choice or limit our growth. Over the years, it's become clear that not defining what Drupal is used for leaves more people confused, even within our own community. For example, because Drupal evolved from a simple tool for hobbyists to a more powerful digital experience platform, many people believe that Drupal is now "for the enterprise." While I agree that Drupal is a great fit for the enterprise, I personally never loved that categorization. It's not just large organizations that use Drupal. Individuals, small startups, universities, museums, and non-profits can be equally ambitious in what they'd like to accomplish, and Drupal can be an incredible solution for them. Defining what Drupal is for Rather than using "for the enterprise," I thought "for ambitious digital experiences" was a good phrase to describe what people can build using Drupal. I say "digital experiences" because I don't want to confine this definition to traditional browser-based websites. As I've stated in my Drupalcon New Orleans keynote, Drupal is used to power mobile applications, digital kiosks, conversational user experiences, and more. Today I really wanted to focus on the word "ambitious." "Ambitious" is a good word because it aligns with the flexibility, scalability, speed and creative freedom that Drupal provides. Drupal projects may be ambitious because of the sheer scale (e.g. The Weather Channel), their security requirements (e.g. The White House), the number of sites (e.g. Johnson & Johnson manages thousands of Drupal sites), or specialized requirements of the project (e.g. the New York MTA powering digital kiosks with Drupal). Organizations are turning to Drupal because it gives them greater flexibility, better usability, deeper integrations, and faster innovation. Not all Drupal projects need these features on day one—or needs to know about them—but it is good to have them in case you need them later on. "Ambitious" also aligns with our community's culture. Our industry is in constant change (responsive design, web services, social media, IoT), and we never look away. Drupal 8 was a very ambitious release; a reboot that too[...]

Drupal 8.1.3 and 7.44 released

Wed, 15 Jun 2016 19:32:53 +0000

Drupal 8.1.3 and 7.44, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 8.1.3 and Drupal 7.44 release notes for further information. Download Drupal 8.1.3 Download Drupal 7.44 Upgrading your existing Drupal 8 and 7 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 8.1.x release series, consult the Drupal 8 overview. More information on the Drupal 7.x release series can be found in the Drupal 7.0 release announcement. Security vulnerabilities Drupal 8.1.3 and 7.44 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory: Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002 To fix the security vulnerabilities, please upgrade to either Drupal 8.1.3 or Drupal 7.44. Change log Drupal 8.1.3 is a security release only. For more details, see the 8.1.3 release notes. A complete list of all changes in the stable 8.1.x branch can be found in the git commit log. Drupal 7.44 is a security release only. For more details, see the 7.44 release notes. A complete list of all changes in the stable 7.x branch can be found in the git commit log. Update notes See the 8.1.3 and 7.44 release notes for details on important changes in each release. Known issues See the 8.1.3 and 7.44 release notes for details on known issues affecting each release. Security information We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list. Drupal 8 and 7 include the built-in Update Manager module, which informs you about important updates to your modules and themes. Bug reports Both Drupal 8.1.x and 7.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle. [...]

DrupalCI: Continuous Integration Testing for

Wed, 08 Jun 2016 22:40:13 +0000

Why test? The goal of automated testing is confidence: confidence in application stability, and confidence that new features work as intended. Continuous integration as a philosophy is about speeding the rate of change while keeping stability. As the number of contributing programmers increase, the need to have automated testing as a means to prove stability increases. This post is focused on how the automated testing infrastructure on works, not actually writing tests. Much more detail about how to write tests during Drupal development can be found in community documentation: Testing (D7 and D8) / SimpleTest (D6) Drupal's implementation of PHPUnit Categories of testing DrupalCI essentially runs two categories of tests: Functional tests (also called blackbox testing) are the most common type of test run on DrupalCI hardware. These tests run assertions that test functionality by installing Drupal with a fresh database and then exercising that installation by inserting data and confirming the assertions complete. Front-end tests and behavior driven tests (BDD) tend to be functional. Upgrade tests are a type of functional tests that run a full installation of Drupal, then run upgrade commands. Unit tests run assertions that test a unit of code and do not require a database installation. This means they execute very quickly. Because of its architecture, Drupal 8 has much more unit test coverage than Drupal 7. These test categories can be broken down further into more specific test types. What testing means at the scale of Drupal Drupal 8, with its 3,000+ core contributors and 7,288 contrib developers (so far), needs testing as a means to comfortably move forward code that everyone can trust to be stable. Between January and May 2016, 90,364 test runs were triggered in DrupalCI. That is about 18,000 test runs requested per month. Maintainers set whether they want tests to run on demand, with every patch submitted, or nightly. They also determine what environments those tests will run on; there are 6 combinations of PHP and database engines available for maintainers to choose from. The majority of these test runs are Drupal 8 tests at this point. (19,599 core tests and 47,713 contrib project tests were run during those 5 months.) Each test costs about 12 cents to run on Amazon Web Services. At the time of writing this post, we averaged around $2,000 per month in testing costs for our community. (Thank you supporters!) An overly simple history of automated testing for Drupal Automated testing first became a thing for Drupal contributed projects during Drupal version 4.5 with the introduction of the SimpleTest module. It was not until Drupal 6 that we started manually building out testbots and running these tests on hardware. In Drupal 7, SimpleTest was brought into Drupal Core. (More information about what that took can be reviewed in the SimpleTest Roadmap for Drupal 7.) In Drupal 8, PHPUnit testing was added to Drupal Core. PHPUnit tests are much faster than a full functional test in SimpleTest—though still triggers a combination of these test types in Drupal 8. The actual implementation of automated testing was much more complicated than this history suggests. The original testbot infrastructure that ran for 7 years on hardware was manually managed by som[...]

Matthew Lechleider Community Spotlight

Tue, 07 Jun 2016 14:38:50 +0000

Matthew Lechleider (Slurpee) has been active in the Drupal community for over a decade, and his hard work has directly led to an incredible amount of community growth. The founder of a Chicago Drupal User Group and our community’s chief advocate for the Google Summer of Code and Google Code-In programs, Matthew has been a key part of growing the Drupal project and our global community. Here's his Drupal story. “In 2005, I was a full-time university student working at an internet service provider so I could put myself through school,” Matthew said. “I was working as a network/systems person, and since I was at an ISP we had a lot of people calling us and asking the same questions over and over. At the time, I knew bit about web development and programming, and I thought, ‘I bet I could make a website that would answer these people’s questions.’ And that’s how I found Drupal. I proposed it to my boss, and the next thing I knew I was working on a full-time project getting paid to work with Drupal 4. I built the website and it was really popular— and we noticed that the phone calls went down. We were tracking our support calls at the 24-hour call center, and when people called for help, we would refer them to the website as a resource. So it really was a big help." After that, the next steps were logical for Matthew. He put together a Drupal meet-up at his Chicago-based company. The group grew quickly each month, and in no time at all, people were asking about training and “Introduction to Drupal” classes. "I started teaching those classes,” Matthew said, "and then next thing you know, people were asking for private trainings and businesses were asking me to come to their offices and train new Drupal developers. When the people I was training came back with advanced questions, I realized how much money they were making, so in 2008 I went from being a network engineer to focusing on Drupal full-time. Since then, I’ve started a Drupal business and worked on some very big projects." "I never thought I would be a web developer, but I fell into Drupal, saw how great and easy it was, and decided it was a good thing to be a part of,” Matthew added. Over his time in Drupal, Matthew has converted a lot of Chicagoan web developers into Drupal users. “It's pretty cool to be part of something bigger than yourself,” Matthew said. “It's like a big tidal wave — I feel like I’ve been riding this Drupal wave for a long time. I didn’t think I’d still be work with Drupal this many years later." Why Slurpee? Many people in the community know Matthew only by his user username, Slurpee. But how did he come by that handle? "I was probably eight or nine years old, learning about computers, and I had some nicknames I was playing around with. But it’s like that movie ‘Hackers’: you have to have your handle, you have to have your identity. It was the middle of a hot July in the summer, and as I was figuring out what I should call myself, I realized I had bout 20 empty slurpee cups surrounding my computer. I really do like slurpees. So that’s where that came from." Drupal 8 As a long-time Drupal user and evangelist, Matthew is incredibly excited for Drupal 8. " I have a traditional programming background in computer science, and Drupal wasn’t always [...]

What’s new on - May 2016

Mon, 06 Jun 2016 20:16:41 +0000

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. The team is back from New Orleans and thankful for the time we had to spend with the community, attending sessions, presenting sessions of our own, and sprinting with you throughout the Con. As individuals, we’re all members of the community, and as an organization we're proud to hold the home of the community in trust. Because of DrupalCon North America, May is always a busy month for the Association engineering team. We're preparing our sessions, ensuring that the testbots will be running smoothly for DrupalCon sprints, and polishing new features and ideas to share with the community. Here's what's new: updates Composer repositories moving towards stable At the end of April, we launched the Alpha of our Composer façade, providing Composer repository endpoints on for Drupal 8 and Drupal 7. At DrupalCon New Orleans, we gave a presentation on the architecture of the Composer façade, and our plans for next steps. We also received some great feedback from users who helped us test the alpha release, and in May we've focused on moving Composer from an alpha release to a more stable environment suitable for use on production Drupal sites. We'll be following up soon with a more detailed blog post about Composer, when that more stable release is available. If you want to help test the Composer service, you can learn more about's Composer repositories. New documentation content types As previewed in our session at DrupalCon New Orleans, we're modernizing Drupal documentation with two new content types: Guides, and Documentation Pages. Documentation Pages will be organized in Guides, which will be curated by maintainers. We're also bringing a new visual design to documentation, re-organizing documentation by major version of Drupal, and developing a call-outs feature to help highlight key information like best practices or important changes in minor versions. In May, we made an initial deployment of these content types to, though access is presently restricted to administrators while we work with the Documentation Working Group to sort out our initial migration plan. In June, we hope to deploy a migration tool, allowing users to convert existing documentation Book Pages and their children into the new Guides and Documentation Pages. CKEditor We've also deployed CKEditor to The WYSIWYG editor is now available on the Section, Page, and Post content types, as well as the incoming Documentation Guide and Documentation Page types. CKEditor brings a more robust editorial experience to, and as it gets wider use we’ll expand it to additional content types. We also want to allow time for the Dreditor maintainers to update to support the change. As a long-term goal, we hope that some of the features of Dreditor may be reimplemented as CKEditor plugins and directly available to every user without the use of a 3rd party browser extension. Sustaining support and maintenance DrupalCon Dublin full site launched At DrupalCon New Orleans, we launched the full site for DrupalCon Dublin. The call for papers is open now, as is regi[...]