Drupal News

Goodbye Project Applications, Hello Security Advisory Opt-in

  • Any user on Drupal.org who has accepted our Git usage policy may now create full projects with releases. This is a big change in policy for the Drupal project, representing an evolution of the contribution ecosystem in the past half a decade.

    What was the Project Application Process?

    Ever since the days when Drupal's code was hosted in CVS there has been some form of project application process in the Drupal Community. To prevent duplicate, low-quality, insecure, or otherwise undesirable projects from flooding Drupal, users would submit sandbox projects to an application queue to be reviewed by a group of volunteers.

    After resolving any issues raised in this review process, the user would be given the git vetted role, allowing them to promote their sandbox to a full project, claim a namespace, and create releases. Once a user had been vetted for their first project, they would remain vetted and be able to promote any future projects on their own, without submitting an additional application.

    The Problem

    Unfortunately, though the project application process was created with the best of intentions, in the long term it proved not to be sustainable. Drupal grew too fast for a group of volunteer reviewers to keep up with reviewing new projects, and at times there were applications waiting in queue for 6 months to 1 year, or even more. That is much too slow in the world of software development.

    This put Drupal in a difficult situation. After years of subjecting new projects and contributors to a rigorous standard of peer review, Drupal has a well-deserved reputation for code quality and security. Unlike many open source projects, we largely avoided the problem of having many duplicate modules that exist to serve the same purpose. We unified our community’s effort, and kept up a culture of collaboration and peer review. At the same time, many would-be contributors were unable or unwilling to navigate the application process and so simply chose not to contribute.

    The question became, how could we preserve the emphasis on quality while at the same time removing the barrier to contribution that the application process had become?

    Constraints on a solution

    Opening the contribution gates while retaining strong signals about code quality and security was a tricky problem. We established three constraints on a solution:

    1. We need to welcome new contributors, and eliminate the walls that prevent contribution.
    2. We need to continue to send strong signals about security coverage to users evaluating whether to use modules from Drupal.org.
    3. We need to continue our strong emphasis on quality and collaboration through changes to project discovery that will provide new signals about code quality, and by providing incentives and credit for peer review.
    The Solution

    In collaboration with the community, the security team, members of the board, and staff we outlined a solution in four phases:

    Phase 1: Send strong signals about security advisory coverage.
    • We updated project pages to include messaging and a shield icon to indicate whether a project received security advisory coverage from the security team.
    • We now serve security advisory coverage information in the Updates status information provided by Drupal.org, and we're working on a patch to display that information directly on the updates page of users' Drupal sites.

    Here are some examples of what these security signals look like on project pages:

    If a project is not opted in to security advisory coverage, this message will appear at the top of the project page:

    And this one will appear near the download table:

    If a project has opted in, this message will appear near the download table:

    And covered releases will show the coverage icon (note how the stable 7.x release has coverage and the 8.x release candidate does not):

    Phase 2: Set up an opt-in process for security advisory coverage
    • Previously any project with a stable release would receive security advisory coverage from the security team. As we opened the gates for anyone to promote full projects, the security team needed an opt in process so that they could enforce an extra level of vetting on projects that wish to receive advisory coverage.
    • We agreed to repurpose the project application queue to be a queue for vetting users for the ability to opt their projects in to receive security advisory coverage. Now that this process has been decoupled from creating full projects, the security team may revise it in future–in collaboration with staff and the community.
    • Now a project maintainer must opt in their project to receive advisory coverage and make a stable release in order to receive security advisory coverage from the security team.

    Once a maintainer has been vetted by the security advisory opt in process, they can edit their project and use this field set to opt-in:

    Phase 3: Open the gate to allow users to create full projects with releases without project applications.

    This is the milestone we've just reached!

    Phase 4: Provide both automated code quality signals, as well as incentives for peer review of projects - and factor these into project discovery
    • We are working on this phase of the project in the issue queues, and we appreciate your feedback and ideas!
    What is the new process?

    So in the end - what is the new process if you want to make a contribution by hosting a project on Drupal.org?

    1. You must have a Drupal.org account, and you must accept the git terms of service.
    2. You can create a sandbox or a full project
    • Note: We still strongly recommend that project maintainers begin with sandbox projects, until they are sure they will be able to commit to supporting the project as a full project, and until the code is nearly ready for an initial release.
    • That said, you can promote a sandbox project to a full project at any time, to reserve your name space and begin making releases.

    At this point, you will have a full project on Drupal.org, and will be able to make releases that anyone can use on their Drupal site. The project will not receive security advisory coverage, and a warning that the project is not covered will appear on the project page and in the updates information.

    If you want to receive security advisory coverage for your project, you will need to take these additional steps:

    1. You must apply for vetted status in the security advisory coverage queue.
    2. Members of the security team or other volunteers will review your application - and may suggest changes to your project.
    3. Once feedback is resolved, you will be granted the vetted role and be able to opt in this project, and any future projects you create, to receive security advisory coverage.
      • Note: Only *stable* releases receive security advisory coverage, so even after opting your project in you will not receive the advisory coverage shield except on stable releases.
    What comes next?

    Now that the project application process is no more, the gates are open. We are already seeing an uptick in projects created on Drupal.org, and have seen some projects that had migrated to other places (like GitHub) migrate back to Drupal.org. We can expect to see contributions from some great developers who previously felt gate-kept out of the community. We will also see an uptick in contributions that need work, from new developers and others who are still learning Drupal best practices.

    That is why our next focus will be on providing good code quality signals for projects on Drupal.org. We want to provide both automated signals of code quality, and new incentives for peer review from existing members of the community. We're outlining that plan in the issue queues, and we welcome your feedback and contributions.

    We also still have work to do to communicate this well. This is a big change for the Drupal community and so we want to make people aware of this change in every channel that we can.

    Finally, after such a significant change, we're going to need to monitor the contrib ecosystem closely. We're going to learn a lot about the project in the next several months, and it's likely there will be additional follow ups and other changes that we'll need to make.  

    Special Thanks

    There are many, many contributors on Drupal.org who have put in time and effort to help make the contribution process better for new contributors to Drupal - the deepest thanks to all of you for your insight and feedback. We'd also like to specifically thank those who participated in the Project Application Revamp, including:

    3 months 1 week ago

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001

  • Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

    Download Drupal 8.2.7

    Update your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. See the 8.2.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

    • Advisory ID: DRUPAL-SA-CORE-2017-001
    • Project: Drupal core
    • Version: 8.x
    • Date: 2017-March-15
    Description Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377

    When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.

    Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379

    Some administrative paths did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

    Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381

    A 3rd party development library including with Drupal 8 development dependencies is vulnerable to remote code execution.

    This is mitigated by the default .htaccess protection against PHP execution, and the fact that Composer development dependencies aren't normal installed.

    You might be vulnerable to this if you are running a version of Drupal before 8.2.2. To be sure you aren’t vulnerable, you can remove the /vendor/phpunit directory from the site root of your production deployments.

    Solution

    Update to Drupal 8.2.7

    Reported by Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377 Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379 Remote code execution - Drupal 8 - Remote code execution - Moderately Critical - CVE-2017-6381 Fixed by Editor module incorrectly checks access to inline private files - Drupal 8 - Access Bypass - Critical - CVE-2017-6377 Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site Request Forgery - Moderately Critical - CVE-2017-6379 Remote code execution - Drupal 8 - Remote code execution -Moderately Critical - CVE-2017-6381 Updates

    Updated the above text to link to the correct update directions.

    Contact and More Information

    The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

    Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

    Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

    3 months 2 weeks ago

Making Drupal upgrades easy forever

  • Republished from buytaert.net, please post your comments there.

    One of the key reasons that Drupal has been successful is because we always made big, forward-looking changes. As a result, Drupal is one of very few CMSes that has stayed relevant for 15+ years. The downside is that with every major release of Drupal, we've gone through a lot of pain adjusting to these changes. The learning curve and difficult upgrade path from one major version of Drupal to the next (e.g. from Drupal 7 to Drupal 8) has also held back Drupal's momentum. In an ideal world, we'd be able to innovate fast yet provide a smooth learning curve and upgrade path from Drupal 8 to Drupal 9. We believe we've found a way to do both!

    Upgrading from Drupal 8.2 to Drupal 8.3

    Before we can talk about the upgrade path to Drupal 9, it's important to understand how we do releases in Drupal 8. With the release of Drupal 8, we moved Drupal core to use a continuous innovation model. Rather than having to wait for years to get new features, users now get sizeable advances in functionality every six months. Furthermore, we committed to providing a smooth upgrade for modules, themes, and distributions from one six-month release to the next.

    This new approach is starting to work really well. With the 8.1 and 8.2 updates behind us and 8.3 close to release, we have added some stable improvements like BigPipe and a new status report page, as well as experimental improvements for outside-in, workflowslayouts, and more. We also plan to add important media improvements in 8.4.

    Most importantly, upgrading from 8.2 to 8.3 for these new features is not much more complicated than simply updating for a bugfix or security release.

    Upgrading from Drupal 8 to Drupal 9

    After a lot of discussion among the Drupal core committers and developers, and studying projects like Symfony, we believe that the advantages of Drupal's minor upgrade model (e.g. from Drupal 8.2 to Drupal 8.3) can be translated to major upgrades (e.g. from Drupal 8 to Drupal 9). We see a way to keep innovating while providing a smooth upgrade path and learning curve from Drupal 8 to Drupal 9.

    Here is how we will accomplish this: we will continue to introduce new features and backwards-compatible changes in Drupal 8 releases. In the process, we sometimes have to deprecate the old systems. Instead of removing old systems, we will keep them in place and encourage module maintainers to update to the new systems. This means that modules and custom code will continue to work. The more we innovate, the more deprecated code there will be in Drupal 8. Over time, maintaining backwards compatibility will become increasingly complex. Eventually, we will reach a point where we simply have too much deprecated code in Drupal 8. At that point, we will choose to remove the deprecated systems and release that as Drupal 9.

    This means that Drupal 9.0 should be almost identical to the last Drupal 8 release, minus the deprecated code. It means that when modules take advantage of the latest Drupal 8 APIs and avoid using deprecated code, they should work on Drupal 9. Updating from Drupal 8's latest version to Drupal 9.0.0 should be as easy as updating between minor versions of Drupal 8. It also means that Drupal 9 gives us a clean slate to start innovating more rapidly again.

    Why would you upgrade to Drupal 9 then? For the great new features in 9.1. No more features will be added to Drupal 8 after Drupal 9.0. Instead, they will go into Drupal 9.1, 9.2, and so on.

    To get the most out of this new approach, we need to make two more improvements. We need to change core so that the exact same module can work with Drupal 8 and 9 if the module developer uses the latest APIs. We also need to provide full data migration from Drupal 6, 7 and 8 to any future release. So long as we make these changes before Drupal 9 and contributed or custom modules take advantage of the latest Drupal 8 APIs, up-to-date sites and modules may just begin using 9.0.0 the day it is is released.

    What does this mean for Drupal 7 users?

    If you are one of the more than a million sites successfully running on Drupal 7, you might only have one more big upgrade ahead of you.

    If you are planning to migrate directly from Drupal 7 to Drupal 9, you should reconsider that approach. In this new model, it might be more beneficial to upgrade to Drupal 8. Once you’ve migrated your site to Drupal 8, subsequent upgrades will be much simpler.

    We have more work to do to complete the Drupal 7 to Drupal 8 data migration, but the first Drupal 8 minor release that fully supports it could be 8.4.0, scheduled to be released in October 2017.

    What does this mean for Drupal developers?

    If you are a module or theme developer, you can continually update to the latest APIs each minor release. Avoid using deprecated code and your module will be compatible with Drupal 9 the day Drupal 9 is released. We have plans to make it easy for developers to identify and update deprecated code.

    What does this mean for Drupal core contributors?

    If you are a Drupal core contributor and want to introduce new improvements in Drupal core, Drupal 8 is the place to do it! With backwards compatibility layers, even pretty big changes are possible in Drupal 8.

    When will Drupal 9 will be released?

    We don't know yet, but it shouldn't matter as much either. Innovative Drupal 8 releases will go out on schedule every six months and upgrading to Drupal 9 should become easy. I don't believe we will release Drupal 9 any time soon; we have plenty of features in the works for Drupal 8. Once we know more, we'll follow up with more details.

    Thank you

    Special thanks to Alex Bronstein, Alex Pott, Gábor Hojtsy, Nathaniel Catchpole and Jess (xjm) for their contributions to this post.

    3 months 2 weeks ago

DrupalCon Baltimore: Learn how to delight your customers

  • Join us at DrupalCon Baltimore from April 24-28 for a week of inspiration, networking, and learning. Meet Drupal experts and industry leaders who will share new ways to create digital experiences that delight customers, citizens, students, patients, and more.

    The event offers programming for decision makers (CIO/Director) as well as digital teams (developers, project managers, site builders, content strategists). Be sure to check out these suggested sessions for both audiences.

    Top Five Reasons To Attend DrupalCon
    • Get inspired! Hear Dries Buytaert’s vision for digital transformation and Drupal.
    • Network with peers at 4 industry summits and case study sessions on Bluecross Blueshield, Cornell University, Mass.gov, NBA, Quicken, YMCA, and more.
    • Level up your team's skill with 10 trainings and 161 sessions taught by Drupal masters.
    • Find solution partners. Visit the exhibit hall to meet Drupal’s robust vendor ecosystem.
    • Be Amazed. Meet the open source community that powers Drupal.

    Register today. Prices increase March 24th. Attendees can come for the week or just for a day. Plus, the Baltimore Convention Center is easy to reach - just 30 minutes from Baltimore Washington Airport and 15 minutes from the Amtrak Station.

    We look forward to seeing you at DrupalCon Baltimore!

    3 months 2 weeks ago

What’s new on Drupal.org? - February 2017

  • Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

    Drupal.org updates Industry Pages Launched

    After a great deal of preparation, user research, and content development we've launched the first three 'Drupal in your Industry' pages. These first three pages highlight the power of Drupal in Media and Publishing, Higher Education, and Government. Each of these pages uses geo-targeted content to reach audiences in: the Americas; Europe, the Middle East, and Africa; and the Asia Pacific, Australia and New Zealand regions.

    These pages are targeted at evaluators of Drupal in these specific industries. From our research, we've found that these evaluators typically have Drupal on their short list of technology choices, but are not familiar with how a complete solution is built on Drupal, and they're eager to see success stories from their industry peers.

    We'll be expanding on this initiative with additional industry pages as time goes on.

    Project Application Revamp

    In February we completed phases 1 and 2 of the Project Application Process Revamp. This has meant polishing up the security advisory coverage messages that are provided on project pages, adding a new field for vetted users to opt-in to advisory coverage for their projects, and adding security advisory coverage information to the updates xml served from Drupal.org. With these issues complete we'll be able to move forward with Phase 3 (opening the project promotion gates) and Phase 4 (improving code quality signals and incentivizing peer review) as we roll into March.

    [Author's note] The project application revamp hit a major milestone in early March with the completion of Phase 3. Now, any user who has accepted the git terms of service may now promote sandbox projects to full projects with releases, and the application process has been re-purposed for vetting users who want the ability to opt into security advisory coverage for their projects. Look for more information in our upcoming March post.

    2017 Community Elections are Live

    On February 1 we opened self-nominations for one of the two community-at-large seats on the Drupal Association Board of Directors. At the time of this post, self-nominations have closed and now it's time to vote!.

    Each year we make incremental improvements to the elections process. This year we've allowed each candidate to present a short 'statement of candidacy' video - and we've updated the ballot to allow easy drag-and-drop ranking of candidates.

    Voting closes on March 18th, so make sure to vote soon!

    Documentation polish, and new "call-out" templates

    As the migration of content into the new documentation system continues, we've continued to polish and improve the tools. In February we made a few small improvements including: help text for maintainers and fixes for links to the discuss page in email notifications. We also made one large improvement: Call-out templates for highlighting warning information or version-specific notes within a documentation page. These templates are available using the CKEditor Templates button when editing any documentation page.

    The documentation editor may select from the 'Warning note' template, which will highlight cautionary information in a visually distinct orange section on the page, or the 'Version-specific note' template, which allows users to highlight information that may only be relevant to a specific minor release of Drupal.

    Here are two examples of what the call-outs will look like to a documentation reader.

    DrupalCI Coding standards testing

    DrupalCI continues to accelerate the pace of Drupal development as we make the system more efficient and add new features. In February we enhanced the coding standards testing that was added DrupalCI in January. Using PHPCodeSniffer, ESlint, and CSSlint coding standards results are available in the test results' Build Artifacts directory, including automatically generated patches to fix found issues. We've also begun displaying summary information about coding standards testing on Drupal.org test results. Again we'd like to thank community contributor mile23 for his work on this feature.

    More useful error output

    We also made DrupalCI's error output more detailed, to make it more immediately clear to developers what the issue with a particular patch might be. Developers will now see messages on the test result bubbles, for example a 'patch failed to apply' error rather than a generic 'CI error' message.

    Community Initiatives Contrib Documentation Migration

    We want to continue to encourage Project maintainers to create documentation guides on their projects using the new documentation content types. Maintainers can then migrate their old documentation content into these new guides, or create new documentation pages. For more information about this process, please consult our guide to contrib documentation.

    Help port Dreditor features to Drupal.org

    Are you a Drupal.org power user who relies on Dreditor? Markcarver is currently leading the charge to port Dreditor features to Drupal.org, and invites anyone interested in contributing to join him in #dreditor on freenode IRC or the Dreditor GitHub.

    Infrastructure Special note: Drupal Association seeks Infrastructure Services vendor

    We'd also like to announce a Request for Information. The Drupal Association seeks an infrastructure services vendor to help us manage the underlying infrastructure that supports Drupal.org, our sub-sites, and the services we maintain. Our internal engineering team will continue to manage the sites and services themselves, while this vendor will help us with systems administration, virtual machine management, monitoring and pager responsibilities, disaster recovery, etc.

    For more details about this request for information, please see our post on the Association blog.

    ———

    As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association. Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

    3 months 3 weeks ago

The full circle of Drupal adoption

  • The Engineering Team provides support to many community members and everyone at the Association. Every day, the team helps people who are at different stages of the Drupal adoption journey. As part of our membership campaign, we're taking a close look at how the team makes an impact throughout this cycle through the work to support a few different Association programs.

    Industry Pages: convincing decision makers to adopt Drupal

    The team played a key role in the Industry Pages project—from conception to execution. The industry pages help decision makers see how Drupal achieves the vision Dries' set forth when he described Drupal as the platform for ambitious digital experiences.

    The first three industry pages for media and publishing, higher education, and government are now on Drupal.org. These pages tell stories of success with Drupal for three verticals with geo-targeted content to show our global audience the solutions that are most meaningful to them. We plan to learn from this project and to expand into new verticals. By highlighting what Drupal can do for you, and connecting decision makers to service providers and industry peers, the industry pages are a powerful tool for leading the way to wider adoption.

    Drupal Jobs: wider adoption leads to more career opportunities

    The team is responsible for Drupal Jobs, the subsite dedicated to helping employers and job seekers connect for Drupal-related opportunities. Ever since Drupal Jobs launched in 2015, it has helped increase awareness of the Drupal project. As the pool of employers grows, so do the career opportunities. When more Drupal jobs are available, our ecosystem grows. Wider Drupal adoption becomes possible.

    DrupalCon: Events site brings us full circle

    DrupalCon unites our global community and people who want to know more about the project. On the Events site, the engineering team supports everyone—event organizers who post content, speakers who submit sessions, and attendees who register using Drupal Commerce and CoD. With a great UX on con sites and fun theme implementation, we show users what Drupal can do for you.

    Around we go, thanks for coming along

    As the adoption journey goes full circle and we see these efforts continue to help maintain and grow a strong ecosystem, we appreciate that you are coming along with us. To help sustain the work of the Drupal Association, join as a member. Thank you!

    3 months 3 weeks ago

It's Time To Vote - Community Elections

  • Voting is now open for the 2017 At-Large Board positions for the Drupal Association!  If you haven't yet, check out the candidate profiles including their short videos found on the profile pages. Get to know your candidates, and then get ready vote.

    Cast Your Vote!

    How does voting work? Voting is open to all individuals who have a Drupal.org account by the time nominations open and who have logged in at least once in the past year.

    To vote, you will rank candidates in order of your preference (1st, 2nd, 3rd, etc.). The results will be calculated using an "instant runoff" method. For an accessible explanation of how instant runoff vote tabulation works, see videos linked in this discussion.

    Elections will be held from 6 March, 2017 through 18 March, 2017. During this period, you can review and comment on the candidate profiles.

    Have questions? Please contact me: Megan Sanicki

    3 months 3 weeks ago

Saving time and money for the Drupal community

  • As you know, we've been highlighting the work of the Drupal Association Engineering Team during our membership campaign. Every day, this small team moves the needle forward so that we all have a better experience as users of Drupal.org. In this post, we explore how the team's recent work results in faster, less expensive Drupal development.  

    Helping Drupal development move faster with DrupalCI

    DrupalCI testbots are the next generation of testing infrastructure for Drupal.org, funded by the Drupal Association and maintained by the Engineering team. For any project on the site, DrupalCI testing can be enabled from the Automated Testing link on the Project page. Every time a contribution to the Drupal project needs to be tested, DrupalCI spins up a testbot on AWS to test those changes. The DrupalCI testbots are helping Drupal contributors to test patches faster than ever before and they are more cost effective than our last generation testbots, both in price-per-test and in expense to maintain.

    In recent months, we've added a number of new features including:

    We're proud to say that our work on DrupalCI has increased the speed of Drupal development, saving time and money!

    We'd also like to thank the volunteers who've helped us to bring this project to life: Mile23, jthorson, nick_schuch, dasrecht, ricardoamaro, mikey_p, chx, shyamala, webchick, and jhedstrom.

    Want to keep up with the engineering team? Subscribe to change notifications so you can see ongoing improvements.

    Making the greatest impact with member and donor funds with a leaner Drupal.org

    Drupal.org is more portable and maintainable because of updates in 2016 that streamline our infrastructure. We've virtualized the majority of the infrastructure and standardized on Debian 8 images. We've also updated our configuration and user management from Puppet 3 + LDAP to Puppet 4 + Hiera. Dev sites are more robust and we can create staging and development environments faster than before.

    All of this makes Drupal.org more cost-effective to run, easier to maintain, and increases our development velocity when we're working on new features to support the community. These efficiencies help to conserve membership and donor funds for other programs to help the Drupal community, like fiscal sponsorship for camps, and Community Cultivation Grants.

    Improving developers' lives by supporting Composer workflows for Drupal

    Composer is the defacto standard for managing dependencies in the PHP world. Over the course of 2016, the Drupal Association Engineering Team developed Composer endpoints for Drupal allowing Drupal developers to use Composer to manage dependencies, and allowing PHP developers at large to manage Drupal as part of their larger PHP projects in this standard workflow.

    Composer is a force multiplier for enterprise site owners and developers within the Drupal community and at large. By supporting Composer, we've further opened Drupal to the wider PHP community, thus bringing new people into the fold to contribute.

    A big thanks to everyone who helped with Composer: seldeak - the creator of Composer and Packagist.org, webflo - the creator and maintainer of http://packagist.drupal-composer.org, timmillwood, dixon_, badjava, cweagans, tstoeckler, mile23, and also Appnovation, who sponsored the initial development of Drupal.org's composer endpoints.

    A more secure home for the Drupal community

    Keeping Drupal.org secure is also the responsibility of the Drupal Association Engineering Team (though we rely on some trusted volunteers to help - thanks, mlhess and basic!). From heartbleed, to dirtycow, to cloudbleed - the team is always ready to respond when a vulnerability is disclosed. But the team is not just reactive - they also take proactive steps to keep Drupal.org and all our users' data safe. From ensuring that most of our servers are only available to each other on a back-end network, to putting in protections against DDOS attacks, to building anti-spam tools to prevent bad actors from registering accounts on the site- the Engineering Team is looking to prevent problems before they happen.

    We'll keep at it, with your support

    Every day, we're on call to keep Drupal.org running and improving. The list of small changes we make to have a big impact on your Drupal.org experience grows by the day. You can help sustain the work of the Drupal Association by joining as a member. Thank you!

    3 months 4 weeks ago

Drupal 8.3.0-rc1 is available for testing

  • The first release candidate for the upcoming Drupal 8.3.0 release is now available for testing. Drupal 8.3.0 is expected to be released April 5.

    Download Drupal-8.3.0-rc1

    8.3.x includes new experimental modules for workflows, layout discovery and field layouts; raises stability of the BigPipe module to stable and the Migrate module to beta; and includes several REST, content moderation, authoring experience, performance, and testing improvements among other things. You can read a detailed list of improvements in the announcements of alpha1 and beta1.

    What does this mean to me? For Drupal 8 site owners

    The final bugfix release of 8.2.x has been released. A final security release window for 8.2.x is scheduled for March 15, but 8.2.x will receive no further releases following 8.3.0, and sites should prepare to update from 8.2.x to 8.3.x in order to continue getting bug and security fixes. Use update.php to update your 8.2.x sites to the 8.3.x series, just as you would to update from (e.g.) 8.2.4 to 8.2.5. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.)

    For module and theme authors

    Drupal 8.3.x is backwards-compatible with 8.2.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.3.x, and test modules and themes with the release candidate now.

    For translators

    Some text changes were made since Drupal 8.2.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations.

    For core developers

    All outstanding issues filed against 8.2.x were automatically migrated to 8.3.x. Future bug reports should be targeted against the 8.3.x branch. 8.4.x will remain open for new development during the 8.3.x release candidate phase. For more information, see the release candidate phase announcement.

    Your bug reports help make Drupal better!

    Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet.

    3 months 4 weeks ago

Meet the Drupal Association At-Large Board Member Candidates

  • Did you know you have a say in who is on the Drupal Association Board? Each year, the Drupal community votes in a member who serves two years on the board. It’s your chance to decide which community voice you want to represent you in discussions that set the strategic direction for the Drupal Association. Go here for more details.

    Voting takes place from March 6 - March 18. Anyone who has a Drupal.org profile page and has logged in to their account in the last year is eligible to vote. This year, there are many candidates from around the world. Now it’s time for you to meet them.

    Meet the candidates

    We just concluded the phase where 13 candidates nominated themselves for the board seat. From now through March 4, 2017 we encourage you to check out each person’s candidate profile, where they explain which board discussion topics they are most passionate about and what perspectives they will bring to the board.

    This year, we asked candidates to include a short video - a statement of candidacy - that summarizes why you should vote for them. Be sure to check them out. Videos are found in the candidate’s profile as well as here:

    What To Consider

    When reviewing the candidates, it is helpful to know what the board is focusing on over the next year or two, so you can decide who can best represent you.

    Here are the key topics the board will focus on.

    • Strengthening Drupal Association’s sustainability. The board discusses how the Association can improve its financial health while expanding its mission work.

    • Understanding what the Project needs to move forward and determine how the Association can help meet those needs through Drupal.org and DrupalCon.

    • Growing Drupal adoption through our own channels and partner channels.

    • Developing the strategic direction for DrupalCon and Drupal.org.

    There are certain duties that a candidate must be able to perform as a board member. The three legal obligations are duty of care, duty of loyalty, and duty of obedience. In addition to these legal obligations, there is a lot of practical work that the board undertakes. These generally fall under the fiduciary responsibilities and include:

    • Overseeing Financial Performance

    • Setting Strategy

    • Setting and Reviewing Legal Policies

    • Fundraising

    • Managing the Executive Director

    Hopefully providing this context gives you a helpful way to assess the candidates as you decide how to vote from March 6 - March 18.

    We encourage you to ask the candidates questions. Use comments to leave a question on their candidate profile page.

    4 months 4 days ago

Pages