6 January 2016 was a memorable day for the Drupal community. Probably for the first time since Drupalgeddon, a vulnerability with the potential to affect millions of websites was discovered. The report on the insecure Drupal update process, published by IOActive, got immediate traction and responses from Acquia, the Drupal Security Team and major players in the community.
As update automation and security are Drop Guard's only focus and business model, we feel responsible for providing our answer to each of the issues.
Issue #1 (part 1): Incorrect update statuses
Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.
This issue affects the display of the core or contrib update status on the "Available updates" screen, in case the update information is not properly fetched from Drupal.org.
First, Drop Guard users don't need to have the Update module enabled at all (one less module enabled, huh!), as they delegate the heavy lifting of update detection entirely to Drop Guard.
Second, under the hood Drop Guard uses a combination of the Update Manager code, rewritten to mitigate the most common update process issues, our custom update detection logic and manual checks of the modules in question. It happens quite often that, for example, the security advisory for a module cannot be parsed automatically; in that case our team investigates the issue and adjusts the update status.
Lastly, long before the report from IOActive was published, Drop Guard was smart enough to stop the update detection process if the update information couldn't be fetched. In the unlikely case of Drupal.org infrastructure issues or general network problems, the worst thing that can happen is that the update won't be available to a user until its status has been properly fetched and confirmed.
Issue #1 (part 2): CSRF vulnerability
The "Check Manually" link can be used to perform a cross-site request forgery (CSRF).
The Drop Guard server doesn't use the Update module UI and doesn't need it enabled, so there is no risk that someone could ever click on the "Check Manually" link at all. We always recommend disabling the Update module on production sites protected by Drop Guard.
Issue #2: Spying on the network traffic
An attacker may point a website owner to a backdoored version of Drupal by eavesdropping on the unencrypted network traffic between a website and the updates.drupal.org domain.
Drop Guard users never visit the "Available Updates" page on their websites, which mitigates this vulnerability. Besides, all the networking with updates.drupal.org services is performed over an encrypted connection on our side.
And luckily, Drop Guard users never download updates via the Update module's interface. We highly recommend that no Drupal maintainer use this functionality; use proper update and deployment workflows instead.
Issue #3: Unencrypted updates transfer
Drupal security updates are transferred unencrypted without checking their authenticity, which could lead to code execution and database access.
As mentioned in the section above, Drop Guard always uses an encrypted connection when fetching update information from Drupal.org.
The actual update archives from Drupal.org are fetched to our servers via an encrypted connection as well. It's also worth saying that the Drupal.org team is working tirelessly to switch its infrastructure and update processes to secure channels, so when trying to access http://updates.drupal.org/release-history/drupal/7.x, for example, you will be redirected to the encrypted version automatically.
So, as we can see, the easiest way to ensure that you're not in the risk group (apart from using Drop Guard, obviously) is to check whether the Update Manager is enabled and whether it's used to fetch actual updates to your server.
The latter practice cannot be recommended for any beginner or advanced user. You should be using proper development workflows and practices instead.
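The three behaviours discussed above (failing closed to "unknown" instead of "up to date" when the update feed cannot be fetched, refusing to talk to updates.drupal.org over plaintext, and checking a downloaded archive against what the feed advertised) are shown below as an added example in Python. It is neither Drop Guard's nor Drupal's code: the feed format is modelled on the shape of the drupal.org release-history XML (version, status, mdhash, filesize and release-type terms), the sample feed and archive bytes are constructed, and the http:// URL it refuses is the one quoted in the post. It goes slightly beyond the post by classifying whether the newer releases include a security update.

```python
# Added illustration (Python), not Drop Guard's or Drupal's code: a fail-closed update
# check over a release-history style feed, plus a size/md5 consistency check of an archive.
import hashlib
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Release:
    version: str
    status: str
    mdhash: str              # md5 of the archive, as advertised by the feed
    filesize: Optional[int]
    security: bool           # feed term "Release type" == "Security update"


def fetch_feed(url: str, timeout: float = 10.0) -> Optional[str]:
    """Return the feed body, or None on any failure.

    A plaintext http:// URL is refused before any request is made: a feed that did
    not arrive over TLS is treated exactly like a feed that could not be fetched.
    """
    if urlparse(url).scheme != "https":
        return None
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8") if resp.getcode() == 200 else None
    except (urllib.error.URLError, OSError, ValueError):
        return None


def _text(node: ET.Element, tag: str) -> str:
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else ""


def parse_feed(feed_xml: str) -> List[Release]:
    """Parse <release> entries; raises ET.ParseError on malformed XML."""
    releases = []
    for rel in ET.fromstring(feed_xml).iter("release"):
        security = any(
            _text(t, "name") == "Release type" and _text(t, "value") == "Security update"
            for t in rel.iter("term")
        )
        size = _text(rel, "filesize")
        releases.append(Release(_text(rel, "version"), _text(rel, "status"),
                                _text(rel, "mdhash"), int(size) if size.isdigit() else None,
                                security))
    return releases


def version_key(version: str) -> tuple:
    """'7.43' -> (7, 43); '7.x-2.5' -> (2, 5); non-numeric suffixes such as -dev are dropped."""
    stripped = re.sub(r"^\d+\.x-", "", version)
    return tuple(int(p) for p in re.split(r"[.\-]", stripped) if p.isdigit())


def update_status(feed_xml: Optional[str], installed_version: str) -> str:
    """Fail closed: a missing, unparsable or empty feed yields 'unknown', never 'current'."""
    if feed_xml is None:
        return "unknown"
    try:
        published = [r for r in parse_feed(feed_xml) if r.status == "published"]
    except ET.ParseError:
        return "unknown"
    if not published:
        return "unknown"
    newer = [r for r in published if version_key(r.version) > version_key(installed_version)]
    if not newer:
        return "current"
    return "security-update-available" if any(r.security for r in newer) else "update-available"


def verify_archive(data: bytes, release: Release) -> bool:
    """Check a downloaded archive against the size and md5 the feed advertised.

    A consistency check, not a signature: it catches truncation or a swapped file only
    if the feed itself came over TLS, since a plaintext feed lets the same party rewrite
    the hash along with the archive.
    """
    if release.filesize is not None and len(data) != release.filesize:
        return False
    return hashlib.md5(data).hexdigest() == release.mdhash


# Constructed sample data modelled on the release-history XML shape; not a real response.
SAMPLE_ARCHIVE = b"constructed stand-in for a drupal-7.43 archive"
SAMPLE_FEED = f"""<project><short_name>drupal</short_name><releases>
  <release><version>7.43</version><status>published</status>
    <mdhash>{hashlib.md5(SAMPLE_ARCHIVE).hexdigest()}</mdhash><filesize>{len(SAMPLE_ARCHIVE)}</filesize>
    <terms><term><name>Release type</name><value>Bug fixes</value></term></terms></release>
  <release><version>7.42</version><status>published</status>
    <terms><term><name>Release type</name><value>Security update</value></term></terms></release>
</releases></project>"""
```

Calling `update_status(fetch_feed("http://updates.drupal.org/release-history/drupal/7.x"), "7.43")` returns "unknown" without sending a request, because the plaintext scheme is refused; the same call with the https:// form of that URL would fetch and classify the real feed. A monitoring job built on this pattern should alert on "unknown" rather than treat it as a clean result, which is the behaviour the post contrasts with the Update module's "everything is up to date".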
Do you still use the Update Manager module to update your Drupal installation? Do you think it's a good practice? What's your experience overall? Please do share your thoughts in the comments!
Continuous integration and automated testing can significantly reduce the odds of regressions, but eventually every project will find itself facing a feature that used to work and no longer does. When that time comes for you, I recommend git bisect.
Barrett Sun, 03/13/2016 - 21:24
Do you have what it takes to be quizmaster at Promet Source's booth during MidCamp? Promet is inviting the community to participate in a friendly round of Drupal trivia during MidCamp activities Friday, March 18 and Saturday, March 19, 2016.
The monthly security release window for Drupal 8 and 7 core will take place on Wednesday, March 16.
This does not mean that a Drupal core security release will necessarily take place on that date for any of the Drupal 8 or 7 branches, only that you should watch for one (and be ready to update your Drupal sites in the event that the Drupal security team decides to make a release).
There will be no bug fix or feature release on this date. The next window for a Drupal core patch (bug fix) release for all branches is Wednesday, April 06. The next scheduled minor (feature) release for Drupal 8 will be on Wednesday, April 20.
Drupal 6 is end-of-life and will not receive further security releases.
The Drupal community is diverse. We're from different places. We speak different languages, code in different languages, and use Drupal in different ways. But the one thing we all have in common is that we care about the fate of Drupal. We invest our time, intellect, and emotions into this project. And we want that investment to make the project successful.
We have a lot to be proud of. In the last few years, Drupal use and community contribution have grown tremendously. Some metrics—like comments and commits created each month—are available at drupal.org/metrics. We share project usage and track BuiltWith statistics. We've also started reflecting company contributions in the marketplace and on the organizations list.
The Association's mission is to unite a global open source community to build and promote Drupal. One of its 3-to-5 year goals is to ensure the sustainability of our project and community. To meet that goal, we need to get much better as a community at answering the question: Is Drupal healthy? But that's not an easy question to answer.
In the last board meeting, board members and staff talked about what kinds of metrics show health. In this post, I share some of that thinking, and ask for your ideas. But before we get into recommendations, let’s start at the beginning.
What's project health?
Association staff and board members use “project health” as shorthand for project success. "Health" is robust. Think about your own health. You might think first about physical aspects (Do I have a fever?). But you also might think about emotional aspects, like depression or stress. You may even think about social aspects (Do I have the right people around me to support me and keep me focused on the right habits?). Health isn't binary. Health is multi-dimensional.
So, too, is the health of an open source project. It's easy to take the temperature of a project with metrics like usage or number of committers. But to understand the complexity of our project's health, we need broader measurements. In our work on staff, we've defined four dimensions of product health we think we need to explore:
- Product: whether the business of the Drupal product (the software) is sound. Examples of areas to explore: marketshare; Drupal businesses' revenue.
- People: whether we have the right kinds of people contributing the right kinds of things. Examples of areas to explore: number of contributors; kinds of contributions; contributors' skills.
- Process: how the way we do things contributes to the project. Examples of areas to explore: ability to meet published release dates; succession planning.
- Systems: whether we use the right tools. Examples of areas to explore: testing times for DrupalCI; amount of documentation edits; responses to posts in forums; issue resolutions; commits and integrated repositories.
There's the ideal, and then there's reality. We know we won't be able to track everything we want to. So, we'll have to make choices. We'll have to choose metrics that give us directional, even if not precise, accuracy. So, what are some of our limitations?
The future of the project
Knowing what categories of metrics we need to track is necessary, but not enough. Setting metrics also requires knowing where we want the project to go. Taking your temperature is only helpful if you know what you want it to be (and what it means if it's not).
Tracking project health is an Association priority, but it’s not its only mandate. It has to consider the time and expense invested in DrupalCons and Drupal.org too, for example. Unfortunately, budget limitations mean not hiring analysts or consultants to help. For the most part, they mean working with the (wonderful) people already on staff.
So, for example, measuring contribution only by code or comment attribution isn't enough. People contribute in so many ways. (There's even an issue open on this topic already.) Will measuring contribution expand to include other things? Yes. But will it also likely still not give some contributions the attention they deserve? Unfortunately, yes. Hard choices will mean we'll all have to accept some less than ideal outcomes.
Balancing competing frames and other fun factors
Once we know what outcome we want and have found things we can actually measure, we'll still need to do more. Any metric we choose has to also align with the project's mission and our community’s values. We also can't be too dependent on internal metrics. We'll have to measure our success with external indicators too. (See? There's a lot to think about here!)
Examples, please
There’s good news and bad news here. The good news is that we are definitely not alone. Many software projects—including open source projects—have worked on these same issues. There are resources all around us. We've created lists of some of them already.
- Bitergia dashboards
- Symfony Code Stats
- Symfony Contributors
- Estimating the Total Development Cost of Linux Foundation’s Collaborative Projects
- Linux Jobs Report 2015
- Who Writes Linux: Linux Kernel Development: How Fast it is Going, Who is Doing It, What They are Doing, and Who is Sponsoring It
- WordPress Activity
- Ultimate List of WordPress Statistics
- Apache development statistics
- Ruby on Rails contributors
There's a lot to consider when we think about the health of the Drupal project. We've just begun this conversation and want to make sure you're part of it from the beginning. So, now we turn things over to you.
Which metrics are indicative of Drupal project health? Share your ideas in the comments section. We'll include your feedback in a document we'll share with you.
Flickr photo: Thomas Haynie
Quality Assurance (QA) bridges technology and user experience design, giving a big-picture and wide-angle understanding of systems and projects. It adds value to the development process, not just by ensuring that every project meets our standards of excellence, but also by defining and maintaining the focus of the team through the entire lifecycle.
Yesterday, the White House announced a plan to deepen its commitment to open source. Under this plan, new, custom-developed government software must be made available for use across other federal agencies, and a portion of all projects must be made open source and shared with the public. This plan will make it much easier to share best practices, collaborate, and save money across different government departments.
However, there are still some questions to address. In good open source style, the White House is inviting developers to comment on this policy. As the Drupal community we should take advantage and comment on GitHub within the 30-day feedback window.
The White House has a long open source history with Drupal. In October 2009, WhiteHouse.gov relaunched on Drupal and shortly thereafter started to actively contribute back to Drupal -- both were a first in the history of the White House. White House's contributions to Drupal include the "We the People" petitions platform, which was adopted by other governments and organizations around the world.
This week's policy is big news because it will push open source deeper into the roots of the U.S. government, requiring more government agencies to become active open source contributors. We'll be able to solve problems faster and, together, build better software for citizens across the U.S.
I'm excited to see how this plays out in the coming months!
Preston So, Development Manager, Acquia Labs, front-end developer extraordinaire, speaker of way too many languages, joins Mike and Anna to talk about decoupling Drupal's front-end and the healthy discussion surrounding it. News stories covered include DrupalCon Asia, Community Keynotes, and Drupal Association Board of Directors voting.
Interview
- Presentation: Decoupled Drupal and the Front-end.
- Original issue post: [META] Supersede Backbone in core admin UIs with a new client-side framework by Preston So.
- [policy, no patch] Require Node.js for Drupal 9 core and rewrite some of Drupal's UI code from PHP to JS.
- Investigate where and how a frontend framework could be used.
- [META] Dramatically improve Drupal-provided user interactions through perceived performance boosts and optimistic feedback.
- Decapitating Drupal - blog post by Mark Ferree.
- Drupal gets a feature request out of the blue - blog post by Théodore Biadala.
- Should we decouple Drupal with a client-side framework? - blog post by Dries Buytaert.
- Does Drupal need a client-side framework in core? - blog post by Peter Droogmans.
- Should Drupal add (another) JS framework into core? Not in the name of UX. - blog post by Lewis Nyman.
- Turning Drupal outside-in - blog post by Dries Buytaert.
- The next session of the 12-week Drupal Career Online course starts in March, 2016 - visit DrupalEasy.com/dco for all the details.
- DrupalCon Asia: Back from the Future - blog post by Holly Ross.
- Drupal 8.0.4, 8.0.5, and 8.1.0-beta1 released.
- Vote for your Community Keynote - voting ends March 18, 2016.
- Draw fictional maps
- Giving a tech talk in a language other than English
- A koala
Drupal Way - by Marcia Buckingham (vocals, bass and mandolin) and Charlie Poplees (guitar). The lyrics by Marcia Buckingham, music by Kate Wolfe.
Subscribe
If you'd like to leave us a voicemail, call 321-396-2340. Please keep in mind that we might play your voicemail during one of our future podcasts. Feel free to call in with suggestions, rants, questions, or corrections. If you'd rather just send us an email, please use our contact page.
A long time ago, I was approached by a publishing company to write a book on Drupal security. That never ended up happening, but I did become a technical reviewer for someone else's book. Along the way, I picked up a domain: DrupalBooks.com. Since it's highly unlikely I'll ever get around to writing a book about Drupal, I'm putting the domain up for sale. If you're interested in acquiring DrupalBooks.com, please send me an email at email@example.com.
CiviCRM Entity is a Drupal module which greatly enhances CiviCRM integration with Drupal. This module exposes many CiviCRM entities as true Drupal entities. That means that almost any module can use Drupal entities. As a result, these modules can access and manipulate CiviCRM data directly from within Drupal via Drupal’s Entity API. This includes many commonly used modules such as Views, Rules, Search API, Entityqueue, Entity Reference, and many more.
CiviCRM Entity was originally developed by Eileen McNaughton from Fuzion. Skvare was an early adopter of version 1.0 where we implemented the Rules integration and quickly realized that this was a powerful and essential tool for most CiviCRM implementations that integrate with Drupal. We reached out and collaborated on the development towards the 2.0 branch, with features that were important to Skvare’s clients.
Released last year, the 2.0 branch of CiviCRM Entity has many new features including:
- almost 20 CiviCRM entities, such as Contact, Membership, Event, Contributions, exposed as Drupal entities
- Native Drupal create/edit/delete forms for CiviCRM data
- Native Drupal view pages of CiviCRM data
- Standard Drupal Manage Fields and Manage Display forms
- Ability to add Drupal fields to CiviCRM data
- Display Suite integration
Skvare is now an active developer and maintainer of the project. We are in the process of coordinating feature requests that will be added to the 3.0 branch.
We use, build, and develop solutions with CiviCRM Entity on most of our client websites, and we’ve gotten a lot of feedback. We also keep our ear to the ground for how other people are using it, and this blog article is part of that. The feedback we’ve gotten is, “this is awesome, can I have more, and better!”
What clients now see, love, and want more of, is the ability to create Drupal native themed, responsive view and edit forms. No more figuring out where to edit that one line of custom CSS code in a CiviCRM-specific template. No secondary system interface for end-users to learn. It’s as simple as building a Drupal webform and at the same time more powerful than the out-of-the-box CiviCRM features. All accessible as a site-building task without the need for any custom code.
A common client request is for volunteers and employees to use a form to create or edit CiviCRM data without having user access to the CiviCRM backend. Oftentimes these volunteers are updating data such as participant attendance statuses at events, with a mobile phone or a tablet. It is similar to the built-in profiles, but with consistent theming, out-of-the-box responsive design, broader data access, and much tighter integration of the underlying business logic.
This year, Skvare is excited about adding more features and further improving the integration between CiviCRM and Drupal. We have many ideas, we have many requests, and as we look into the future, we see this module being one of the most important CiviCRM-related modules for both implementors and end users.
Proposed Features include:
- Improve Forms with better validation, widgets and formatters for CiviCRM FK reference fields, improved metadata, inline entity forms for FK reference fields, default layouts
- Better custom field support -- be able to edit multivalued groups, and organize them on edit forms and in Rules in their field groups.
- Open up more CiviCRM entities, such as Country, CustomValue, and those provided by Extensions, as Drupal entities
- Improved Views support -- field, filter, sort, relationship handlers for all entities not exposed by CiviCRM Core
- CiviCRM Profile Integration -- make them entities!
- Native Drupal Contribution pages
- Native Drupal Event registration pages
- Native Drupal CiviCRM configuration pages
- Deeper Drupal Commerce Integration, allow contributions, memberships, and event registrations to happen with standard Drupal Commerce workflow
We’ve seen the impact and success in real-world implementations. We’re motivated and want to solicit feedback from the community.
- Have you used the module before?
- In what configuration?
- Do you like a specific feature?
- Are there specific features you wish the module had?
- What ideas for the future do you have?
- Give feedback on this blog article.
- Join the discussion in the Future Development issue.
- Develop it yourself: fork Eileen’s GitHub repo.
- Hire Skvare to add the specific feature you want, now. We’ll put it back into the general release and continue building more functionality. Clients have already committed funds to further extend this project. Those who fund development guide the priorities, milestones, and timelines.
- Talk to Mark Hanna, CiviCRM Entity maintainer and new development lead.
- Want to see a Drupal 8 version sooner rather than later? Contact us to make it happen.
Be on the lookout for a set of blog articles showcasing features and site building techniques that Skvare has implemented, and the use cases that we’ve gathered as we aim to further extend this module. We’ll also be presenting on this topic at the upcoming CiviCon 2016.
Have you used the Examples module? What is your favorite example?
Let's talk next Monday at 1PM (GMT -0700)
It's free to attend. You may participate by signing in with your twitter account or you may watch anonymously without signing in at all.
There are some excellent improvements to modeling data in Drupal 8, including a number of new fields. This is going to make it easier to model content in Drupal. Let’s look at the image handling in Drupal 8 and what changes are in store.
The Drupal community welcomed the much anticipated release of Drupal 8 a few months ago. And then the questions began. Should I port my Drupal 6 or Drupal 7 site to D8? What themes are available in Drupal 8?
While there are hundreds of themes available to Drupal developers, so far 93 are Drupal 8 ready. There are some significant differences between D7 and D8 theming. And the number of themes for D8 is only going to grow. Here are our top five favorite Drupal themes now available in D8.
Bootstrap
With a pre-release version for D8 now available, this base theme wraps one of the most popular HTML, CSS, and JS frontend frameworks in the world for developing responsive, mobile-first projects on the web. Bootstrap 3 is out now, and 4 is in development, according to the theme’s home page. This theme is a bridge between the Bootstrap Framework and Drupal.
Foundation
Built by Zurb, Foundation is a family of responsive front-end tools you can use to design responsive websites, apps and emails. Foundation is semantic, readable, flexible, and customizable.
Bearskin
This D8 friendly theme ships with Bear, a set of modules, base configuration and an install profile that minimizes the time to start a new Drupal project without sacrificing the quality of the build. Bear Skin comes with a sub-theme, Bear Coat, that contains some basic styling. We built Bear and Bear Skin here at Zivtech.
Basic
Everything you need to know is in the name. Basic is simple and flexible and gives front end developers the essential pieces that they need to get a design up and running. Basic has a clean HTML5 structure with extensible CSS classes and IDs for unlimited options. Basic, which uses the Bourbon library of Sass mixins, comes from Vancouver web shop The Jibe.
Neato
Built by Velir, the Neato theme was created on the Neat grid system. It also incorporates Bourbon for easier grid theming. Bourbon and Neat are Sass libraries. Developers can choose which components to use because Neato isn’t stacked with any JS plugins or files.
Check out these themes to preview and download at the official Drupal site.