Planet Drupal

Subscribe to Planet Drupal feed - aggregated feeds in category Planet Drupal
Updated: 21 hours 27 min ago

Drop Guard: Drop Guard response about insecure update process

14 March 2016 - 1:30am
Drop Guard response about insecure update process Igor Kandyba Mon, 14.03.2016 - 09:30

6 January 2016 was a memorable day for the Drupal community. Probably for the first time since the Drupalgeddon a vulnerability with potential to affect millions of websites was discovered. The report on the insecure Drupal update process, published by IOActive, got immediate traction and responses from Acquia, Drupal Security Team and major players in the community.

The analysis of the risks, however, showed the impact is not significant enough and as a result, the patches to fix the issues listed in the report are still "work in progress" (first and second).

As the updates automation and security is the Drop Guard's only focus and business model, we feel responsible for providing our answer to each of the issues. 

Issue #1 (part 1): Incorrect update statuses Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.

This issue affects the display of the core or contrib update status on the "Available updates" screen, in case the update information is not properly fetched from

First, Drop Guard users don't need to have the Update module enabled at all (one less module enabled, huh!), as they delegate the heavy lifting updates detection work entirely to Drop Guard. 

Second, under the hood Drop Guard uses a combination of the Update Manager code, rewritten to mitigate most common update process issues, our custom update detection logic and manual checks of the modules in question. It happens quite often, when, for example, the security advisory for a module can not be parsed automatically - in this case, our team investigates the issue and adjusts the update status. 

Lastly, long before the report from IOActive was published, Drop Guard was smart enough to stop the updates detection process if the update information couldn't be fetched. In the unlikely case of infrastructure issues or general network problems the worst thing which could happen - the update won't be available to a user unless its status will be properly fetched and confirmed.

Issue #1 (part 2): CSRF vulnerability The "Check Manually" link can be used to perform a cross-site request forgery (CSRF).

Drop Guard server doesn't use the Update module UI, and don't need it enabled, so there is no risk someone could ever click on the "Check Manually" link at all. We always recommend disabling the Update module on the production sites protected by Drop Guard.

Issue #2: Spying on the network traffic An attacker may point a website owner to a backdoored version of Drupal by eavesdropping on the unencrypted network traffic between a website and domain.

Drop Guard users never visit the "Available Updates" page on their websites, which mitigates this vulnerability. Besides, all the networking with services is performed over the encrypted connection on our side.

And luckily, Drop Guard users never download updates via the Update's module interface. We highly recommend not to use this functionality for any Drupal maintainer and use the proper updates and deployment workflows instead.

Issue #3: Unencrypted updates transfer Drupal security updates are transferred unencrypted without checking the authenticity, which could lead to code execution and database access.

As mentioned in the section above, Drop Guard always uses the encrypted connection when fetching updates information from

The actual update archives from are fetched to our servers via the encrypted connection as well. It's also worth saying that team is working tirelessly to switch infrastructure and update processes to use secure channels, so when trying to access the for example, you will be redirected to the encrypted version automatically.

So as we can see, the easiest way to ensure that you're not in the risk group (apart from using Drop Guard obviously), is to check if the Update Manager is enabled and if it's used to fetch actual updates to your server.

The latter practice can not be recommended for any beginner or advanced user. You should be using proper development workflows and practices instead.

Do you still use the Update Manager module to update your Drupal installation? Do you think it's a good practice? What's your experience overall? Please do share your thoughts in comments!

Security infrastructure Drupal Planet Drop Guard

View the discussion thread.

Categories: Drupal

DataSmith: Git Bisect: The go-to tool for answering the "when did this stop working" question

13 March 2016 - 6:24pm
Git Bisect: The go-to tool for answering the "when did this stop working" question

Continuous integration and automated testing can significantly reduce the odds of regressions, but eventually, every project will fnd themselves facing a feature that used to work and no longer does.  When that time comes for you, I recommend git bisect.

Barrett Sun, 03/13/2016 - 21:24
Categories: Drupal

Promet Source: Think Fast! Playing Drupal Trivia at MidCamp

13 March 2016 - 3:08pm
Time to break out your best Drupal knowledge, Chicago! Demonstrate your Drupal genius at #MidCamp this year.


Do you have what it takes to be quizmaster at Promet Source's booth during MidCamp? Promet is inviting the community to participate in a friendly round of Drupal trivia during MidCamp activities Friday, March 18 and Saturday, March 19, 2016.

Categories: Drupal

Drupal core announcements: Drupal core security release window beginning Wednesday, March 16, 2016

13 March 2016 - 11:02am
Start:  2016-03-16 00:00 - 23:30 UTC Organizers:  xjm catch David_Rothstein Event type:  Online meeting (eg. IRC meeting)

The monthly security release window for Drupal 8 and 7 core will take place on Wednesday, March 16.

This does not mean that a Drupal core security release will necessarily take place on that date for any of the Drupal 8 or 7 branches, only that you should watch for one (and be ready to update your Drupal sites in the event that the Drupal security team decides to make a release).

There will be no bug fix or feature release on this date. The next window for a Drupal core patch (bug fix) release for all branches is Wednesday, April 06. The next scheduled minor (feature) release for Drupal 8 will be on Wednesday, April 20.

Drupal 6 is end-of-life and will not receive further security releases.

For more information on Drupal core release windows, see the documentation on release timing and security releases, and the discussion that led to this policy being implemented.

Categories: Drupal

Drupal Association News: Measuring Drupal's health

11 March 2016 - 1:45pm

The Drupal community is diverse. We're from different places. We speak different languages, code in different languages, and use Drupal in different ways. But the one thing we all have in common is that we care about the fate of Drupal. We invest our time, intellect, and emotions into this project. And we want that investment to make the project successful.

We have a lot to be proud of. In the last few years, Drupal use and community contribution has grown tremendously. Some metrics—like comments and commits created each month—are available at We share project usage and track BuiltWith statistics. We've also started reflecting company contributions in the marketplace and on organizations list.

The Association's mission is to unite a global open source community to build and promote Drupal. One of its 3-to-5 year goals is to ensure the sustainability of our project and community. To meet that goal, we need to get much better as a community at answering the question: Is Drupal healthy? But that's not an easy question to answer.

In the last board meeting, board members and staff talked about what kinds of metrics show health. In this post, I share some of that thinking, and ask for your ideas. But before we get into recommendations, let’s start at the beginning.

What's project health?

Association staff and board members use “project health” as shorthand for project success. "Health" is robust. Think about your own health. You might think first about physical aspects (Do I have a fever?). But you also might think about emotional aspects, like depression or stress. You may even think about social aspects (Do I have the right people around me to support me and keep me focused on the right habits?). Health isn't binary. Health is multi-dimensional.

So, too, is the health of an open source project. It's easy to take the temperature of a project with metrics like usage or number of committers. But to understand the complexity of our project's health, we need broader measurements. In our work on staff, we've defined four dimensions of product health1 we think we need to explore:

  • Product: whether the business of the Drupal product (the software) is sound. Examples of areas to explore: marketshare; Drupal businesses' revenue.
  • People: whether we have the right kinds of people contributing the right kinds of things. Examples of areas to explore: number of contributors; kinds of contributions; contributors' skills.
  • Process: how the way we do things contributes to the project. Examples of areas to explore: ability to meet published release dates; succession planning.
  • Systems: whether we use the right tools. Examples of areas to explore: testing times for DrupalCI; amount of documentation edits; responses to posts in forums; issue resolutions; commits and integrated repositories.
Acknowledging our limitations

There's the ideal, and then there's reality. We know we won't be able to track everything we want to. So, we'll have to make choices. We'll have to choose metrics that give us directional, even if not precise, accuracy. So, what are some of our limitations?

The future of the project

Knowing what categories of metrics we need to track is necessary, but not enough. Setting metrics also requires knowing where we want the project to go. Taking your temperature is only helpful if you know what you want it to be (and what it means if it's not).

This is a challenge Association staff discussed with the board. The Association doesn't set the software's future. It does, though, need to know where the project is going. To support the project's journey, it needs to know its direction. For example, maybe headless Drupal is the future. If so, we might measure “People” success by how many JavaScript developers contribute. But it’s not 100% clear what the future holds for Drupal. We have work to do before we can identify the best metrics.


Tracking project health is an Association priority, but it’s not its only mandate. It has to consider the time and expense invested in DrupalCons and too, for example. Unfortunately, budget limitations mean not hiring analysts or consultants to help. For the most part, they mean working with the (wonderful) people already on staff.

So, for example, measuring contribution only by code or comment attribution isn't enough. People contribute in so many ways. (There's even an issue open on this topic already.) Will measuring contribution expand to include other things? Yes. But will it also likely still not give some contributions the attention they deserve? Unfortunately, yes. Hard choices will mean we'll all have to accept some less than ideal outcomes.

Balancing competing frames and other fun factors

Once we know what outcome we want and have found things we can actually measure, we'll still need to do more. Any metric we choose has to also align with the project's mission and our community’s values. We also can't be too dependent on internal metrics. We'll have to measure our success with external indicators too. (See? There's a lot to think about here!)

Examples, please

There’s good news and bad news here. The good news is that we are definitely not alone. Many software projects—including open source projects—have worked on these same issues. There are resources all around us. We've created lists of some of them already.

Bitergia dashboards Open source projects on GitHub Project-run dashboards So what should we track?

There's a lot to consider when we think about the health of the Drupal project. We've just begun this conversation and want to make sure you're part of it from the beginning. So, now we turn things over to you.

Which metrics are indicative of Drupal project health? Share your ideas in the comments section. We'll include your feedback in a document we'll share with you.

1 We borrowed these concepts from Product Lifecycle Management.

Flickr photo: Thomas Haynie

Categories: Drupal

ImageX Media: QA: What Does It Mean to ImageX and Our Clients?

11 March 2016 - 11:53am

Quality Assurance (QA) bridges technology and user experience design, giving a big picture and wind angle understanding of systems and projects. It adds value to the development process, not just by ensuring that every project meets our standards of excellence, but also by defining and maintaining the focus of the team through the entire lifecycle.

Categories: Drupal

Dries Buytaert: White House deepens its commitment to Open Source

11 March 2016 - 10:09am

Yesterday, the White House announced a plan to deepen its commitment to open source. Under this plan, new, custom-developed government software must be made available for use across other federal agencies, and a portion of all projects must be made open source and shared with the public. This plan will make it much easier to share best practices, collaborate, and save money across different government departments.

However, there are still some questions to address. In good open source style, the White House is inviting developers to comment on this policy. As the Drupal community we should take advantage and comment on GitHub within the 30-day feedback window.

The White House has a long open source history with Drupal. In October 2009, relaunched on Drupal and shortly thereafter started to actively contribute back to Drupal -- both were a first in the history of the White House. White House's contributions to Drupal include the "We the People" petitions platform, which was adopted by other governments and organizations around the world.

This week's policy is big news because it will push open source deeper into the roots of the U.S. government, requiring more government agencies to become active open source contributors. We'll be able to solve problems faster and, together, build better software for citizens across the U.S.

I'm excited to see how this plays out in the coming months!

Categories: Drupal

DrupalEasy: DrupalEasy Podcast 171 - BoF Roadshow (Preston So - Front-end Decoupling)

11 March 2016 - 7:16am

Direct .mp3 file download.

Preston So, Development Manager, Acquia Labs, front-end developer extrodinaire, speaker of way too many languages joins Mike and Anna to talk about the decoupling Drupal's front-end and the healthy discussion surrounding it. News stories covered include DrupalCon Asia, Community Keynotes, and Drupal Association Board of Directors voting.

Interview DrupalEasy News
  • The next session of the 12-week Drupal Career Online course starts in March, 2016 - visit for all the details.
Three Stories Sponsors Upcoming Events Follow us on Twitter Five Questions (answers only)
  1. Draw fictional maps
  2. OmniGraffle
  3. Giving a tech talk in a language other than English
  4. A koala
  5. Garland
Intro Music

Drupal Way - by Marcia Buckingham (vocals, bass and mandolin) and Charlie Poplees (guitar). The lyrics by Marcia Buckingham, music by Kate Wolfe.


Subscribe to our podcast on iTunes or Miro. Listen to our podcast on Stitcher.

If you'd like to leave us a voicemail, call 321-396-2340. Please keep in mind that we might play your voicemail during one of our future podcasts. Feel free to call in with suggestions, rants, questions, or corrections. If you'd rather just send us an email, please use our contact page.

Categories: Drupal

John Forsythe: for sale

10 March 2016 - 8:59pm

A long time ago, I was approached by a publishing company to write a book on Drupal security. That never ended up happening, but I did become a technical reviewer for someone else's book. Along the way, I picked up a domain: Since it's highly unlikely I'll ever get around to writing a book about Drupal, I'm putting the domain up for sale. If you're interested in acquiring, please send me an email at

Categories: Drupal

CiviCRM Blog: CiviCRM Entity -- Upcoming and Future Development

10 March 2016 - 3:49pm

CiviCRM Entity is a Drupal module which greatly enhances CiviCRM integration with Drupal. This module exposes many CiviCRM entities as true Drupal entities. That means that almost any module can use Drupal entities. As a result, these modules can access and manipulate CiviCRM data directly from within Drupal via Drupal’s Entity API. This includes many commonly used modules such as Views, Rules, Search API, Entityqueue, Entity Reference, and many more.

CiviCRM Entity was originally developed by Eileen McNaughton from Fuzion. Skvare was an early adopter of version 1.0 where we implemented the Rules integration and quickly realized that this was a powerful and essential tool for most CiviCRM implementations that integrate with Drupal. We reached out and collaborated on the development towards the 2.0 branch, with features that were important to Skvare’s clients.

Released last year, the 2.0 branch of CiviCRM Entity has many new features including:

  • almost 20 CiviCRM entities, such as Contact, Membership, Event, Contributions, exposed as Drupal entities

  • Native Drupal create/edit/delete forms for CiviCRM data

  • Native Drupal view pages of CiviCRM data

  • Standard Drupal Manage Fields and Manage Display forms

  • Ability to add Drupal fields to CiviCRM data

  • Display Suite integration

Many of the CiviCRM Entity features are being actively used with large-scale CiviCRM deployments such as the Salvation Army Echelon or the University of Minnesota Crowdfunding Platform.

Future Development

Skvare is now an active developer and maintainer of the project. We are in the process of coordinating feature requests that will be added to the 3.0 branch.

We use, build, and develop solutions with CiviCRM Entity on most of our client websites, and we’ve gotten a lot of feedback. We also keep our ear to the ground for how other people are using it, and this blog article is part of that. The feedback we’ve gotten is, “this is awesome, can I have more, and better!”

What clients now see, love, and want more of, is the ability to create Drupal native themed, responsive view and edit forms. No more figuring out where to edit that one line of custom css code in a CiviCRM-specific template. No secondary system interface for end-users to learn. It’s as simple as building a Drupal webform and concurrently more powerful than the out-of-the-box CiviCRM features. All accessible as a site-building task without the need for any custom code.

A common client request is for volunteers and employees for a CiviCRM form create or edit CiviCRM data without user access to the CiviCRM backend. Oftentimes these volunteers are updating data such as participant attendance statuses at events, with a mobile phone or a tablet. Similar to the built-in profiles, but with consistent theming, out of the box responsive design, broader data access, and much tighter integration of the underlying business logic.

This year, Skvare is excited about adding more features and further improving the integration between CiviCRM and Drupal.  We have many ideas, we have many requests, and as we look into the future, we see this module being one of the most important CiviCRM-related modules for both implementors and end users.

Proposed Features include:

  • Improve Forms with better validation, widgets and formatters for CiviCRM FK reference fields, improved metadata, inline entity forms for FK reference fields, default layouts

  • Better custom field support -- be able to edit multivalued groups, and organize them on edit forms and in Rules in their field groups.

  • Open up more CiviCRM entities, such as Country, CustomValue, and those provided by Extensions, as Drupal entities

  • Improved Views support -- field, filter, sort, relationship handlers for all entities not exposed by CiviCRM Core

  • CiviCRM Profile Integration -- make them entities!

  • Native Drupal Contribution pages

  • Native Drupal Event registration pages

  • Native Drupal CiviCRM configuration pages

  • Deeper Drupal Commerce Integration, allow contributions, memberships, and event registrations to happen with standard Drupal Commerce workflow

We’ve seen the impact and success in real-world implementations. We’re motivated and  want to solicit feedback from the community.

  • Have you used the module before?

  • In what configuration?

  • Do you like a specific feature?

  • Are there specific features you wish the module had?

  • What ideas for the future do you have?

How can you help?

Try it out.

Give feedback on this blog article.

Join the discussion in the Future Development issue

Develop yourself, fork Eileen’s github repo.

Hire Skvare to add the specific feature you want, now. We’ll put it back into the general release and continue building more functionality. Clients have already committed funds to further extend this project. Those who fund development guide the priorities, milestones, and timelines.

Talk to Mark Hanna, CiviCRM Entity maintainer and new development lead.

Want to see a Drupal 8 version sooner rather than later, contact us to make it happen.

Be on the lookout for a set of blog articles showcasing features and site building techniques that Skvare has implemented, and the use cases that we’ve gathered as we aim to further extend this module. We’ll also be presenting on this topic at the upcoming CiviCon 2016.

ArchitectureDrupalMake it happenv4.7v4.6v4.5v4.4
Categories: Drupal

Another Drop in the Drupal Sea: Drupal Chat: The Examples Module

10 March 2016 - 1:48pm

Have you used the Examples module? What is your favorite example?

Let's talk next Monday at 1PM (GMT -0700)

It's free to attend. You may participate by signing in with your twitter account or you may watch anonymously without signing in at all.

Categories: Drupal

Acquia Developer Center Blog: Tutorial: Drupal 8 WYSIWYG, Inline and Responsive Images

10 March 2016 - 1:25pm

There are some excellent improvements to modeling data in Drupal 8, including a number of new fields. This is going to make it easier to model content in Drupal. Let’s look at the image handling in Drupal 8 and what changes are in store.

Tags: acquia drupal planet
Categories: Drupal

Lullabot: Tugboat: A Visual Website QA Tool for Enterprise Teams

10 March 2016 - 1:00pm
Matt and Mike sit down with a number of Lullabots to talk about Tugboat, which allows you to "review every feature or bug fix with automatic builds." In developer-speak, it's an easy-to-use, multi-platform pull-request environment generation tool. Tugboat is one of the ingredients of Lullabot's secret sauce, and it's awesome!
Categories: Drupal

Zivtech: Top Five Drupal 8 Ready Themes

10 March 2016 - 11:50am

The Drupal community welcomed the much anticipated release of Drupal 8 a few months ago. And then the questions began. Should I port my Drupal 6 or Drupal 7 site to D8? What themes are available in Drupal 8?

While there are hundreds of themes available to Drupal developers, so far 93 are Drupal 8 ready. There are some significant differences between D7 and D8 theming. And the number of themes for D8 is only going to grow. Here are our top five favorite Drupal themes now available in D8.


With a pre-release version for D8 now available, this base theme has become one of the most popular HTML, CSS, and JS frontend frameworks in the world for developing responsive, mobile first projects on the web. Bootstrap 3 is out now, and 4 is in development, according to the theme’s home page. This theme is a bridge between the Bootstrap Framework and Drupal.


Built by Zurb, Foundation is a family of responsive front-end tools you can use to design responsive websites, apps and emails. Foundation is semantic, readable, flexible, and customizable.


This D8 friendly theme ships with Bear, a set of modules and base configuration an install profile that minimizes time to start a new Drupal project without sacrificing the quality of the build. Bear Skin comes with a sub-theme, Bear Coat, that contains some basic styling. We built Bear and Bear Skin here at Zivtech.


​Everything you need to know is in the name. Basic is simple and flexible and gives front end developers the essential pieces that they need to get a design up and running. Basic has a clean HTML5 structure with extensible CSS classes and IDs for unlimited options. Basic, which uses the Bourbon library of Sass mixins, comes from Vancouver web shop The Jibe.


Built by Velir, Neato theme was created on the Neat grid system. It also incorporates Bourbon for easier grid theming. Bourbon and Neat are Sass libraries. Developers can choose components to use because Neato isn’t stacked with any JS plugins or files.

Check out these themes to preview and download at the official Drupal site.

Categories: Drupal