While the Syfy network was busy creating compelling new worlds with shows like 12 Monkeys and Helix, their website was worlds behind. It was not responsive, not beautiful, and, in the words of Matthew Chiavelli, VP of Digital Media and Strategy, "put together with duct tape and baling wire". Syfy needed a scalable, cinematic full-screen experience that would look great on any device and be commensurate to their original content.
This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.
© Yes Moon
Last week, I shared my State of Drupal presentation at Drupalcon Nashville. In addition to sharing my slides, I wanted to provide more information on how you can participate in the various initiatives presented in my keynote, such as growing Drupal adoption or evolving our community values and principles.
Drupal 8 update
During the first portion of my presentation, I provided an overview of Drupal 8 updates. Last month, the Drupal community celebrated an important milestone with the successful release of Drupal 8.5, which ships with improved features for content creators, site builders, and developers.
Drupal 8 continues to gain momentum, as the number of Drupal 8 sites has grown 51 percent year-over-year:
This graph depicts the number of Drupal 8 sites built since April 2015. Last year there were 159,000 sites and this year there are 241,000 sites, representing a 51% increase year-over-year.
Drupal 8's module ecosystem is also maturing quickly, as 81 percent more Drupal 8 modules have become stable in the past year:
This graph depicts the number of modules now stable since January 2016. This time last year there were 1,028 stable projects and this year there are 1,860 stable projects, representing an 81% increase year-over-year.
As you can see from the Drupal 8 roadmap, improving the ease of use for content creators remains our top priority:
This roadmap depicts Drupal 8.5, 8.6, and 8.7+, along with a column for "wishlist" items that are not yet formally slotted. The contents of this roadmap can be found at https://www.drupal.org/core/roadmap.
Four ways to grow Drupal adoption
Drupal 8 was released at the end of 2015, which means our community has had over two years of real-world experience with Drupal 8. It was time to take a step back and assess additional growth initiatives based on what we have learned so far.
In an effort to better understand the biggest hurdles facing Drupal adoption, we interviewed over 150 individuals around the world that hold different roles within the community. We talked to Drupal front-end and back-end developers, contributors, trainers, agency owners, vendors that sell Drupal to customers, end users, and more. Based on their feedback, we established four goals to help accelerate Drupal adoption.
Goal 1: Improve the technical evaluation process
Matthew Grasmick recently completed an exercise in which he assessed the technical evaluator experience of four different PHP frameworks, and discovered that Drupal required the most steps to install. Having a good technical evaluator experience is critical, as it has a direct impact on adoption rates.
To improve the Drupal evaluation process, we've proposed the following initiatives (initiative, issue link, stakeholders, initiative coordinator, status):
- Better discovery experience on Drupal.org; issue link: Drupal.org roadmap; stakeholders: Drupal Association; coordinator: hestenet; status: Under active development
- Better "getting started" documentation; issue link: #2956879; stakeholders: Documentation Working Group; coordinator: grasmash; status: In planning
- More modern administration experience; issue link: #2957457; stakeholders: Core contributors; coordinators: ckrina and yoroy; status: Under active development
To become involved with one of these initiatives, click on its "Issue link" in the table above. This will take you to Drupal.org, where you can contribute by sharing your ideas or lending your expertise to move an initiative forward.
Goal 2: Improve the content creator experience
Throughout the interview process, it became clear that ease of use is a feature now expected of all technology. For Drupal, this means improving the content creator experience through a modern administration user interface, drag-and-drop media management and page building, and improved site preview functionality.
Most of these initiative teams meet weekly on Drupal Slack (see the meetings calendar), which gives community members an opportunity to meet team members, receive information on current goals and priorities, and volunteer to contribute code, testing, design, communications, and more.
Goal 3: Improve the site builder experience
Our research also showed that to improve the site builder experience, we should focus on improving the three following areas:
- The configuration management capabilities in core need to support more common use cases out-of-the-box.
- Composer and Drupal core should be better integrated to empower site builders to manage dependencies and keep Drupal sites up-to-date.
- We should provide a longer grace period between required core updates so development teams have more time to prepare, test, and upgrade their Drupal sites after each new minor Drupal release.
We plan to make all of these aspects easier for site builders through the following initiatives (initiative, issue link, stakeholders, initiative coordinator, status):
- Composer & Core; issue link: #2958021; stakeholders: Core contributors + Drupal Association; coordinator: Coordinator needed!; status: Proposed
- Config Management 2.0; issue link: #2957423; stakeholders: Core contributors; coordinator: Coordinator needed!; status: Proposed
- Security LTS; issue link: 2909665; stakeholders: Core committers + Drupal Security Team + Drupal Association; coordinators: Core committers and Security team; status: Proposed, under discussion
Goal 4: Promote Drupal to non-technical decision makers
The fourth initiative is unique as it will help our community to better communicate the value of Drupal to the non-technical decision makers. Today, marketing executives and content creators often influence the decision behind what CMS an organization will use. However, many of these individuals are not familiar with Drupal or are discouraged by the misconception that Drupal is primarily for developers.
With these challenges in mind, the Drupal Association has launched the Promote Drupal Initiative. This initiative will include building stronger marketing and branding, demos, events, and public relations resources that digital agencies and local associations can use to promote Drupal. The Drupal Association has set a goal of fundraising $100,000 to support this initiative, including the hiring of a marketing coordinator.
Megan Sanicki and her team have already raised $54,000 from over 30 agencies and 5 individual sponsors in only 4 days. Clearly this initiative resonates with Drupal agencies. Please consider how you or your organization can contribute.
Fostering community with values and principles
This year at DrupalCon Nashville, over 3,000 people traveled to the Music City to collaborate, learn, and connect with one another. It's at events like DrupalCon where the impact of our community becomes tangible for many. It also serves as an important reminder that while Drupal has grown a great deal since the early days, the work needed to scale our community is never done.
Prompted by feedback from our community, I have spent the past five months trying to better establish the Drupal community's principles and values. I have shared an "alpha" version of Drupal's values and principles at https://www.drupal.org/about/values-and-principles. As a next step, I will be drafting a charter for a new working group that will be responsible for maintaining and improving our values and principles. In the meantime, I invite every community member to provide feedback in the issue queue of the Drupal governance project.
An overview of Drupal's values with supporting principles.
I believe that taking time to highlight community members that exemplify each principle can make the proposed framework more accessible. That is why it was very meaningful for me to spotlight three Drupal community members that demonstrate these principles.
Principle 1: Optimize for Impact - Rebecca Pilcher
Rebecca shares a remarkable story about Drupal's impact on her Type 1 diabetes diagnosis:
Principle 5: Everyone has something to contribute - Mike Lamb
Mike explains why Pfizer contributes millions to Drupal:
Principle 6: Choose to Lead - Mark Conroy
Mark tells the story of his own Drupal journey, and how his experience inspired him to help other community members:
Watch the keynote or download my slides
Chances are if you've attended any of the Drupal camps in North America you've run into Kevin Thull. He's the fellow that is dashing from room to room before the first session begins to set up the AV equipment and checking in with presenters, making sure they all "push the red button". Because of him, we are all able to attend the sessions we miss while busy elsewhere. He is personally responsible for recording over 800 sessions and donating countless hours of his time.
Not only does he record sessions at camps, he also helps organize Midwest Drupal Camp. For this next year he has been charged as their fearless leader. He will be working on their web team, arranging catering, organizing the venue, as well as doing all the audio visual.
This year at DrupalCon Nashville the Drupal Community awarded Kevin the Aaron Winborn award. The Aaron Winborn award is presented annually to an individual who demonstrates personal integrity, kindness, and above-and-beyond commitment to the Drupal community. Kevin's commitment to capturing knowledge to share with the whole community is truly inspirational. He has provided a platform that helps tie local Drupal Communities together.
The Drupal Community Spotlight Committee's AmyJune sat with Kevin before Nashville and asked him some questions about contributing to the Drupal Community.
Ironically, AmyJune had chosen to write this spotlight on Kevin a few weeks before DrupalCon. AmyJune had asked him if he was coming to Nashville and he relayed that he had a prior commitment to attend another conference for his job. Unbeknownst to us, during the interview Kevin knew he had been awarded the honor and managed to keep it a secret. While he did mention that the marketing conference only ran through Wednesday, AmyJune was pleasantly surprised to see him take the stage.
Well, not too surprised, after all he truly deserves the honor.
How long have you been involved in the Drupal community?
I’m not involved with Drupal through my employer, I work in Marketing, but I got into Drupal through freelance.
My first meet up was when the Using Drupal 6 book first came out. I would say that is when I first started getting involved in the community. So, that's close to 10 years now.
I started recording Drupal Camps back in 2013. The official Chicago Camp was having issues and so we as a far western Suburban group decided to have our own camp. I thought I could do some of the logistics and session recordings since that's what I do for work. I had the same setup with video cameras in the back of the room and I spent countless hours rebuilding these presentations. It's a similar process, but it's a very different presentation between a marketer and someone from the Drupal community giving a presentation on diversity. A marketer might have 20 slides, but a Drupal talk may have 104.
Everybody at the time was telling me I was insane for doing this, but my response was, "Nope, it's important."
2014 was the first MIDCamp and we were able to get the DA recording kits. But that was not great either. There was a lot of setup, they were expensive to ship back and forth, they didn't work terribly well, so that's when Avi Schwab ( https://www.drupal.org/u/froboy) and I started collaborating. He did all the setup for the laptops and I did all the running around from room to room and post production. We brainstormed and I started doing research. The next Suburban Camp is when I had my first test kit for what I am using today.
I saw that you recorded Pacific Northwest Drupal Summit remotely this year? Can you share that experience with us?
That's a funny story. It was the same weekend as Jersey Camp and I tend to favor camps I have already recorded. They had committed before Pacific Northwest Drupal Summit and when Amber Matz saw me at BADCAmp, I explained the conflict. I told her I had started working on the next step and would be shipping the kits to camps. I sat with her and showed her how the kit worked and she said it didn't seem too difficult, and we said "Let's do this".
I got a new case, sent 5 kits to them. It's funny how talking with the organizers of camps helps all of this come together. Because later at New England Camp, I was explaining to one of their organizers how I was shipping kits and he suggested labeling the cables. I thought that was brilliant so I got a label maker and labeled all the cables. I wrote out a more detailed instruction guide, and all these things were things I had been meaning to do.
I sent 5 kits, insured FedEx for around $50, whereas the DA sends this giant pelican case that must cost hundreds of dollars. That was part of the plan originally; we wanted something lightweight and easy to use. I heard they had an 84% capture rate which is a great start. The issue is that non-Mac recordings have no sound and so I have to lay up the backup recording into the video. A lot of times that backup recorder gets turned off or stopped for some reason.
While I was in Florida I started working on pinpointing why non-Mac machines don't have audio. Later, I had mixed success at MIDCamp, I captured a couple, some didn't work, one being an Ubuntu build. At lunch I worked with that presenter to test various setups and we found a setup that worked. Once I can crack that nut, then shipping with even more instructions will increase the capture rates.
Now that you're capturing some camps remote, how does that cut into how much you like to travel?
I do like to travel, but there are a couple of issues. A) I can't be everywhere. B) I am potentially doing 13 or 14 camps this year. Which is cool now, but it may not be cool in a couple of years. And C) I don't do Drupal at work and when I first started doing this I was using all my PTO. I don’t do any Drupal at work, but I brought back all kinds of information and my boss recognized that. She said I could count those as remote days, but of course there's a limit.
There is a balance to be found between visiting the camps and sending the kits remotely.
What are some of your favorite camps?
Everybody asks me that, that question is not fair. I like them all. It's generally the places I know the most people and/or I go ahead of time to play before camp starts. I am not a solo traveller, so if I know a lot of people at the camp I tend to like those: Badcamp, Twin Cities, St. Louis, Texas (cuz of Austin), and Montreal.
What are the things you like to do before a camp that makes it more fun?
HaHaHa, eat and drink all the things. Bar Crawls, Food Crawls, you name it.
Have you given any thought to helping with camps outside the States?
I would like to, but it’s a time and cost issue. The camps now reimburse my travel expenses. To fly to a European camp - I don’t know if that would be in their budget.
It’s interesting, Mauricio Dinarte tailed me for a few camps and he wanted, and he did, get some kits to start recording Nicaragua. One day he tweeted that he saw my kits at Drupal Camp Antwerp. It’s cool to see how these things grow organically. There’s not a camp that goes by where someone from the community doesn’t ask me about how everything works.
Congratulations Kevin!
Kevin’s not just the guy who reminds us all to push the red button. He is the guy who loans out his phone when a presenter is doing a live demo and needs an internet hotspot. He is the guy spending hours during and after Drupal Camps piecing together audio and video for maximum quality. The Drupal Community has so much to thank him for, the Aaron Winborn award couldn’t have been awarded to anyone more deserving.
“It has become a no-brainer to invite Kevin to Florida DrupalCamp and have him record and post all of our sessions online. He makes it easy for us to share our great content with a world-wide audience by coming prepared, making it easy for presenters, and uploading the video almost immediately. He’s a true asset to the community.” - Mike Anello (Florida Camp)
"His never-ending abundance of energy and positive contributions in the form of Drupal Camp video services in the US is unmatched. At the camps where I’ve spoken or helped organize he has been a great person to work with through the whole process - helpful and organized across the board." - Aimee Degnan Hannaford (BADCamp)
“We appreciated Kevin’s willingness to send recording equipment and documentation to our event so that we could record sessions, even though he couldn’t be there. He was encouraging and helpful all along the way.” - Amber Matz (PNWDS Portland)
Thank you Kevin for your contribution to community, for sharing your story with us, and for being a most excellent secret keeper! And thank you to the hundreds of volunteers that make Drupal Camps, Cons, meetups and picnics a success every year. And thank you AmyJune for this most excellent Drupal Community Spotlight article!
Top image credit: Image by Jordana F
We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.
Solution:
- If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
- The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
More and more developers are choosing content-as-a-service solutions known as decoupled CMSes, and due to this trend, people are asking whether decoupled CMSes are challenging the market for traditional CMSes.
By nature, decoupled CMSes lack end-user front ends, provide few to no editorial tools for display and layout, and as such leave presentational concerns almost entirely up to the front-end developer. Luckily, Drupal has one crucial advantage that propels it beyond these concerns of emerging decoupled competitors.
Join Dries Buytaert, founder of Drupal and CTO at Acquia, as he shares his knowledge on how Drupal has an advantage over competitors, and discusses his point-of-view on why, when, and how you should implement decoupled Drupal.
Dries will touch on:
- His thoughts on decoupled CMSes - where is the CMS market headed and when?
- His opinion on whether decoupled CMSes will replace traditional CMSes
- The advantages of decoupled Drupal vs. emerging decoupled competitors
- Considerations when determining if decoupled Drupal is right for your project
CHAIRMAN, CHIEF TECHNOLOGY OFFICER, ACQUIA, INC.
Dries Buytaert is an open source developer and technology executive. He is the original creator and project lead for Drupal, an open source platform for building websites and digital experiences. Buytaert is also co-founder and chief technology officer of Acquia, a venture-backed technology company. Acquia provides an open cloud platform to many large organizations, which helps them build, deliver and optimize digital experiences. A Young Global Leader at the World Economic Forum, he holds a PhD in computer science and engineering from Ghent University and a Licentiate Computer Science (MsC) from the University of Antwerp. He was named CTO of the Year by the Massachusetts Technology Leadership Council, New England Entrepreneur of the Year by Ernst & Young, and a Young Innovator by MIT Technology Review. He blogs frequently on Drupal, open source, startups, business, and the future at dri.es.
The rapid evolution of diverse end-user clients and applications has given rise to a dizzying array of digital channels to support.
Websites in the past were built from monolithic architectures utilizing web content management solutions that deliver content through a templating solution tightly “coupled” with the content management system on the back-end.
Agile organizations crave flexibility, and strive to manage structured content across different presentation layers consistently in a way that’s scalable.
Accomplishing this efficiently requires that teams have flexibility in the front-end frameworks that dominate the modern digital landscape. That’s why decoupled and headless CMS is taking off. That’s why you’re here. But now you need the right technology to support the next phase of the web and beyond.
Download this eBook on headless and decoupled CMS
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
The security team has written an FAQ about this issue.
Solution:
Upgrade to the most recent version of Drupal 7 or 8 core.
- If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
- If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.
Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.
- If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply this patch.
- If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply this patch.
This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.
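The remediation above is entirely version-driven, so the first thing a site owner needs is a reliable answer to "which of my installs are below the fixed release for their branch?" The following is an added example, not part of this advisory or of Drupal: it encodes only the fixed releases the Solution section names (7.58, 8.3.9, 8.4.6, 8.5.1), treats 8.2.x and earlier and Drupal 6 as the advisory does, and triages a constructed inventory of host names and reported core versions. Pre-release and dev builds (e.g. 8.5.1-rc1, 8.5.x-dev) are deliberately ranked below the tagged fixed release, since they may predate the fix.

```python
"""Triage a Drupal inventory against the fixed releases in this advisory.

Added example; not part of the advisory or of Drupal. The fixed versions are
the ones the Solution section lists; host names and versions are constructed.
"""
import re

# First release carrying the fix, per branch. 8.3.x and 8.4.x are unsupported
# branches that received a one-off release for this issue only.
FIXED_RELEASES = {
    "7": (7, 58, 1),
    "8.3": (8, 3, 9, 1),
    "8.4": (8, 4, 6, 1),
    "8.5": (8, 5, 1, 1),
}

# major.minor[.patch|.x][-suffix], e.g. 7.57, 8.5.0, 8.5.1-rc1, 8.5.x-dev
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+|x))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Return a comparable tuple of the numeric parts plus a final flag:
    1 for a tagged release, 0 for a pre-release or dev build, so that
    8.5.1-rc1 sorts below 8.5.1 and is still reported as vulnerable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    parts = [int(major), int(minor)]
    if patch is not None:
        parts.append(0 if patch == "x" else int(patch))
    parts.append(0 if (suffix or patch == "x") else 1)
    return tuple(parts)


def assess(version):
    """Classify one core version. Returns (status, action) with status one of
    'fixed', 'vulnerable', 'end_of_life' or 'not_covered'."""
    v = parse_version(version)
    major = v[0]
    if major <= 6:
        return ("end_of_life",
                "Drupal 6 and earlier are end of life; contact a D6LTS vendor")
    if major == 7:
        branch = "7"
    elif major == 8 and v[1] <= 2:
        return ("vulnerable",
                "8.2.x and earlier are unsupported; update to a recent release, "
                "then follow the advisory instructions")
    elif major == 8:
        branch = f"8.{v[1]}"
    else:
        branch = None
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return ("not_covered",
                f"{version} is newer than the branches in this advisory; "
                "check its own release notes")
    fixed_str = ".".join(str(p) for p in fixed[:-1])
    if v >= fixed:
        return ("fixed", f"at or above {fixed_str}")
    action = f"upgrade to Drupal {fixed_str} or apply the patch for this branch"
    if branch in ("8.3", "8.4"):
        action += ", then move to a supported 8.5.x release"
    return ("vulnerable", action)


# Constructed sample inventory: hostname -> core version as reported by the site.
SAMPLE_INVENTORY = {
    "www-prod-01": "8.5.0",
    "www-prod-02": "8.5.1",
    "intranet": "7.57",
    "legacy-docs": "8.4.2",
    "staging": "8.5.1-rc1",
    "archive": "6.38",
}


def triage(inventory):
    """Return hosts that still need attention, most urgent first, as
    (host, version, status, action) tuples; fixed hosts are omitted."""
    order = {"vulnerable": 0, "end_of_life": 1, "not_covered": 2}
    rows = []
    for host, version in inventory.items():
        status, action = assess(version)
        if status != "fixed":
            rows.append((host, version, status, action))
    rows.sort(key=lambda r: (order[r[2]], r[0]))
    return rows


if __name__ == "__main__":
    for host, version, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {version:<10} {status:<12} {action}")
```

Feed it the versions your own inventory reports (a `drush status` export or the `drupal/core` entry in each site's composer.lock) in place of the constructed dictionary; anything classified `vulnerable` maps directly to one of the bullet points above.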
This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.
Reported By:
- Jasper Mattsson
- Samuel Mortenson, Provisional Drupal Security Team member
- David Rothstein of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Pere Orga of the Drupal Security Team
- Neil Drumm of the Drupal Security Team
- Cash Williams of the Drupal Security Team
- Daniel Wehner
- Tim Plunkett
The Drupal security team can be reached by email at security at drupal.org or via the contact form.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Thunder is proud sponsor of the Media and Publishing Summit ahead of the DrupalCon in Nashville. Meet us on 9th April and during the DrupalCon to learn more about Thunder and how it is used in professional publishing.
https://thunder.org/
Thunder is the Drupal 8 distribution for professional publishing. Thunder was designed by Hubert Burda Media and released as open-source software under the GNU General Public License in 2016. As members of the Thunder community, publishers, partners, and developers build custom extensions and share them with the community to further enhance Thunder.
Thunder consists of the current Drupal 8 functionality, lots of handpicked publisher-centric modules with custom enhancements (our own Thunder Admin Theme, the Paragraphs module, the Media Entity module, the Entity Browser module, and lots more), and an environment which makes it easy to install, deploy and add new functionality (e.g. the Thunder Updater).
To learn more about Thunder projects, read these case studies: German magazine Mein Schöner Garten (Gardening Magazine for Hubert Burda Media), US magazine American Heritage (American Heritage Magazine Migration – Drupal 8), and Serbian television and radio station PannonRTV (News portal for media house – PannonRTV).
About the idea:
We at the Thunder Core Team believe that publishers do not compete with each other through technology, but rather through content and brands. That is why the German publisher Hubert Burda Media established the Thunder community which aims to join forces among media companies by sharing code and innovation power. The goal is to innovate faster and spend less money overall by working together.
The Thunder community’s core product is the open-source content management system Thunder. Community members develop useful modules, use them for their own purposes and share them with the community by publishing them under the GNU General Public License. Neither Hubert Burda Media nor the other publishers in the community charge anyone for their contributions.
Any company publishing content professionally is welcome as a member of the Thunder community - both as user and as contributor. Anyone can join by contributing to the distribution. The usefulness and richness of Thunder’s functionality directly benefit from the number of contributors.
Why Drupal was chosen:
For Burda, Drupal is the content management platform of choice. It is a free and open-source content-management framework written in PHP and distributed under the GNU General Public License.
The standard Drupal core already provides the essential features, e.g. user management, menu management, RSS feeds, taxonomy, page layout customization, and system administration. It is easily adaptable and extensible with thousands of modules provided by a global community of users and developers. In addition, developers at Hubert Burda Media have had previous good experiences with Drupal. Drupal is therefore a tried and tested basis and has become even better with Drupal 8.
Describe the project (goals, requirements and outcome):
Thunder started as a way to share innovation and synergies among the many different brands and products within the Burda Corporation to save costs and speed up the time to market. It did not take long until we realized that the model that worked within the very diverse Burda universe would be useful for almost all digital publishers. That was when we decided to open source the distribution.
Due to its open source basis on Drupal 8, all features and functionality within Thunder are available to anyone wishing to benefit from Burda’s industry experience. Individual brands can add modules to tailor the system to their specific needs. Many of those “specific” customizations will prove to be valuable to more than just the organizations they originated from. We therefore designed Thunder in a way that we can easily incorporate those add-ons into the main distribution and share the features among all brands.
Goals:
We aim at becoming the best open-source content management system for professional publishing. In this, we focus on the creation of content. We want to help editors to create articles, to add media, to build landing pages, in short, to share their stories with the world.
We want Thunder to be a CMS jointly developed by its users and are therefore working towards building a community of publishers, IT agencies, and anyone else who shares our ideas and contributes to Thunder.
Our aim in doing so is to stay very close to the Drupal community and the Drupal core instead of creating a Thunder fork. Whenever we want to implement a new functionality or solve a problem, we try to do this in Drupal core or in the modules Thunder uses instead of fixing things in the distribution.
Time spent:
It’s difficult to measure the time spent on the development of Thunder, as this is an ongoing process. Currently, there are four developers employed by Hubert Burda Media working on the distribution full-time, plus several external developers. They focus on the advancement of Thunder as well as Drupal core and the contrib modules used in the distribution. A community manager is working on coordinating and growing the Thunder community of publishers, developers, and other partners.
Timeline and Milestones:
- 30th August 2015: Repository and first commits for Thunder
- September 2015: playboy.de – the first website running on Thunder
- November 2015: instyle.de – the second website running on Thunder as well as proof of concept of the sharing model
- 17th March 2016: Official press release about Thunder
- October 2016: produceretailer.com is the first professional non-Burda website running on Thunder
- 30th January 2017: Release of Thunder 1.0
- March 2016: One year after the official launch of the Thunder initiative, 15 websites (we know of) are running on Thunder.
- 1st June 2017: Release of Thunder 2.0
- 20th July 2017: Release of Thunder Admin Theme
- 20th November 2017: First community event, the Thunder Day in Hamburg
We released Thunder 1.0 in January 2017. One year later, at least 60 professional websites that we know of now run on Thunder. In the meantime, we have also released Thunder 2.0 and the Thunder Admin Theme.
Publishing houses grabbed the idea of working together. The Austrian publisher kurier.at, for example, contributed to the liveblog module used in Thunder and developed a new functionality to split text paragraphs.
In community matters, we talked to more than 300 companies worldwide. We established the “Certified Thunder Integrator” program to help publishers to find IT agencies as well as IT agencies to find customers. As of now, there are more than 20 companies certified or in the certification process.
We aim at bringing people together to share experiences. For this purpose, we introduced a Slack team for the Thunder community as well as several social media accounts. Furthermore, we organized the first community event – the Thunder Day – with around 120 participants in November 2017.
Challenges and how we resolved them:
Updating:
Distributions such as Thunder face the problem of losing control after the installation. How should a distribution actually deliver features and updates? We thought a lot about this problem and introduced the Thunder Updater, the “Thunder way to keep your site up to date”. Thunder checks if installed configurations have been changed – if not, they can be updated. Otherwise, you will get a message telling you there’s an update pending and what to do if you wish to have it. This functionality is currently an integral part of the distribution but we plan to detach it and publish it as a module on drupal.org soon so that everybody can use it.
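The rule described here is "update only what the site has not touched", which in practice means comparing the active configuration against a fingerprint of what the previous release shipped before overwriting it. The following is an added example in Python, not Thunder's own code (the Thunder Updater is PHP inside the distribution): it fingerprints each configuration object with a canonical SHA-256, applies the new release's version only where the active object still matches the old shipped one, and reports everything else as pending. The configuration names and values are constructed.

```python
"""Update-if-unmodified check for shipped configuration.

Added example, not Thunder's code. A config object is replaced by the new
release's version only if the site still has exactly what the previous release
shipped; anything the owner changed or removed is reported instead.
Config names and values below are constructed.
"""
import hashlib
import json


def fingerprint(config):
    """SHA-256 over a canonical JSON form, so key order does not matter."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Constructed: config objects shipped with the release currently installed.
SHIPPED_V1 = {
    "example.settings.seo": {"sitemap_enabled": True, "max_links": 2000},
    "example.settings.scheduler": {"unpublish_enabled": False},
    "example.view.frontpage": {"items_per_page": 10},
}

# Constructed: what is active on the site. The owner switched on unpublishing;
# the other two objects are untouched (key order differs, which must not count).
ACTIVE = {
    "example.settings.seo": {"max_links": 2000, "sitemap_enabled": True},
    "example.settings.scheduler": {"unpublish_enabled": True},
    "example.view.frontpage": {"items_per_page": 10},
}

# Constructed: config objects shipped with the new release.
SHIPPED_V2 = {
    "example.settings.seo": {"sitemap_enabled": True, "max_links": 5000},
    "example.settings.scheduler": {"unpublish_enabled": False, "time_zone": "UTC"},
    "example.view.frontpage": {"items_per_page": 10},
    "example.settings.liveblog": {"enabled": False},
}


def plan_update(shipped_old, active, shipped_new):
    """Return (new_active, skipped, unchanged).

    new_active is the configuration after applying every safe update,
    skipped lists objects left alone because the site customised (or removed)
    them, unchanged lists objects the new release did not modify."""
    new_active = dict(active)
    skipped, unchanged = [], []
    for name, new_cfg in shipped_new.items():
        old_cfg = shipped_old.get(name)
        current = active.get(name)
        if old_cfg is None and current is None:
            new_active[name] = new_cfg      # brand-new object, nothing to clobber
        elif old_cfg is not None and fingerprint(old_cfg) == fingerprint(new_cfg):
            unchanged.append(name)          # the new release did not touch it
        elif (current is not None and old_cfg is not None
              and fingerprint(current) == fingerprint(old_cfg)):
            new_active[name] = new_cfg      # still exactly as shipped: safe to update
        else:
            skipped.append(name)            # customised or deleted on this site
    return new_active, sorted(skipped), sorted(unchanged)


if __name__ == "__main__":
    result, pending, same = plan_update(SHIPPED_V1, ACTIVE, SHIPPED_V2)
    for name in pending:
        print(f"update pending for {name}: site configuration differs from the "
              f"shipped version; review and apply manually if wanted")
    print("unchanged:", same)
    print("active after update:", json.dumps(result, sort_keys=True))
```

Fingerprinting the canonical serialisation rather than the raw export matters: a re-saved object whose keys come back in a different order must still count as "unchanged", or every site would be told it has customised everything.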
Testing:
Writing an Admin Theme is very difficult because Drupal offers so many possibilities to adapt things: If you change something it can have unexpected effects in unexpected places. To avoid surprises, we developed Sharpeye, a visual regression tool. It takes screenshots and compares them in automated tests. This gives us a good overview. We open sourced the tool and you can download it here: github.com/BurdaMagazinOrg/sharpeye
Technical details, tips, and tricks:
Tooling:
We invested a lot of time into automated testing but it was well worth the effort, not only for Thunder but also for Drupal core and the contrib modules we use since we discovered a lot of bugs there too.
Development process:
We don’t use a closed issue tracker but publish our tickets on drupal.org, thereby creating transparency. We use Github rather than drupal.org for the development because the developer experience is much better.
Organizations involved:
Modules/Themes/Distributions
Key modules/theme/distribution used:
In professional publishing, it’s all about the story. It has to be easy to create a story, to extend it, to change its narrative strand, and to enrich it with multimedia content. We use the Paragraphs module for this. Instead of putting all their content in one WYSIWYG body field including images and videos, end-users can now choose on the fly between pre-defined Paragraph Types independent from one another. Paragraph Types can be anything you want from a simple text block or image to a complex and configurable slideshow. This allows editors to structure an article into sub-elements which can easily be created, edited, and reorganized.
Media Handling
Editors want to enrich their articles with pictures, videos, content from social media, and whatever else you might think of. Paragraphs are one part of this, the other is the combination of the Media Entity module and the Entity Browser module. With those modules, editors can easily upload new content but also find and reuse existing entities.
SEO
Search engine optimization plays a major role in every editor’s life. Thunder therefore offers a wide range of adjustable settings, from meta tags for Facebook, Twitter, and Open Graph to a simple XML sitemap.
Scheduled Publishing
The editor’s daily life is a lot about planning. With Thunder, you can schedule articles, ensuring they will be published at a given date and time. Even more importantly, you can also schedule the time at which an article or a picture should no longer be shown on the website, e.g. if the contract period for a photograph has ended or an event announcement isn’t useful anymore.
Improved Authoring Experience
Our primary focus is making the editors’ work with Thunder as easy as possible. In order to achieve this, we created the Thunder Admin Theme based on findings of user tests and a survey conducted with editors working with Thunder.
Detailed Module List
Find a detailed list of the modules we use in Thunder here: burdamagazinorg.github.io/thunder-documentation/modules
Community contributions:
Since we get a lot from the Drupal community, we do our best to contribute back, e.g. by fixing the bugs we find through automated tests and by supporting Drupal events and code sprints with developer time, talks, and sponsoring. Christian Fritsch, a member of the Thunder Core Team, contributed a lot of his time to the media initiative. Ingo Rübe, the initiator of Thunder, is a member of the Drupal Association’s Board of Directors.
Project team:
- Daniel Bosen - Lead Developer
- Christian Fritsch - Senior Developer
- Mladen Todorovic - Senior Developer
- Volker Killesreiter - Senior Developer
- Julia Pradel - Community Manager
- Ingo Rübe - Initiator of Thunder
- Collin Müller - Head of Strategic Development
- Advisory ID: DRUPAL-PSA-2018-001
- Project: Drupal Core
- Version: 7.x, 8.x
- Date: 2018-March-21
There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 and 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.
While Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0. The Drupal security team strongly recommends the following:
- Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
- Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
- Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.
The security advisory will list the appropriate version numbers for all three Drupal 8 branches. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.
This will not require a database update.
Patches for Drupal 7.x and 8.3.x, 8.4.x, 8.5.x and 8.6.x will be provided.
The CVE for this issue is CVE-2018-7600. The Drupal-specific identifier for the issue is SA-CORE-2018-002.
Neither the Security Team nor any other party is able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
Journalists interested in covering the story are encouraged to email email@example.com to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory.
If you find a security issue, please report it at https://www.drupal.org/security-team/report-issue.
updated 2018-03-22: Added information about database updates
updated 2018-03-27: Added information about patches
updated 2018-03-28: Added information about CVE and identifiers
This new version makes the Media module available for all, improves migrations significantly, stabilizes the Content Moderation and Settings Tray modules, serves dynamic pages faster with BigPipe enabled by default, and introduces a new experimental entity layout user interface. The release includes several very important fixes for workflows of content translations and supports running on PHP 7.2.
In Drupal 8.4, we added a Media API to core that drew on work from the contributed Media Entity module, but the module was hidden from the user interface due to user experience issues. In Drupal 8.5, many of the usability issues have been addressed, and the module now can be enabled normally. Media in Drupal 8.5 supports uploading and playing audio and video files, as well as listing and reusing media.
For an optimal user experience, we suggest enhancing the core feature set with the rich ecosystem of contributed modules that extend the core Media module. In future releases, we will improve the core user experience with a media library and other tools, add WYSIWYG integration, add support for remote media types like YouTube videos, and provide an upgrade path for existing basic File and Image field data on existing sites.
Settings Tray and Content Moderation now stable
Two experimental modules originally added with Drupal 8.2.0 have been steadily improving in past releases and are now stable. The Settings Tray module provides a quick solution to manage settings in context, such as moving items around in a menu block. The Content Moderation module allows defining content workflow states such as Draft, Archived, and Published, as well as which roles have the ability to move content between states. Drupal 8.5.0 also adds support for translations to be moderated independently.
New experimental Layout Builder module
The new experimental Layout Builder module provides display layout capabilities for articles, pages, user profiles, and other entity displays. Layout Builder uses the same "outside-in" user interface that the Settings Tray module does, allowing site builders to edit their layouts on the actual page (rather than having to go to a separate form on the backend). The current user interface is a basic implementation but we expect it will improve significantly in the coming months.
Big steps for migrations
After over four years of work, this release marks the Migrate system's architecture stable. The Drupal Migrate and Drupal Migrate UI modules are also considered stable for upgrading monolingual sites. (Multilingual site upgrades are still not fully supported.) Support for incremental migrations is also included in this release. See the migrate announcement for further details on migrating to Drupal 8.
BigPipe by default
The BigPipe module provides an advanced implementation of Facebook's BigPipe page rendering strategy for greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. The module was added in Drupal 8.1.0 experimentally and became stable in Drupal 8.3.0. Following real-world testing, BigPipe is now included as part of Drupal 8.5.0's Standard installation profile, so that all Drupal 8 sites will be faster by default. BigPipe is also the first new Drupal 8 feature to mature from an experimental prototype all the way to being part of a standard installation!
Groundwork for a Drupal 8 "Out of the Box" demo
Drupal 8.5.0 includes the groundwork for a new demo profile and theme from the Out of the Box Initiative, which will be a beautiful, modern demonstration of Drupal's capabilities. This will allow us to provide the demo experimentally, possibly in a future Drupal 8.5 release. (The demo profile and theme should not be used on actual production or development sites since no backwards compatibility or upgrade paths are provided.) If you'd like to see this demo in action, you can also see it in the 8.6.x development version.
PHP 7.2 now supported
Drupal 8.5.0 now runs on PHP 7.2, which comes with new features and improves performance over PHP 7.1. PHP 7.2 is now the recommended PHP version to use with Drupal 8.
What does this mean for me?
Drupal 8 site owners
Update to 8.5.0 to continue receiving bug and security fixes. The next bugfix release (8.5.1) is scheduled for April 4, 2018.
Updating your site from 8.4.5 to 8.5.0 with update.php is exactly the same as updating from 8.4.4 to 8.4.5. Drupal 8.5.0 also has updates to several dependencies, including a backwards-compatible update to a Symfony long-term-support release (which will be supported for many years). Modules, themes, and translations may need updates for these and other changes in this minor release, so test the update carefully before updating your production site.
Note that Drupal 8 will require PHP 7 starting in March 2019, one year from now. If your site is hosted on PHP 5.5 or 5.6, you should begin planning to upgrade (and consider upgrading to PHP 7.2 now that it is supported). See the Drupal core announcement about the PHP 5 end-of-life for more information.
Drupal 6 and 7 site owners
Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8. Drupal 6 is no longer supported. See the migrate announcement for further details on migrating to Drupal 8.
Translation, module, and theme contributors
Minor releases like Drupal 8.5.0 include backwards-compatible API additions for developers as well as new features. Read the 8.5.0 release notes for more details on the improvements for developers in this release.
Since minor releases are backwards-compatible, modules, themes, and translations that supported Drupal 8.4.x and earlier will be compatible with 8.5.x as well. However, the new version does include some changes to strings, user interfaces, internal APIs and API deprecations. This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.5.0 release candidate for more background information.
After over four years of work with over 570 contributors and 1300+ closed issues, Drupal 8.5.0 releases the Migrate system's architecture as fully stable. This means that developers can write migration paths without worrying about the stability of the underlying system.
On top of that, the Migrate Drupal and Migrate Drupal UI modules (providing Drupal 6 and 7 to Drupal 8 migrations) are considered stable for upgrading monolingual sites. All of the remaining critical issues for the Migrate Drupal module's upgrade paths and stability are related to multilingual migration support (so multilingual site upgrades are still not fully supported).
Support for incremental migrations is now also available, which means that site owners can work gradually on their new Drupal 8 site while content is still being added to the old site. When migrations (including incremental migrations) are run through the user interface, site owners will now see a warning if some data on the Drupal 8 site might be overwritten. (A similar fix for Drush is not yet available, so be careful not to overwrite data if you run a migration on the command line.)
Upgrade instructions for Drupal 6 and Drupal 7 sites can be found in the Upgrading to Drupal 8 handbook. Your old site can still remain up and running while you test migrating your data into your new Drupal 8 site. If you happen to find a bug that is not a known migrate issue, your detailed bug report with steps to reproduce is a big help!
Unlike previous versions, Drupal 8 stores translated content as single entities. Multilingual sites with reference fields (node_reference, entity_reference) or multilingual menus can upgrade to Drupal 8 using Drush, executing the desired migrations one by one. In this process you need to create and run a series of additional custom migrations to reflect the new entity identifiers assigned during earlier migrations. There is no automation implemented for this process yet.
Data can also be migrated to Drupal 8 from non-Drupal sources such as CSV, XML, JSON, or directly from third-party systems' databases. For instructions and examples, refer to the Migrate API handbook.
Huge thanks again to all the contributors who made this possible.
The first release candidate for the upcoming Drupal 8.5.0 release is now available for testing. Drupal 8.5.0 is expected to be released March 7.
Download Drupal-8.5.0-rc1
8.5.x makes the Media module available for all, improves migrations significantly, stabilizes the Content Moderation and Settings Tray modules, serves dynamic pages faster with BigPipe enabled by default, and introduces the new experimental Layout Builder module. The release includes several very important fixes for workflows of content translations and supports PHP 7.2. Finally, 8.5.0-rc1 also includes the same security updates that are provided in 8.4.5.
What does this mean to me?
For Drupal 8 site owners
Drupal 8.4.5, a security update and the final release of the 8.4.x series, has also been released this week. 8.4.x sites should update immediately to 8.4.5, but going forward, 8.4.x will receive no further releases following 8.5.0's release date, and sites should prepare to update from 8.4.x to 8.5.x in order to continue getting bug and security fixes. Use update.php to update your 8.4.x sites to the 8.5.x series, just as you would to update from (e.g.) 8.4.2 to 8.4.3. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.)
If you're an early tester who is already running 8.5.0-alpha1 or 8.5.0-beta1, you should update to 8.5.0-rc1 immediately. 8.5.0-rc1 includes security fixes (the same fixes that were released in Drupal 8.4.5).
Site owners should also note that Drupal 8's support for PHP 5 will end in one year, in March 2019. PHP 7.2 is now the recommended PHP version to use with Drupal 8.
For module and theme authors
Drupal 8.5.x is backwards-compatible with 8.4.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.5.x, and test modules and themes with the release candidate now.
For translators
Some text changes were made since Drupal 8.4.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations.
For core developers
All outstanding issues filed against 8.4.x were automatically migrated to 8.5.x. Future bug reports should be targeted against the 8.5.x branch. 8.6.x will remain open for new development during the 8.5.x release candidate phase. The 8.5.x branch will be subject to release candidate restrictions, with only critical fixes and certain other limited changes allowed.
Your bug reports help make Drupal better!
Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet.
In 2017 we saw the passing of J-P, community friend, mentor, leader, and contributor. Within the community J-P was known for his passions: Drupal, programming culture, gardening, cycling, and the environment. We invited people to share their memories of J-P and his impact; we share them with you now in memoriam. This is a moving tribute and a celebration of his life.
We invite you to also share your tributes in the comments section.
J-P Stacey on the Tour de Drupal 2016 Photo by Christian Ziegler
J-P was a bright, intelligent, quirky chap who ADORED animals. He would melt at the mention of our pets' names, he would happily spend hours cooing over stories of his beloved cat Indie, and he'd oblige you in hours and hours of stories about your beloved animals - kae76
Whenever I was with JP he was always smiling. He was always there to help and it was always a pleasure to see JP at Drupal events and chat to him on IRC - aburrows
Nice. My overriding memory of J-P is how nice he was. When he moved up to Sheffield and started attending the Yorkshire meetups he fitted right in straight away. He always found time to ask how people were doing and genuinely cared what they were saying. He was always patient, positive and happy to help others - kmbremner
I remember first meeting J-P at DrupalCamp Oxford in 2012, when I had just started out running a small business, and I remember thinking how much of a mad professor he looked, and discussing different parts of Oxford with him. The last time I saw J-P was sharing a meal with him at DrupalCamp London 2017 near Euston. Both times J-P was actively seeking to engage people from the edges of the community (all the other Drupalists at the meal were freelancers or small businesses) and I know that was something he was highly instrumental at working with. I actually went back to that restaurant recently, and it seems slightly strange that I won't see J-P at another event - willhallonline
J-P being present just simply makes you happy, such an open, genuine chap. Always disappointment around if he can't attend a catch-up, and anticipation if you know he will be there. J-P, always the gentleman, honoured my poor jokes with a titter or a laugh, even if they were first met with an understandable groan - waako
I knew J-P, in that we participated together every year as mentors at the Friday Core Sprints at Drupalcon. Last year at Drupalcon Dublin, I asked J-P to be my "mentor mentor" because I was so impressed by his gentle and unruffled style. He organized the team at his table with exemplary grace and good humour. I was particularly struck by how quickly he gathered a group of enthusiastic people around him. Bye J-P, it was a true honour to have known you, if only once a year, in this particular context - michaellenahan
He was *always* cheerful! - greg.harvey
JP always took the time to talk to people and explain things to people who needed help. It's safe to say that helping people was a passion for JP - Ikit-claw
I recall the Friday evening of Drupalcamp London 2017, J-P and I met at Old Street Station and travelled to Kings Cross to meet up with fellow Drupalists for a meal at the Diwana Bhel Poori house for a meal. The trip and the hour long wait there for the rest to join us was filled with fun and interesting conversation. We realised how much we had in common and made each other laugh. That plus stimulating conversation over great food I will remember for a long while - TechnoTim2010
The thing I will always remember best about J-P his determination to stick to his principles; be they in code, in process, in environmental matters or even his house and garden! It was so sweet on occasion to see him struggle when pragmatism meant they couldn’t always be followed but it constantly reminded me to try harder myself. I miss J-P but I know I’ll be a better person for knowing him and looking up to him - rachel_norfolk
I met him via tour de drupal Amsterdam and Barcelona. J-P was cycling a long way alone, Criz and I would cycle the Pyrenees for 2 days and then we met for the final leg to Barcelona and had a really good time. I didn't get to know Stacey too much but felt he was a very calm, positive, free person - dasjo
Working on a project with J-P with him as lead developer and me acting as project manager, what I loved was the fact he would always push back on every story, but as we chatted about options, he'd end up getting excited and committing to even more than I expected to get in the first place - stevecowie
J-P was a brilliant companion on various Tour de Drupal cycle rides from the UK to wherever Drupalcon was being held. His great sense of humour, adventure and unflappable flexibility made him an excellent person to cycle with, and he was great at drawing people in, involving them and making everyone feel at ease. These same characteristics made him great fun to be around at a conference; I remember the "I'll do it if you will" approach that got us into talking at a Drupal unconference, with just a few minutes' notice in his case. He cared about others, and his strong sense of fairness and inclusion as well as pragmatism were of great value when there were difficult decisions to be made - martin_q
JP was involved with the modern web development apprentices (a.k.a. Drupal apprentices) programme in the UK. The last time I met JP was shortly before his holiday trip to Spain. We were scoping out some training days for the apprentices programme, as budget had become available to run 1-day topic-focussed trainings with external specialists. He was looking forward to training apprentices on test-driven development after his holiday - andrewmacpherson
#drupal #sprintweekend Sheffield 2016 Shared on twitter by @rivimey
The Drupaller & mentor
I was aware how deeply knowledgeable he was, and his ability to make that knowledge accessible to others, and his nature to always hear others out, always assuming he hadn't got the answer. He wasn't shy to press someone about a topic which he believed was being overlooked, or underrepresented - kae76
He was excellent at explaining and helping others - aburrows
I remember J-P presenting about Drush Make at DrupalCamp North West 2013. It really opened my eyes to how there was a more efficient way of doing things than I had known before. Years later he was a strong advocate for Composer evangelising the benefits to the local community and beyond - kmbremner
The thing I will remember most about J-P was his passion around open-source software. He was committed to Drupal and passionate about the community. It always seemed that he really cared about the *little* guy. The person starting up, or the newcomer to the community - willhallonline
He was always interested in problem solving, beyond that he was interested in understanding the problem, not solving it for you. He could explain code, like super-intelligent physics jokes, in the most clear manner and help you find direction. He would ask all the right questions about what you needed to achieve - waako
He totally "got" contrib, always looking for the pragmatic solution, always looking to use and/or improve existing code - greg.harvey
JP would take the time to help people learn code and point them in the right direction; you could talk to him on Slack or IRC and he would take the time to help you - Ikit-claw
J-P was always willing, if he had time, to help with any coding issues on IRC. He was busy much of the time. I would have loved to collaborate on a project with him, sadly never to be - TechnoTim2010
I’ve learned so much from J-P’s blog posts and always enjoyed our encounters at various events over the years. Highly technically competent and willing to spend time to share skills and knowledge, I saw J-P as part of the very fabric of what makes Drupal Drupal, the reason why I’ve hung around for so long - Steve Purkiss
Time. It didn’t matter how long it took for J-P to work with someone until they understood something - he’d see it through - rachel_norfolk
J-P was the alternative to Drupal stack exchange - stevecowie
JP shared his own learning very freely. After D8 came out JP set about learning the new API - he published what he learned on his blog, and those are some of the best D8 tutorials I've seen. "Did JP figure this out yet?" was often my first question, before approaching the official docs - andrewmacpherson
The future: what would J-P want us to remember?
J-P would want us to remember the people behind the code; to spend the time helping new members of the community and making them feel welcome. To have a beer and get to know each other on a personal level - kmbremner
Documentation! Joking aside ... I'm honestly not sure how to answer this; fundamentally, the J-P we all knew cared about a lot of things: the environment, equal rights, good clean code, great clear documentation, meaningful social interactions and impact. But my everlasting memory is how much he held his family and friends in focussed concern - listening and hearing - sharing daft jokes, and I personally honor him for his vulnerability; he was an open book. This is the lesson I will learn and keep learning from J-P: listening and HEARING the ones you love, open honest vulnerability, and there is never a bad time for a cat pun - kae76
Be kind to each other and get involved in the Drupal eco-system - aburrows
I think that the enduring message is that it is not about code. Code is far more ephemeral than community. People's enduring care for the Drupal community is what makes it powerful. And I feel that J-P knew that - willhallonline
He would want us to grow things, to experiment, cycle and to listen & engage with each other - waako
The planet - greg.harvey
I think he would want us to pay forward all the kind gestures he had done for others. If JP ever took the time to help you and see someone stuck who you could help I think he would want people to take 30 minutes to help someone else and encourage them - Ikit-claw
J-P was passionate about Drupal and would want us to share that passion, and help our fellow Drupalists. He was also passionate about Green issues and protecting and improving the environment. I am sure he would be happy I created a Drupal 8 site to support a campaign not to concrete over beautiful countryside, but instead push cycling and other non-destructive solutions. We should consider our own green credentials and do anything we can for our local environment - TechnoTim2010
Learn, then teach - Steve Purkiss
His garden - rachel_norfolk
Go by your own pace - dasjo
From left to right: Christian, Youri, J-P, Stephen, Martin (Photo by Conor Cahill)
Reflections on Tour de Drupal 2016 Shared by MegaChriz - An evening in Belfast
On a cold Friday evening in Belfast - late September 2016 - J-P, Martin and Stephen arranged to meet me and Christian at a small restaurant in town. The streets were empty - as if everybody was either out of town or at home. But the restaurant was full to the brim - there was no more room inside. J-P, Martin and Stephen were sitting outside on the terrace of the restaurant when Christian and I arrived, having a drink and presumably trying to ignore the cold. Despite the cold, we had to wait for a table to become free inside before we could order some food (outside, the ordered food would become cold in minutes, maybe even in seconds). So we sat there for about an hour and still no one came out to make room for us.
J-P had a hard time fighting his hunger and finally said "Maybe I should just go inside and stare at people to make them want to go away". J-P opened his eyes wide, pretending to be staring at us. That was one of the funniest moments I had with J-P.
J-P didn't go inside to stare people away; after some more time waiting, room finally became available for us, and together with Martin and Stephen, J-P ordered a 22 inch pizza.
Tour de Drupal 2016
The next two days we cycled together from Belfast to Dublin. It was a great ride with mostly flat land and sometimes lots of rain! There were also some hills and J-P had a hard time cycling these on his Brompton.
We hadn't arranged an overnight stay between the first and second cycle day, so on the first day J-P and Stephen had to make calls to several guest houses, bed and breakfasts, Airbnbs, etc. to find a place for us to sleep. "Next time, I'll book an overnight stay beforehand," J-P said, "This was way too stressful."
The second day was windier, and because we seemed to be running out of time to get to Dublin the same day, we took a shortcut. This was alongside a road where traffic was allowed to reach speeds of 100 km/hour. This was the part of the tour I didn't like much. One time I got blown onto the berm, nearly falling off my bike! With time still running out I only got to Skerries, as I couldn't reach a higher speed (I took the rest by train). Despite that, I'm glad I have been able to cycle with this group.
It was our Tour de Drupal!
The Five Bikers Staring to the Sea. From left to right: Youri, Christian, Stephen, J-P, Martin. (Photo by Martin Quested)
This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.
Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926
Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.
The PHP functions which Drupal provides for HTML escaping are not affected.
Private file access bypass - Moderately Critical - Drupal 7 - CVE-2017-6928
When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.
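The conflict described above (one module granting access to a private file while another tries to deny it) comes down to how per-module opinions are combined. The following added Python example is not Drupal's file-access code; it contrasts a flawed resolver that stops at the first grant with a deny-wins resolver that consults every module and defaults to deny. The two "modules", the user names and the sample file record are constructed for the illustration.

```python
from enum import Enum


class Access(Enum):
    NEUTRAL = "neutral"  # the module has no opinion about this file
    ALLOW = "allow"
    DENY = "deny"


# Constructed stand-ins for two modules that each have a say on private files.
def owner_module(user, file):
    """Grants access to whoever uploaded the file."""
    return Access.ALLOW if file["owner"] == user else Access.NEUTRAL


def embargo_module(user, file):
    """Denies access to any file flagged as embargoed, for everyone."""
    return Access.DENY if file.get("embargoed") else Access.NEUTRAL


MODULES = [owner_module, embargo_module]

# Constructed sample file: the owner may normally see it, but it is embargoed.
SAMPLE_FILE = {"uri": "private://report.pdf", "owner": "alice", "embargoed": True}


def resolve_first_grant(user, file, modules=MODULES):
    """Flawed resolution: stop at the first module that has an opinion.

    An ALLOW from an early module short-circuits the loop, so a DENY from a
    later module is never consulted. The outcome depends on module order,
    which is the shape of bug that turns a grant-versus-deny conflict into
    an access bypass.
    """
    for module in modules:
        opinion = module(user, file)
        if opinion is not Access.NEUTRAL:
            return opinion is Access.ALLOW
    return False


def resolve_deny_wins(user, file, modules=MODULES):
    """Hardened resolution: ask every module; any DENY wins; default is deny."""
    opinions = {module(user, file) for module in modules}
    if Access.DENY in opinions:
        return False
    return Access.ALLOW in opinions


if __name__ == "__main__":
    print("first-grant resolver:", resolve_first_grant("alice", SAMPLE_FILE))  # True (bypass)
    print("deny-wins resolver:  ", resolve_deny_wins("alice", SAMPLE_FILE))    # False
```

Swapping the order of the two modules flips the flawed resolver's answer for the same user and file, while the deny-wins resolver gives the same answer in either order; that order-independence is the property to test for when several modules can vote on one access decision.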
This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.
jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7 - CVE-2017-6929
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.
For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.
Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8 - CVE-2017-6930
When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.
This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().
Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.
Settings Tray access bypass - Moderately Critical - Drupal 8 - CVE-2017-6931
The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.
If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.
This vulnerability can be mitigated by disabling the Settings Tray module.
External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7 - CVE-2017-6932
Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.
Solution:
Install the latest version:
- If you are using Drupal 8, upgrade to Drupal 8.4.5
- If you are using Drupal 7, upgrade to Drupal 7.57
- Comment reply form allows access to restricted content - Critical - Drupal 8
- Private file access bypass - Moderately Critical - Drupal 7
- jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7
- Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8
- Settings Tray access bypass - Moderately Critical - Drupal 8
- External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7
- David Rothstein of the Drupal Security Team
The following blog was written by Drupal Association Premium Supporting Partner, DrupalCamp London.
The people surrounding Drupal have always been one of its strongest selling points; hence the motto “Come for the code, stay for the community”. We bring individuals from a multitude of backgrounds and skill sets together to push forward towards a common goal whilst supporting and helping each other. Within the community, there are a number of ways to connect to each other, both online and in person. A good way to meet in person is by attending DrupalCons and DrupalCamps.
DrupalCamps
A DrupalCamp can be similar to a DrupalCon but is on a much smaller scale. Where a ‘Con has 1,600+ attendees, a ‘Camp ranges anywhere from 50 to 600 people. In Europe alone there were over 50 camps in 2017, including DrupalCamp London.
DrupalCamp London
DrupalCamp London brings together hundreds of people from across the globe who use, develop, design, and support the Drupal platform. It’s a chance for Drupalers from all backgrounds to meet, discuss, and engage in the Drupal community and project. DrupalCamp London is the biggest camp in Europe (followed very closely by Kiev), at ~600 people over three days. Due to its size and location, we’re able to run a wide range of sessions, keynotes, BoFs, Sprints, and activities to take part in.
What happens over the three days?
Friday (CxO day)
Friday (CxO day) is primarily aimed at business leaders who provide or make use of Drupal services (i.e. web development agencies, training companies, clients etc.), but naturally, everyone is welcome. Throughout the day we'll have speakers talking about their experiences working with Drupal and Open Source technologies in their sector(s) or personal life. With a hot food buffet for lunch and a free drinks reception at the end of the day, you'll also have ample time to network with the other attendees.
Benefits of attending
Benefits for CTOs, CMOs, COOs, CEOs, Technical Directors, Marketing Directors and Senior Decision Makers:
- Understand how leading organisations leverage the many benefits of Drupal
- Network with similar organisations in your sector
- Learn directly from thought leaders via specific case studies
Over the weekend, we have 3 Keynote speakers, a choice of over 40 sessions to attend, BoF (Birds of a Feather) talks, Sprints, great lunch provided (both days) and a Saturday social. With all the activity there is something for everyone to get involved in.
Benefits of attending
Over 500 people attended the weekend event last year and we are expecting it to grow even more this year. Not all attendees are devs either; with a fair share of managers, designers, C-level staff, and UX leads, there's a great opportunity for all skill sets to interact with each other. Big brands use Drupal (MTV, Visit England, Royal.gov, Guardian, Twitter, Disney) and this is a chance to meet people from those companies to compare notes and learn from each other.
As above, the chance to meet so many people from various skill sets is a great way to line up potential interviews and hires for any aspect of your business. At the very least you'll be able to meet interesting people for any future potential hires.
Marketing & Raising company profile
Attending an event with a huge turnout is a great way to meet people and talk to them about what you and your company do. Embedding your name within the tight-knit Drupal community can attract the attention of other companies. Sponsoring the camp means that your logo and additional information can be seen around the camp, in tote bags given to attendees, and online. The social and sponsors stands are the perfect chance to talk to other companies and people attending DrupalCamp, to find out how they use Drupal for their benefit.
DrupalCamp isn't just for devs: over the weekend there are sessions on a broad range of topics including community & business, UX, and general site building/using Drupal. The technical topics aren’t just Drupal specific either, which gives developers (and others) the ability to learn more about general core coding concepts and methodologies. The methods and techniques learnt help with day-to-day development and long-term work. In addition to the planned sessions, there are BoF (birds of a feather) sessions: ad-hoc get-togethers where people can talk on any topic, allowing free discussion to share ideas.
Warm fuzzy feeling/giving back
Drupal (like any open source software) wouldn't survive without the community. Camps and other events allow the members to come together and see ‘first hand’ that they’re giving back to a community that helps power their tech, maintains their interests, and enables them to make a living.
How to get involved?
We have had a tradition since 2005. Every new year we have a posting on the predictions for the year ahead for our beloved open source CMS and community. Sometimes this posting went up in December, sometimes in January. But never in February.
Time to start a new tradition, predict the year ahead from February on :-)
Leave a comment if you do think that blogging will get hip again, RSS will gain new ground. What will the role of the Drupal Association be in the new year? Where will the next DrupalCon be? Will the community grow and in what direction? API first, customer first, mobile first?
Polish your crystal ball and tell us what the future of Drupal will be.
And yes, this posting was one month late. Apologies. Feel free to predict when the new prediction posting will go up on d.o :-)
The following blog was written by Drupal Association Signature Supporting Partner, Open Social by GoalGorilla.
A living style guide - a way to control markup or CSS - has been making a name for itself. And for a good reason; they’re an important tool for web development. They keep developers in sync, communicate design standards, and help organize complex interfaces. In this post, I want to discuss why living style guides are important and how to implement one for Open Social, which is built on Drupal.
We're using a living style guide because it serves as a valuable internal resource for development; we’re able to write reusable and consistent code that's easy to maintain. And it’s a great external resource for client deliverables. Ready to see how to make a living style guide work with Drupal software? Let’s go!
Moving From Static to Dynamic
We didn’t always rely on a living style guide. Open Social was built and maintained using different strategies such as component libraries and atomic designs. These strategies have advantages, such as reusability, facilitating collaboration within the team, and ensuring design consistency. There were, however, disadvantages to a static style of working.
In the past, a component library or style guide was usually graphic-based. The designer would create a visual representation of a component (in PS or Sketch, for example) and then the front-end developer would transfer these visuals to HTML and CSS. This immediately meant double maintenance; for instance, if the markup or CSS changes, the graphics style guide would need to be updated to reflect this change and vice-versa. In our experience, the shelf life of these “static” systems is only a few iterations before the graphic version gets left behind and forgotten due to too much maintenance and not enough return. Yikes.
This is why we decided that it was time for a change. What we needed was a more dynamic system: a living style guide.
A Living Style Guide Is the Best
Any style guide is better than none but a living style guide is the best.
- Sharing design capabilities. Our team easily shares design capabilities between designers and front-end developers, which also benefits the backend developers and project managers who work with us.
- Less reliance on other team members. The developers refer to the style guide and reuse components for new features without being heavily reliant on the designers and front-end developers for implementation.
- Most importantly, the client benefits. The project manager offers new feature ideas and lower-cost solutions to the client, based on reusing and recombining existing components. Inevitably our clients benefit from this, especially when they begin thinking this way themselves.
While this blog post focuses on how we work on Open Social enterprise projects, it is also an accurate reflection of working in the Drupal frontend nowadays. A quick Google search for “Drupal Living Style Guide” can give you some ideas about the current popularity, challenges, and general atmosphere surrounding the subject. In the next section of the blog, I will take you through the steps of setting up a living style guide with Open Social.
Creating the Living Style Guide
It’s important to note that this section assumes you have a copy of the Open Social distribution running locally on your development machine (here’s where you can install the Open Social distro if you’re looking for it).
This demonstration uses a copy of the Social Blue theme, but you can implement the style guide using any custom theme. The Social Blue theme ships with the KSS style guide. Once we have the style guide up and running, the final result will look like this. Here we go!
Side note: refer to this GitHub repo for an example of a component library within a Drupal theme folder structure, a package.json with dependencies, and a gulpfile.js that runs the KSS-node style guide and generates assets for the Drupal theme.
The Drupal Component Library Module and Twig Namespaces
The living style guide firstly requires the Component Library Drupal module to get up and running. The Drupal components library allows us to create custom twig namespaced paths. This means we are not limited to placing our components in the Drupal theme templates folder (as the current Drupal 8 architecture dictates).
The KSS style guide lives in our theme directory but has no knowledge of Drupal. This is what makes it so flexible. In theory, we can copy the component library directory and use it in other (non-Drupal) projects. A big thanks to John Albin, the maintainer of Zen Theme and KSS node, for paving the way for us to implement our theme and style guide.
In this demonstration, a namespace was created in the theme’s .info.yml file, just like this:
(More documentation is available on the module’s drupal.org project page)
Once the namespace has been defined, you can include and extend twig templates from the component library, Drupal’s template override files and other components (like in an atomic design approach) by simply referring to the files like this:
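Those references take the form @namespace/path/to/file.twig, and a reference that names an undefined namespace or a file that is not in the component library only fails at render time. As an added example (my own code, not part of Open Social or the Components module), the following script reads the components.namespaces mapping out of the .info.yml text, scans a Twig template for include/extends/embed references, and reports the ones that do not resolve; the theme and directory names (socialblue, socialbase, components) are assumptions, and a real gulp task would build the set of existing files from the filesystem.

```javascript
// Added example, not code from Open Social or the Components module. It resolves
// "@namespace/file.twig" references against the components.namespaces mapping the
// Components module reads from a theme's .info.yml and reports those that point
// at missing component files; it could run as a gulp pre-check before kss-node.

// Minimal reader for this .info.yml fragment (assumptions: two-space indents,
// one directory per namespace, no YAML lists or anchors):
//   components:
//     namespaces:
//       socialblue: components        -> { socialblue: "components" }
function parseComponentNamespaces(infoYml) {
  const namespaces = {};
  let inComponents = false, inNamespaces = false;
  for (const raw of infoYml.split("\n")) {
    const line = raw.replace(/#.*$/, "").trimEnd();
    if (!line.trim()) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) {
      inComponents = line.trim() === "components:";
      inNamespaces = false;
    } else if (inComponents && indent === 2) {
      inNamespaces = line.trim() === "namespaces:";
    } else if (inComponents && inNamespaces && indent === 4) {
      const m = line.trim().match(/^([\w-]+):\s*(.+)$/);
      if (m) namespaces[m[1]] = m[2].replace(/^['"]|['"]$/g, "");
    }
  }
  return namespaces;
}

// Collect every @namespace/file used by include, extends or embed tags.
function findNamespacedReferences(twigSource) {
  const tag = /\{%-?\s*(?:include|extends|embed)\s+["']@([\w-]+)\/([^"']+)["']/g;
  const refs = [];
  for (let m; (m = tag.exec(twigSource)) !== null; ) {
    refs.push({ namespace: m[1], file: m[2] });
  }
  return refs;
}

// Map each reference to a theme-relative path and list the ones that cannot be
// resolved. `existingFiles` is a Set of theme-relative paths; a real gulp task
// would build it from the filesystem, here the caller supplies it.
function checkReferences(infoYml, twigSource, existingFiles) {
  const namespaces = parseComponentNamespaces(infoYml);
  const problems = [];
  for (const { namespace, file } of findNamespacedReferences(twigSource)) {
    const dir = namespaces[namespace];
    if (dir === undefined) { problems.push(`unknown namespace @${namespace}`); continue; }
    const resolved = dir.replace(/\/+$/, "") + "/" + file;
    if (!existingFiles.has(resolved)) problems.push(`@${namespace}/${file} -> ${resolved} not found`);
  }
  return problems;
}
```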
Social Blue comes with the style guide ready to go (read the Social Blue readme and follow the instructions on how to create a custom theme from it). However, because we have copied this to our custom theme folder, the gulpfile that runs the different tasks needs to be updated to reflect the new location in relation to the base theme (socialbase).
Read the Social Blue readme and follow the instructions to create your own custom theme. Once you have updated the package.json file and the gulpfile.js with those provided in Lisa's demo repo, refer to the Social Blue readme again, and follow instructions under the heading “Working with Gulp”. These steps will install the theme’s dependencies.
Compiling the Style Guide
Basically, most of the action happens in the gulpfile. Spending some time reading its comments and exploring it really helps you understand the dynamics of linking a Drupal theme with a living style guide.
If we refer to the package.json, we will see which packages we have installed, and by examining the gulp tasks and configuration, we can get a sense of how the style guide is compiled from our component library and theme files.
The Theory
We are relying on Drupal's theme layer to render the twig files from our components and attach the libraries (our CSS and js). We also rely on the component module to create the namespace allowing us to map Drupal variables with the json variables in our style guide.
The style guide copies Drupal’s theme assets (CSS and js) and has its own twig compiler (see os-builder folder).
The end result is the style guide made up of CSS/js copied from the base theme’s assets folder, our theme’s assets folder, and HTML generated from the twig and json, from our component library. The CSS/js copied from the assets folders need to be included in the gulpfile to be copied into your style guide.
(Side note: a nice little improvement is to have a designated folder, therefore avoiding the need to list each file.)
The Drupal HTML pages and the style guides are not shared. This is important to point out because caching might affect each differently.
Conceptually, we are dealing with 3 layers.
- Drupal core
- SocialBase component library (as CSS/js already compiled) and Drupal templates (handled by Drupal’s theme layer)
- Custom theme extending base component library and drupal template
Diagram of how a component library, KSSNode style guide, and Drupal theme work together to make a living style guide
For front-end developers and designers, a living style guide is becoming an essential part of the web developer’s toolkit.
We are able to focus on the implementation of design components while the backend is being built, thus working in parallel with our team members instead of relying on others to finish before we can start.
We can do browser and accessibility tests on a component level, thus improving the quality of features (current and future). Another benefit (one that deserves a blog post on its own) is implementing visual regression testing on the living style guide to help spot changes in HTML or CSS negatively affecting existing elements.
The time investment needed, especially for a complex project, is nothing compared to the peace of mind knowing adding new elements does not break others.
What you need to know:
Lisa Corcoran