This guest blog post is from Drupal Moldova's Association (not affiliated with Drupal Association). Get a glimpse of what is happening in Moldova's community and how you can get involved.
Drupal Moldova Association’s mission is to promote Drupal CMS and Open Source technologies in Moldova, and to grow and sustain the local community by organising Events, Camps, Schools, Drupal meetups and various Drupal and Open Source related trainings, and by establishing partnerships with Companies, the Government, and NGO’s.
Come and share your expertise in Moldova at our events! We're looking for international speakers to speak about Drupal and open source.
Among DMA’s (short for Drupal Moldova Association) numerous commitments, the following are of special importance:
to gather the community around Drupal and Open Source technologies;
to train students and professionals who want to learn and work with Drupal;
to organise events to keep the community engaged and motivated to improve, learn, and share experience;
to make sure Drupal is accessible to everyone by offering scholarships to those who can't afford our programs;
to elaborate a well defined program that helps students learn Drupal, acquire enough knowledge to get accepted for internships by IT companies, and be able to build Drupal powered websites;
to assist new IT companies in establishing a local office, promote themselves, collaborate with other companies, and connect with the local Drupal community by giving them the opportunity to support our projects.
Over the last 5 years, we have been dedicated to achieving our goals! DMA has organized over 20 projects and events, including Drupal Global Training Days, Drupal Schools, and the regional DrupalCamp -- Moldcamp. Our projects have gathered over 700 local and international participants and speakers, and more than 15 international companies have supported us during these years (FFW, Adyax, IP Group, Intellix, Endava and many others).
Moldova is rich in great developers and people driven to take initiative and to grow and place the country on the world map. We are aiming to go beyond our limits and have a bigger impact in the year (‘17-’18), therefore we have created a yearly plan that contains projects similar to those we have done in the past years, as well as new and exciting ones:
Drupal School (3-step program), starting with Drupal School 8 plus PHP (step 1): Drupal School is an educational program split into 2 months and 25 courses of different levels (Beginner, Intermediate, Advanced). Drupal School aims to introduce people to Drupal 8 and PHP, and help them become Drupal professionals;
Moldcamp 2017: Sep - Oct 2017. A regional DrupalCamp that gathers around 150 Drupal professionals, enthusiasts, beginners and any-Drupal-related-folk in one place for knowledge-sharing, presentations, networking, etc. We will announce the event soon and allow speaker registration. Please follow us and don’t miss out on the opportunity;
Drupal Global Training Day: Dec 1-2. A one-day workshop that has the purpose of introducing people to Drupal, both code and community.
Drupal Meetups: These are organized each month and they allow our community to be active and share knowledge.
Tech Pizza: Jun, Aug, Oct, Dec. A bi-monthly event where the ICT community can gather in a casual, informal environment around pizza and soda and discuss the latest IT trends and news. The core of this event is a speaker / invitee from abroad with a domain of expertise;
The proposed program “Drupal and Open Source in Moldova 2017 - 2018” is made possible through the support of USAID and the Swedish Government. Thanks to these organizations we can focus on the quality of our projects and make sure they happen as planned. We also have a very important partnership with Tekwill / Tekwill Academy, which helps us even more in our quests.
We start with the School of Drupal 8 plus PHP program, which will be held on the 19th of June 2017. So far we have 3 sponsors (IPGroup, Adyax and Intellix) and two trainers.
We, the DMA, believe in pushing the limits! Our long term goal is to build and maintain a big and active Open Source community by attracting more local and international participants to our projects and events, and to continuously improve our sessions. This will make our presence felt in the global Drupal and Open Source communities and markets. Find us on Twitter @drupalmoldova, or on our Facebook page. If you are interested in speaking in Moldova, contact us at firstname.lastname@example.org.
Remember how we are making changes to DrupalCon Europe? These were hard decisions and some things we love we found just weren’t financially viable. Like free t-shirts. But one thing we heard a lot was “please don’t take away the t-shirts!”
We heard you. And while it doesn’t make financial sense to give free t-shirts to all attendees, we still want to be able to continue to offer them. So we’ve come up with a plan.
At DrupalCon Vienna, t-shirts will be offered to the following groups:
Individual Drupal Association members who register for DrupalCon Vienna between 5 - 16 June 2017. You must register in this two week window AND be an individual member of the Drupal Association.
Volunteers who work at least four (4) hours onsite in Vienna 26 - 29 September. You must check the volunteer box during registration and must show up on site to volunteer for four (4) hours or until released by event staff.
Volunteers as part of the DrupalCon Program Team
I’m already a member, how do I make sure that I'll get a shirt?
If you are already an individual member, you get a t-shirt! BUT you MUST register in the first two weeks of ticket sales. Registrations after 16 June will not receive a t-shirt, member or not.
I’m not a member, can I do that during registration and still get a shirt?
Yes. If you are not a member you can become an individual member during your conference registration. You will be presented with a page during check-out that gives you the option to become a member.
I already registered but JUST saw this post! What do I do?
If you are a true early bird and register in the two weeks, but somehow missed this news post until after registering, that’s ok. As long as you become a member before the end of 16 June, you’ll still get a t-shirt.
The registration didn’t say anything about t-shirts or ask for my t-shirt size? What’s up?
After the 16 June cut-off date, eligible registrants will receive an email confirming their t-shirt along with a link to select their t-shirt size.
You got a session selected? Great!
We’ll refund your registration amount (but not your membership) and you get to keep the t-shirt. Our regular no-refund policy applies to all other sales.
You’re part of an organization that is buying a bulk amount of tickets for employees? Lucky you.
Your organization should provide you with an individual redemption code. You’ll need to redeem your individual registration before 16 June AND also be an individual member of the Drupal Association in order to get a t-shirt.
Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
At the end of April we joined the community at DrupalCon Baltimore. We met with many of you there, gave our update at the public board meeting, and hosted a panel detailing the last 6 months worth of changes on Drupal.org. If you weren't able to join us for this con, we hope to see you in Vienna!
Drupal.org updates
DrupalCon Vienna Full Site Launched!
Speaking of Vienna, in April we launched the full site for DrupalCon Vienna, which will take place from September 26-29th, 2017. If you're going to join us in Europe you can book your hotel now, or submit a session. Registration for the event will be opening soon!
DrupalCon Nashville Announced with new DrupalCon Brand
Each year at DrupalCon the location of the next conference is held as a closely guarded secret: the topic of speculation, friendly bets, and web crawlers looking for 403 pages. Per tradition, at the closing session we unveiled the next location for DrupalCon North America - Nashville, TN, taking place from April 9-13th in 2018. But this year there was an extra surprise.
We've unveiled the new brand for DrupalCon, which you will begin to see as the new consistent identity for the event from city to city and year to year. You'll still see the unique character of the city highlighted for each regional event, but with an overarching brand that creates a consistent voice for the event.
Starring Projects
Users on Drupal.org may now star their favorite projects, making it easier to find favorite modules and themes for future projects, and giving maintainers a new dimension of feedback to judge their project's popularity. Users can find a list of the projects they've starred on their user profile. Over time we'll begin to factor the number of stars into a project's ranking in search results.
At the same time that we made this change, we've also added a quick configuration for managing notification settings on a per-project basis. Users can opt to be notified of all issues for a project, only issues they've followed, or no issues. While these notification options have existed for some time, this new UI makes it easier than ever to control issue notifications in your inbox.
Project Browsing Improvements
One of the important functions of Drupal.org is to help Drupal site builders find the distributions, modules, and themes, that are the best fit for their needs. In April, we spent some time improving project browsing and discovery.
Search is now weighted by project usage so the most widely used modules for a given search phrase will be more likely to be the top result.
We've also added a filter to the project browsing pages to allow you to filter results by the presence of a supported, stable release. This should make it easier for site builders to sort out mature modules from those still in initial development.
Better visual separation of Documentation Guide description and contents
In response to user feedback, we've updated the visual display of Documentation Guides, to create a clearer distinction between the guide description text and the teaser text for the content within the guides.
Promoting hosting listings on the Download & Extend page
To leverage Drupal to the fullest requires a good hosting partner, and so we've begun promoting our hosting listings on the Download and Extend page. We want Drupal.org to provide every Drupal evaluator with all of the tools they need to achieve success: from the code itself, to professional services, to hosting, and more.
Composer Sub-tree splits of Drupal are now available
For developers using Composer to manage their projects, sub-tree splits of Drupal Core and Components are now available. This allows PHP developers to use components of Drupal in their projects, without having to depend on Drupal in its entirety.
DrupalCI Automatic Requeuing of Tests in the event of a CI Error
In the past, if the DrupalCI system encountered an error when attempting to run a test, the test would simply return a "CI error" message, and the user who submitted the test had to manually submit a new test. These errors would also cause the issues to be marked as 'Needs work' - potentially resetting the status of an otherwise RTBC issue.
We have updated Drupal.org's integration with DrupalCI so that instead of marking issues as "Needs work" in the event of a CI error, Drupal.org will automatically queue a retest.
Bugfix: Only retest one environment when running automatic RTBC retests
Finally, we've fixed a bug with the DrupalCI's automatic RTBC retest system. When Drupal HEAD changes, any RTBC patches are automatically retested to ensure that they still apply. It is only necessary to retest against the default or last-used test environment to ensure that the patch will work, but the automatic retests were being tested against every configured environment. We've fixed this issue, shortening queue times during a string of automatic retests and saving testing resources for the project.
As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:
- Last Call Media - Renewing Supporting Partner
- Message Agency - *NEW* Premium Supporting Partner
- Axelerant - Renewing Supporting Partner
- Digital Echidna - Renewing Supporting Partner
- ImageX Media - Renewing Supporting Partner
- Unleashed Technologies - Renewing Supporting Partner
- OPIN - *NEW* Signature Supporting Partner
- Synetic - *NEW* Supporting Partner
- Tata Consultancy Services - Renewing Supporting Partner
- Translations.com - Renewing Technology Partner
If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.
There comes a time when we must all recognize that what got us here won't get us there. Now is that time for Drupal. The governance models that were put in place to support the needs of the community years ago are no longer working as well as they should. The Drupal community has reached a level of maturity that requires greater clarity, integrity, and resilience.
An effort is underway to evolve Drupal’s community governance. The Drupal community is in the driver’s seat. The Drupal Association is helping navigate and get the community where it wants to go by providing the structure, support, and resources that are desperately needed to make progress. I, Whitney Hess, have been engaged to be a neutral facilitator of this process.
We are proposing a multi-phase approach to redesign Drupal’s community governance models, management, and decision-making practices: Discover > Plan > Build > Iterate. In this first phase, our goal is to gain a deeper understanding of the needs of the Drupal community. We are conducting this research through a variety of methods: one-on-one interviews with select individuals; mediated group discussions; surveys and feedback forms.
We held seven hour-long Community Discussions over three days of DrupalCon. There were 6-10 participants per session. Though every session had its own energy and topics varied, all discussions were fruitful and impactful. Many participants said they left feeling better than when they arrived.
While there was some discussion about recent events in the sessions, the focus quickly shifted to brainstorming ideas for how to improve Drupal’s community governance. As mediator, it is my role to help people articulate their needs, and to support the community in devising strategies to better get those needs met. Please read the meeting summaries if you would like to get a sense of what was discussed.
There are currently seven online sessions scheduled over the next two weeks at a variety of times for the global community to participate in these facilitated discussions, and more will be scheduled if needed. If you want your voice heard, I strongly encourage you to join us. If you have questions or concerns about the sessions, you’re welcome to contact me directly at email@example.com.
Once these sessions are completed, we will be conducting a short survey and other types of feedback forms to have the widest possible reach. We want to ensure that people have a variety of ways to constructively contribute to making Drupal the best it can be. We expect to launch these in late-May.
At the conclusion of the Discovery phase, we will move into Planning. We are at the earliest stages of conceiving a Governance Summit over 1-2 days in June to take all of the learnings from Discovery, and craft a strategy for specifically how to change Drupal’s community management and governance. As of today, we do not yet have dates, location, or participant information. We are waiting to see what comes out of Discovery before we devise any framework for how this can be achieved effectively and equitably. Again, the Drupal Association’s role here is to be a support, and to create space for the community to decide how it wants its governance to change.
I have very clearly heard a need for greater transparency into this process and how decisions are being made. I take that responsibility seriously, and will continue to share our progress along the way. Next up, please look out for a summary of our Discovery findings, to be shared in late-May/early-June.
TL;DR: Both the community and Dries Buytaert, Project Lead, see a need to evolve Drupal community governance. The Drupal Association can help in a support role. We will start by hosting mediated community discussions so everyone around the world can participate, be heard and understood, and share their ideas. Creating a new governance model will take many months and will require an agile approach as we all feel our way through the proper steps. The Drupal Association will continue to find ways to support this process as we all move through it together.
Over the last several weeks, the Drupal Association has been in listening mode — and we still are. We’re hearing community members say they need clarity and understanding, and that our community governance needs to change. As we process what we’re hearing, we want to find the best way to help the community address the issues being raised, within the boundaries of the Drupal Association charter.
The Drupal Association’s mission is to unite the global community to help build and promote the software. We do that in two very specific ways: DrupalCon and Drupal.org. We’re determining how best to meet the community’s needs as it relates to these two key community homes. In the near future, I will publish blogs with ideas on how we might address the various needs we are hearing.
Evolving Community Governance
There is one need that we hear loud and clear that we can address today: The community needs support to evolve community governance structures and processes. Both the community at large, and Dries Buytaert, Project Lead, have expressed this need, and we are glad to see this alignment.
It’s important to note that the Drupal Association has a very limited role in community governance. Our only role in governance stems directly from our charter to manage DrupalCon and Drupal.org.
It’s not within our charter to oversee community governance or drive its evolution. The last thing the Drupal Association wants is to step outside of our charter or accidentally take away the community’s agency in self-organizing to create the new community governance model. However, we do want to facilitate forward movement. And so, we can take a support role.
We hear that many in the community want to come together to talk. We can support this by providing a meeting place (both in person and online), and a mediator for community discussions.
We have asked Whitney Hess, a coach who has worked with the Drupal community before, to facilitate and mediate community discussions, where people can come together to talk about current community issues and explore ideas for improved governance. These discussions will start at DrupalCon Baltimore and continue in a series of online meetings, scheduled at different times so members around the world can participate. [see more details below]
To provide transparency for those who cannot attend the discussion sessions, we will post meeting minutes and summaries from each community discussion here: https://drupal.org/community/discussions.
As facilitator of these community discussions, Whitney Hess will provide a summary to give us a broad perspective on the “voice of the community.” We hope these conversations will ground the community as it begins architecting its new governance model.
Once we have had these discussions we can decide together on the appropriate next steps, and how the Association can help the community continue to move forward, together.
Join Community Discussions
We hope you'll join the conversation as these discussions begin. Again, our overarching aim is to support the community so it can be healthy and continue to thrive. We believe that open conversation is essential to the wellbeing of any community and we look forward to hosting Community Discussions mediated by Whitney Hess. Please join fellow community members to talk through recent community issues and to be part of co-creating Drupal’s new governance model.
Here are the discussions you can join. Please note the ground rules below:
At DrupalCon Baltimore
Location: Pratt Street Show Office
Tuesday, 12-1pm, max 45 participants
Tuesday, 2:15-3:15pm, max 15
Tuesday, 5-6pm, max 15
Wednesday, 2:15-3:15pm, max 15
Wednesday, 3:45-4:45pm, max 15
Thursday, 10:45-11:45am, max 15
Thursday, 1-2pm, max 45
Sign Up Here: https://events.drupal.org/virtual/community-discussions
Tuesday, May 9: 4pm EDT / 1pm PDT / 9pm BST / 10pm CEST / 6am +1 AEST
Wednesday, May 10: 8am EDT / 1pm BST / 2pm CEST / 5:30pm IST / 10pm AEST
Thursday, May 11: 9:30am EDT / 2:30pm BST / 3:30pm CEST / 7pm IST / 11:30pm AEST
Friday, May 12: 2pm EDT / 11am PDT / 7pm BST / 8pm CEST / 11:30pm IST
Tuesday, May 16: 8pm EDT / 5pm PDT / 10am AEST
Wednesday, May 17: 12pm EDT / 9am PDT / 5pm BST / 6pm CEST / 9:30pm IST
Thursday, May 18: 3pm EDT / 12pm PDT / 8pm BST / 9pm CEST
Key Principles of Nonviolent Communication
Responsibility for Our Feelings: We aim to move away from blame, shame, judgment, and criticism by connecting our feelings to our own needs. This recognition empowers us to take action to meet our needs instead of waiting for others to change.
Responsibility for Our Actions: We aim to recognize our choice in each moment, and take action based on seeing how it would meet our needs to do so; we aim to move away from taking action based on fear, guilt, shame, the desire for reward, or any “should” or “have to.”
Prioritizing Connection: We aim to focus on connection instead of immediate solutions, and to trust that connecting with our own and others’ needs is more likely to lead to creating solutions that meet everyone’s needs.
Equal Care for Everyone’s Needs: We aim to make requests and not demands; when hearing disagreement with our request, or when disagreeing with another’s request, we aim to work towards solutions that meet everyone’s needs, not just our own, and not just the other person’s.
Self-Expression: When expressing ourselves, we aim to speak from the heart, expressing our feelings and needs, and making specific, doable requests rather than demands.
Empathic Hearing: When we hear others, we aim to hear the feelings and needs behind the expressions, even when they express judgments or demands.
Protective Use of Force: We aim to use force only to protect, not to punish others or get our way without the other’s agreement, and only in situations where the principles above were not sufficient to meet immediate needs for safety. We aim to return to dialogue as soon as safety is re-established.
How These Ground Rules Work
- Ground rules will be stated at the beginning of each session.
- If you are not in agreement with the ground rules, please do not participate in the session.
- If a participant is repeatedly disruptive of respectful, productive discussion, they will be asked to leave; if they do not leave, the session will be terminated immediately.
- Advisory ID: DRUPAL-SA-CORE-2017-002
- Project: Drupal core
- Version: 8.x
- Date: 2017-April-19
- CVEID: CVE-2017-6919
- Security risk: 17/25 (Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
- Vulnerability: Access bypass
This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:
- The site has the RESTful Web Services (rest) module enabled.
- The site allows PATCH requests.
- An attacker can get or register a user account on the site.
While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.
- Drupal 8 prior to 8.2.8 and 8.3.1.
- Drupal 7.x is not affected.
- If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
- If the site is running Drupal 8.3.0, upgrade to 8.3.1.
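The advisory's "all of the following conditions" rule and its version ranges, written up as a triage helper so an operator can decide which sites need the 8.2.8 / 8.3.1 update. This is an added example, not code from the advisory or from Drupal core; the SiteFacts layout and the choice to point 8.0.x/8.1.x sites at 8.3.1 are assumptions of this example.

```python
"""Triage helper for DRUPAL-SA-CORE-2017-002 (CVE-2017-6919).

Added example, not part of the advisory. It encodes the advisory's three
preconditions (rest module enabled, PATCH allowed, account obtainable) and
its affected version ranges. The SiteFacts layout is an assumption.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SiteFacts:
    version: str               # Drupal core version string, e.g. "8.2.7"
    rest_enabled: bool         # RESTful Web Services (rest) module enabled
    patch_allowed: bool        # site accepts PATCH requests
    accounts_obtainable: bool  # an attacker can get or register an account


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple.

    The fourth element is 0 for pre-releases (e.g. '8.3.1-rc1') and 1 for
    final releases, so a pre-release sorts below the final it precedes.
    """
    core, _, suffix = version.partition("-")
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    final = 0 if suffix else 1
    return nums[0], nums[1], nums[2], final


def fixed_target(version: str) -> Optional[str]:
    """Return the release that closes the hole for this version, or None
    when the version is outside the affected range (7.x, or already fixed).
    Affected per the advisory: Drupal 8 prior to 8.2.8 and 8.3.1.
    """
    major, minor, patch, final = parse_version(version)
    if major != 8:
        return None                      # the advisory covers Drupal 8 only
    if minor == 2:
        return "8.2.8" if (patch, final) < (8, 1) else None
    if minor == 3:
        return "8.3.1" if (patch, final) < (1, 1) else None
    if minor < 2:
        # 8.0.x / 8.1.x are before the fix and get no release of their own;
        # pointing them at the supported 8.3.1 branch is this example's choice.
        return "8.3.1"
    return None                          # later minors are outside the range


def assess(site: SiteFacts) -> Tuple[bool, str]:
    """Apply the advisory's 'all conditions met' rule.

    Returns (affected, action). A site on a vulnerable version that lacks
    one precondition is not currently exposed, but is still told to update,
    because enabling rest or PATCH later would expose it.
    """
    target = fixed_target(site.version)
    if target is None:
        return False, "not in affected version range"
    preconditions = [
        (site.rest_enabled, "rest module enabled"),
        (site.patch_allowed, "PATCH requests allowed"),
        (site.accounts_obtainable, "attacker can obtain a user account"),
    ]
    missing = [label for met, label in preconditions if not met]
    if missing:
        return False, (f"vulnerable version but not exposed (missing: "
                       f"{'; '.join(missing)}); still update to {target}")
    return True, f"critical: update to {target} now"


if __name__ == "__main__":
    # Constructed sample inventory, not real sites.
    fleet = [
        SiteFacts("8.2.7", True, True, True),
        SiteFacts("8.3.0", False, True, True),
        SiteFacts("8.3.1", True, True, True),
        SiteFacts("7.54", True, True, True),
    ]
    for s in fleet:
        affected, action = assess(s)
        print(f"{s.version:>8}  affected={affected!s:5}  {action}")
```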
Also see the Drupal core project page.
Reported by
- Alex Pott of the Drupal Security Team
- xjm of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Wim Leers
- Sascha Grossenbacher
- Daniel Wehner
- Tobias Stöckler
- Nathaniel Catchpole of the Drupal Security Team
- The Drupal Security team
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
The Drupal Association team is gearing up for DrupalCon Baltimore. We're excited to see you there, and we'll be presenting a panel giving an update on our work since Dublin and our plans for the coming months.
Drupal.org updates
Project application revamp
As we announced in mid-March, new contributors on Drupal.org can now create full projects and releases! Contributors no longer have to wait in the project application queue for a manual review before they are able to contribute projects.
This is a very significant change in the Drupal contribution landscape, and it's something we approached carefully and will continue to monitor over the coming months. Drupal has always had a reputation for high quality code, and we want to make sure that reputation is preserved with good security signals, project quality signals, and continued incentives for peer code review.
That said, we're very excited to see how this change opens up Drupal to a wider audience of contributors.
Please note that the removal of project applications to create full projects and releases means a change in the security advisory policy (see below for details).
Security Advisory Opt-in and new Security Signals for Projects
Are you responsible for the security of your clients' Drupal sites?
Please note that Drupal's security advisory coverage policy has changed. Security advisory coverage for contributed projects is now only available for projects that have both opted in to receive coverage and made a stable release. You can see which projects have opted in by checking their project pages. If you have questions, please contact firstname.lastname@example.org.
Because users may now create full projects and releases without opting in to security advisory coverage, it's critically important that we provide good security signals to users evaluating projects on Drupal.org. This is why we've added a security coverage warning to projects that aren't opted in to coverage.
- Opened up the opt-in process, allowing any maintainer of a project (not just the node author) to opt in to receive security advisory coverage
- Added a confirmation step when a user goes to make a stable release - this encourages users to be sure the project is ready for a release, and to opt-in to coverage if they haven't already
- Blocked security advisory opt-in if a project has an open, public security issue
- Started displaying info about public security issues on project pages that haven't opted into advisory coverage
- Added a filter to project browsing pages to make it easier to find projects with supported stable releases
The 2017 elections for the community-at-large seat on the board were held successfully in March. Drupal Association community board elections are conducted with the Instant Runoff Voting system. This voting methodology requires that voters rank their preferred candidates on their ballot, and we've heard that this system has been somewhat unwieldy in the past.
Each year we try to improve the voter experience and so this year we deployed a new drag-and-drop ballot.
Finally, we want to congratulate our newest board member Ryan Szrama!
Better international datetime support throughout Drupal.org
Drupal.org has grown organically over the course of more than a decade, and as features have been built out they were not always consistent in their display of datetime information. While it sometimes makes sense to have a few different formats for displaying date and time, many of the formats in use were simply arbitrary historical decisions.
As a quality of life improvement, especially for users outside of the USA, we've standardized the datetime format used on Drupal.org. That format is: DD MMM YYYY - hh:mm (UTC±h). For example: 11 Aug 2016 - 16:42 (UTC+8)
DrupalCI CSS Lint check style results
When we implemented coding standards testing in DrupalCI in February we were not able to add CSS Lint testing until the CSSLint configuration file in core was fixed. That issue was fixed in late February, and so we added CSSLint to support coding standards testing for CSS at the beginning of March.
Cleaning up coding standards results
The addition of coding standards results to DrupalCI means that Drupal.org is now storing even more test data about the code we test on Drupal.org. Our initial implementation of coding standards testing did not include clean up of older results, and so to preserve database space and testing resources, we implemented some clean-up routines in March. In particular we are now:
- Cleaning up all results for closed issues
- For custom one-off tests, keeping results for 30 days to match what is shown on project’s automated testing tab
- For tests triggered on a schedule or commit, keeping the most recent per-environment per-branch, and keeping anything less than 24h old
We experienced some minor Git outages in March, due to malicious authentication attempts. To mitigate these issues in the future, we've implemented fail2ban rules to protect Git authentication. This should improve the stability and uptime of Git services for all developers on Drupal.org.
We want to thank Drupal.org infrastructure volunteer mlhess for his assistance with this.
Community Initiatives
Contrib Documentation Migration
New tools for Documentation have been available on Drupal.org for more than half a year. While most of the core documentation has been migrated to the new system, we are still encouraging Contrib maintainers to migrate their docs.
To make it easier for contrib project maintainers to migrate their documentation to the new documentation tools, we've made two improvements:
- Maintainers may now attach Documentation guides directly to their project pages.
- The Documentation Guides that a user maintains are now listed on their user profile.
As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:
- CivicActions - *NEW* Supporting Partner
- HS2 Solutions - *NEW* Supporting Partner
- Cheeky Monkey Media - Renewing Supporting Partner
- Cybage Software - Renewing Supporting Partner
- Digital Circus - Renewing Supporting Partner
- Message Agency - Renewing Supporting Partner
- QED42 - Renewing Supporting Partner
- Srijan Technologies - Renewing Supporting Partner
- Evolving Web - Renewing Supporting Partner
- Brightcove - *NEW* Technology Supporter Partner
- SiteGround - Renewing Hosting Supporter Partner
- Smartling - *NEW* Technology Supporter Partner
- Sevaa Group - *NEW* Technology Supporter Partner
If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.
- Advisory ID: DRUPAL-PSA-2017-001
- Project: Drupal core
- Version: 8.x
- Date: 2017-Apr-17
There will be a security release of Drupal 8.3.x and 8.2.x on April 19th 2017 between 17:00 - 18:00 UTC that will fix a critical vulnerability. While we don't normally provide security releases for unsupported minor releases, given the potential severity, we will provide an 8.2.x release that includes the fix for sites which have not had a chance to update to 8.3.0. The Drupal Security Team urges you to reserve time for core updates at that time because exploits are expected to be developed within hours or days. Security release announcements will appear at the standard announcement locations.
This vulnerability does not affect all Drupal 8 sites; it only affects sites with certain configurations. It requires authenticated user access to exploit. The security release announcement on April 19th 2017 will make it clear which configurations are affected. If this vulnerability affects your site, you will need to update. Please set aside time on Wednesday to look into this update.
Neither the Security Team, nor Security Team members, nor any Drupal-related company are able to release any more information about this vulnerability until the announcement is made in accordance with our security policies and responsible disclosure best practices.
We provide pre-release warnings when we believe the security risk is high and the steps to exploit are scriptable.
Drupal 7 core is not affected by this issue.
Contact and More Information
The Drupal security team can be reached at security at Drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity.
In October of last year the Technical Advisory Committee was formed to evaluate options for the developer tools we use on Drupal.org. The TAC consists of Angie Byron, Moshe Weitzman, and Steve Francia, acting as advisors to Megan Sanicki, the Executive Director of the Drupal Association.
The TAC's mandate is to recommend a direction for the future of our tools on Drupal.org. Megan will evaluate this recommendation, make a decision, and prioritize that work in the development roadmap of the Drupal Association engineering team.
What is the motivation behind looking at our developer tools now?
Close followers of the Drupal project will have noticed a trend in the last several months. From Dries' announcement of easy upgrades forever, to the revamp of the project application process, to the discussion about making tools for site builders, there is a unifying theme: broadening the reach of Drupal.
This is the same motivation that underlies this evaluation of our developer tools, and defines the goals and constraints of this initiative:
- Adopt a developer workflow that will be familiar to the millions of developers outside our community
- Preserve those unique elements of how we collaborate that have made the Drupal project so successful
- If possible, leverage an expert partner who will help keep our tooling up to date as open source collaboration tools continue to evolve
This means looking at a number of elements of the Drupal.org developer tool stack:
- The underlying git service
- How we tag and package releases
- The contribution workflow (patch vs. pull request)
- Project management workflows (the issue queues and tags)
- CI integration
- Project pages
If this looks like a tremendous undertaking - that's because it is. But there are some things we already know:
- Drupal.org should continue to be the home of project pages
- We should adopt a pull request workflow (and ideally we want to be able to continue to accept patches as well, at least in the interim)
- We should move contrib projects to semver, following core's lead
- We want to preserve our familiar understanding of maintainership
- We want to avoid forked code and forked conversation
- We want to ensure the security team still has the tools they need to provide their service to the community
We also know that whatever decision is made, these changes cannot happen all at once. We'll need to take a progressive approach to the implementation, and focus on the parts of the stack that need to change together, so that we don't bite off more than we can chew.
What options are being considered?
At this time, the technical advisory committee is considering three options as they prepare to make their recommendation. The options are: GitLab, which offers both self-hosted and SaaS options; GitHub, which has recently been adding long-requested new features; or continuing to evolve our custom-built tooling, perhaps via issue workspaces.
GitLab
GitLab is the up-and-comer among Git hosts. GitLab can be self hosted using either their community or enterprise editions, or repositories can be hosted at GitLab.com. Though they recently stumbled, they have been notably open and transparent about their efforts to build a leading collaboration platform.
GitLab is itself open source, and has just released its 9.0 edition. GitLab has aggressively pursued the latest in development tools and workflow features, including project management tools, a UI for merge conflict resolution with in-line commenting and cherry-picking, Docker registries for projects, integration with CI tools, and even Gitter, an IRC alternative for real-time collaboration.
GitHub
For quite some time, GitHub was the only real player in git repository hosting outside of rolling a custom solution (as we did for Drupal.org). Over the years it has become the home of many open source projects, and while most of those don't match the sheer scale of Drupal in terms of codebase size and number of contributors, there are certainly other major projects that have made their home there.
However, for all of its presence and longevity in the open source world, there are very few options for customizing its toolset for our needs, and we could no longer self-host our canonical repositories. The Drupal project would need to adapt to GitHub, rather than the other way around.
That said, in recent months, GitHub has been putting a strong focus on feature development, adding a number of new features including: automated licensing information, protected branches, and review requests.
Custom tooling
We also must consider that the tools we have now are what built Drupal into what it is today. A great deal of work has gone into our existing developer tools over the years, and we have some unique workflows that would have to be given up if we switched over to a tooling partner. An idea like the issue workspaces proposal would allow us to achieve the goal of modernizing our tools, and likely do so in a way that is better tailored to those unique things about the Drupal workflow that we may want to preserve. However, doubling down on building our own tooling would come at a cost of continuing to be unfamiliar to the outside development community, and dependent on an internal team's ability to keep up with the featureset of these larger players.
Each of these three options would be a compromise between reaching outward and creating familiarity, and looking inward to preserve the Drupal specific workflows that have brought the project to where it is today.
What have we learned so far?
The TAC has conducted their own internal evaluation of the options as well as worked with Drupal Association staff in a two day exploratory session at the end of last year. The primary focus was to identify and triage gaps between the different toolsets in the following areas:
- Migration effort
- Project management
- Code workflow
- Project handling
- Git Back-end/Packaging
- Integrations beyond tools
This initial study also looked at the impact of each option on Drupal community values, and some key risks associated with each.
What comes next?
The next step for the TAC is to make their formal recommendation to the Executive Director of the Drupal Association. At that point, she will direct staff to validate the recommendation by prototyping the recommended solution. Once the recommendation has been validated, Megan will make a final decision and prioritize the work to fully implement this option, relative to other Drupal Association imperatives.
In the comments below, we would love to hear from the community:
What aspects of the way the Drupal community collaborates are the most important to you? What workflow elements do you feel need to be preserved in the transition to any new tooling option?
Drupal 8.3.0, the third minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility.
Update: Drupal 8.3.1 is available and fixes a security vulnerability. You should update directly to 8.3.1 instead of 8.3.0.
What's new in Drupal 8.3.0?
This new version includes improvements to authoring experience, site administration, REST support, and a stable version of the BigPipe module. It also includes new experimental modules to abstract workflow functionality, to lay out content types differently (e.g. articles are two column vs. press releases are three column), and to provide a general layout API for contributed modules. Many smaller improvements for the experimental Content Moderation module are included as well. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.)
Drupal 8.3 ships with the updated CKEditor 4.6, which contains a host of improvements, including better paste from Word, and a new default skin that better matches Drupal's Seven administration theme. We've also added the AutoGrow plugin, to better utilize larger screen sizes.
Quick editing images now supports drag and drop.
Site building and administrative improvements
Drupal 8.3 ships with a redesigned admin status report, to better surface important status messages for your site.
Other incremental enhancements include:
- The Views listing page is now standardized with other administrative listings.
- The "Allowed HTML tags" input has been converted to a textarea, which significantly improves the usability of HTML filter configuration (and thereby makes it easier to configure filters securely.)
- The Content and People overview pages' Views filters have been rearranged to match the column order of the listing, for more intuitive filtering.
- Image fields are now limited to only accepting images, so that users on mobile clients are not offered a confusing and non-functional video upload option.
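To show what the "Allowed HTML tags" setting actually edits, here is an added example (not taken from the release announcement) of a text format's configuration as Drupal 8 exports it to a `filter.format.*.yml` file. The tag and attribute list is illustrative, modelled on the standard profile's Basic HTML format; adjust it to what your editors need.

```yaml
# Added example: config export of a text format with the HTML filter enabled,
# in the shape Drupal 8 stores as config/sync/filter.format.basic_html.yml.
# Tag list is illustrative, modelled on the standard profile's Basic HTML.
langcode: en
status: true
dependencies:
  module:
    - editor
name: 'Basic HTML'
format: basic_html
weight: 0
filters:
  filter_html:
    id: filter_html
    provider: filter
    status: true
    weight: -10
    settings:
      # One entry per tag; the words after the tag name are the only
      # attributes kept on that tag. Tags and attributes not listed here
      # are stripped, so keep the list to what editors actually need.
      allowed_html: '<br> <p> <h2 id> <h3 id> <strong> <em> <code> <ul type> <ol start type> <li> <a href hreflang> <blockquote cite> <img src alt>'
      filter_html_help: true
      filter_html_nofollow: false
  filter_html_image_secure:
    # Restricts <img src> to images hosted on this site, as Basic HTML ships.
    id: filter_html_image_secure
    provider: filter
    status: true
    weight: 9
    settings: {  }
```

The `allowed_html` string is the value the new textarea edits; reviewing it in a config export (for instance in code review of a `config/sync` change) is a quick way to confirm that a format does not permit more tags or attributes than the site intended.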
The Drupal 8 BigPipe module (now stable!) provides an advanced implementation of Facebook's BigPipe page rendering strategy, leading to greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. See the BigPipe documentation.
The core BigPipe improvements introduced in 8.3.0 are also utilized by the Sessionless BigPipe contributed module to use the same technique for serving the first (yet uncached) response to anonymous visitors.
Platform features for web services
Drupal 8.3 continues to expand Drupal's support for web services that benefit decoupled sites and applications, with bug fixes, improved responses, and new features. It is now possible to register users from the REST API; 403 responses now return the reason why access was denied, which greatly improves the developer experience; and anonymous REST API performance has been increased by 60% when utilizing the internal page cache. The REST API also got a massive overhaul of its test coverage.
Experimental: Choose different form and view display layouts for your entity types
The new experimental Field Layout module provides the ability for site builders to rearrange fields on content types, block types, etc. into new regions, for both the form and display, on the same forms provided by the normal field user interface.
Field Layout also uses the new Layout Discovery module, which provides an API for modules or themes to register layouts as well as five common default layouts. By providing this API in core, we help make it possible for core and contributed layout solutions to be compatible with each other. The following contributed modules already have development versions that support the new API:
- Display Suite 8.3.x (beta version available).
- Panels 8.4.x (in development).
- Panelizer 8.4.x (beta version available).
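As an added example of the registration API just described (this is not code from the announcement or from any of the listed modules), a module can declare a layout to Layout Discovery in a `MODULE.layouts.yml` file. The module name `example_layouts`, the layout id and the region names are assumptions for the illustration.

```yaml
# Added example: a layout registered through Layout Discovery.
# Assumed module name is example_layouts, so this file lives at
# example_layouts/example_layouts.layouts.yml.
two_column_sidebar:
  label: 'Two column with sidebar'
  category: 'Example layouts'
  # Directory (relative to the module) holding the Twig template, and the
  # template name without its .html.twig suffix.
  path: layouts/two-column-sidebar
  template: two-column-sidebar
  # Each region becomes a drop target in Field Layout's manage form/display UI.
  regions:
    main:
      label: 'Main content'
    sidebar:
      label: 'Sidebar'
```

The template at `layouts/two-column-sidebar/two-column-sidebar.html.twig` receives a `content` variable keyed by region, so it renders the fields placed in each region with `{{ content.main }}` and `{{ content.sidebar }}`. Once the module is enabled, Field Layout lists this layout next to the five core defaults.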
The Content Moderation module included with Drupal 8.2.x is now accompanied by a more abstract Workflows module that took over the underlying workflow functionality and API. This allows additional modules to apply workflows that do not deal with content publication, such as for users or products. The Workflows module provides a user interface to package states with their transitions in a workflow, which Content Moderation can then apply to content, making configuration much easier.
There are several other smaller improvements. It is now possible to moderate non-translatable entity types, entity types without bundles, and any entity type that supports publishing (not just nodes). Moderation states are also reverted when revisions are reverted.
What does this mean to me?
Drupal 8 site owners
Update to 8.3.0 to continue receiving bug and security fixes. The next bugfix release (8.3.1) is scheduled for May 3, 2017.
Updating your site from 8.2.7 to 8.3.0 with update.php is exactly the same as updating from 8.2.6 to 8.2.7. Modules, themes, and translations may need small changes for this minor release, so test the update carefully before updating your production site.
Drupal 7 site owners
Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8.
Most high-priority migrations from Drupal 7 to 8 are now available, but the migration path is still not complete, especially for multilingual sites, so you may encounter errors or missing migrations when you try to migrate. That said, since your Drupal 7 site can remain up and running while you test migrating into a new Drupal 8 site, you can help us stabilize the Drupal 7 to Drupal 8 migration path! Testing and bug reports from your real-world Drupal 7 sites will help us stabilize this functionality sooner for everyone. (Search the known issues.)
Drupal 6 site owners
Drupal 6 is not supported anymore. Create a Drupal 8 site and try migrating your data into it as soon as possible. Your Drupal 6 site can still remain up and running while you test migrating your Drupal 6 data into your new Drupal 8 site. Core now provides migrations for most Drupal 6 data, but the migrations of multilingual functionality, references, and dates in particular are not complete. If you find a new bug not covered by the known issues with the experimental Migrate module suite, your detailed bug report with steps to reproduce is a big help!
Translation, module, and theme contributors
Minor releases like Drupal 8.3.0 include backwards-compatible API additions for developers as well as new features. Read the 8.3.0 release notes for more details on the improvements for developers in this release.
Since minor releases are backwards-compatible, modules, themes, and translations that supported Drupal 8.2.x and Drupal 8.1.x will be compatible with 8.3.x as well. However, the new version does include some changes to strings, user interfaces, and internal APIs (as well as more significant changes to experimental modules). This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.3.0 release candidate for more background information.
A new statement on this topic was posted on July 14, 2017 and can be found here.
This is a joint statement from project lead Dries Buytaert and Megan Sanicki, Drupal Association Executive Director.
Over the last week, the Drupal community has been in a debate over the various decisions made by us in relation to long-time Drupal developer Larry Garfield. As with any such decisions, and especially due to the circumstances of this one, there has been controversy, misinformation and rumors, as well as healthy conversation and debate. Many people feel hurt, worried, and confused. The fact that this matter became very public and divisive greatly saddens all of us involved, especially as we can see the pain it has caused many.
First off, we want to apologize for not responding sooner. We had to take a pause to process the community’s reaction. We also wanted to take the time to talk to community members to make sure all of the concerns were heard and understood. This was further complicated by the fact that we don't have a playbook for how to respond in unusual situations like this. We also want to acknowledge that our communication has not been as clear as it should be on this matter, and we are sorry for the added confusion.
We want to thank all of the community members who stepped in to help. Many spent days helping other community members by listening, hosting discussions to foster healthy, respectful conversations, and more. You have helped many people and your caring acts reminded us once again why we love to serve the community and why it is so special.
Over the last week, we talked to many people and read hundreds of posts in various channels. These are some of the things that we heard:
- People are afraid that they will be asked to leave the community because of their beliefs or sexual lifestyles.
- There are concerns about Drupal leadership playing "thought police" on what are and are not acceptable viewpoints to hold.
- People want to hear more about the timeline, information gathered, and how decisions were made.
- People don't understand why there weren’t any ramifications for those who participated in gathering information about Larry's private life.
- People believe Dries has too much authority.
- People believe that a decision this complex should not be made by a single individual.
And we heard much more.
We know this has been difficult for all involved. There is no quick solution to the current situation; it will take time to heal, but we want to make a start today by providing better insight into our decision-making process, answering questions with the FAQ found below, and by placing a call for improvements in our governance, conflict-resolution processes, and communication.
Addressing community questions and concerns
One of the main concerns that has been voiced is that a long-standing member of the Drupal community was removed, based solely on his beliefs being outside the "norm". We feel this is not representative of the situation.
We want to strongly emphasize that Drupal is an open-minded and inclusive community, and we welcome people of all backgrounds. Our community’s diversity is something to cherish and celebrate as well as protect. We apologize for any anxiety we caused you and reiterate that our decision was not based on anyone’s sexual practices.
Dries and Megan based their decisions on information from a variety of sources, including the Community Working Group and Larry himself. This information included:
(a) reports, both formal and informal
(b) some of Larry's online interactions, both on and off Drupal.org
(c) information provided by Larry during subsequent discussions to get clarity
(d) information from one or more members-only sites.
It should be strongly noted that we do not condone the manner in which this last source of information was gathered by members of our community.
Insights from this collection of information caused us to take action, particularly given Larry's prominent leadership role in the community, which leads to a much greater impact of his words and actions.
We heard that many would like to better understand the timeline, information gathered, and how decisions were made. While the news of last week was a complete surprise to most, it is important to note that this has been a careful, and deliberate process that has been going on since October 2016. Following the Drupal community's governance, the Community Working Group attempted to provide conflict resolution. When it became clear that some of the issues raised went beyond the scope of their charter, they determined that it was appropriate for the matter to be escalated to Dries, as project lead. This was consistent with their existing policy and process.
Dries discussed the information from the Community Working Group with Megan and some board members. Dries, as project lead, made the decision about Larry’s role in the project during this discussion.
Some have asked why Larry was removed from the community and not just from his leadership roles. The answer is that Larry had indicated on several occasions that he was drawing down his involvement in the Drupal project, and that context helped inform Dries’ decision.
Dries, with the support of the Community Working Group, had the first of what was intended to be a number of conversations to resolve any remaining concerns.
Megan was informed about Dries’ decision, and also reviewed the information provided by the Community Working Group. Based on that information, Megan made the operational decision to remove Larry’s DrupalCon session and concluded his track chair role.
Larry appealed Megan’s decision to the board, which only has oversight of the Drupal Association. They reviewed the Community Working Group information and Larry’s personal statements, met in a special Executive Session attended by all board members, and upheld Megan’s decision. Dries recused himself from this vote, so the board could make its decision independently.
After the appeal process, Larry chose to publish his own account of what happened, effectively ending the process in the middle of what we expected to be a series of constructive discussions. This resulted in several loose ends.
After Larry’s second blog post, on Tuesday, March 28th, he reached out privately to Dries to discuss how to resolve matters and find the best way forward.
We remain committed to working on closure for this situation with care and respect for everyone involved. Dries and the Community Working Group hope to have a private discussion with Larry in the coming weeks.
Many have also expressed anger over how the information about Larry came to light, and whether there will be consequences for those who participated in gathering information about his private life. The Community Working Group is currently handling this situation through their standard process.
What needs to change
We are fortunate that we do have governance in place. We have never encountered a situation like this before, where a decision this complex had to be escalated and made. This extraordinary situation highlighted areas that we need to improve. From our own observations and what we heard from the community, we identified some specific areas of improvement (but by no means all):
- Diversity, equality, and inclusivity issues are complex and require new perspectives and approaches, especially as we assess and improve our Code of Conduct.
- It is not healthy or wise to escalate difficult decisions about code of conduct or community membership solely to the project lead.
- We need to clearly define our values so that everyone knows and agrees to the context in which the community works together.
- We need to figure out how to balance transparency with the need to maintain a safe space and provide confidentiality for individuals in order to resolve conflicts in a way that causes minimal disruption to our community.
There is a lot to address. We will launch several initiatives to find solutions to the problems above. We want to collaborate with the community, the Drupal Association, and outside experts on these efforts. It is important that we take these steps. We value our special community and we want to make sure that it has the right structure and sound governance to remain healthy and vibrant.
We want healing to begin right away, and that starts with us talking more with the community. We will host online meetings and a meeting at DrupalCon Baltimore on these topics where we can have a healthy dialogue. This will provide community members the opportunity to talk directly with the Community Working Group, Megan, and Dries to propose solutions to some of the governance challenges that brought us here.
Finally, we want to acknowledge this has been a very difficult and unprecedented situation. We realize not everyone will agree with our decisions, but we hope all can understand the care we took in deliberating and the intention behind our actions. We appreciate the community’s patience on this matter, and we look forward to taking these steps in collaboration with you.
When did the conflict resolution process start?
October of 2016.
Who is responsible for what decision?
Dries, as project lead, made the decision about Larry’s role in the project after the Community Working Group escalated to him when they felt they could not resolve the issues surrounding this matter.
Executive Director of the Drupal Association Megan Sanicki made the decision to remove Larry’s speaking and track chairmanship at DrupalCon.
Larry appealed the DrupalCon decision, which then went to the Drupal Association board who reviewed material provided by the Community Working Group along with Larry’s statements. They upheld Megan’s decision. Dries recused himself from this vote.
What was the process followed for each decision?
The Community Working Group, which is part of Drupal’s governance structure, provided conflict resolution. When it became clear that some of the issues raised went beyond the scope of their charter, they determined that it was appropriate for the matter to be escalated to Dries. This is consistent with their existing policy and process.
Dries discussed the information from the Community Working Group with Megan, and some board members. Dries also met with Larry. Larry had indicated on several occasions that he was drawing down his involvement in the Drupal project. That context informed Dries' decision. It is also important to note that Dries intended to have more discussions with Larry to determine what the decision looked like, but those conversations ended when Larry chose to post publicly.
Megan was informed about Dries’ decision and also reviewed the information provided by the Community Working Group. Based on Dries’ decision and information learned from the Community Working Group materials, Megan made the operational decision to remove Larry’s DrupalCon session and concluded his track chair role.
Larry appealed Megan’s decision to the board, who only have oversight of Drupal Association. They reviewed the Community Working Group information and Larry’s personal statements and upheld Megan’s decision. Note: Dries recused himself.
What information was used to inform the decisions?
(a) reports, both formal and informal, (b) some of Larry's online interactions, both on and off Drupal.org, (c) information provided by Larry during subsequent discussions to get clarity, and (d) information from one or more members-only sites. It should be strongly noted that we do not condone the manner in which this last source of information was gathered by members of our community.
Did Dries overrule the Community Working Group?
No, he did not. The process is designed so that the Community Working Group can escalate issues to Dries if they cannot be resolved. This process was followed.
Is the Drupal project “against” people who practice BDSM or other non-mainstream sexual practices?
Absolutely not. We are an open-minded and inclusive community.
Will there be repercussions for the conduct of the community member who exposed information from members-only sites? [Edit: we have removed this community member's name while the CWG issue is being addressed]
The Community Working Group is handling this situation through their standard process.