Drupal.org nieuws

Subscribe to Drupal.org nieuws feed
Come for the software, stay for the community Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.
Updated: 3 hours 41 min ago

Plan for Drupal 9

Wed, 12/12/2018 - 19:38

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

At Drupal Europe, I announced that Drupal 9 will be released in 2020. Although I explained why we plan to release in 2020, I wasn't very specific about when we plan to release Drupal 9 in 2020. Given that 2020 is less than thirteen months away (gasp!), it's time to be more specific.

Shifting Drupal's six month release cycle

We shifted Drupal 8's minor release windows so we can adopt Symfony's releases faster.

Before I talk about the Drupal 9 release date, I want to explain another change we made, which has a minor impact on the Drupal 9 release date.

As announced over two years ago, Drupal 8 adopted a 6-month release cycle (two releases a year). Symfony, a PHP framework which Drupal depends on, uses a similar release schedule. Unfortunately the timing of Drupal's releases has historically occurred 1-2 months before Symfony's releases, which forces us to wait six months to adopt the latest Symfony release. To be able to adopt the latest Symfony releases faster, we are moving Drupal's minor releases to June and December. This will allow us to adopt the latest Symfony releases within one month. For example, Drupal 8.8.0 is now scheduled for December 2019.

We hope to release Drupal 9 on June 3, 2020

Drupal 8's biggest dependency is Symfony 3, which has an end-of-life date in November 2021. This means that after November 2021, security bugs in Symfony 3 will not get fixed. Therefore, we have to end-of-life Drupal 8 no later than November 2021. Or put differently, by November 2021, everyone should be on Drupal 9.

Working backwards from November 2021, we'd like to give site owners at least one year to upgrade from Drupal 8 to Drupal 9. While we could release Drupal 9 in December 2020, we decided it was better to try to release Drupal 9 on June 3, 2020. This gives site owners 18 months to upgrade. Plus, it also gives the Drupal core contributors an extra buffer in case we can't finish Drupal 9 in time for a summer release.

Planned Drupal 8 and 9 minor release dates.

We are building Drupal 9 in Drupal 8

Instead of working on Drupal 9 in a separate codebase, we are building Drupal 9 in Drupal 8. This means that we are adding new functionality as backwards-compatible code and experimental features. Once the code becomes stable, we deprecate any old functionality.

Let's look at an example. As mentioned, Drupal 8 currently depends on Symfony 3. Our plan is to release Drupal 9 with Symfony 4 or 5. Symfony 5's release is less than one year away, while Symfony 4 was released a year ago. Ideally Drupal 9 would ship with Symfony 5, both for the latest Symfony improvements and for longer support. However, Symfony 5 hasn't been released yet, so we don't know the scope of its changes, and we will have limited time to try to adopt it before Symfony 3's end-of-life.

We are currently working on making it possible to run Drupal 8 with Symfony 4 (without requiring it). Supporting Symfony 4 is a valuable stepping stone to Symfony 5 as it brings new capabilities for sites that choose to use it, and it eases the amount of Symfony 5 upgrade work to do for Drupal core developers. In the end, our goal is for Drupal 8 to work with Symfony 3, 4 or 5 so we can identify and fix any issues before we start requiring Symfony 4 or 5 in Drupal 9.

Another example is our support for reusable media. Drupal 8.0.0 launched without a media library. We are currently working on adding a media library to Drupal 8 so content authors can select pre-existing media from a library and easily embed them in their posts. Once the media library becomes stable, we can deprecate the use of the old file upload functionality and make the new media library the default experience.

The upgrade to Drupal 9 will be easy

Because we are building Drupal 9 in Drupal 8, the technology in Drupal 9 will have been battle-tested in Drupal 8.

For Drupal core contributors, this means that we have a limited set of tasks to do in Drupal 9 itself before we can release it. Releasing Drupal 9 will only depend on removing deprecated functionality and upgrading Drupal's dependencies, such as Symfony. This will make the release timing more predictable and the release quality more robust.

For contributed module authors, it means they already have the new technology at their service, so they can work on Drupal 9 compatibility earlier (e.g. they can start updating their media modules to use the new media library before Drupal 9 is released). Finally, their Drupal 8 know-how will remain highly relevant in Drupal 9, as there will not be a dramatic change in how Drupal is built.

But most importantly, for Drupal site owners, this means that it should be much easier to upgrade to Drupal 9 than it was to upgrade to Drupal 8. Drupal 9 will simply be the last version of Drupal 8, with its deprecations removed. This means we will not introduce new, backwards-compatibility breaking APIs or features in Drupal 9 except for our dependency updates. As long as modules and themes stay up-to-date with the latest Drupal 8 APIs, the upgrade to Drupal 9 should be easy. Therefore, we believe that a 12- to 18-month upgrade period should suffice.

So what is the big deal about Drupal 9, then?

The big deal about Drupal 9 is … that it should not be a big deal. The best way to be ready for Drupal 9 is to keep up with Drupal 8 updates. Make sure you are not using deprecated modules and APIs, and where possible, use the latest versions of dependencies. If you do that, your upgrade experience will be smooth, and that is a big deal for us.

Special thanks to Gábor Hojtsy (Acquia), Angie Byron (Acquia), xjm(Acquia), and catch for their input in this blog post.

Drupal's commitment to accessibility

Wed, 12/05/2018 - 20:58

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Last week, WordPress Tavern picked up my blog post about Drupal 8's upcoming Layout Builder.

While I'm grateful that WordPress Tavern covered Drupal's Layout Builder, it is not surprising that the majority of WordPress Tavern's blog post alludes to the potential challenges with accessibility. After all, Gutenberg's lack of accessibility has been a big topic of debate, and a point of frustration in the WordPress community.

I understand why organizations might be tempted to de-prioritize accessibility. Making a complex web application accessible can be a lot of work, and the pressure to ship early can be high.

In the past, I've been tempted to skip accessibility features myself. I believed that because accessibility features benefited a small group of people only, they could come in a follow-up release.

Today, I've come to believe that accessibility is not something you do for a small group of people. Accessibility is about promoting inclusion. When the product you use daily is accessible, it means that we all get to work with a greater number and a greater variety of colleagues. Accessibility benefits everyone.

As you can see in Drupal's Values and Principles, we are committed to building software that everyone can use. Accessibility should always be a priority. Making capabilities like the Layout Builder accessible is core to Drupal's DNA.

Drupal's Values and Principles translate into our development process, as what we call an accessibility gate, where we set a clearly defined "must-have bar." Prioritizing accessibility also means that we commit to trying to iteratively improve accessibility beyond that minimum over time.

Together with the accessibility maintainers, we jointly agreed that:

  1. Our first priority is WCAG 2.0 AA conformance. This means that in order to be released as a stable system, the Layout Builder must reach Level AA conformance with WCAG. Without WCAG 2.0 AA conformance, we won't release a stable version of Layout Builder.
  2. Our next priority is WCAG 2.1 AA conformance. We're thrilled at the greater inclusion provided by these new guidelines, and will strive to achieve as much of it as we can before release. Because these guidelines are still new (formally approved in June 2018), we won't hold up releasing the stable version of Layout Builder on them, but are committed to implementing them as quickly as we're able to, even if some of the items are after initial release.
  3. While WCAG AAA conformance is not something currently being pursued, there are aspects of AAA that we are discussing adopting in the future. For example, the new 2.1 AAA "Animations from Interactions", which can be framed as an achievable design constraint: anywhere an animation is used, we must ensure designs are understandable/operable for those who cannot or choose not to use animations.

Drupal's commitment to accessibility is one of the things that makes Drupal's upcoming Layout Builder special: it will not only bring tremendous and new capabilities to Drupal, it will also do so without excluding a large portion of current and potential users. We all benefit from that!

Gewerbe-Service-Portal.NRW

Mon, 09/03/2018 - 18:46
Completed Drupal site or project URL: https://gewerbe.nrw/Digital business registration in North Rhine-Westphalia

Since the 1st of July 2018, the new "Gewerbe-Service-Portal.NRW" has been providing citizen-friendly eGovernment by allowing company founders in the German federal state North Rhine-Westphalia (NRW) to electronically register a business from home. The implementation was carried out by publicplan GmbH on behalf of d-NRW AöR. With the aid of a clearly arranged online form, commercial registration can be transmitted to the responsible public authorities with just a few clicks. Furthermore, an integrated chatbot helps the user with questions.

Service portal

In addition to the business registration, the portal offers information to the topic “foundation of an enterprise”. Furthermore, users have access to all service providers of the "Einheitliche Ansprechpartner NRW" (EA NRW). The online service supports specialised staff in taking up a service occupation or professional authentification. The search for a competent trading supervision department can also occur via the “Verwaltungssuchmaschine” (VSM) that was developed by d-NRW and publicplan GmbH on behalf of the “Ministerium für Wirtschaft, Innovation, Digitalisierung und Energie NRW” (MWIDE). The VSM is a search engine specialized for information about the public sector.

Business registration together with Chatbot “Guido“

"Guido" is a smart dialogue assistant for questions. He ensures automatic retrievability of information in plain language and is also able to identify each business type by a key. The chatbot determines every suitable business type by approaching the key through request of information. After successful determination, it is automatically transmitted to the form. Therefore, “Guido” saves the complicated search for many similar types of business. The director of publicplan GmbH, Dr. Christian Knebel says: "Thanks to our numerous eGovernment projects, we can draw on a wealth of experience in order to implement such a comprehensive portal. publicplan's integrated chatbot technology is the perfect complement to a contemporary citizen service."

American Councils for International Education

Fri, 07/27/2018 - 15:11
Completed Drupal site or project URL: https://www.americancouncils.org

Since 1974, American Councils for International Education (ACIE) has been making international education accessible for all. And today, the organization has built a global community of 85 countries and 89,000 alumni through cultural and academic exchanges, research assessments, language immersion programs, and professional development. ACIE’s alumni include everyone from high school students to professionals, national leaders, ministers, members of parliament, ambassadors, and CEOs.

In an effort to improve national security, prosperity, and peace, ACIE’s goal for its members is to prepare them to succeed in our increasingly interconnected and rapidly changing world. But ACIE most recently created a whole new set of strategic goals, and brought in Threespot, a digital communications agency, for a website redesign to expand its global impact, strengthen its financial standing, and build a stronger understanding of who they are. Threespot partnered with Inclind, ACIE’s ongoing Drupal development partner to implement the new design and upgrade the website's functionality.

DC-based Threespot provides digital strategy, creative, and development services exclusively for organizations and ideas that align with their progressive values. Known for strong collaborative capabilities, Inclind brings to the table nearly 20 years of experience developing, designing, supporting and maintaining web content management systems. With ACIE's mission to prepare tomorrow's leaders for an ever-changing world and its need for a more modern and sophisticated Drupal site, a collaboration among the three organizations was a no-brainer.

“We’ve worked with Inclind in the past and they’re a trusted partner,” says Liz Ott, Director of Client Engagement with Threespot. “With collaborative projects like this, there’s a real value in leveraging partner agencies for their strengths. Our track record working strategically with progressive nonprofits dovetailed nicely with Inclind’s strengths as Drupal developers, giving ACIE the best of both worlds.”

LUSH

Tue, 05/08/2018 - 21:54
Completed Drupal site or project URL: http://lush.comIntroducing the biggest e-commerce platform built on top of Drupal Commerce.

LUSH, a British cosmetics company, worked with FFW to build a digital space that would inspire the same loyalty that their physical shops enjoyed all around the globe. LUSH is a vegetarian and vegan beauty and cosmetics company based out of England. The company has a core group of dedicated customers worldwide, most of whom purchase their products at LUSH’s retail shops.

With LUSH’s in-store sales far outweighing those online, LUSH wanted to create a digital experience that would perform scalably and reliably during huge sales while showcasing the best of the LUSH brand. As an ecologically aware, community-focused business, they knew their values aligned well with the values of many open source communities, such as Drupal. And when one of LUSH's partners referred them to FFW, everything clicked.

After the launch, the new LUSH website realized dramatic spikes in both web traffic and online sales. Website sessions increased by 75%, digital orders increased by a whopping 64%, and shopping cart abandonment decreased by 16%.

"Massive thanks for all your efforts in getting the project over the line and the late nights - you've been phenomenal throughout. From me and the LUSH development team, thank you."
-
Ryan Kerry, Global Head of Development at LUSH

Autodesk Design Academy

Tue, 05/08/2018 - 21:04
Completed Drupal site or project URL: https://academy.autodesk.com/

Autodesk is a leader in 3D design, engineering and entertainment software. To help drive the future of innovation, Autodesk gives their software away to students and educators around the world. The Autodesk Design Academy platform supports this initiative by providing a space where users can create, share, and collaborate on content.

Syfy.com

Mon, 05/07/2018 - 23:16
Completed Drupal site or project URL: http://www.syfy.com/

While the Syfy network was busy creating compelling new worlds with shows like 12 Monkeys and Helix, their website was worlds behind. It was not responsive, not beautiful, and, in the words of Matthew Chiavelli, VP of Digital Media and Strategy, "put together with duct tape and baling wire". Syfy needed a scalable, cinematic full-screen experience that would look great on any device and be commensurate to their original content.

State of Drupal presentation (April 2018)

Tue, 04/24/2018 - 18:11

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

© Yes Moon

Last week, I shared my State of Drupal presentation at Drupalcon Nashville. In addition to sharing my slides, I wanted to provide more information on how you can participate in the various initiatives presented in my keynote, such as growing Drupal adoption or evolving our community values and principles.

Drupal 8 update

During the first portion of my presentation, I provided an overview of Drupal 8 updates. Last month, the Drupal community celebrated an important milestone with the successful release of Drupal 8.5, which ships with improved features for content creators, site builders, and developers.

Drupal 8 continues to gain momentum, as the number of Drupal 8 sites has grown 51 percent year-over-year:

This graph depicts the number of Drupal 8 sites built since April 2015. Last year there were 159,000 sites and this year there are 241,000 sites, representing a 51% increase year-over-year.

Drupal 8's module ecosystem is also maturing quickly, as 81 percent more Drupal 8 modules have become stable in the past year:

This graph depicts the number of modules now stable since January 2016. This time last year there were 1,028 stable projects and this year there are 1,860 stable projects, representing an 81% increase year-over-year.

As you can see from the Drupal 8 roadmap, improving the ease of use for content creators remains our top priority:

This roadmap depicts Drupal 8.5, 8.6, and 8.7+, along with a column for "wishlist" items that are not yet formally slotted. The contents of this roadmap can be found at https://www.drupal.org/core/roadmap.

Four ways to grow Drupal adoption

Drupal 8 was released at the end of 2015, which means our community has had over two years of real-world experience with Drupal 8. It was time to take a step back and assess additional growth initiatives based on what we have learned so far.

In an effort to better understand the biggest hurdles facing Drupal adoption, we interviewed over 150 individuals around the world that hold different roles within the community. We talked to Drupal front-end and back-end developers, contributors, trainers, agency owners, vendors that sell Drupal to customers, end users, and more. Based on their feedback, we established four goals to help accelerate Drupal adoption.

Goal 1: Improve the technical evaluation process

Matthew Grasmick recently completed an exercise in which he assessed the technical evaluator experience of four different PHP frameworks, and discovered that Drupal required the most steps to install. Having a good technical evaluator experience is critical, as it has a direct impact on adoption rates.

To improve the Drupal evaluation process, we've proposed the following initiatives:

Initiative Issue link Stakeholders Initiative coordinator Status Better discovery experience on Drupal.org Drupal.org roadmap Drupal Association hestenet Under active development Better "getting started" documentation #2956879 Documentation Working Group grasmash In planning More modern administration experience #2957457 Core contributors ckrina and yoroy Under active development

To become involved with one of these initiatives, click on its "Issue link" in the table above. This will take you to Drupal.org, where you can contribute by sharing your ideas or lending your expertise to move an initiative forward.

Goal 2: Improve the content creator experience

Throughout the interview process, it became clear that ease of use is a feature now expected of all technology. For Drupal, this means improving the content creator experience through a modern administration user interface, drag-and-drop media management and page building, and improved site preview functionality.

The good news is that all of these features are already under development through the Media, Workflow, Layout and JavaScript Modernization initiatives.

Most of these initiative teams meet weekly on Drupal Slack (see the meetings calendar), which gives community members an opportunity to meet team members, receive information on current goals and priorities, and volunteer to contribute code, testing, design, communications, and more.

Goal 3: Improve the site builder experience

Our research also showed that to improve the site builder experience, we should focus on improving the three following areas:

  • The configuration management capabilities in core need to support more common use cases out-of-the-box.
  • Composer and Drupal core should be better integrated to empower site builders to manage dependencies and keep Drupal sites up-to-date.
  • We should provide a longer grace period between required core updates so development teams have more time to prepare, test, and upgrade their Drupal sites after each new minor Drupal release.

We plan to make all of these aspects easier for site builders through the following initiatives:

Initiative Issue link Stakeholders Initiative coordinator Status Composer & Core #2958021 Core contributors + Drupal Association Coordinator needed! Proposed Config Management 2.0 #2957423 Core contributors Coordinator needed! Proposed Security LTS 2909665 Core committers + Drupal Security Team + Drupal Association Core committers and Security team Proposed, under discussion Goal 4: Promote Drupal to non-technical decision makers

The fourth initiative is unique as it will help our community to better communicate the value of Drupal to the non-technical decision makers. Today, marketing executives and content creators often influence the decision behind what CMS an organization will use. However, many of these individuals are not familiar with Drupal or are discouraged by the misconception that Drupal is primarily for developers.

With these challenges in mind, the Drupal Association has launched the Promote Drupal Initiative. This initiative will include building stronger marketing and branding, demos, events, and public relations resources that digital agencies and local associations can use to promote Drupal. The Drupal Association has set a goal of fundraising $100,000 to support this initiative, including the hiring of a marketing coordinator.

Megan Sanicki and her team have already raised $54,000 from over 30 agencies and 5 individual sponsors in only 4 days. Clearly this initiative resonates with Drupal agencies. Please consider how you or your organization can contribute.

Fostering community with values and principles

This year at DrupalCon Nashville, over 3,000 people traveled to the Music City to collaborate, learn, and connect with one another. It's at events like DrupalCon where the impact of our community becomes tangible for many. It also serves as an important reminder that while Drupal has grown a great deal since the early days, the work needed to scale our community is never done.

Prompted by feedback from our community, I have spent the past five months trying to better establish the Drupal community's principles and values. I have shared an "alpha" version of Drupal's values and principles at https://www.drupal.org/about/values-and-principles. As a next step, I will be drafting a charter for a new working group that will be responsible for maintaining and improving our values and principles. In the meantime, I invite every community member to provide feedback in the issue queue of the Drupal governance project.

An overview of Drupal's values with supporting principles.

I believe that taking time to highlight community members that exemplify each principle can make the proposed framework more accessible. That is why it was very meaningful for me to spotlight three Drupal community members that demonstrate these principles.

Principle 1: Optimize for Impact - Rebecca Pilcher

Rebecca shares a remarkable story about Drupal's impact on her Type 1 diabetes diagnosis:

Principle 5: Everyone has something to contribute - Mike Lamb

Mike explains why Pfizer contributes millions to Drupal:

Principle 6: Choose to Lead - Mark Conroy

Mark tells the story of his own Drupal journey, and how his experience inspired him to help other community members:

Watch the keynote or download my slides

In addition to the community spotlights, you can also watch a recording of my keynote (starting at 19:25), or you can download a copy of my slides (164 MB).

Kevin Thull, from behind the camera

Tue, 04/24/2018 - 15:17

Chances are if you've attended any of the Drupal camps in North America you've run into Kevin Thull. He's the fellow that is dashing from room to room before the first session begins to set up the AV equipment and checking in with presenters making sure they all "push the red button". Because of him, we are all able attend the sessions we miss while busy elsewhere. He is personally responsible for recording over 800 sessions and donating countless hours of his time.

Not only does he record sessions at camps, he also helps organize Midwest Drupal Camp. For this next year he has been charged as their fearless leader. He will be working on their web team, arranging catering, organizing the venue, as well as doing all the audio visual.

This year at DrupalCon Nashville the Drupal Community awarded Kevin the Aaron Winborn award. The Aaron Winborn award is presented annually to an individual who demonstrates personal integrity, kindness, and above-and-beyond commitment to the Drupal community. Kevin's commitment to capturing knowledge to share with the whole community is truly inspirational. He has provided a platform that helps tie local Drupal Communities together.

The Drupal Community Spotlight Committee's AmyJune sat with Kevin before Nashville and asked him some questions about contributing to the Drupal Community.

Ironically, AmyJune had chosen to write this spotlight on Kevin a few weeks before DrupalCon. AmyJune had asked him if he was coming to Nashville and he relayed that he had a prior commitment to attend another conference for his job. Unbeknownst to us, during the interview Kevin knew he had been awarded the honor and managed to keep it a secret. While he did mention that the marketing conference only ran through Wednesday, AmyJune was pleasantly surprised to see him take the stage.

Well, not too surprised, after all he truly deserves the honor.

How long have you been involved in the Drupal community?

I’m not involved with Drupal through my employer, I work in Marketing, but I got into Drupal through freelance.

My first meet up was when the Using Drupal 6 book first came out. I would say that is when I first started getting involved in the community. So, that's close to 10 years now.

I started recording Drupal Camps back in 2013. The official Chicago Camp was having issues and so we as a far western Suburban group decided to have our own camp. I thought I could do some of the logistics and session recordings since that's what I do for work. I had the same setup with video cameras in the back of the room and I spent countless hours rebuilding these presentations. It's a similar process, but it's a very a different presentation between a marketer and someone from the Drupal community giving a presentation on diversity. A marketer might have 20 slides, but a Drupal talk may have 104.

Everybody at the time was telling me I was insane for doing this, but my response was, "Nope, it's important."

In 2014 was the first MIDCamp and we were able to get the DA recording kits. But that was not great either. There was a lot of setup, they were expensive to ship them back and forth, they didn't work terribly well, so that's when Avi Schwab ( https://www.drupal.org/u/froboy) and I started collaborating. He did all the setup for the laptops and I did all the running around from room to room and post production. We brainstormed and I started doing research. The next Suburban Camp is when I had my first test kit for what I am using today.

I saw that you recorded Pacific Northwest Drupal Summit remotely this year? Can you share that experience with us?

That's a funny story. It was the same weekend as Jersey Camp and I tend to favor camps I have already recorded. They had committed before Pacific Northwest Drupal Summit and when Amber Matz saw me at BADCAmp, I explained the conflict. I told her I had started working on the next step and would be shipping the kits to camps. I sat with her and showed her how the kit worked and she said it didn't seem too difficult, and we said "Let's do this".

I got a new case, sent 5 kits to them. It's funny how talking with the organizers of camps helps all of this come together. Because later at New England Camp, I was explaining to one of their organizers how I was shipping kits and he suggested labeling the cables. I thought that was brilliant so I got a label maker and labeled all the cables. I wrote out more a detailed instruction guide, and all these things were things I had been meaning to do.

I sent 5 kits, insured FedEx for around $50, whereas the DA sends this giant pelican case that must cost hundreds of dollars. That was part of the plan originally; we wanted something lightweight and easy to use. I heard they had an 84% capture rate which is a great start. The issue is that non-Macs recordings have no sound and so I have to lay up the backup recording into the video. A lot of times that back up recorder gets turned off or stopped for some reason.

While I was in Florida I started working on pinpointing why non-Mac machines don't have audio. Later, I had mixed success at MIDCamp, I captured a couple, some didn't work, one being an Ubuntu build. At lunch I worked with that presenter to test various setups and we found a setup that worked. Once I can crack that nut, then shipping with even more instructions will increase the capture rates.

Now that you're capturing some camps remote, how does that cut into how much you like to travel?

I do like to travel, but there are a couple of issues. A) I can't be everywhere. B) I am potentially doing 13 or 14 camps this year. Which is cool now, but it may not be cool in couple of years. And C) I don't do Drupal at work and when I first starting doing this I was using all my PTO. I don’t do any Drupal at work, but I brought back all kinds of information and my boss recognized that. She said I could count those as remote days, but of course there's a limit.

There is a balance to be found between visiting the camps and sending the kits remotely.

What are some of your favorite camps?

Everybody asks me that, that question is not fair. I like them all. It's generally the places I know the most people and/or I go ahead of time to play before camp starts. I am not a solo traveller, so if I know a lot of people at the camp I tend to like those: Badcamp, Twin Cities, St. Louis, Texas (cuz of Austin), and Montreal.

What are the things you like to do before a camp that makes it more fun?

HaHaHa, eat and drink all the things. Bar Crawls, Food Crawls, you name it.

Have you given any thought to helping with camps outside the States?

I would like to, but it’s a time and cost issue. The camps now reimburse my travel expenses. To fly to a European camp - I don’t know if that would be in their budget.

It’s interesting, Mauricio Dinarte tailed me for a few camps and he wanted, and he did, get some kits to start recording Nicaragua. One day he tweeted that he saw my kits at Drupal Camp Antwerp. It’s cool to see how these things grow organically. There’s not a camp that goes by where someone from the community doesn’t ask me about how everything works.

Congratulations Kevin!

Kevin’s not just the guy who reminds us all to push the red button. He is the guy who loans out his phone when a presenter is doing a live demo and needs an internet hotspot. He is the guy spending hours during and after Drupal Camps piecing together audio and video for maximum quality. The Drupal Community has so much to thank him for, the Aaron Winborn award couldn’t have been awarded to anyone more deserving.

Link to Kevin Thull Youtube acceptance

On Kevin, from the community:

“It has become a no-brainer to invite Kevin to Florida DrupalCamp and have him record and post all of our sessions online. He makes it easy for us to share our great content with a world-wide audience by coming prepared, making it easy for presenters, and uploading the video almost immediately. He’s a true asset to the community.”  - Mike Anello (Florida Camp)

"His never-ending abundance of energy and positive contributions in the form of Drupal Camp video services in the US is unmatched. At the camps where I’ve spoken or helped organize he has been a great person to work with through the whole process - helpful and organized across the board." - Aimee Degnan Hannaford (BADCamp)

“We appreciated Kevin’s willingness to send recording equipment and documentation to our event so that we could record sessions, even though he couldn’t be there. He was encouraging and helpful all along the way.” Amber Matz (PNWDS Portland)

Thank you Kevin for your contribution to community, for sharing your story with us, and for being a most excellent secret keeper! And thank you to the hundreds of volunteers that make Drupal Camps, Cons, meetups and picnics a success every year. And thank you AmyJune for this most excellent Drupal Community Spotlight article!

Top image credit: Image by Jordana F

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Wed, 04/18/2018 - 17:34
Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Solution: 
  • If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
  • The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
  • If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.
Reported By: Fixed By: 

Imperial War Museums

Thu, 04/12/2018 - 15:17
Completed Drupal site or project URL: https://www.iwm.org.uk/

Deeson designed and built a powerful digital platform to harness Imperial War Museums' collection and drive deeper engagement with their events.

The brief.

Deeson was asked to support Imperial War Museums (IWM) in evaluating the effectiveness of their existing digital presence in helping them meet their strategic goals. After a strategic and technical audit, IWM elected to rebuild their website.

They tasked us with launching their new website as a groundbreaking "sixth site" to sit alongside the museum's five physical branches. The site needed to showcase the museum's rich content in compelling new ways.

The results.

We created a bold new website powered by Drupal 8 that is a confident declaration of what Imperial War Museums represents, and reflects the urgency and importance of the subject matter.

The visually arresting design brings to life IWM's collection, branches, and the rich variety of their public programme of events and exhibitions, enabling them to tell the fascinating stories formerly buried deep within their collection.

Implementation Guide on Headless and Decoupled CMS

Mon, 04/02/2018 - 23:03

The following blog was written by Drupal Association Signature Hosting Supporter, Acquia

The rapid evolution of diverse end-user clients and applications has given rise to a dizzying array of digital channels to support.

Websites in the past were built from monolithic architectures utilizing web content management solutions that deliver content through a templating solution tightly “coupled” with the content management system on the back-end.

Agile organizations crave flexibility, and strive to manage structured content across different presentation layers consistently in a way that’s scalable.

Accomplishing this efficiently requires that teams have flexibility in the front-end frameworks that dominate the modern digital landscape. That’s why decoupled and headless CMS is taking off. That’s why you’re here. But now you need the right technology to support the next phase of the web and beyond.

Download this eBook on headless and decoupled CMS

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Wed, 03/28/2018 - 20:14
Project: Drupal coreDate: 2018-March-28Security risk: Highly critical 21∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code Execution Description: 

CVE: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.

Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.

Reported By: Fixed By:  Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Thunder, the Drupal 8 Distribution for Professional Publishing

Wed, 03/28/2018 - 01:41
https://thunder.org/

Thunder is the Drupal 8 distribution for professional publishing. Thunder was designed by Hubert Burda Media and released as open-source software under the GNU General Public License in 2016. As members of the Thunder community, publishers, partners, and developers build custom extensions and share them with the community to further enhance Thunder.

Thunder consists of the current Drupal 8 functionality, lots of handpicked publisher-centric modules with custom enhancements (our own Thunder Admin Theme, the Paragraphs module, the Media Entity module, the Entity Browser module, and lots more), and an environment which makes it easy to install, deploy and add new functionality (e.g. the Thunder Updater).

To learn more about Thunder projects, read these case studies: German magazine Mein Schöner Garten (Gardening Magazine for Hubert Burda Media), US magazine American Heritage (American Heritage Magazine Migration – Drupal 8), and Serbian television and radio station PannonRTV (News portal for media house – PannonRTV).

About the idea:

We at the Thunder Core Team believe that publishers do not compete with each other through technology, but rather through content and brands. That is why the German publisher Hubert Burda Media established the Thunder community which aims to join forces among media companies by sharing code and innovation power. The goal is to innovate faster and spend less money overall by working together.

The Thunder community’s core product is the open-source content management system Thunder. Community members develop useful modules, use them for their own purposes and share them with the community by publishing them under the GNU General Public License. Neither Hubert Burda Media nor the other publishers in the community charge anyone for their contributions.

Any company publishing content professionally is welcome as a member of the Thunder community - both as user and as contributor. Anyone can join by contributing to the distribution. The usefulness and richness of Thunder’s functionality directly benefit from the number of contributors.

Why Drupal was chosen: 

For Burda, Drupal is the content management platform of choice. It is a free and open-source content-management framework written in PHP and distributed under the GNU General Public License.

The standard Drupal core already provides the essential features, e.g. user management, menu management, RSS feeds, taxonomy, page layout customization, and system administration. It is easily adaptable and extensible with thousands of modules provided by a global community of users and developers. In addition, developers at Hubert Burda Media have had previous good experiences with Drupal. Drupal is therefore a tried and tested basis and has become even better with Drupal 8.

Describe the project (goals, requirements and outcome): 

Thunder started as a way to share innovation and synergies among the many different brands and products within the Burda Corporation to save costs and speed up the time to market. It did not take long until we realized that the model that worked within the very diverse Burda universe would be useful for almost all digital publishers. That was when we decided to open source the distribution.

Due to its open source basis on Drupal 8, all features and functionality within Thunder are available to anyone wishing to benefit from Burda’s industry experience. Individual brands can add modules to tailor the system to their specific needs. Many of those “specific” customizations will prove to be valuable to more than just the organizations they originated from. We therefore designed Thunder in a way that we can easily incorporate those add-ons into the main distribution and share the features among all brands.

Goals:

We aim at becoming the best open-source content management system for professional publishing. In this, we focus on the creation of content. We want to help editors to create articles, to add media, to build landing pages, in short, to share their stories with the world.
We want Thunder to be a CMS jointly developed by its users and are therefore working towards building a community of publishers, IT agencies, and anyone else who shares our ideas and contributes to Thunder.

Our aim in doing so is to stay very close to the Drupal community and the Drupal core instead of creating a Thunder fork. Whenever we want to implement a new functionality or solve a problem, we try to do this in Drupal core or in the modules Thunder uses instead of fixing things in the distribution.

Time spent:

It’s difficult to measure the time spent on the development of Thunder, as this is an ongoing process. Currently, there are four developers employed by Hubert Burda Media working on the distribution full-time, plus several external developers. They focus on the advancement of Thunder as well as Drupal core and the contrib modules used in the distribution. A community manager is working on coordinating and growing the Thunder community of publishers, developers, and other partners.

Timeline and Milestones:
  • 30th August 2015: Repository and first commits for Thunder
  • September 2015: playboy.de – the first website running on Thunder
  • November 2015: instyle.de – the second website running on Thunder as well as proof of concept of the sharing model
  • 17th March 2016: Official press release about Thunder
  • October 2016: produceretailer.com is the first professional non-Burda website running on Thunder
  • 30th January 2017: Release of Thunder 1.0
  • March 2016: One year after the official launch of the Thunder initiative, 15 websites (we know of) are running on Thunder.
  • 1st June 2017: Release of Thunder 2.0
  • 20th July 2017: Release of Thunder Admin Theme
  • 20th November 2017: First community event, the Thunder Day in Hamburg
Results:

We released Thunder 1.0 in January 2017. One year later, at least 60 professional websites that we know of now run on Thunder. In the meantime, we have also released Thunder 2.0 and the Thunder Admin Theme.

Publishing houses grabbed the idea of working together. The Austrian publisher kurier.at, for example, contributed to the liveblog module used in Thunder and developed a new functionality to split text paragraphs.

In community matters, we talked to more than 300 companies worldwide. We established the “Certified Thunder Integrator” program to help publishers to find IT agencies as well as IT agencies to find customers. As of now, there are more than 20 companies certified or in the certification process.

We aim at bringing people together to share experiences. For this purpose, we introduced a Slack team for the Thunder community as well as several social media accounts. Furthermore, we organized the first community event – the Thunder Day – with around 120 participants in November 2017.

Challenges and how we resolved them:

Updating:

Distributions such as Thunder face the problem of losing control after the installation. How should a distribution actually deliver features and updates? We thought a lot about this problem and introduced the Thunder Updater, the “Thunder way to keep your site up to date”. Thunder checks if installed configurations have been changed – if not, they can be updated. Otherwise, you will get a message telling you there’s an update pending and what to do if you wish to have it. This functionality is currently an integral part of the distribution but we plan to detach it and publish it as a module on drupal.org soon so that everybody can use it.

Testing:

Writing an Admin Theme is very difficult because Drupal offers so many possibilities to adapt things: If you change something it can have unexpected effects in unexpected places. To avoid surprises, we developed Sharpeye, a visual regression tool. It takes screenshots and compares them in automated tests. This gives us a good overview. We open sourced the tool and you can download it here: github.com/BurdaMagazinOrg/sharpeye

Technical details, tips, and tricks: Tooling:

We invested a lot of time into automated testing but it was well worth the effort, not only for Thunder but also for Drupal core and the contrib modules we use since we discovered a lot of bugs there too.

Development process:

We don’t use a closed issue tracker but publish our tickets on drupal.org, thereby creating transparency. We use Github rather than drupal.org for the development because the developer experience is much better.

Organizations involved: 

Thunder

Modules/Themes/Distributions

Key modules/theme/distribution used: 

Why these modules/theme/distribution were chosen:  Requirements / Key modules Storytelling

In professional publishing, it’s all about the story. It has to be easy to create a story, to extend it, to change its narrative strand, and to enrich it with multimedia content. We use the Paragraphs module for this. Instead of putting all their content in one WYSIWYG body field including images and videos, end-users can now choose on the fly between pre-defined Paragraph Types independent from one another. Paragraph Types can be anything you want from a simple text block or image to a complex and configurable slideshow. This allows editors to structure an article into sub-elements which can easily be created, edited, and reorganized.

Media Handling

Editors want to enrich their articles with pictures, videos, content from social media, and whatever else you might think of. Paragraphs are one part of this, the other is the combination of the Media Entity module and the Entity Browser module. With those modules, editors can easily upload new content but also find and reuse existing entities.

SEO

Search engine optimization plays a major role in every editor’s life. Thunder therefore gas a plethora of different adjusting screws, from several meta tags for Facebook, Twitter, and Open Graph up to the simple XML sitemap.

Scheduled Publishing

The editor’s daily life is a lot about planning. With Thunder, you can schedule articles, ensuring they will be published at a given date and time. Even more importantly, you can also schedule the time at which an article or a picture should not be shown on the website anymore, e.g. if the contract period for a photograph has ended or an event announcement isn’t useful anymore.

Improved Authoring Experience

Our primary focus is making the editors’ work with Thunder as easy as possible. In order to achieve this, we created the Thunder Admin Theme based on findings of user tests and a survey conducted with editors working with Thunder.

Detailed Module List

Find a detailed list of the modules we use in Thunder here: burdamagazinorg.github.io/thunder-documentation/modules

Community contributions: 

Since we get a lot from the Drupal community, we give our best to contribute back, e.g. by fixing the bugs we find through automated tests and by supporting Drupal events and code sprints with developer time, talks, and sponsoring. Christian Fritsch, a member of the Thunder Core Team, contributed a lot of his time to the media initiative. Ingo Rübe, the initiator of Thunder, is a member of the Drupal Association’s Board of Directors.

Project team: 
  • Daniel Bosen - Lead Developer
  • Christian Fritsch - Senior Developer
  • Mladen Todorovic - Senior Developer
  • Volker Killesreiter - Senior Developer
  • Julia Pradel - Community Manager
  • Ingo Rübe - Initiator of Thunder
  • Collin Müller - Head of Strategic Development
Team members:  Thunder is proud sponsor of the Media and Publishing Summit ahead of the DrupalCon in Nashville. Meet us on 9th April to learn more about Thunder and how it is used in professional publishing.

Drupal 7 and 8 core highly critical release on March 28th, 2018 PSA-2018-001

Wed, 03/21/2018 - 20:13
  • Advisory ID: DRUPAL-PSA-2018-001
  • Project: Drupal Core
  • Version: 7.x, 8.x
  • Date: 2018-March-21
Description

There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 - 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.

While Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0. The Drupal security team strongly recommends the following:

  • Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.

The security advisory will list the appropriate version numbers for all three Drupal 8 branches. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

Journalists interested in covering the story are encouraged to email security-press@drupal.org to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory.

If you find a security issue, please report it at https://www.drupal.org/security-team/report-issue.

Drupal 8.5.0 is now available

Wed, 03/07/2018 - 22:51
What's new in Drupal 8.5.0?

This new version makes Media module available for all, improves migrations significantly, stabilizes the Content Moderation and Settings Tray modules, serves dynamic pages faster with BigPipe enabled by default, and introduces a new experimental entity layout user interface. The release includes several very important fixes for workflows of content translations and supports running on PHP 7.2.

Download Drupal 8.5.0

Media in core improved and available to all site builders

In Drupal 8.4, we added a Media API to core that drew on work from the contributed Media Entity module, but the module was hidden from the user interface due to user experience issues. In Drupal 8.5, many of the usability issues have been addressed, and the module now can be enabled normally. Media in Drupal 8.5 supports uploading and playing audio and video files, as well as listing and reusing media.

For an optimal user experience, we suggest enhancing the core feature set with the rich ecosystem of contributed modules that extends the core Media module. In future releases, we will improve the core user experience with a media library and other tools, add WYSIWYG integration, add support for remote media types like YouTube videos, and provide an upgrade path for existing basic File and Image field data on existing sites.

Settings Tray and Content Moderation now stable

Two experimental modules originally added with Drupal 8.2.0 have been steadily improving in past releases and are now stable. The Settings Tray module provides a quick solution to manage settings in context, such as moving items around in a menu block. The Content Moderation module allows defining content workflow states such as Draft, Archived, and Published, as well as which roles have the ability to move content between states. Drupal 8.5.0 also adds support for translations to be moderated independently.

New experimental Layout Builder module

The new experimental Layout Builder module provides display layout capabilities for articles, pages, user profiles, and other entity displays. Layout Builder uses the same "outside-in" user interface that Settings Tray module does, allowing site builders to edit their layouts on the actual page (rather than having to go to a separate form on the backend). The current user interface is a basic implementation but we expect it will improve significantly in the coming months.

Big steps for migrations

After over four years of work, this release marks the Migrate system's architecture stable. The Drupal Migrate and Drupal Migrate UI modules are also considered stable for upgrading monolingual sites. (Multilingual site upgrades are still not fully supported.) Support for incremental migrations is also included in this release. See the migrate announcement for further details on migrating to Drupal 8.

BigPipe by default

The BigPipe module provides an advanced implementation of Facebook's BigPipe page rendering strategy for greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. The module was added in Drupal 8.1.0 experimentally and became stable in Drupal 8.3.0. Following real-world testing, Big Pipe is now included as part of Drupal 8.5.0's Standard installation profile, so that all Drupal 8 sites will be faster by default. BigPipe is also the first new Drupal 8 feature to mature from an experimental prototype all the way to being part of a standard installation!

Groundwork for a Drupal 8 "Out of the Box" demo

Drupal 8.5.0 includes the groundwork for a new demo profile and theme from the Out of the Box Initiative, which will be a beautiful, modern demonstration of Drupal's capabilities. This will allow us to provide the demo experimentally, possibly in a future Drupal 8.5 release. (The demo profile and theme should not be used on actual production or development sites since no backwards compatibility or upgrade paths are provided.) If you'd like to see this demo in action, you can also see it in the 8.6.x development version.

PHP 7.2 now supported

Drupal 8.5.0 now runs on PHP 7.2, which comes with new features and improves performance over PHP 7.1. PHP 7.2 is now the recommended PHP version to use with Drupal 8.

What does this mean for me? Drupal 8 site owners

Update to 8.5.0 to continue receiving bug and security fixes. The next bugfix release (8.5.1) is scheduled for April 4, 2018.

Updating your site from 8.4.5 to 8.5.0 with update.php is exactly the same as updating from 8.4.4 to 8.4.5. Drupal 8.5.0 also has updates to several dependencies, including a backwards-compatible update to a Symfony long-term-support release (which will be supported for many years). Modules, themes, and translations may need updates for these and other changes in this minor release, so test the update carefully before updating your production site.

Note that Drupal 8 will require PHP 7 starting in March 2019, one year from now. If your site is hosted on PHP 5.5 or 5.6, you should begin planning to upgrade (and consider upgrading to PHP 7.2 now that it is supported). See the Drupal core announcement about the PHP 5 end-of-life for more information.

Drupal 6 and 7 site owners

Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8. Drupal 6 is no longer supported. See the migrate announcement for further details on migrating to Drupal 8.

Translation, module, and theme contributors

Minor releases like Drupal 8.5.0 include backwards-compatible API additions for developers as well as new features. Read the 8.5.0 release notes for more details on the improvements for developers in this release.

Since minor releases are backwards-compatible, modules, themes, and translations that supported Drupal 8.4.x and earlier will be compatible with 8.5.x as well. However, the new version does include some changes to strings, user interfaces, internal APIs and API deprecations. This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.5.0 release candidate for more background information.

Big steps for migrations in Drupal 8.5.0

Wed, 03/07/2018 - 22:51

After over four years of work with over 570 contributors and 1300+ closed issues, Drupal 8.5.0 releases the Migrate system's architecture as fully stable. This means that developers can write migration paths without worrying for stability of the underlying system.

On top of that the Migrate Drupal and Migrate Drupal UI modules (providing Drupal 6 and 7 to Drupal 8 migrations) are considered stable for upgrading monolingual sites. All of the remaining critical issues for the Migrate Drupal module's upgrade paths and stability are related to multilingual migration support (so multilingual site upgrades are still not fully supported).

Support for incremental migrations is now also available, which means that site owners can work gradually on their new Drupal 8 site while content is still being added to the old site. When migrations (including incremental migrations) are run through the user interface, site owners will now see a warning if some data on the Drupal 8 site might be overwritten. (A similar fix for Drush is not yet available, so be careful not to overwrite data if you run a migration on the command line.) 

Upgrade instructions for Drupal 6 and Drupal 7 sites can be found in the Upgrading to Drupal 8 handbook. Your old site can still remain up and running while you test migrating your data into your new Drupal 8 site. If you happen to find a bug, that is not a known migrate issue, your detailed bug report with steps to reproduce is a big help!

Unlike previous versions, Drupal 8 stores translated content as single entities. Multilingual sites with reference fields (node_reference, entity_reference) or multilingual menus can upgrade to Drupal 8 using Drush, executing the desired migrations one by one. In this process you need to create and run a series of additional custom migrations to reflect the new entity identifiers assigned during earlier migrations. There is no automation implemented for this process yet.

Data can be migrated to Drupal 8 also from non-Drupal sources such as CSV, XML, JSON, or directly from 3rd party systems' databases. For instructions and examples, refer to Migrate API handbook.

Huge thanks again to all the contributors who made this possible.

Remembering J-P Stacey

Mon, 02/26/2018 - 06:35

In 2017 we saw the passing of J-P, community friend, mentor, leader, and contributor. Within the community J-P's was known for his passions: Drupal, programming culture, gardening, cycling and the environment. We invited people to share their memories of J-P and his impact; we share them with you now in memoriam. This is a moving tribute and a celebration of his life.

We invite you to also share your tributes in the comments section.


J-P Stacey on the Tour de Drupal 2016 Photo by Christian Ziegler
The person

J-P was a bright intelligent, quirky chap, ADORED animals, he would melt at the mention of our pets names, he would happily spend hours cooing over stories of his beloved cat Indie, he'd oblige you in hours and hours of stories about your beloved animals - kae76

Whenever I was with JP he was always smiling. He was always there to help and it was always a pleasure to see JP at Drupal events and chat to him on IRC - aburrows

Nice. My overriding memory of J-P is how nice he was. When he moved up to Sheffield and started attending the Yorkshire meetups he fitted right in straight away. He always found time to ask how people were doing and genuinely cared what they were saying. He was always patient, positive and happy to help others - kmbremner

I remember first meeting J-P at DrupalCamp Oxford in 2012, when I had just started out running a small business and I remember thinking how much of a mad professor he looked, and discussing different parts of Oxford with him. The last time I saw J-P was sharing a meal with at DrupalCamp London 2017 near Euston. Both times J-P was actively seeking to engage people from the edges of the community (all the other Drupalists at the meal were freelancers or small businesses) and I know that was something he was highly instrumental at working with. I actually went back to that restaurant recently, and it seems slightly strange that I won't see J-P at another event - willhallonline

J-P being present just simply makes you happy, such an open genuine chap. Always disappointment around if he can't attend a catch-up, and anticipation if you know he will be there. J-P, always the gentleman, honoured my poor jokes with a titter or a laugh, even if it first met with an understandable groan - waako

I knew J-P, in that we participated together every year as mentors at the Friday Core Sprints at Drupalcon. Last year at Drupalcon Dublin, I asked J-P to be my "mentor mentor" because I was so impressed by his gentle and unruffled style. He organized the team at his table with exemplary grace and good humour. I was particularly struck by how quickly he gathered a group of enthusiastic people around him. Bye J-P, it was a true honour to have known you, if only once a year, in this particular context - michaellenahan

He was *always* cheerful! - greg.harvey

JP always took the time to talk to people and explain things to people who needed help. It's safe to say that helping people was a passion for JP - Ikit-claw

I recall the Friday evening of Drupalcamp London 2017, J-P and I met at Old Street Station and travelled to Kings Cross to meet up with fellow Drupalists for a meal at the Diwana Bhel Poori house for a meal. The trip and the hour long wait there for the rest to join us was filled with fun and interesting conversation. We realised how much we had in common and made each other laugh. That plus stimulating conversation over great food I will remember for a long while - TechnoTim2010

The thing I will always remember best about J-P his determination to stick to his principles; be they in code, in process, in environmental matters or even his house and garden! It was so sweet on occasion to see him struggle when pragmatism meant they couldn’t always be followed but it constantly reminded me to try harder myself. I miss J-P but I know I’ll be a better person for knowing him and looking up to him - rachel_norfolk

I met him via tour de drupal Amsterdam and Barcelona. J-P was cycling a long way alone, Criz and I would cycle the Pyrenees for 2 days and then we met for the final leg to Barcelona and had a really good time. I didn't get to know Stacey too much but felt he was a very calm, positive, free person - dasjo

Working on a project with J-P with him as lead developer and me acting as project manager, what I loved was the fact he would always push back on every story, but as we chatted about options, he'd end up getting excited and committing to even more than I expected to get in the first place - stevecowie

J-P was a brilliant companion on various Tour de Drupal cycle rides from the UK to wherever Drupalcon was being held. His great sense of humour, adventure and unflappable flexibility made him an excellent person to cycle with, and he was great at drawing people in, involving them and making everyone feel at ease. These same characteristics made him great fun to be around at a conference; I remember the "I'll do it if you will" approach that got us into talking at a Drupal unconference, with just a few minutes' notice in his case. He cared about others, and his strong sense of fairness and inclusion as well as pragmatism were of great value when there were difficult decisions to be made - martin_q

JP was involved with the modern web development apprentices (a.k.a. Drupal apprentices) programme in the UK. The last time I met JP was shortly before his holiday trip to Spain. We were scoping out some training days for the apprentices programme, as budget had become available to run 1-day topic-focussed trainings with external specialists. He was looking forward to training apprentices on test-driven development after his holiday - andrewmacpherson


#drupal #sprintweekend Sheffield 2016 Shared on twitter by @rivimey
The Drupaller & mentor

I was aware how deeply knowledgeable he was, and his ability to make that knowledge accessible to others, and his nature to always hear others out, always assuming he hadn't got the answer. He wasn't shy to press someone about a topic which he believed was being overlooked, or underrepresented - kae76

He was excellent at explaining and helping others - aburrows

I remember J-P presenting about Drush Make at DrupalCamp North West 2013. It really opened my eyes to how there was a more efficient way of doing things than I had known before. Years later he was a strong advocate for Composer evangelising the benefits to the local community and beyond - kmbremner

The thing I will remember most about J-P was his passion around open-source software. He was committed to Drupal and passionate about the community. It always seemed that he really cared about the *little* guy. The person starting up, or the newcomer to the community - willhallonline

He was always interested in problem solving, beyond that he was interested in understanding the problem, not solving it for you. He could explain code, like super-intelligent physics jokes, in the most clear manner and help you find direction. He would ask all the right questions about what you needed to achieve - waako

He totally "got" contrib, always looking for the pragmatic solution, always looking to use and/or improve existing code - greg.harvey

JP would take the time to help people learn code and point them in the right direction you could take to him on slack or irc and he would take the time to help you - Ikit-claw

J-P was always willing, if he had time, to help with any coding issues on IRC. He was busy much of the time. I would loved to have collaborated on a project with him, sadly never to be - TechnoTim2010

I’ve learned so much from J-P’s blog posts and always enjoyed our encounters at various events over the years. Highly technically competent and willing to spend time to share skills and knowledge, I saw J-P as part of the very fabric of what makes Drupal Drupal, the reason why I’ve hung around for so long - Steve Purkiss

Time. It didn’t matter how long it took for J-P to work with someone until they understood something - he’d see it through - rachel_norfolk

J-P was the alternative to Drupal stack exchange - stevecowie

JP shared his own learning very freely. After D8 came out JP set about learning the new API - he published what he learned on his blog, and those are some of the best D8 tutorials I've seen. "Did JP figure this out yet?" was often my first question, before approaching the official docs - andrewmacpherson

The future: what would J-P would want us to remember?

J-P would want us to remember the people behind the code; to spend the time helping new members of the community and making them feel welcome. To have a beer and get to know each other on a personal level - kmbremner

Documentation! Joking aside ... I honestly not sure how to answer this, fundamentally the J-P we all knew - cared about a lot of things, the environment, equal rights, good clean code, great clear documentation, meaningful social interactions and impact. But my everlasting memory is how much he held his family and friends in focussed concern - listening and hearing - sharing daft jokes and I personally honor him for his vulnerability he was an open book. This is the lesson I will learn and keep learning from J-P; listening and HEARING the ones you love, open honest vulnerability and there is never a bad time for a cat pun - kae76

Be kind to each other and get involved in the Drupal eco-system - aburrows

I think that the enduring message is that it is not about code. Code is far more ephemeral than community. People's enduring care for the Drupal community is what makes it powerful. And I feel that J-P knew that - willhallonline

He would want us to grow things, to experiment, cycle and to listen & engage with each other - waako

The planet - greg.harvey

I think he would want us to pay forward all the kind gestures he had done for others. If JP ever took the time to help you and see someone stuck who you could help I think he would want people to take 30 minutes to help someone else and encourage them - Ikit-claw

J-P was passionate about Drupal and would want us to share that passion, and help our fellow Drupalists. He was also passionate about Green issues and protecting and improving the environment, I am sure he would be happy I created a Drupal 8 site to support a campaign not to concrete over beautiful countryside, but instead push cycling and other non-destructive solutions -

We should consider our own green credentials and do anything we can for our local environment - TechnoTim2010

Learn, then teach - Steve Purkiss

His garden - rachel_norfolk

Go by your own pace - dasjo


From left to right: Christian, Youri, J-P, Stephen, Martin (Photo by Conor Cahill)
Reflections on Tour de Drupal 2016 Shared by MegaChriz - An evening in Belfast

On a cold Friday evening in Belfast - late September 2016 - J-P, Martin and Stephen arranged to meet me and Christian at a small restaurant in town. The streets were empty - as if everybody was either out of town or at home. But the restaurant was full till the brim - there was no more room inside. J-P, Martin and Stephen were sitting outside on the terrace of the restaurant when I and Christian arrived, having a drink and presumably trying to ignore the cold. Despite the cold, we had to wait for a table to become free inside before we could order some food (outside the ordered food would become cold in minutes, maybe even in seconds). So we sat there for about an hour and still no one came out to make room for us.

J-P had a hard time fighting his hunger and finally said "Maybe I should just go inside and stare at people to make them want to go away". J-P spread his eyes wide-open, pretend to be staring at us. That was one of the funniest moments I had with J-P.

J-P didn't go inside to stare people away, after some more time waiting there finally came room for us and together with Martin and Stephen, J-P ordered a 22 inch pizza. 

Tour de Drupal 2016

The next two days we cycled together from Belfast to Dublin. It was a great ride with mostly flat land and sometimes lots of rain! There were also some hills and J-P had a hard time cycling these on his Brompton. 

We hadn't arranged a overnight stay between the first and second cycle day, so on the first day J-P and Stephen had to make calls to several guest houses, bed and breakfasts, airbnb's, etc. to find a place for us to sleep. "Next time, I'll book an overnight beforehand," J-P said, "This was way too stressful."

The second day was more windy and because we seemed to be running out of time to get to Dublin the same day we took a shortcut. This was alongside a road where traffic was allowed to reach speeds of 100 km/hour. This was the part of the tour I didn't like much. One time I got blown to the berm, nearly falling off my bike! With time still running out I only got to Skerries as couldn't reach a higher speed (I took the rest by train). Despite that, I'm glad I have been able to cycle with this group.

It was our Tour de Drupal!


The Five Bikers Staring to the Sea. From left to right: Youri, Christian, Stephen, J-P, Martin. (Photo by Martin Quested)
AttachmentSize JP_bike_web_use.jpg84.89 KB

Drupal 8.5.0-rc1 is available for testing

Thu, 02/22/2018 - 19:28

The first release candidate for the upcoming Drupal 8.5.0 release is now available for testing. Drupal 8.5.0 is expected to be released March 7.

Download Drupal-8.5.0-rc1

8.5.x makes the Media module available for all, improves migrations significantly, stabilizes the Content Moderation and Settings Tray modules, serves dynamic pages faster with BigPipe enabled by default, and introduces the new experimental Layout Builder module. The release includes several very important fixes for workflows of content translations and supports PHP 7.2. Finally, 8.5.0-rc1 also includes the same security updates that are provided in 8.4.5.

What does this mean to me? For Drupal 8 site owners

Drupal 8.4.5, a security update and the final release of the 8.4.x series, has also been released this week. 8.4.x sites should update immediately to 8.4.5, but going forward, 8.4.x will receive no further releases following 8.5.0's release date, and sites should prepare to update from 8.4.x to 8.5.x in order to continue getting bug and security fixes. Use update.php to update your 8.4.x sites to the 8.5.x series, just as you would to update from (e.g.) 8.4.2 to 8.4.3. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.)

If you're an early tester who is already running 8.5.0-alpha1 or 8.5.0-beta1, you should update to 8.5.0-rc1 immediately. 8.5.0-rc1 includes security fixes (the same fixes that were released in Drupal 8.4.5).

Site owners should also take note of the fact that Drupal 8's support for PHP 5 will end in one year, in March 2019. PHP 7.2 is now the best recommended PHP version to use with Drupal 8.

For module and theme authors

Drupal 8.5.x is backwards-compatible with 8.4.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.5.x, and test modules and themes with the release candidate now.

For translators

Some text changes were made since Drupal 8.4.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations.

For core developers

All outstanding issues filed against 8.4.x were automatically migrated to 8.5.x. Future bug reports should be targeted against the 8.5.x branch. 8.6.x will remain open for new development during the 8.5.x release candidate phase. The 8.5.x branch will be subject to release candidate restrictions, with only critical fixes and certain other limited changes allowed.

Your bug reports help make Drupal better!

Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet.

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

Wed, 02/21/2018 - 18:10
Project: Drupal coreVersion: 8.4.x-dev7.x-devDate: 2018-February-21Security risk: Critical 16∕25 AC:Basic/A:User/CI:Some/II:Some/E:Exploit/TD:DefaultVulnerability: Multiple Vulnerabilities Description: 

This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.

Comment reply form allows access to restricted content - Critical - Drupal 8

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.

Private file access bypass - Moderately Critical - Drupal 7

When using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 as a side effect of upgrading Drupal core to use a newer version of jQuery. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().

Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.

Settings Tray access bypass - Moderately Critical - Drupal 8

The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.

If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.

This vulnerability can be mitigated by disabling the Settings Tray module.

External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7

Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution: 

Install the latest version:

Reported By: 
  • Comment reply form allows access to restricted content - Critical - Drupal 8
  • JavaScript cross-site scripting prevention is incomplete - Critical - Drupal 7 and Drupal 8)
  • Private file access bypass - Moderately Critical - Drupal 7
  • jQuery vulnerability with untrusted domains - Moderately Critical - Drupal 7
  • Language fallback can be incorrect on multilingual sites with node access restrictions - Moderately Critical - Drupal 8
  • Settings Tray access bypass - Moderately Critical - Drupal 8
  • External link injection on 404 pages when linking to the current page - Less Critical - Drupal 7
Fixed By: 

Pages