You may have heard that a vulnerability in the OpenSSL cryptographic library called Heartbleed or formally called CVE-2014-0160 has been disclosed and that it represents a potential security threat to a large number of websites. Using this vulnerability, malicious individuals could access sensitive information submitted by people actively visiting a website including usernames, passwords and credit card numbers. Users across the Internet should be especially aware of suspicious activity on their accounts.
We want to communicate a couple pieces of information about this news with regard to Drupal.org.
Members of the Drupal Association staff, Drupal Security Team and Drupal Infrastructure Team have reviewed Drupal.org’s potential exposure to the vulnerability.
As of now, we have no indication that Drupal.org was attacked using this vulnerabililty. That said, the nature of the vulnerability makes an attack difficult to detect and we prefer to be cautious.
We have taken steps to protect users of Drupal.org, including a forced password reset for users with administrative access or access to code repositories for projects. While we have only forced the password reset for some users, we recommend that all of our users change their passwords.
We have taken the following steps to protect Drupal.org account holders:
Also, we simply want to help create awareness about the vulnerability and encourage people to review their sites for exposure. For more information, please see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Feel free to comment on the post with any questions. Thank you!
Since joining Drupal.org in 2007, Lee Rowlands (larowlan) has been an important contributor to the Drupal project. A major core contributor and Drupal 8 advocate, Rowlands has become a well-recognized and celebrated member of the Drupal community.
Rowlands is an important Drupal figure in Australia, and has spoken at DrupalCamp Brisbane 2010, Drupal Downunder Melbourne 2012, DrupalCon Sydney 2013 and Drupal South Wellington 2014. An occasional mentor during Drupal Office Hours in the Australian timezone (GMT+10), Rowlands is also a well-recognized figure in the international Drupal community for his involvement with core and his contributions to a huge variety of projects on Drupal.org.
How did you get involved with Drupal?
Jim Morrison and a naked native american came to me in a dream and told me it was my destiny. Just kidding. I started up my own IT consulting business and I’d built a couple of Drupal 5 sites.
The third site I built needed some tricky mapping functionality. This was in Drupal 5 and the site was for a locally owned fishing tackle franchise. Their point of difference with the big national chain-store was local knowledge. So they had this great idea to create a series of online fishing maps for local regions, each featuring points of interest for that region. Each point of interest had a marker icon based on its type, eg there were boat ramps, fishing spots etc. Each marker had a popup with an image and some text. The kind of thing you can build on your own with Google Maps now, but back then – it was a fairly new concept.
At the time gmap module was the go-to mapping option (Drupal 5) but it didn’t support the image/marker/description functionality. So I wrote a patch to allow wiring up a content-type with gmap functionality to do so. And in order to post the patch, I had to sign up for a Drupal.org account. So that was my first comment on Drupal.org, a sizeable patch!
Not long after that I pitched the idea of a website to a local motel that had just had a renovation. At this stage Drupal 6 was out and the go-to ecommerce solution was Ubercart. My pitch included online-reservations so I worked with Will Vincent to round out a hotel-booking solution for Ubercart. That’s how I got my CVS access on Drupal.org.
Contributing my code back to Drupal.org opened my consulting business up to the world. Up until that point most of my work had been for local businesses. Once I had a project on Drupal.org I started receiving work offers via my Drupal.org project page, mostly for adding new pieces of functionality.
I continued building sites and I always ensured that I had contract provisions to open-source any generic modules that the project needed. Over time I ended up with more than 30 contrib projects on Drupal.org, all with varying degrees of maintenance. Each of these kept resulting in work referrals and I kept expanding my skillset and client-base.
Then Drupal 7 came out and it felt like I had to start learning all over again. I had a long car-trip coming up so I downloaded the mega ‘Upgrading 6.x modules to 7.x’ thread from Drupal.org and spent about three hours taking in all the changes. As soon as I had net access, I subscribed to the Drupal core issues RSS feed. At this stage my motivation was just to keep across changes happening in core, but after a while I started seeing issues posted that I realised I could fix/work on. So I started commenting and posting the odd patch.
Not long after an epic thread was posted by @sun in the issue queue titled ‘Make core maintainable’ (https://drupal.org/node/1255674), basically it was proposing that if we didn’t get more hands on deck in core, the only way forward was to start dropping unmaintained modules. I jumped into irc and put my hand up to maintain forum, one of the modules on the chopping block. I had a conversation with @chx who later remarked ‘yesterday I saw a guy on IRC who was contemplating on taking the forum module maintainer hat’ (http://www.drupal4hu.com/node/303).
So from there I took a more active role in core contribution. Those threads are a great read, even today, as they indicates the level of frustration that core developers were experiencing in the first six months of Drupal 7′s release.
What do you do with Drupal these days?
I build sites for some of Australia’s largest government, education, media and non-profit organisations with one of Australia’s most respected Drupal Agencies, PreviousNext. It’s a great team and I get to work on interesting projects.
After all this time I still enjoy working with Drupal. Sometimes people lament Drupal’s ease of site-building, likening it to ‘golden handcuffs’, but that’s where contributing to core and contrib help. If you find yourself stuck in a ‘click-monkey’ rut, contributing code lets you flex your ‘code-monkey’ muscles.
You’re involved with quite a variety of projects in the Drupal community – can you describe some of the things you do and why you like them?
I particularly like working on Drupal core because it helps me keep abreast of upcoming changes. I don’t have a CS education, I have degrees in mathematics and engineering, and I’ve been quoted before saying I got my CS education in the Drupal issue queues. As a contributor you are incredibly lucky to have your work constructively reviewed by some of the world’s best programmers. Every time someone makes a suggestion on your patch, you learn a little more. I’ve learnt so many programming concepts from reviewing other’s code and having my code reviewed by others. Particularly during the Drupal 8 cycle, where we’ve effectively rewritten Drupal in a new language – PHP 5.3.
What’s the coolest project you’ve worked on?
Its not live anymore unfortunately but I worked on sendmypostcards.com which was a Drupal 6 site with Ubercart where you could create your own postcards and pay to have them printed. You could use your Facebook photo-galleries, Flickr account or upload your own files. The designer/editor was built with jQuery and the site used batch-jobs to generate 300dpi print-ready PDFs. It was a challenging project but it did end up spawning a number of contrib modules including Image Cache External which allows you to generate derivatives of remote images. Unfortunately the site didn’t last, but I did get a couple of Christmas cards printed and sent to my office. It was great to have something tangible, I still have them mounted on my office wall.
What changes do you hope will come in Drupal 8?
I’m disappointed we didn’t get a layout builder in core but I’m excited by the opportunities for it to develop and mature in the contrib ecosystem. Some of the work done as part of the Scotch Initiative by @sdboyer and @eclipsegc was pretty awesome. @sdboyer stepped me through the ‘Princess’ branch (the name was a dare) at the stage when it was fairly functional and the possibilities it opened up were pretty awesome. Hopefully that work will be leveraged for what becomes of panels/page manager in Drupal 8.
What is your favorite part about the Drupal community?
Getting to work with insanely intelligent and brilliant people. There are so many awesome people working with and on Drupal every day who are always willing to share their experiences and knowledge.
Tell us a little about your background or things that interest you outside Drupal?
I live in Central Queensland at the Southern tip of Australia’s Great Barrier Reef. We have three World Heritage listed destinations all within our reach – the reef, Fraser Island and Mon Repos Turtle Rookery, where you can watch Marine turtles lay their eggs or the hatchlings make their way into the world. The climate is great, the cost of living is low and the people are some of the friendliest in the world. I get to work out of an office with two great Drupal devs who also work for PreviousNext, @nick_schuch and @grom385. Its a great lifestyle, our office is right on the beach.
Outside Drupal I’m passionate about family, with two school aged children and I’ve been married for 15 years. I’m lucky that Drupal gave me an income while my children were pre-school aged and when they went off to school I was able to turn this into a career.
The Drupal.org primary database server experienced a crash due to a full disk earlier today around 6:59am PST (14:59 UTC). The Nagios monitoring system which normally alerts us to prevent these outages had also crashed and failed to send any notices of…
Free Software is not just about saving money. It’s not just about sharing for sharing’s sake. Free Software, at its core, is about empowering people. It is about ensuring that everyone has ultimate control over their own electronic lives, because th…
Drupal 7.26 and Drupal 6.30, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.26 and Drupal 6.30 release notes for further information.
Download Drupal 7.26Download Drupal 6.30
4877. That is where the tradition within the Drupal community of making predictions for the year ahead with regards to our software, our community and broader, the web, started. Node 4877, written at the end of the year 2003. We have come a long way si…
Drupal.org will be going down for up to 1 hour Monday, Jan 13, 17:00 PDT (Jan 14, 1:00 UTC). This maintenance window will be used for routine Drupal updates, which need to alter large tables. Single sign on for sub-sites (api.drupal.org, groups.drupal….
Drupal.org will be going down for up to 2 hours Wednesday, Jan 8, 17:00 PDT (Jan 9, 1:00 UTC). This maintenance window will be used to improve the speed of issue queues. Single sign on for sub-sites (api.drupal.org, groups.drupal.org, etc) will be down…
Update: Drupal 7.26 is now available.
Download Drupal 7.25
The Drupal Association, with the help of a Search Committee comprised of Board and Advisory Board members, is beginning a search for a Chief Technical Officer (CTO) for Drupal.org (not the Drupal software project). The CTO will fill a critical role for the both the Association and the community, working at the strategic level with the Drupal.org Working Groups to build a roadmap for Drupal.org, create and manage processes critical to the success of the site (including security and disaster recovery), and ensure that Drupal.org roadmaps are met. A CTO role ensures that Drupal.org has the technical and strategic oversight needed to drive improvements and innovations. Specifically we want to ensure that we have the best platform for developers, community involvement, and critical revenue-generating opportunities.
The CTO is the first of several hires we will make over the course of the next few months to significantly increase our ability to improve the experience of Drupal.org for our many constituents. These hires will include more development and devops bandwidth, among other things. In short, this is a really exciting time to work on Drupal.org!
We’re asking for your help to find the right person for this role. We’re looking for someone with strong product management skills, a community player who can work with our broad base of remarkable volunteers, and the experience to guide and manage our development, infrastructure and operations teams. Please review and share the Drupal Association CTO Job Description.
We’ve also included a little more context below if you want to learn more. And, if you have any questions, please feel free to contact Holly Ross.
Why a CTO? Isn’t that a bit much for our needs?
Our focus at the Association in 2013 has been re-aligning Association resources to bring more support and funding to our community’s most important asset: Drupal.org. During the last 9 months, we’ve begun diversifying our revenue streams so that we can scale our income and provide more funding for Drupal.org projects. We launched Working Groups to manage the strategic direction and policy setting we need to make good decisions for the site. Most recently, we hired a Technology Manager for the Association so that our limited technical staff can focus more fully on Drupal.org.
In 2014, we are planning for an even more dramatic shift, bringing on engineering and infrastructure staff to pay off years of technical debt and begin to move the site forward with new developer tools, better site performance, and strong security practices. We’re incredibly excited to help the community move Drupal.org forward and really meet community needs. We see the CTO role as essential to making this happen. It sets us up to proactively address Drupal.org needs at a strategic level – forecasting necessary changes before they become critical problems.
Isn’t this the role of the Working Groups?
Yes – the Working Group charters put them in charge of direction-setting and strategy for the sites. We anticipate that the CTO will work closely with the Working Groups to coordinate their work and ensure that those decisions are translated into a cohesive roadmap. Additionally, the Working Groups are not designed to implement the roadmap. The CTO will oversee the team that does that – either in-house, using 3rd party tools, through contractors, with volunteers, or a combination of these options.
Are you going to hire from within the community?
We are certainly going to look within the community. We will also look outside the Drupal community. The committee seeks a candidate who brings a breadth of experience and knowledge regarding open source community sites.
Is this a technical role or a business role?
We expect that the right candidate will have equal parts technical chops and business savvy. We are not expecting the CTO to write production code, but the CTO will have to know how to do that so that they can manage it well. Additionally, the CTO will need to understand business problems and how technology can be strategically deployed to meet those needs.
Where will the position be based?
Ideally, in Portland, OR, at the Drupal Association headquarters. We know however, that this is likely unrealistic as a hard and fast constraint, and will encourage applicants from around the globe.
Drupal 6.0 was released almost 6 years ago in February 2008. The Drupal community is committed to release Drupal 6 bugfixes until Drupal 8.0 is released and with recent changes provide security fixes much longer.
Back in November of 2011, I appointed Greg Knaddison to lead the Drupal Security Team, for a term of two years. In that time, Greg has done a tremendous job helping the Security Team scale. November 2013 ends the term that Greg and I agreed to, Greg is…
Update: Drupal 7.25 and Drupal 6.30 are now available.
If you are reading this announcement right now, then we did it! Drupal.org runs on Drupal 7! This was a big and complicated project, which took longer than we expected. But we are finally done!
Our goal was a straight port to Drupal 7 without major changes to functionality or layout, but with greatly improved code under the hood. However some things did change, please see Drupal.org D7 F.A.Q. for details. Overall Drupal 7 gives us more flexibility to implement new features and there will be a boost in performance for some of the pages.
NOTE: issues are still being indexed, listings and searches will show incomplete results till the indexing is done.
There probably will be some bugs. If you encounter something unusual, please check the Drupal.org D7 F.A.Q. first. It may be that the change was intentional. If you are sure that you found a bug, please use the D7 upgrade QA queue to report them.
* * *
The only thing we really want to say now is..
Thank you to all of you for being patient with us during this long project. We know it took longer than anticipated and there were some bumps along the way. Our only goal throughout the project was to make Drupal.org better for all of you.
Thank you to all our fantastic contributors. There are so many of them, we even have a special page. Thank you:
Andrei Mateescu / amateescu
Thank you to the Drupal Association Supporting Partners, who gave us the funding required to make the upgrade happen.
We couldn’t have done this without you!
Front page news:
The Drupal.org D7 upgrade launch is confirmed. Today is Monday, 28th of October, we have 0 launch blocking issues and performance tests are looking fine. Therefore, we are going to launch on Thursday, October 31st, 2013.
What will the launch process be like?
Drupal.org will be down for approximately 24 hours during deployment. It will be replaced by a static page with a download link for the latest Drupal release available. Sub-sites will stay online, but with user logins disabled. Both updates.drupal.org and ftp.drupal.org will stay online. drush make / dl will work fine, update status module as well.
We will start deployment around 15:00 UTC on October 31st. We expect the site to be back up by 15:00 UTC on November 1st.
We realize this will be a significant inconvenience for users who rely on Drupal.org, and will try to minimize downtime as much as possible.
What if there are problems? Do you have a backup plan?
Yes, we do. If we encounter significant problems during migration, we will roll back to the Drupal 6 version of Drupal.org and restore with a backup made right before migration started.
How can I find out what’s going on during deployment?
What changes will I experience when the site comes back online?
You can find information about the changes in functionality or UI in the Drupal.org D7 F.A.Q. Most pages on the site won’t change as far as layout or functionality. Our goal for this project was a straight port from Drupal 6 to Drupal 7. The only place where you will see significant UI changes is the issue page. This blog post explains what is changing on the issue page and why in detail. In general Drupal 7 gives us more flexibility to implement new features and there will be a boost in performance for some of the pages.
Why aren’t we waiting and upgrading to Drupal 8 once it releases?
The Drupal 7 upgrade began in March 2012. The upgrade took longer than we anticipated due to a variety of reasons that include the scale and complexity of Drupal.org and resource contstraints. We decided to push ahead and complete the Drupal 7 upgrade so Drupal.org can be on the latest release of Drupal, and so we can use the learnings in future upgrades.
UPDATE: We’ve finished running studies for this initial period. Analysis and findings now published.
Usability studies are one of the best ways to keep improving Drupal 8. We want to speak with people who create or edit content on the web to take part in a UX research study to help improve Drupal 8.
This study will help us learn how content creators move between admin and non-admin interfaces. Editing content is a key part of working with Drupal, so understanding this interaction is essential.
There are a few ways you can help:
And, with a pool of willing participants, we’ll have people we can reach out to for future studies.
If you’re interested in helping out on other Drupal User Experience issues, join us in IRC in #drupal-usability (particularly Mondays at 4:00PM Eastern Time) or follow along with issues posted in https://groups.drupal.org/usability.
Front page news:
After a month-long Community QA, we are getting ready to deploy Drupal.org D7 upgrade. During the last couple of weeks we were limiting the number of ‘to-do before launch’ issues to those that are absolutely essential. Currently our launch blocker list consists of the 12 open issues.
We took a look at the upcoming Drupal events to find a quiet week, which won’t interfere with major camps and sprints, and..
If by Monday, 28 of October, launch blocker issue is down to 0, we plan to deploy the Drupal.org D7 upgrade on Thursday, 31 of October.
If by Monday, 28 of October, the launch blocker issue count is higher than 0, we will have to postpone deployment for a few weeks.
What will the launch look like?
Drupal.org will be down for approximately 24 hours during deployment. It will be replaced by a static page with a download link for the latest Drupal release available. Sub-sites will stay online, but with user logins disabled. We realize this will be a significant inconvenience for users who rely on Drupal.org, and will try to bring it up as soon as possible.
We will start deployment around 15:00 UTC on October 31st. We expect the site to be back up by 15:00 UTC on November 1st.
Update: both updates.drupal.org and ftp.drupal.org will stay online. drush make / dl will work fine, update status module as well.
What if there are problems? Do you have a back up plan?
Yes, we do. If we encounter significant problems during migration, we will roll back to the Drupal 6 version of Drupal.org and restore backup made right before migration started.
How can I find out what’s going on during deployment?
What changes will I see when the site comes back online?
Most pages on the site won’t change. Our goal for this project was straight port from Drupal 6 to Drupal 7. The only place where you will see significant UI changes is the issue page. Some time ago we wrote up this blog post, which explains what is changing and why in detail. We will also publish an F.A.Q. right before launch, which will list all changes you might encounter on the website.
How can I help?
To ensure we are able to launch on time, you can help us by bringing launch blockers count to 0.
Here are the issues:
If you have been on Drupal.org today, you may have noticed something interesting near the bottom of the page. At some point during the past 24 hours, the millionth user joined Drupal.org!
It is tempting to overlook those statistics at the bottom of the page because our eyes tend to skip over what they see repeatedly. But it’s worth taking a moment to think about it. 228 countries. 181 languages. And counting.
As Dries pointed out in his keynote at Prague, more than 1,600 people have contributed to Drupal 8. That’s nearly double the number of contributors for Drupal 7!
The Drupal community is truly global and it’s always growing, always moving forward, 24 hours a day, 365 days a year.
Here’s to the next 1 million!
Congratulations to Mortendk and Matthew Saunders, our newly elected Directors at Large, representing the community on the board of the Drupal Association. Please join me in thanking all the candidates who put themselves forward to stand for election.
This was our third community election for the rebooted Drupal Association. We’ve learned a lot along the way and made some minor adjustments as we went, but it´s always good to reflect in the process, and perhaps reassess how we go about this in the future. We’re excited to welcome Matthew to the board and have Morten continue on for another year.
This year we’ve heard and share the community´s disappointment about the lack of diversity amongst the candidates and welcome everyone’s ideas on how to ensure we reach out wider next time. If you know great people who would be willing to serve on the board, please help us and encourage them to nominate themselves next year.
We also need to encourage more people to vote. This year 668 people cast their vote. That is 0.36% of eligible voters, which compares with last year when 0.55% of eligible voters cast a vote. Voting was open for 6 days, as opposed to 2 weeks last year. So that may well be a factor in the lower turn-out. Nonetheless we should explore the reasons, and find ways to engage more of our community in this process in the future. We´ll be opening discussion on the elections on groups.drupal.org and invite all those interested to share their thoughts.
Finally, I’d really like to thank Tatiana, Neil and Holly for taking on the work of running the elections, and outgoing community board member Pedro Cambra not only for wrangling the election software, but for being so great to work with over the past year.
Voting is now open for the 2013 At-Large Board positions for the Drupal Association! If you haven’t yet, check out the candidate profiles and review the Meet the Candidate sessions (first and second) that we held. Get to know your candidates, and then get ready vote.
How does voting work? Voting is open to all individuals who have a Drupal.org account by the time nominations open and who have logged in at least once in the past year. These individuals’ accounts will be added to the voters list on association.drupal.org and they will have access to the voting.
To vote, you will rank candidates in order of your preference (1st, 2nd, 3rd, etc.). The results will be calculated using an “instant runoff” method. For an accessible explanation of how instant runoff vote tabulation works, see videos linked in this discussion.
Elections will be held from September 15, 2013 through September 19, 2013. During this period, you can review and comment on candidate profiles on association.drupal.org and engage all candidates through posting to the Drupal Association group.
Have questions? Contact Drupal Association Executive Director Holly Ross.