Drupal 7.32 released

Drupal 7.32, a maintenance release which contain fixes for security vulnerabilities, is now available for download. See the Drupal 7.32 release notes for further information.

Download Drupal 7.32

Upgrading your existing Drupal 7 is strongly recommend…

Drupal 8.0.0 beta 1 released

Drupal 8.0.0-beta1 has just been released for testing and feedback! This key milestone is the work of over 2,300 people who have contributed more than 11,500 committed patches to 15 alpha releases, and especially the 234 contributors who fixed 177 “bet…

Drupal.org Maintenance: Sep 23rd 14:00 PDT (21:00 UTC)

Drupal.org will be affected by maintenance Tuesday, September 23rd 14:00 PDT, 21:00 UTC.
Switching version control systems for Drupal.org deployment will cause a short downtime as docroot files are migrated. We plan on a 30 minutes window of potential …

Drupal Security Team update.

Joint Security release with WordPress

In big news, we had our first joint release with WordPress. We collaborated together with the WordPress team on a PHP security issue discovered by a security researcher. We’re thrilled that we had an opportunity to work together with others in the open source CMS community. We shared a few tips and tricks and it was great working with the WordPress team.

Keeping Drupal Secure

In keeping with our mission to showcase security best practices at Drupal’s online home, we’ve upgraded https://security.drupal.org to Drupal 7. This ensures we’re on a supported platform. We also took the opportunity to add some new features that help us enhance our team’s efficiency by automating a number of routine tasks.

As part of our dedication to keeping Drupal users safe, we’ve written and announced the Long Term support (LTS) plan for Drupal 6 (https://www.drupal.org/d6-lts-support). This is an important step as we look forward to the release of Drupal 8. Soon we will be introducing two-factor authentication to Drupal.org, thanks to hard work from security team members Ben Jeavons, Greg Knaddison , Neil Drumm, and Michael Hess. (https://groups.drupal.org/node/439868 and https://drupal.org/node/2239973)

And here’s one last, fun note: Security.Drupal.org issues now show up on the drupal.org dashboard if you add the widget. You can get it clicking on dashboard after logging in and adding the widget.

Securing Drupal E-Commerce

Some Drupal security team members were recently involved in putting together a compliance White paper for keeping track of PCI compliance. Anyone who runs a Drupal site and takes credit cards should read the whitepaper. Here’s a little more information:

Version 3.0 of the PCI compliance standard becomes mandatory on January 1st, 2015 and will be a complete game changer for many Drupal eCommerce sites. This includes triple the number of security controls if your website touches credit card information and more. The community supported Drupal PCI Compliance White Paper (http://drupalpcicompliance.org/) will give you a high level overview of what PCI compliance is, why you need to comply, and (most importantly) how to get started. This paper was written and reviewed by several members of the Drupal security team, including Rick Manelius, Greg Knaddison, Ned McClain, Michael Hess, and Peter Wolanin.

Simplifying Security

We’ve redesigned our Security Advisory system to make evaluating and analyzing security threats easier and more intuitive. This came about after several core contributors informed us that they wanted a better way to address security threats. We sent out a survey through Twitter to learn more about how people write and read the Security Advisories. Based on the responses we put together a new Security Advisory system that takes much of the guesswork out of the process of evaluating threats. We’ve added and reordered elements on the Security Advisory’s criticality scale and added explanations to help people understand where a security problem is on the spectrum of potential threats.

Our Growing Team

We’ve brought a number of new members onto the security team. Please help us give a very warm welcome to our newest security team members:

Alex Pott (alexpott) – IRC nick: alexpott, Organization: Chapter Three
Cash Williams (cashwilliams) – IRC nick: CashWilliams, Organization: Acquia
Dan Smith (galooph) – IRC nick: galooph, Organization: Code Enigma
David Snopek (dsnopek) – IRC nick: dsnopek, Organization: MVPcreator
Rick Manelius (rickmanelius) – IRC nick: rickmanelius, Organization: NewMedia!

We’re always looking for more qualified people who place a high priority on security. If you’d like to join the security team: https://security.drupal.org/join

Drupal version: 

Maintainers can give credit to organizations that support Drupal projects

This week, we added a feature to projects on Drupal.org to help highlight the contributions made by supporting organizations. Maintainers of distributions, modules, and themes can give credit to organizations that have materially contributed to projects on Drupal.org using the new “Supporting Organizations” field.

Supporting organizations field

How do you use this field? When an organization funds the development of a project or when a company takes on maintainership of a key module in the community, the maintainers of that project can add a reference to one or more of them on the project node. Maintainers may chose to give this credit to any organization that contributes significant code or support to a project.

We noticed that many projects would manually follow this pattern in the project description, but wanted to take it a step further. Not only will this provide a link to the organization, it will also show up on the organization’s marketplace page.

Projects supported field on organization display

This is just the first step, we are also looking for community feedback and help in providing credit to companies, organizations and customers that contribute to the development of Drupal. Implementing this step will be a key way to show how organizations are giving code and support to Drupal Core. Look for it in the coming months.

Dries has written an excellent post on how we might give credit to organizations and another on the value of hiring a core contributor to help push Drupal forward that were a basis for much of this work.

If you are a project maintainer, take a moment to give some credit to the organizations that have helped build the Drupal ecosystem.

Front page news: 

Introducing Drupal.org Terms of Service and Privacy Policy

Almost half a year ago, with the help of the Drupal.org Content Working Group and lawyers, the Drupal Association started working on a Drupal.org Terms of Service (ToS) and Privacy Policy. After a number of drafts and rewrites, we are now ready to introduce both documents to Drupal.org users.

Why do we need a ToS?

Drupal.org has grown organically for many years. Currently the site has thousands of active users that generate lots of content every day. Our current Terms of Service are limited to a short line on the account creation form:

“Please note: All user accounts are for individuals. Accounts created for more than one user or those using anonymous mail services will be blocked when discovered.”

This line is an insufficient ToS for a website of our size. In fact, Drupal.org is probably the only website of this size which operates without a published Terms of Service. This situation is uncomfortable, and even dangerous, for both Drupal community and the Drupal Association, which is legally responsible for Drupal.org and its contents.

In the absence of a ToS, a lot of rules—“do’s and don’ts”—regarding the website are just “common knowledge” of users who have a long memory and accounts created in the early days of Drupal.org. This might result in new users making mistakes and misbehaving only because they do not know what the unwritten rules are. Website moderators often lack guidance on how to react in specific situations, because those policies are not written anywhere. Some policies, such as organization accounts policy or account deletion policy still need to be defined. Lastly, absence of clearly defined Terms of Service and Privacy Policy could lead to legal disputes regarding the site.

What’s next?

The new Drupal.org Terms of Service and Privacy Policy are published now for the community review. We’ll continue refining them based on community feedback and announce the ‘official’ implementation day additionally. On that day all existing users will have to accept these ToS and Privacy Policy to continue using the website. All new users starting on that day will have to accept the ToS and Privacy Policy upon account creation.

Click to review Drupal.org Terms of Service

Click to review Drupal.org Privacy Policy

In the future, we will make sure to keep ToS and Privacy Policy up-to-date and update them every time policies or functionality of the website changes. We will proactively notify users of all modifications to both documents.

Thanks

We’d like to say thanks to the Drupal.org Content Working Group members and community members who already reviewed proposed documents and provided us with their valuable feedback.


UPDATE: Edits to the original drafts were made on 21st of August, 2014, based on feedback in comments to this post.

UPDATE #2 (03.09.2014): We are postponing ToS/PP official launch and will come back with an updated draft shortly.

Drupal 7.31 and 6.33 released

Drupal 7.31 and Drupal 6.33, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.31 and Drupal 6.33 release notes for further information.

Download Drupal 7.31Download Drupal 6.33
Upg…

Drupal 7.30 released

Update: Drupal 7.31 is now available.
Drupal 7.30, a maintenance release with several bug fixes (no security fixes), including a fix for regressions introduced in Drupal 7.29, is now available for download. See the Drupal 7.30 release notes for a full …

Drupal 7.29 and 6.32 released

Update: Drupal 7.30 and Drupal 6.33 are now available.
Drupal 7.29 and Drupal 6.32, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.29 and Drupal 6.32 release notes for further inf…

Drupal.org Maintenance: July 8th 11:00 PDT (July 8th 18:00 UTC)

Drupal.org will be affected by maintenance Tuesday, July 8th, 11:00 PDT (July 8th, 18:00 UTC).
To finish our load balancer rebuilds, we are moving traffic from our old load balancer to our new load balancer. During this process, there may be a five min…

Drupal 6 extended support announcement

On February 13, 2008, Drupal 6 was released. The policy of the community is to support only the current and previous stable versions. (When Drupal 6 was released, Drupal 4.7.x was marked unsupported. When Drupal 7 came out, Drupal 5.x was marked un…

Drupal.org Maintenance: June 16th 4PM PDT (June 16th 23:00 UTC)

Drupal.org will be affected by our ISP’s maintenance window starting Monday, June 16th, 16:00 PDT (June 16th, 23:00 UTC) and ending Monday, June 16th, 18:00 PDT (June 17th, 01:00 UTC).

Our ISP will be upgrading the firmware on the customer aggregation routers, and we expect to see a 10‒15 minute disruption in traffic sometime during the maintenance window.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Community Spotlight on Emanuel Greucean, Maurits Dekkers, and Ernő Zsemlye

For this month’s community spotlight, we wanted to showcase three stellar Drupalistas who went above and beyond at the Dev Days Szeged sprints. Emanuel Greucean (gremy), Maurits Dekkers (Mauzeh), and Ernő Zsemlye (zserno) all made big contributions to the project at Dev Days Szeged. Here’s a little bit about each.

Emanuel Greucean (gremy)

How did you get involved with Drupal?

Picture of Emanuel GreuceanI got involved with Drupal right after college, in 2009. I went to a job interview, showed the employers my enthusiasm about web development and my very not impressive profile, one of which was a Joomla website, and they accepted me. At this job, I got initiated in the art of web development and got a solid education in Drupal. At my first day on the job, I was given the Drupal Developer’s “Bible” (Pro Drupal Development, 2nd edition), and was told that I had to know it by heart.

What do you think open source represents?

For me, open source represents the opportunity to have access to awesome products for free. It also represents the opportunity to join a community of passionate developers and to learn a lot, and also to pass on your knowledge. If you are a contributor, it’s also an opportunity to leave a mark, and a joy to know that your work is being used by millions of people.

Why did you choose to work in Szeged on beta blocking, and what is your fondest memory from Szeged?

One reason for working on beta blockers in Szeged was the desire to get Drupal 8 as close as possible to being released, because I really want to start using it in Production.

One of my fondest memories from Szeged might be the moment when I actually finished the last missing “Change Record” issue, and with this Drupal 8 change records were up to date for the first time in three years. Also I really appreciate all the help I received from people I had never met before. They initiated me into contributing to the community.

Are you working on any fun projects at the moment?

Yes. I am currently collaborating with Kalamuna, a Drupal shop from San Francisco’s East Bay Area. They are really great colleagues, and I have the opportunity to work on great projects with them. One of the projects I am most excited about is Kalabox, and I have to say that I am really enthusiastic about its future.

Maurits Dekkers (Mauzeh)

How did you get involved with Drupal?

Picture of Maurits DekkersI got involved with Drupal through a client about three years ago. They were using Drupal mainly for its ability to allow site builders to create their own fieldable data structures. Until then I had mostly worked with Zend Framework and Symfony, and I never even knew there was an open source system that could do this! Or course, now I know that there is so much more about Drupal that is awesome, and I cannot imagine a web development life without it!

What do you think open source represents?

For me, open source represents people (!) who provide their time, effort, and financial resources on something that provides only indirect value. An open source developer spends their free time working on a feature not knowing whether it will actually make it into the final product (unless they are the project lead…). For some this might be an unrewarding way of working because there appear to be few direct, short-term, rewards. So if you contribute something to open source software, you must do it for reasons unrelated to direct income or revenue. Therefore, the passion that people have for the product comes from a much deeper belief.

Why did you choose to work in Szeged on Drupal 8 beta blocking/debugging, and what is your fondest memory from Szeged?

Despite working with open source software on a daily basis, and lurking around in the issue queues, I never had the guts to really get involved. I realized that getting to know the people behind the nicknames would certainly help because I could just walk over and ask something. So when I saw the announcement for Szeged, I jumped in straight away. And I’m really glad I did. I most remember the people I was working with and having beers with at night, with Cathy (YesCT) being just amazing to get people up to speed. Her passion for the community is really remarkable. I wanted to learn more about how the Entity API works in Drupal 8, and was directed to tstoeckler and plach, from whom I learned very much very quickly.

Are you working on any fun projects at the moment?

I’m currently working as a freelancer for a few Drupal site building shops. Since I just started as a freelancer in November last year, I’m working quite a lot to make sure I have some financial room to contribute some more to D8.

Ernő Zsemlye (zserno)

How did you get involved with Drupal?

Picture of Ernő ZsemlyeIt all started during my 4th year at the university. I needed a few more credits for the upcoming semester and stumbled upon a new elective course titled “Open Source Content Management Systems” held by a guy called Kristof Van Tomme. I had absolutely no idea about the topic but it sounded pretty cool so I applied. The first lecture was about open source in general and a brief introduction to the Drupal world. At the end of the lecture, Kristof mentioned that he was looking for interns for his new company. I applied the next day and I am sure that was the best move in my career to date. :)

What do you think open source represents?

I could compare it to traveling. Once you experience what traveling to new places feels like, you suddenly start to feel as if you had been looking at the world through a small and dirty window. Then you also realize how small you are in this life. This is so true for open source.

Why did you choose to work in Szeged on Drupal 8 beta blocking/debugging, and what is your fondest memory from Szeged?

I wanted to work on something that would give me the opportunity to dive deep into Drupal 8 and learn as much as possible about the new system. I was assigned to an Entity API beta blocker. After having spent my first 3 days on getting my head around all the new things in D8, I got stuck. The next day Berdir pinged me on IRC that he wanted to discuss the next steps with me in person. We talked for about 5 minutes but that was enough to put me back on track with the issue and also gave me great inspiration that I could talk to a real rockstar in person.

Are you working on any fun projects at the moment?

I am working at the Central European University as a web developer. We are a small team of four people who maintain virtually any web presence of the whole university: main institutional site with heavy traffic, custom websites for each departments, research groups, alumni campaigns, student groups, etc. It is a constant challenge to use our limited resources to address all arising needs successfully. So we are continuously looking for new ways to create reusable solutions across all these websites. And this is lots of fun. For example I just finished building a custom installation profile based on the fantastic Panopoly distribution so firing up a new website became ridiculously easy.

Gremy, mauzeh, and zserno were just a few of a huge number of rock stars who worked hard and made great contributions at Szeged. Thank you so much to everyone who turned out for the sprints! The next major sprint event will be at DrupalCon Austin. Our community organizers (led by YesCT) have worked hard to make sure we’ll have seven days of sprints that culminate in a huge sprint on Friday, June 6. We hope to see you there.

Drupal version: 

Drupal 7.28 released

Drupal 7.28, a maintenance release with numerous bug fixes (no security fixes) is now available for download. See the Drupal 7.28 release notes for a full listing.

Download Drupal 7.28
Upgrading your existing Drupal 7 sites is recommended. There are n…

Drupal.org Response to Heartbleed Security Incident

You may have heard that a vulnerability in the OpenSSL cryptographic library called Heartbleed or formally called CVE-2014-0160 has been disclosed and that it represents a potential security threat to a large number of websites. Using this vulnerability, malicious individuals could access sensitive information submitted by people actively visiting a website including usernames, passwords and credit card numbers. Users across the Internet should be especially aware of suspicious activity on their accounts.

We want to communicate a couple pieces of information about this news with regard to Drupal.org.

Members of the Drupal Association staff, Drupal Security Team and Drupal Infrastructure Team have reviewed Drupal.org’s potential exposure to the vulnerability.

As of now, we have no indication that Drupal.org was attacked using this vulnerabililty. That said, the nature of the vulnerability makes an attack difficult to detect and we prefer to be cautious.

We have taken steps to protect users of Drupal.org, including a forced password reset for users with administrative access or access to code repositories for projects. While we have only forced the password reset for some users, we recommend that all of our users change their passwords.

We have taken the following steps to protect Drupal.org account holders:

  • Installed new SSL certificates based on a new private key
  • Revoked the old SSL certificates
  • Replaced the private strings (drupal_private_key and drupal_hash_salt) which are used for a variety of security related purposes in all Drupal sites
  • Replaced the private key used by the “bakery” single-sign-on system on Drupal.org
  • Removed all active sessions
  • Verified the email addresses in use today match those in use a week ago
  • Required that all Drupal.org users with administrative or project repository access to reset their passwords

Also, we simply want to help create awareness about the vulnerability and encourage people to review their sites for exposure. For more information, please see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Feel free to comment on the post with any questions. Thank you!

Community Spotlight: Lee Rowlands (larowlan)

Lee RowlandsSince joining Drupal.org in 2007, Lee Rowlands (larowlan) has been an important contributor to the Drupal project. A major core contributor and Drupal 8 advocate, Rowlands has become a well-recognized and celebrated member of the Drupal community.

Rowlands is an important Drupal figure in Australia, and has spoken at DrupalCamp Brisbane 2010, Drupal Downunder Melbourne 2012, DrupalCon Sydney 2013 and Drupal South Wellington 2014. An occasional mentor during Drupal Office Hours in the Australian timezone (GMT+10), Rowlands is also a well-recognized figure in the international Drupal community for his involvement with core and his contributions to a huge variety of projects on Drupal.org.

How did you get involved with Drupal?

Jim Morrison and a naked native american came to me in a dream and told me it was my destiny. Just kidding. I started up my own IT consulting business and I’d built a couple of Drupal 5 sites.

The third site I built needed some tricky mapping functionality. This was in Drupal 5 and the site was for a locally owned fishing tackle franchise. Their point of difference with the big national chain-store was local knowledge. So they had this great idea to create a series of online fishing maps for local regions, each featuring points of interest for that region. Each point of interest had a marker icon based on its type, eg there were boat ramps, fishing spots etc. Each marker had a popup with an image and some text. The kind of thing you can build on your own with Google Maps now, but back then – it was a fairly new concept.

At the time gmap module was the go-to mapping option (Drupal 5) but it didn’t support the image/marker/description functionality. So I wrote a patch to allow wiring up a content-type with gmap functionality to do so. And in order to post the patch, I had to sign up for a Drupal.org account. So that was my first comment on Drupal.org, a sizeable patch!

Not long after that I pitched the idea of a website to a local motel that had just had a renovation. At this stage Drupal 6 was out and the go-to ecommerce solution was Ubercart. My pitch included online-reservations so I worked with Will Vincent to round out a hotel-booking solution for Ubercart. That’s how I got my CVS access on Drupal.org.

Contributing my code back to Drupal.org opened my consulting business up to the world. Up until that point most of my work had been for local businesses. Once I had a project on Drupal.org I started receiving work offers via my Drupal.org project page, mostly for adding new pieces of functionality.

I continued building sites and I always ensured that I had contract provisions to open-source any generic modules that the project needed. Over time I ended up with more than 30 contrib projects on Drupal.org, all with varying degrees of maintenance. Each of these kept resulting in work referrals and I kept expanding my skillset and client-base.

Then Drupal 7 came out and it felt like I had to start learning all over again. I had a long car-trip coming up so I downloaded the mega ‘Upgrading 6.x modules to 7.x’ thread from Drupal.org and spent about three hours taking in all the changes. As soon as I had net access, I subscribed to the Drupal core issues RSS feed. At this stage my motivation was just to keep across changes happening in core, but after a while I started seeing issues posted that I realised I could fix/work on. So I started commenting and posting the odd patch.

Not long after an epic thread was posted by @sun in the issue queue titled ‘Make core maintainable’ (https://drupal.org/node/1255674), basically it was proposing that if we didn’t get more hands on deck in core, the only way forward was to start dropping unmaintained modules. I jumped into irc and put my hand up to maintain forum, one of the modules on the chopping block. I had a conversation with @chx who later remarked ‘yesterday I saw a guy on IRC who was contemplating on taking the forum module maintainer hat’ (http://www.drupal4hu.com/node/303).

So from there I took a more active role in core contribution. Those threads are a great read, even today, as they indicates the level of frustration that core developers were experiencing in the first six months of Drupal 7’s release.

What do you do with Drupal these days?

I build sites for some of Australia’s largest government, education, media and non-profit organisations with one of Australia’s most respected Drupal Agencies, PreviousNext. It’s a great team and I get to work on interesting projects.

After all this time I still enjoy working with Drupal. Sometimes people lament Drupal’s ease of site-building, likening it to ‘golden handcuffs’, but that’s where contributing to core and contrib help. If you find yourself stuck in a ‘click-monkey’ rut, contributing code lets you flex your ‘code-monkey’ muscles.

You’re involved with quite a variety of projects in the Drupal community – can you describe some of the things you do and why you like them?

I particularly like working on Drupal core because it helps me keep abreast of upcoming changes. I don’t have a CS education, I have degrees in mathematics and engineering, and I’ve been quoted before saying I got my CS education in the Drupal issue queues. As a contributor you are incredibly lucky to have your work constructively reviewed by some of the world’s best programmers. Every time someone makes a suggestion on your patch, you learn a little more. I’ve learnt so many programming concepts from reviewing other’s code and having my code reviewed by others. Particularly during the Drupal 8 cycle, where we’ve effectively rewritten Drupal in a new language – PHP 5.3.

What’s the coolest project you’ve worked on?

Its not live anymore unfortunately but I worked on sendmypostcards.com which was a Drupal 6 site with Ubercart where you could create your own postcards and pay to have them printed. You could use your Facebook photo-galleries, Flickr account or upload your own files. The designer/editor was built with jQuery and the site used batch-jobs to generate 300dpi print-ready PDFs. It was a challenging project but it did end up spawning a number of contrib modules including Image Cache External which allows you to generate derivatives of remote images. Unfortunately the site didn’t last, but I did get a couple of Christmas cards printed and sent to my office. It was great to have something tangible, I still have them mounted on my office wall.

What changes do you hope will come in Drupal 8?

I’m disappointed we didn’t get a layout builder in core but I’m excited by the opportunities for it to develop and mature in the contrib ecosystem. Some of the work done as part of the Scotch Initiative by @sdboyer and @eclipsegc was pretty awesome. @sdboyer stepped me through the ‘Princess’ branch (the name was a dare) at the stage when it was fairly functional and the possibilities it opened up were pretty awesome. Hopefully that work will be leveraged for what becomes of panels/page manager in Drupal 8.

What is your favorite part about the Drupal community?

Getting to work with insanely intelligent and brilliant people. There are so many awesome people working with and on Drupal every day who are always willing to share their experiences and knowledge.

Tell us a little about your background or things that interest you outside Drupal?

I live in Central Queensland at the Southern tip of Australia’s Great Barrier Reef. We have three World Heritage listed destinations all within our reach – the reef, Fraser Island and Mon Repos Turtle Rookery, where you can watch Marine turtles lay their eggs or the hatchlings make their way into the world. The climate is great, the cost of living is low and the people are some of the friendliest in the world. I get to work out of an office with two great Drupal devs who also work for PreviousNext, @nick_schuch and @grom385. Its a great lifestyle, our office is right on the beach.

Outside Drupal I’m passionate about family, with two school aged children and I’ve been married for 15 years. I’m lucky that Drupal gave me an income while my children were pre-school aged and when they went off to school I was able to turn this into a career.

Drupal version: 

Unplanned Drupal.org Downtime Earlier Today (Thu Feb 13 14:59-15:21 UTC 2014)

The Drupal.org primary database server experienced a crash due to a full disk earlier today around 6:59am PST (14:59 UTC). The Nagios monitoring system which normally alerts us to prevent these outages had also crashed and failed to send any notices of…

Joining The Day We Fight Back

Free Software is not just about saving money. It’s not just about sharing for sharing’s sake. Free Software, at its core, is about empowering people. It is about ensuring that everyone has ultimate control over their own electronic lives, because th…

Drupal 7.26 and 6.30 released

Drupal 7.26 and Drupal 6.30, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.26 and Drupal 6.30 release notes for further information.

Download Drupal 7.26Download Drupal 6.30
Upg…

Predictions for 2014

4877. That is where the tradition within the Drupal community of making predictions for the year ahead with regards to our software, our community and broader, the web, started. Node 4877, written at the end of the year 2003. We have come a long way si…