Web Design and Development

What’s new on Drupal.org? - November 2016

Drupal - Thu, 12/08/2016 - 09:27

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

The engineering team at the Drupal Association had much to be thankful for in November. With the support of the wonderful volunteers in our community and the contributions of our Supporting Partners we were able to deliver some great tools for the project. Let's dive and see what's new.

Drupal.org updates Promoting Drupal by Industry

In November we finished the technical scaffolding for the upcoming industry pages, and began working with the wider Association team on content development for these pages. Because we were ahead of our internal targets for this page and we felt it would add significant value, we've also added the ability to geotarget content on these industry pages.

This is the first instance of geo-targeting on Drupal.org, and we'll be using it to help connect Drupal evaluators with regionally appropriate content and partners on these pages. Work on the industry pages is ongoing, but we're excited to bring them to you soon.

Developer Tools Evaluation

During November the engineering team also had a two day retreat here in Portland, OR with webchick - one of the members of the Technical Advisory Committee. We used this retreat to do a deep dive into the current state of developer tools on Drupal.org, and to evaluate our options to continue evolving the tools we offer to the community.

We gave a summary of our exploration along with some next steps to the Drupal Association Board on November 22nd. You can find the minutes and a recording here.

Core release packaged with --no-dev composer dependencies

Starting with the Drupal 8.2.3 release, we are now packaging full releases of Drupal core with --no-dev composer dependencies. This means that packages downloaded will not include extraneous developer extras that should not be used in production sites, and that the release packages will be smaller. We will continue to package dev releases with the dev dependencies.

Feature branch testing support

Drupal.org allows maintainers to create feature branches for issues by using the name format [issue#]-[short-description]. Any commits made to a branch in this format will appear in the sidebar of the associated issue. To improve the utility of these feature branches, DrupalCI patch file tests now also run on push to these branches.

To add tests, users can simply click on the 'add test' link beneath the git branch in the issue sidebar, or click on the existing test result bubble to re-test or add a new test. Since this feature was introduced we've run over 200 issue branch tests.

Project maintainers can add Documentation Guides


We're continuing to support the migration of documentation to the new documentation system, and we've now enabled Project Maintainers to add related documentation guides to their projects. Once added, the related projects will appear on the documentation guides, in the sidebar.

Documentation Maintainers can find their Guides

Many community volunteers have stepped up to become maintainers of the new documentation guides. We want to make sure we're giving them the tools they need to do the work of maintaining those guides and the pages within them.

We've added a 'Your Guides' section to the user profile which will list all of the guides that a user maintains, as well as the pages within those guides. This should allow maintainers to see when pages have been recently changed or added, and to easily keep their guide content curated and up to date.

Infrastructure Virtualization and Improved Config Management

In November, we completed the majority of two major infrastructure projects. Firstly, we've virtualized the majority of the infrastructure and standardized on Debian 8 images. Secondly we've updated our configuration and user management from Puppet 3 + LDAP to Puppet 4 + Hiera. This is a significant milestone for our infrastructure, and gives us a more portable and maintainable infrastructure to manage moving forwards.

Community Initiatives

Community initiatives are a collaboration; with dedicated community volunteers building improvements to Drupal.org with the architectural guidance and oversight of the Drupal Association engineering team.

Drupal 8 User Guide Launched!

We're very happy to say that the Drupal 8 User Guide is now live on Drupal.org! This documentation guide is carefully curated to provide all the information a new user needs to become skilled at managing a Drupal 8 site. We want to give a special thanks to jhodgdon for all her work on the User Guide project.

Initiatives need your help

Are you a Drupal.org power user who relies on Dreditor? Markcarver, who is currently leading the charge to port Dreditor features to Drupal.org, has invited anyone interested in contributing to join him in #dreditor on freenode IRC or the Dreditor GitHub.

Is the written word your domain? Consider putting your skills to use by becoming a maintainer of Drupal documentation. If you are a developer interested in contributing code to the new documentation system, please contact tvn.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects.

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Drupal 8 turns one!

Drupal - Fri, 11/18/2016 - 05:49

Republished from buytaert.net

Tomorrow is the one year anniversary of Drupal 8. On this day last year we celebrated the release of Drupal 8 with over 200 parties around the world. It's a project we worked on for almost five years, bringing the work of more than 3,000 contributors together to make Drupal more flexible, innovative, scalable, and easier to use.

To celebrate tomorrow's release-versary, I wanted to look back at a few of the amazing Drupal 8 projects that have launched in the past year.

1. NBA.com

The NBA is one of the largest professional sports leagues in the United States and Canada. Millions of fans around the globe rely on the NBA's Drupal 8 website to livestream games, read stats and standings, and stay up to date on their favorite team. Drupal 8 will bring you courtside, no matter who you're rooting for.

2. Nasdaq

Nasdaq Corporate Solutions has selected Drupal 8 as the basis for its next generation Investor Relations Website Platform. IR websites are where public companies share their most sensitive and critical news and information with their shareholders, institutional investors, the media and analysts. With Drupal 8, Nasdaq Corporate Solutions will be providing companies with the most engaging, secure, and innovative IR websites to date.

3. Hubert Burda Media

For more than 100 years, Hubert Burda Media has been Germany's premier media company. Burda is using Drupal 8 to expand their traditional business of print publishing to reach more than 52 million readers online. Burda didn't stop there, the media company also open sourced Thunder, a distribution for professional publishers built on Drupal 8.

4. Jurassic World

Drupal 8 propels a wide variety of sites, some of Jurassic proportion. Following the release of the blockbuster film, Jurassic World built its digital park on Drupal 8. Jurassic World offers fans games, video, community forums, and even interactive profiles all of the epic dinosaurs found on Isla Nublar.

5. WWF

The World Wide Fund for Nature has been a leading conservation organization since its founding in 1961. WWF's mission is to protect our planet and Drupal 8 is on their team. WWF UK uses Drupal 8 to engage the community, enabling users to adopt, donate and join online. From pole to pole, Drupal 8 and WWF are making an impact.

6. YMCA Greater Twin Cities

The YMCA is one the leading non-profit organizations for youth development, healthy living, and social responsibility. The YMCA serves more than 45 million people in 119 countries. The team at YMCA Greater Twin Cities turned to Drupal 8 to build OpenY, a platform that allows YMCA members to check in, set fitness goals, and book classes. They even hooked up Drupal to workout machines and wearables like Fitbit, which enables visitors to track their workouts from a D8 powered mobile app. The team at Greater Twin Cities also took advantage of Drupal 8's built-in multilingual capabilities so that other YMCAs around the world can participate. The YMCA has set a new personal record, and is a great example of what is possible with Drupal 8.

7. Jack Daniels

The one year anniversary of Drupal 8 is cause for celebration, so why not raise a glass? You might try Jack Daniels and their Drupal 8 website. Jack Daniels has been making whiskey for 150 years and you can get your fill with Drupal 8.

8. Al Jazeera Media Network

Al Jazeera is the largest news organization focused on the Middle East, and broadcasts news and current affairs 24 hours a day, 7 days a week. Al Jazeera required a platform that could unify several different content streams and support a complicated editorial workflow, allowing network wide collaboration and search. Drupal 8 allowed Al Jazeera to do that and then some. Content creators can now easily deliver critical news to their readers in real time.

9. Alabama.gov

From Boston to LA and even Australia, Drupal is supporting the digital needs of governments around the globe. Alabama is leading the way with Drupal 8. Alabama.gov puts its citizens first, and demonstrates how open source can change the way the public sector engages online.

10. Box

Box has been a leader in the technology industry since its founding in 2005. Box takes advantage of Drupal 8 and the improved features made available right out-of-the-box. Bad puns aside, companies like Box are using Drupal 8's new features and improved user interface to build the best digital experiences yet.

11. Habitat for Humanity

The historic nonprofit Habitat for Humanity doesn't just build houses for those in need; they build habitat.org on Drupal 8. Habitat for Humanity provides affordable housing for communities in over 70 countries around the world. You can discover their impact through the "Where we Build” interactive map, donate, and volunteer all on their Drupal 8 site.

12. Obermeyer

Obermeyer and Drupal 8 will take you into new territory. The ski wear company offers seamless end to end commerce integration, providing both new and loyal customers a great shopping experience. Let Obermeyer's Drupal 8 integration with Drupal Commerce keep you warm because winter is coming ...

Happy 1st birthday Drupal 8!

I can't think of a better way to celebrate Drupal 8's one year anniversary than by sharing some incredible experiences that are being created with Drupal 8. Whether the project is big or small, features dinosaurs, or spreads awareness for an important cause, I'm proud to say that Drupal 8 is supporting an amazing array of projects. In my recent keynote at DrupalCon Dublin, I explained why the why of Drupal is so important. After one year of Drupal 8, it's clear how powerful our collective purpose, projects, and passions can be.

Thank you to everyone who has continued to contribute to Drupal 8! I can't wait for another year of exciting projects. Special thanks to Paul Johnson for crowdsourcing great examples that I wouldn't have known about otherwise.

Drupal 8.2.3 and 7.52 released

Drupal - Wed, 11/16/2016 - 10:11

Drupal 8.2.3 and Drupal 7.52, maintenance releases which contain fixes for security vulnerabilities, are now available for download.

See the Drupal 8.2.3 and Drupal 7.52 release notes for further information.

Download Drupal 8.2.3
Download Drupal 7.52

Upgrading your existing Drupal 8 and 7 sites is strongly recommended. There are no new features nor non-security-related bug fixes in these releases. For more information about the Drupal 8.2.x release series, consult the Drupal 8 overview. More information on the Drupal 7.x release series can be found in the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 8 and 7 include the built-in Update Manager module, which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 8.2.x and 7.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Change log

Drupal 8.2.3 is a security release only. For more details, see the 8.2.3 release notes. A complete list of all changes in the stable 8.2.x branch can be found in the git commit log.

Drupal 7.52 is a security release only. For more details, see the 7.52 release notes. A complete list of all changes in the stable 7.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 8.2.3 and 7.52 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisories:

To fix the security problem, please upgrade to either Drupal 8.2.3 or Drupal 7.52.

Update notes

See the 8.2.3 and 7.52 release notes for details on important changes in this release.

Known issues

See the 8.2.3 release notes or 7.52 release notes for a list of known issues affecting each release.

Drupal 8 will no longer include dev dependencies in release packages

Drupal - Fri, 11/11/2016 - 17:19

As a best practice, development tools should not be deployed on production sites. Accordingly, packaged Drupal 8 stable releases will no longer contain development PHP libraries, because development code is not guaranteed to be secure or stable for production.

This only applies to a few optional libraries that are provided with Drupal 8 for development purposes. The many stable required libraries for Drupal 8, like Symfony and Twig, will still be included automatically in packaged releases. Drupal 7 is not affected.

Updating your site

To adopt this best practice for your site, do one of the following (depending on how you install Drupal):

  • If you install Drupal using the stable release packages provided by Drupal.org (for example, with an archive like drupal-8.2.2.tar.gz or via Drush), update to the next release (8.2.3) as soon as it is available. (Read about core release windows.) Be sure to follow the core update instructions, including removing old vendor files. Once updated, your site will no longer include development libraries and no further action will be needed.
  • If you use a development snapshot on your production site (like 8.2.x-dev), you should either update to a stable release (preferred) or manually remove the dependencies. Remember that development snapshots are not supported for production sites.
  • If you install your site via Composer, you should update your workflows to ensure you specify --no-dev for your production sites.
Development and continuous integration workflows

If you have a continuous integration workflow or development site that uses these development dependencies, your workflow might be impacted by this change. If you installed from a stable Drupal.org package and need the development dependencies, you have three options:

  1. Install Composer and run composer install --dev,
  2. Use a development snapshot (for example, 8.2.x-dev) instead of a tagged release for your development site, or
  3. Install the development dependencies you need manually into Drupal's vendor directory or elsewhere.

However, remember that these development libraries should not be installed on production sites.

For background on this change, see Use "composer install --no-dev" to create tagged core packages. For more information on Composer workflows for Drupal, see Using Composer to manage Drupal site dependencies.

What’s new on Drupal.org? - October 2016

Drupal - Fri, 11/11/2016 - 12:43

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

The Drupal Association team has been getting back to work after coming back from DrupalCon Dublin in September. For the engineering team, October has been focused on some back-end services and infrastructure that support the Drupal project, while we continue to move forward on some longer term front facing initiatives.

Drupal.org updates Promoting Drupal by Industry

Last month we talked about the new homepage we released for Drupal.org, and using those editorial tools to build a membership campaign. We hinted that additional changes will be coming soon. While we're not ready to launch this new content - we can talk about it in some greater detail.

Dries Buytaert, the project founder, has called Drupal the platform for ambitious digital experiences. That phrase expresses the incredible power and flexibility of Drupal, but also encapsulates an aspect of Drupal that can be difficult for newcomers. It can be very hard for newcomers to Drupal to understand how to take a base install of Drupal core, and extend that to achieve that ambitious vision.

We want to help close that gap in understanding—to help evaluators see how Drupal achieves these ambitions. To do this, we'll be creating a series of landing pages that focus granularly on how Drupal creates success stories in particular industries. Look for more on this topic in coming months.

DrupalCon Vienna Site Launched

As is tradition, during the closing session of DrupalCon Dublin we announced that the next DrupalCon in Europe will be held in Vienna! We launched the splash page announcing the event at vienna2017.drupal.org and we have information about sponsorship and hotel reservations already available.

DrupalCon Vienna will happen from the 25th to 29th of September 2017, and we'll hope to see you there!

More flexible project testing

We've made a significant update to how tests are configured on the Automated Testing tab of any project hosted on Drupal.org. Automated testing, using the DrupalCI infrastructure, allows developers to ensure their code will be compatible with core, and with a variety of PHP versions and database environments. In October, we updated the configuration options for module maintainers.

Maintainers can now select a specific branch of core, a specific environment, and select whether to run the test once, daily, on commit, or for issues. Issues are limited to a single test configuration, to ensure that the code works in a single environment before being regression tested against multiple environments on on-commit or daily tests.

Better database replication and reliability

Behind the scenes, we've made some updates to our database cluster - part of our infrastructure standardization on Debian 8 environments managed in Puppet 4. We've made some improvements to replication and reliability - and while these changes are very much behind the scenes they should help maintain a reliable and performant Drupal.org.

Response to Critical Security Vulnerabilities

When it rains, it pours—a maxim we take to heart in Portland, Oregon—and that was especially true in the realm of security in October. The most widely known vulnerability disclosed was the 'DirtyCow' vulnerability in the Linux kernel. A flaw in the copy-on-write system of the Linux kernel made it possible, in principle, for an unprivileged user to elevate their own privileges.

Naturally, responding to this vulnerability was a high priority in October, but DirtyCow was not the only vulnerability disclosed, as security releases were also made for PHP, mariadb, tar, libxslt, and curl. We mitigated each of these vulnerabilities in short order.

Community Initiatives

Community initiatives are a collaboration; with dedicated community volunteers building improvements to Drupal.org with the architectural guidance and oversight of the Drupal Association engineering team.

Drupal 8 User Guide

The Drupal 8 User Guide is getting very close to being available on Drupal.org. We are working closely with contributor jhodgdon to resolve some perplexing inconsistencies between what we're seeing in our development environment and in our initial production deployment.

Dreditor

markcarver who is currently leading the charge to port Dreditor features to Drupal.org, has invited anyone interested in contributing to join him in #dreditor on freenode IRC or the Dreditor GitHub.

Documentation Maintainership

Finally, we want to continue to encourage the community to become maintainers of Drupal documentation. If you are a developer interested in contributing code to the new documentation system, please contact tvn.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects.

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Nasdaq Chooses Drupal 8

Drupal - Fri, 10/21/2016 - 05:47

Republished from buytaert.net

I wanted to share the exciting news that Nasdaq Corporate Solutions has selected Drupal 8 as the basis for its next generation Investor Relations Website Platform. About 3,000 of the largest companies in the world use Nasdaq's Corporate Solutions for their investor relations websites. This includes 78 of the Nasdaq 100 Index companies and 63% of the Fortune 500 companies.

What is an IR website? It's a website where public companies share their most sensitive and critical news and information with their shareholders, institutional investors, the media and analysts. This includes everything from financial results to regulatory filings, press releases, and other company news. Examples of IR websites include http://investor.starbucks.comhttp://investor.apple.com andhttp://ir.exxonmobil.com -- all three companies are listed on Nasdaq.

All IR websites are subject to strict compliance standards, and security and reliability are very important. Nasdaq's use of Drupal 8 is a fantastic testament for Drupal and Open Source. It will raise awareness about Drupal across financial institutions worldwide.

In their announcement, Nasdaq explained that all the publicly listed companies on Nasdaq are eligible to upgrade their sites to the next-gen model "beginning in 2017 using a variety of redesign options, all of which leverage Acquia and the Drupal 8 open source enterprise web content management (WCM) system."

It's exciting that 3,000 of the largest companies in the world, like Starbucks, Apple, Amazon, Google and ExxonMobil, are now eligible to start using Drupal 8 for some of their most critical websites. 

What's new on Drupal.org? - September 2016

Drupal - Thu, 10/20/2016 - 08:37

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

This month's update comes to you a couple weeks late, but only because we were on site at DrupalCon together with the community to move the project forward! DrupalCon Dublin was a great event, with the entire Drupal Association staff engaged to make DrupalCon the best place to develop your Drupal skills, learn what's coming for the project, and sprint on core and contrib. We are tremendously thankful to the community that joins us for DrupalCon, and to the incredible volunteers that help us put on the event. If you couldn't join us in person, you can still review the session recordings.

Now, on to the updates!

Drupal.org updates New homepage

Certainly the most visible change to Drupal.org in September was the refresh of our home page. As the front door of our community home, the front page needs to be inviting to both existing community members, and people new to Drupal who are just beginning their adoption journey. The changes are more than aesthetic. We also put in place new editorial tools to give us greater flexibility with the front page itself, and with future landing pages that we hope to create in the same highly-designed, attractive style. In addition to these structural and editorial changes we made some content changes as well, cleaning up our news feed, and giving DrupalCon a new, more prominent position on the home page.

And there are more updates to come! Using the same editorial tools we'll soon be rolling out additional content for Drupal evaluators - promoting proven solutions built using Drupal in specific industries. Look forward to this in the coming months.

Membership campaign

We used the same editorial tools that built the new homepage to build a landing page for our fall membership campaign. This campaign showcases how Drupal Association members make community cultivation grants possible - and the stories that those grants create.

These community stories run to the heart of our mission - enabling our global community build connections on the local level, and extending Drupal's reach across the world.

Case studies on organization profiles

In September we also made a small but significant update to organization profiles. We've moved the often unwieldy index of people associated with an organization to a subpage, in order to make room for listing the case studies that an organization has created. We want to encourage Drupal organizations of all kinds to share their stories of success, especially around Drupal 8.

If your organization has never created a Drupal case study before, we have some materials to teach you how to create a case study on Drupal.org.

Issue Credit Updates

The issue credit system has had a remarkable impact on the community. Being able to quantify the contribution of organizations to Drupal's codebase has lead to an unprecedented level of healthy competition between organizations who support the project—each trying to outdo the other with their contributions. It has been amazing to see how generous these organizations are, sponsoring the work of committed community contributors to advance the project.

To maintain this system in a healthy way, we need to monitor it carefully and make small adjustments to ensure that we're creating the right incentives for true contribution, and not a system to be gained for self-promotion. We've made a few small tweaks in september to reduce spurious re-opening of issues in order to 'reset the clock' on credits, and we have a few more fixes on the plate to keep this ecosystem healthy.

We're also looking to expand the kinds of activities that receive contribution credit - so look forward to further updates on that front in the coming months.

Community Initiatives

Finally, here are some updates on our active community initiatives. Community initiatives are a collaboration; with dedicated community volunteers building improvements to Drupal.org with the architectural guidance and oversight of the Drupal Association engineering team.

Documentation Migration

The migration of Drupal.org documentation to the new documentation content types is well under way. Tremendous thanks to tvn and eojthebrave for spearheading this effort and recruiting additional volunteers to help maintain the new documentation guides and move the community over into the new system.

We still need your help! We need community volunteers to take on small sub-sets of documentation to maintain, and make sure they're cleaned up post-migration.

If you don't want to commit to maintaining a guide, you can still help out by doing some of the pending tasks for any of the documentation pages.

Lastly, if any Drupal developers are interested in contributing code to the new documentation system to clean up a few minor bugs and features, please contact tvn.

Drupal 8 User Guide

As outlined in our previous update, the Drupal 8 User guide is a special subset of documentation that's been produced in a highly curated, editorially controlled way - to create a guide to Drupal 8 that rivals the standards of an industry publication. All of the components needed to publish this guide to Drupal.org are now in place, so our final step will be to coordinate some last tweaks and bug fixes with jhodgdon, and then to begin linking it prominently on Drupal.org.

Dreditor

In the weeks leading up to DrupalCon Dublin there was a small crisis in the contributor community. Because of changes in the browser add-on validation process, the incredibly valuable and popular Dreditor browser extension, first developed by sun, and currently maintained by markcarver, andcottser has reached its end of life—or has it?

After a tremendous outpouring from the community a new plan was made, and now Mark is working on porting the features of Dreditor directly to Drupal.org. Work is still ongoing, but as it proceeds, users will be able to optionally enable these features component by component on their user profiles.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects.

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Groups audience: Drupal.org

Technical Advisory Committee formed to modernize developer tools

Drupal - Tue, 10/18/2016 - 11:37

At DrupalCon Dublin, I spoke about The Association’s commitment to help Drupal thrive by improving the contribution and adoption journeys through our two main community assets, DrupalCon and Drupal.org. You can see the video here.

One area I touch on was my experience as a new code contributor. Contributing my patch was a challenging, but joyous experience and I want more people to have that feeling—and I want to make it as easy as possible for others to contribute, too. It’s critical for the health of the project.

At the heart of the Drupal contributor community are our custom development tools, including the issue tracker, Git repositories, packaging, updates server, and automated testing. We believe there are many aspects of Drupal’s development workflow that have been essential to our project's success, and our current tooling reflects and reinforces our community values of self-empowerment, collaboration, and respect, which we seek to continue to uphold.

It’s time to modernize these developer tools. To support the Association with this objective The Drupal Association created a Technical Advisory Committee (TAC). The TAC consists of community members Angie Byron, Moshe Weitzman, and Steve Francia, who is also our newest Drupal Association board member. The TAC acts in an advisory role and reports to me.

Building off of the work the community has already done, the TAC is exploring opportunities to improve the tools we use to collaborate on Drupal.org. The crux of this exploration is determining whether we should continue to rely on and invest in our self-built tools, or whether we should partner with an organization that specializes in open source tooling.

Our hope is that we will be able to bring significant improvements to our contribution experience faster by partnering with an organization willing to learn from our community and adapt their tools to those things we do uniquely well. Such a partnership would benefit both the Drupal community—with the support of their ongoing development—and potentially the broader open source community—by allowing our partner to bring other projects those aspects of our code collaboration workflow.

The TAC will use a collaborative process, working with staff and community to make a final recommendation. The TAC has already begun the process and has some very positive exploratory conversations. The TAC and staff will be communicating their progress with the community in upcoming blog posts.  

Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003

Drupal - Mon, 10/10/2016 - 10:09
Description

Recently the Drupal Security Team has seen a trend of attacks utilizing a site mis-configuration.
This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system. These files are publically accessible allowing attackers to point search engines and people directly to them on the site. The majority of the reports are based around the webform module, however, other modules are vulnerable to this misconfiguration as well.

For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site.

To resolve this issue:
  1. Configure upload fields that non-trusted visitors, including anonymous visitors, can upload files with, to utilize use the private file system.
  2. Ensure cron is properly running on the site. Read about setting up cron for for Drupal 7 or or Drupal 8).
  3. Consider forcing users to create accounts before submitting content.
  4. Audit your public file space to make sure that files that are uploaded there are valid.
Awareness acknowledgment

The Drupal Security Team became aware of the existence and exploits of this issue because the community reported this issue to the security team. As always, if your site has been exploited, even if the cause is a mistake in configuration, the security team is interested in hearing about the nature of the issue. We use these reports to look for trends and broader solutions.

Coordinated by

This post may be updated as more information is learned.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal 8.2.0 is now available

Drupal - Wed, 10/05/2016 - 02:57
*/

Drupal 8.2.0, the second minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility.

What's new in Drupal 8.2.x?

This new version includes additional experimental modules to place blocks on pages, to edit configuration related to blocks without leaving the page, to create content moderation workflows, and to use date ranges. Several smaller authoring experience, site building, and REST and decoupled site improvements are included as well. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.)

Download Drupal 8.2.0

Easier to place and configure blocks on pages

The new experimental Place Block module allows placing blocks on any page without having to navigate to the backend administration form. After selecting the region for placement, block configuration can be adjusted in a modal dialog allowing full control of all the details.

There is also a much easier way to modify block configuration, with the experimental Settings Tray module. Editing a block opens a tray in a sidebar with the block's title and other settings. For the site name block, for example, you can edit the site name directly in the sidebar. For menu blocks, you can adjust the menu there.

Content moderation now included

Drupal has always supported both published and unpublished content, but more granular workflow support was not available in Drupal core. The new experimental Content Moderation module, based on the contributed Workbench Moderation project, allows defining content workflow states such as Draft, Archived, and Published, as well as which roles have the ability to move content between states.

Support for date ranges

The Datetime module included with core only supports storing single points in time. The experimental Datetime Range module provides a new field type that also allows end dates. This is important for helping contributed modules like the Calendar module to work with Drupal 8 core.

Site building, content authoring, and administrative improvements

Drupal 8.2.0 also improves stable functionality for administration, site building, and authoring. Drupal now enables revisions by default for new content types, to provide better accountability, to create a "safety net" for recovering from unintended changes, and to integrate with future workflow features. Content editors will enjoy a more seamless experience, as CKEditor's built-in dialogs are now styled to match Drupal-native dialogs, and creating any entity will always display a message linking to the new entity.

Other incremental enhancements include:

  • The user interface text has been improved on numerous administrative pages.
  • The redirection of site-wide contact forms is now configurable.
  • The comment view mode can now be selected in the display formatter form.
  • Relative URLs are converted to absolute ones in generated RSS feeds (ensuring that images and links work wherever the feeds are used).
  • Administrators can now elect to remove a module's content entities in order to uninstall the module.
  • The internal page cache has been improved for 404 responses.
Platform features for web services

The Drupal 8.2 release continues to expand Drupal's support for web services that benefit decoupled sites and applications, with bug fixes, simplified configuration, improved responses, and new features. It is now possible to read (GET) configuration entities like vocabularies and content types as REST resources, resolving a significant limitation for REST functionality in 8.1.x and earlier. Login, logout, and user registration are also now possible with REST. The authentication mechanism used by a REST Export Views Display is now configurable, and a cors.config service parameter was added for enabling and configuring cross-origin resource sharing (CORS). REST resource configuration is now also significantly simpler.

Developer API improvements

Minor releases like Drupal 8.2.0 include backwards-compatible API additions for developers as well as new features. Read the 8.2.0 release notes for more details on the improvements for developers in this release.

What does this mean to me? Drupal 8 site owners

Update to 8.2.0 to continue receiving bug and security fixes. The next bugfix release, 8.2.1, is scheduled for November 2, 2016.

Updating your site from 8.1.10 to 8.2.0 with update.php is exactly the same as updating from 8.1.7 to 8.1.8. Modules, themes, and translations may need small changes for this minor release, so test the update carefully before updating your production site.

Drupal 6 site owners

Drupal 6 is not supported anymore. Create a Drupal 8 site and try migrating your data into it as soon as possible. Your Drupal 6 site can still remain up and running while you test migrating your Drupal 6 data into your new Drupal 8 site. Core now provides migrations for most Drupal 6 data, but the migration of multilingual functionality in particular is not complete. If you find a new bug not covered by the known issues with the experimental Migrate module suite, your detailed bug report with steps to reproduce is a big help!

Drupal 7 site owners

Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8.

The migration path from Drupal 7 to 8 is not complete, especially for multilingual sites, so you may encounter errors or missing migrations when you try to migrate. That said, since your Drupal 7 site can remain up and running while you test migrating into a new Drupal 8 site, you can help us stabilize the Drupal 7 to Drupal 8 migration path! Testing and bug reports from your real-world Drupal 7 sites will help us stabilize this functionality sooner for everyone. (Search the known issues.)

Translation, module, and theme contributors

Minor releases like Drupal 8.2.0 are backwards-compatible, so modules, themes, and translations that support Drupal 8.1.x and Drupal 8.0.x will be compatible with 8.2.x as well. However, the new version does include some changes to strings, user interfaces, and internal APIs (as well as more significant changes to experimental modules). This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.2.0 release candidate for more background information.

The first annual Drupal CEO Survey reports that there is a bright future for Drupal in the enterprise segment

Drupal - Thu, 09/29/2016 - 02:42

Results from the global Drupal CEO business survey conducted by One Shoe and Exove, in partnership with the Drupal Association, indicate that Drupal will adopt a role as an enterprise level platform. The Drupal CEO Survey has been carried out this year out for the first time and gives insights in the key issues that Drupal agency owners and company leaders worldwide face.

Among the surveyed 75 Drupal companies, the C-level respondents mainly work at digital agencies (37.8%) and software companies (27%). Most of the surveyed companies were small to medium sized enterprises. Only 9.9% said they have more than 80 employees, while 21.9% reported five or less employees.

A bright future for Drupal in the enterprise segment

A vast majority (90.5%) believes that Drupal has reinvented itself with the release of Drupal 8, the newest version of the CMS, released in November 2015. Even though Drupal has become somewhat more complex, respondents don’t think this is a turnoff for developers (77.1%). As one respondent said, "Some developers will resent the added complexity, but I see it becoming the defacto standard for 'Enterprise' CMSs." This respondent is not the only one: 89.2% of the respondents think that the popularity of Drupal for clients will grow in the next three years. Drupal is seen as being a leader in larger enterprise deployments in the future. As one respondent stated, "Drupal will see continued growth for clients who are committed to their digital strategy and see its importance as part of their overall business goals. But it will probably tail off for clients who just need a website." Or, as another respondent sees it: "Drupal will become the platform of choice for enterprise level solutions."

Drupal is popular for enterprise healthcare projects

The surveyed companies serve clients in numerous industries. From enterprise perspective, the major industries are healthcare and medicine (40.0% respondents have clients from this industry), banking and insurances (38.7%), and retail (37.3%). Overall, Drupal companies also work with charities and non-profit organizations (64%), government and public administration (56.0%), media (49.3%), IT (45.3%), and arts and culture (36.0%).

The cost of an enterprise solution project varies from company to company. Most of the companies (28.0%) work in 100,000 - 250,000 euro range, while 18.7% of the companies charge 250,000 - 500,000 euro. Another 18.7% charge 50,000 - 100,000 euro for an enterprise level solution built on Drupal. Only a handful of companies, 4.0%, charge between half a million and one million euro. Compared to the typical cost of enterprise level solutions, Drupal based solutions are implemented with less costs. This is due to the good fit of Drupal to the enterprise needs, flexibility of the platform, and huge amount of readymade modules.

Drupal empowers growth

The most important strategic priorities of the companies also focus on growth: finding the right talent, 53.3%; ensuring financial growth, 45.3%; and developing new growth strategies, 41.3%. The executives expect to face challenges in the coming three years on the same areas: finding the right talent, 59.5%; talent retention, 36.5%; and ensuring financial growth, 33.8%.

While finding and retaining the talent is seen challenging, 60.0% of the respondents do not outsource work to vendors. Companies operating in Europe less use outsourcing, as 67.0% of these companies do not employ vendors. European companies outsource work to Asia (17.0%) and Europe (17.0%), while non-European companies use vendors in North America (25.0%), South America (25.0%), and Asia (19%).

Also illustrating the growth-empowering aspects of Drupal is the geographical presence of companies. One third (31.1%) of the surveyed companies have offices in more than one country, and 12.0% has offices in five or more countries.

Comments

The survey organizers Janne Kalliola from Exove and Michel van Velde from One Shoe are very happy with the results. "This survey confirms a number of positive indications about Drupal which we have been seeing in our markets. I am especially happy with the strong enterprise focus of Drupal companies across the globe, as our experiences with enterprise customers have confirmed that Drupal is an excellent fit to enterprise," Janne Kalliola says. Michel van Velde continues: "We are foreseeing steady growth of Drupal in a number of markets. There are so many untapped opportunities for Drupal and it’s great to see that Drupal 8 is now equipped to compete with closed source solutions like Sitecore and Adobe.”

Megan Sanicki, Executive Director at Drupal Association says, "I am excited that this survey has been made and so many Drupal companies have answered the call. The results validate the positive and energetic feeling we see and hear in the Drupal marketplace. To help the agencies, the Drupal Association is working together with the Drupal business community to amplify Drupal’s success on Drupal.org. We connect enterprises evaluating Drupal with agencies providing Drupal services, we organize DrupalCons to attract and train new talent to work with Drupal, and we support the local business communities in countries around the globe."

Dries Buytaert, the Drupal founder and project lead, President of Drupal Association, and CTO of Acquia, says, "The results of the survey verify my understanding of the situation of companies in the Drupal business community. I am very proud of the new opportunities and prospects these companies are creating for Drupal - and also feel satisfied that Drupal is seen as so good fit for their needs. And it gets even better with the soon to be released Drupal 8.2."

About Exove

Exove delivers digital growth. We help our clients to grow their digital business by designing and building solutions with agile manner, service design methodologies, and open technologies. Our clients include Sanoma, Fiskars, Neste, Informa, Trimble, and Finnlines. We serve also start-up companies, unions and public sector. Exove has offices in Helsinki, Oulu and Tampere, Finland; Tallinn, Estonia; and London, United Kingdom. For more information, please visit www.exove.com.

About One Shoe

One Shoe is an integrated advertising and digital agency with more than 10 years experience in Drupal. With more than 40 specialists, One Shoe combines strategy, UX, design, advertising, web and mobile development to deliver unique results for international clients like DHL, Shell, Sanofi, LeasePlan, MedaPharma and many more. For more information, please visit www.oneshoe.com.

About Drupal Association

The Drupal Association is a non-profit organization headquartered in Portland, OR, USA. It helps the Drupal project and community thrive with funding, infrastructure, and events. Its vision is to help create spaces where anyone, anywhere, can use Drupal to build ambitious digital experiences. For more information, please visit association.drupal.org.

----

For media enquiries, please contact Janne Kalliola ([email protected]), Michel van Velde ([email protected]), or Bradley Fields ([email protected]).

The transformation of Drupal 8 for continuous innovation

Drupal - Wed, 09/28/2016 - 00:00

Republished from buytaert.net.

In the past, after every major release of Drupal, most innovation would shift to two areas: (1) contributed modules for the current release, and (2) core development work on the next major release of Drupal. This innovation model was the direct result of several long-standing policies, including our culture of breaking backward compatibility between major releases.

In many ways, this approach served us really well. It put strong emphasis on big architectural changes, for a cleaner, more modern, and more flexible codebase. The downsides were lengthy release cycles, a costly upgrade path, and low incentive for core contributors (as it could take years for their contribution to be available in production). Drupal 8's development was a great example of this; the architectural changes in Drupal 8 really propelled Drupal's codebase to be more modern and flexible, but also came at the cost of four and a half years of development and a complex upgrade path.

As Drupal grows — in lines of code, number of contributed modules, and market adoption — it becomes harder and harder to rely purely on backward compatibility breaks for innovation. As a result, we decided to evolve our philosophy starting after the release of Drupal 8.

The only way to stay competitive is to have the best product and to help people adopt it more seamlessly. This means that we have to continue to be able to reinvent ourselves, but that we need to make the resulting changes less scary and easier to absorb. We decided that we wanted more frequent releases of Drupal, with new features, API additions, and an easy upgrade path.

To achieve these goals, we adopted three new practices:

  1. Semantic versioning: a major.minor.patch versioning scheme that allows us to add significant, backwards-compatible improvements in minor releases like Drupal 8.1.0 and 8.2.0.
  2. Scheduled releases: new minor releases are timed twice a year for predictability. To ensure quality, each of these minor releases gets its own beta releases and release candidates with strict guidelines on allowed changes.
  3. Experimental modules in core: optional alpha-stability modules shipped with the core package, which allow us to distribute new functionality, gather feedback, and iterate faster on the modules' planned path to stability.

Now that Drupal 8 has been released for about 10 months and Drupal 8.2 is scheduled to be released next week, we can look back at how this new process worked. Drupal 8.1 introduced two new experimental modules (the BigPipe module and a user interface for data migration), various API additions, and usability improvements like spell checking in CKEditor. Drupal 8.2 further stabilizes the migration system and introduces numerous experimental alpha features, including significant usability improvements (i.e. block placement and block configuration), date range support, and advanced content moderation — among a long list of other stable and experimental improvements.

It's clear that these regular feature updates help us innovate faster — we can now add new capabilities to Drupal that previously would have required a new major version. With experimental modules, we can get features in users' hands early, get feedback quickly, and validate that we are implementing the right things. And with the scheduled release cycle, we can deliver these improvements more frequently and more predictably. In aggregate, this enables us to innovate continuously; we can bring more value to our users in less time in a sustainable manner, and we can engage more developers to contribute to core.

It is exciting to see how Drupal 8 transformed our capabilities to continually innovate with core, and I'm looking forward to seeing what we accomplish next! It also raises questions about what this means for Drupal 9 — I'll cover that in a future blog post.

A new look for Drupal.org

Drupal - Wed, 09/21/2016 - 12:09

As you can see we've put a fresh coat of paint on Drupal.org - but the changes run below the surface. This latest iteration of the front page brings the key concepts of our design system to the forefront: Clean, Modern, Technical.

This change also brings new editorial tools for Drupal.org content editors. The new home page provides us more flexibility with content and presentation, and so you'll see more frequent updates, more information about DrupalCon, and more editorial flexibility on the home page than you've seen in the past. These tools are also helping us to build cleaner, modern landing pages - like you've just seen with our Fall Membership Campaign.

We've previewed this work with several key members of the community and the board, and we want to say thank you to everyone who's given us their feedback on this first step for our new home page. We also want to give an extra special thank you to dyannenova for her contributions to this effort.

This is just the beginning - very soon we'll have a new visual look for the case studies that are featured on the home page, and then shortly after that we'll begin promoting solutions to Drupal evaluators in specific industries, like Higher Education, Media & Publishing, and Government.

If Drupal.org is the home of the community, than the front page is our front door. We want to welcome new users and evaluators of Drupal, highlight the project's strengths, and promote news and happenings from throughout the ecosystem.

We hope you like the changes, and we think you'll like the upcoming iterations even more. We'd love to hear your feedback!

Drupal 8.1.10 released

Drupal - Wed, 09/21/2016 - 09:33

Drupal 8.1.10, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

See the Drupal 8.1.10 release notes for further information.

Download Drupal 8.1.10

Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. For more information about the Drupal 8.x release series, consult the Drupal 8 overview.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 8 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

Bug reports

This is the final security release for the 8.1.x series. Future maintenance releases will be made available in the 8.2.x series, according to our monthly release cycle.

Change log

Drupal 8.1.10 is a security release only. For more details, see the 8.1.10 release notes. A complete list of all changes in the upcoming 8.2.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 8.1.10 was released in response to the discovery of security vulnerabilities. Details can be found in the official security advisories:

To fix the security problem, please upgrade to Drupal 8.1.10. (Sites testing the 8.2.x release should update to 8.2.0-rc2.)

Update notes

See the 8.1.10 release notes for details on important changes in this release.

This is the final security release of the 8.1.x series. Sites should prepare to update to 8.2.0 following this release.

Known issues

See the 8.1.10 release notes for known issues.

Can Drupal outdo native applications?

Drupal - Wed, 09/14/2016 - 00:00

Republished from buytaert.net

I've made no secret of my interest in the open web, so it won't come as a surprise that I'd love to see more web applications and fewer native applications. Nonetheless, many argue that "the future of the internet isn't the web" and that it's only a matter of time before walled gardens like Facebook and Google — and the native applications which serve as their gatekeepers — overwhelm the web as we know it today: a public, inclusive, and decentralized common good.

I'm not convinced. Native applications seem to be winning because they offer a better user experience. So the question is: can open web applications, like those powered by Drupal, ever match up to the user experience exemplified by native applications? In this blog post, I want to describe inversion of control, a technique now common in web applications and that could benefit Drupal's own user experience.

Native applications versus web applications

Using a native application — for the first time — is usually a high-friction, low-performance experience because you need to download, install, and open the application (Android's streamed apps notwithstanding). Once installed, native applications offer unique access to smartphone capabilities such as hardware APIs (e.g. microphone, GPS, fingerprint sensors, camera), events such as push notifications, and gestures such as swipes and pinch-and-zoom. Unfortunately, most of these don't have corresponding APIs for web applications.

A web application, on the other hand, is a low-friction experience upon opening it for the first time. While native applications can require a large amount of time to download initially, web applications usually don't have to be installed and launched. Nevertheless, web applications do incur the constraint of low performance when there is significant code weight or dozens of assets that have to be downloaded from the server. As such, one of the unique challenges facing web applications today is how to emulate a native user experience without the drawbacks that come with a closed, opaque, and proprietary ecosystem.

Inversion of control

In the spirit of open source, the Drupal Association invited experts from the wider front-end community to speak at DrupalCon New Orleans, including from Ember and Angular. Ed Faulkner, a member of the Ember core team and contributor to the API-first initiative, delivered a fascinating presentation about how Drupal and Ember working in tandem can enrich the user experience.

One of Ember's primary objectives is to demonstrate how web applications can be indistinguishable from native applications. And one of the key ideas of JavaScript frameworks like Ember is inversion of control, in which the client side essentially "takes over" from the server side by driving requirements and initiating actions. In the traditional page delivery model, the server is in charge, and the end user has to wait for the next page to be delivered and rendered through a page refresh. With inversion of control, the client is in charge, which enables fluid transitions from one place in the web application to another, just like native applications.

Before the advent of JavaScript and AJAX, distinct states in web applications could be defined only on the server side as individual pages and requested and transmitted via a round trip to the server, i.e. a full page refresh. Today, the client can retrieve application states asynchronously rather than depending on the server for a completely new page load. This improves perceived performance. I discuss the history of this trend in more detail in this blog post.

Through inversion of control, JavaScript frameworks like Ember provide much more than seamless interactions and perceived performance enhancements; they also offer client-side storage and offline functionality when the client has no access to the server. As a result, inversion of control opens a door to other features requiring the empowerment of the client beyond just client-driven interactions. In fact, because the JavaScript code is run on a client such as a smartphone rather than on the server, it would be well-positioned to access other hardware APIs, like near-field communication, as web APIs become available.

Inversion of control in end user experiences

When a user clicks a teaser image on the homepage of an Ember-enhanced Drupal.com, the page seamlessly transitions into the full content page for that teaser, with the teaser image as a reference point, even though the URL changes.

In response to our recent evaluation of JavaScript frameworks and their compatibility with Drupal, Ed applied the inversion of control principle to Drupal.com using Ember. Ed's goal was to enhance Drupal.com's end user experience with Ember to make it more application-like, while also preserving Drupal's editorial and rendering capabilities as much as possible.

Ed's changes are not in production on Drupal.com, but in his demo, clicking a teaser image causes it to "explode" to become the hero image of the destination page. Pairing Ember with Drupal in this way allows a user to visually and mentally transition from a piece of teaser content to its corresponding page via an animated transition between pages — all without a page refresh. The animation is very impressive and the animated GIF above doesn't do it full justice. While this transition across pages is similar to behavior found in native mobile applications, it's not currently possible out of the box in Drupal without extensive client-side control.

Rather than the progressively decoupled approach, which embeds JavaScript-driven components into a Drupal-rendered page, Ed's implementation inverts control by allowing Ember to render what is emitted by Drupal. Ember maintains control over how URLs are loaded in the browser by controlling URLs under its responsibility; take a look at Ed's DrupalCon presentation to better understand how Drupal and Ember interact in this model.

These impressive interactions are possible using the Ember plugin Liquid Fire. Fewer than 20 lines of code were needed to build the animations in Ed's demo, much like how SDKs for native mobile applications provide easy-to-implement animations out of the box. Of course, Ember isn't the only tool capable of this kind of functionality. The RefreshLess module for Drupal by Wim Leers (Acquia) also uses client-side control to enable navigating across pages with minimal server requests. Unfortunately, RefreshLess can't tap into Liquid Fire or other Ember plugins.

Inversion of control in editorial experiences

In CardStack Editor, an editorial interface with transitions and animations is superimposed onto the content page in a manner similar to outside-in, and the editor benefits from an in-context, in-preview experience that updates in real time.

We can apply this principle of inversion of control not only to the end user experience but also to editorial experiences. The last demos in Ed's presentation depict CardStack Editor, a fully decoupled Ember application that uses inversion of control to overlay an administrative interface to edit Drupal content, much like in-place editing.

CardStack Editor communicates with Drupal's web services in order to retrieve and manipulate content to be edited, and in this example Drupal serves solely as a central content repository. This is why the API-first initiative is so important; it enables developers to use JavaScript frameworks to build application-like experiences on top of and backed by Drupal. And with the help of SDKs like Waterwheel.js (a native JavaScript library for interacting with Drupal's REST API), Drupal can become a preferred choice for JavaScript developers.

Inversion of control as the rule or exception?

Those of you following the outside-in work might have noticed some striking similarities between outside-in and the work Ed has been doing: both use inversion of control. The primary purpose of our outside-in interfaces is to provide for an in-context editing experience in which state changes take effect live before your eyes; hence the need for inversion of control.

Thinking about the future, we have to answer the following question: does Drupal want inversion of control to be the rule or the exception? We don't have to answer that question today or tomorrow, but at some point we should.

If the answer to that question is "the rule", we should consider embracing a JavaScript framework like Ember. The constellation of tools we have in jQuery, Backbone, and the Drupal AJAX framework makes using inversion of control much harder to implement than it could be. With a JavaScript framework like Ember as a standard, implementation could accelerate by becoming considerably easier. That said, there are many other factors to consider, including the costs of developing and hosting two codebases in different languages.

In the longer term, client-side frameworks like Ember will allow us to build web applications which compete with and even exceed native applications with regard to perceived performance, built-in interactions, and a better developer experience. But these frameworks will also enrich interactions between web applications and device hardware, potentially allowing them to react to pinch-and-zoom, issue native push notifications, and even interact with lower-level devices.

In the meantime, I maintain my recommendation of (1) progressive decoupling as a means to begin exploring inversion of control and (2) a continued focus on the API-first initiative to enable application-like experiences to be developed on Drupal.

Conclusion

I'm hopeful Drupal can exemplify how the open web will ultimately succeed over native applications and walled gardens. Through the API-first initiative, Drupal will provide the underpinnings for web and native applications. But is it enough?

Inversion of control is an important principle that we can apply to Drupal to improve how we power our user interactions and build robust experiences for end users and editors that rival native applications. Doing so will enable us to enhance our user experience long into the future in ways that we may not even be able to think of now. I encourage the community to experiment with these ideas around inversion of control and consider how we can apply them to Drupal.

Special thanks to Preston So for contributions to this blog post and to Angie ByronWim LeersKevin O'LearyMatt Grill, and Ted Bowman for their feedback during its writing.

What's new on Drupal.org? - August 2016

Drupal - Tue, 09/13/2016 - 07:44

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Our latest update about Drupal.org comes as the Drupal Association has moved out of our central office in Portland, OR, and gone to an all-distributed team. A move of that sort always creates some upheaval but amidst the move we've continued to push forward on several initiatives to improve Drupal.org.

At the same time we've been pushing forward towards DrupalCon Dublin at the end of September- and we hope to see you there!

Drupal.org updates A new home page, coming soon

As we recently previewed on the Drupal.org blog, some changes are coming to the home page. We're building some new editorial tools to allow for more flexibility with the home page content, and to enable an increased focus on the adoption journey for visitors to Drupal.org. You'll see styles reminiscent of the Drupal 8 release announcement pages, and a continued modernization of theme.

The launch of the new home page is coming soon, but as a precursor we've been making some small improvements. The new user menu which we launched in July has been updated for better keyboard accessibility, and to show a user picture as an indicator that a user has logged in. We've also moved the search feature into an icon in the top navigation. This gives us more flexibility with the header, which can be customized per-page type or per-section with the overall site search box still being present. For example, the header in the new documentation section features search box specific to this particular section, so while you are there you can search for other documentation without having to go through the full-site search and then filtering down. Lastly, we've merged the 'Get Started' and 'Download & Extend' pages. 90% of the content on these pages was duplicated with each other - and the new page presents a cleaner experience with the essential details needed for getting started with Drupal.

The new front page is beginning editorial review, with the help of DA staff, a marketing task-force from the Drupal Association board, and a few key community members.

We've also just launched our fall membership campaign, and we've used this opportunity to beta test some of these new editorial tools to build the campaign landing page. Your support makes our work possible. Thank you!

Documentation

There's some news to report on the documentation front as well. Firstly, as mentioned above, we've updated the header of the documentation section to default to a documentation-specific search box. While not so important for other areas of the site,, we want to preserve and improve the highly-visible, in context search for Documentation.

We've also made some updates to the new system for Documentation maintainers. Authors of new documentation guides will now automatically become maintainers of those guides and automatically 'follow' the guide content so that they will receive notifications of activity in that guide. Any user following a guide can modify notifications settings at any time from their user profile. Within the notification settings a user can select their prefered method of receiving updates - via email or via their tracker page.

Tvn has continued to spearhed the migration of documentation from the old book pages, to our new documentation system.

We have completed the migration of the majority of the 'general' documentation. While that is done, there is still a lot of work to do to make the documentation content better using the new tools that are now available.

We need community volunteers to take on small sub-sets of documentation to clean them up post-migration and to maintain going forward.

If you don't want to commit to maintaining a guide, you can still help out by doing some of the pending tasks for any of the documentation pages.

Lastly, if any Drupal developers are interested in contributing code to the new documentation system to clean up a few minor bugs and features, please contact tvn. And if you are going to be at DrupalCon Dublin, consider joining us at the sprints!

Quality of Life Improvements

We also took the time in August to make a few quality of life improvements, both for our end users, and for our own team. Firstly, we've made it easier than ever to download a copy of your invoice for DrupalCon. Any user can now log into events.Drupal.org and any time, go to "My Account" -> "Orders" and download a pdf of their invoice for any past event. If your company is sending you to DrupalCon, this makes the process easier than ever. (And if they're not, here are some tools to convince your boss!)

Behind the scenes, we've made some additional improvements to our sophisticated spam prevention system, which focuses on preventing bad actors from even registering on Drupal.org in the first place. For those few bad actors that do get through, the system is also tuned to allow us to prevent those users from making multiple account registrations, as one of the primary methods for targeting Drupal.org in the past has been to make a large number of 'sleeper' account registrations that can be later updated with spam links. Unfortunately, on rare occasions this tool can make it difficult for legitimate users to register an account, so we've updated the system with a whitelisting system that allows legitimate to register, without opening the floodgates to the bad actors.

Infrastructure Virtualization and better Drupal.org dev sites

On the infrastructural side we've been focused on improving the maintainability, stability, and portability of our infrastructure with our smaller engineering team. In particular we've been focusing on virtualizing all the components of our infrastructure.

In August in particular we completed the virtualization of pre-production services. We've optimized the snapshotting and whitelisting process that allows us to create staging and development environments to make that process more efficient and easier to manage. We've also replaced our drupal.org dev site architecture with a new architecture that is no longer vulnerable to docker-fs faults which have multiple times resulted in data loss on our development environments. Drupal.org contributors who've been affected by dev site fragility should find dev sites to be much more robust moving forward.

Community Initiative Updates

Finally, here are some updates on our active community initiatives. Community initiatives are a collaboration; with dedicated community volunteers building improvements to Drupal.org with the architectural guidance and oversight of the Drupal Association engineering team.

Drupal 8 User Guide

The Drupal.org user guide is an effort lead by jhodgdon and a number of other contributors to create a highly produced, tightly editorially controlled guide to using Drupal 8. This user guide has been written to the standard of an industry publication, and uses a custom editorial workflow with git + asciidoc. Jhodgdon has been building out functionality to publish the user guide to a Documentation guide on Drupal.org.

Security

A few interrelated initiatives are in progress to improve how information about project security is displayed on Drupal.org. Mlhess has been working on a new security advisory content type for Drupal.org, which will allow security advisory content to be more easily related to project releases, among other things.

With the input and collaboration of quite a few community members, including the security working group, we've also deployed an update to project pages.

This update adds a shield icon next to stable releases. This shield icon indicates which releases are covered by the security advisory policy. This small change is also part of the groundwork for a project application revamp.

Community initiatives are not work that the Drupal Association can tackle on our own. Our mandate requires us to remain focused. That said, whenever the community has arrived at a strong plan and individual volunteers are ready to contribute code, the engineering team can provide architectural advice, code review, and deployment support.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects.

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Drupal 8.2.0-rc1 is available for testing

Drupal - Wed, 09/07/2016 - 15:07

The first release candidate for the upcoming Drupal 8.2.0 release is now available for testing. With Drupal 8, we made major changes in our release process, adopting semantic versioning and scheduled releases. This allows us to make significant improvements to Drupal 8 in a timely fashion while still providing backwards compatibility. Drupal 8.2.0 is the second such update, expected to be released October 5.

Download Drupal-8.2.0-rc1

8.2.x includes many REST improvements; new experimental modules for content moderation, block placement, a sidebar to configure site elements in place, and end date support; and many other features and improvements. You can read a detailed list of improvements in the announcements of beta1, beta2, and beta3.

What does this mean to me? For Drupal 8 site owners

The final bugfix release of 8.1.x has been released. 8.1.x will receive no further releases following 8.2.0, and sites should prepare to update from 8.1.x to 8.2.x in order to continue getting bug and security fixes. Use update.php to update your 8.1.x sites to the 8.2.x series, just as you would to update from (e.g.) 8.1.4 to 8.1.5. You can use this release candidate to test the update. (Always back up your data before updating sites, and do not test updates in production.)

For module and theme authors

Drupal 8.2.x is backwards-compatible with 8.1.x. However, it does include internal API changes and API changes to experimental modules, so some minor updates may be required. Review the change records for 8.2.x, and test modules and themes with the release candidate now.

For translators

Some text changes were made since Drupal 8.1.0. Localize.drupal.org automatically offers these new and modified strings for translation. Strings are frozen with the release candidate, so translators can now update translations.

For core developers

All outstanding issues filed against 8.1.x are automatically migrated to 8.2.x now. Future bug reports should be targeted against the 8.2.x branch. 8.3.x will remain open for new development during the 8.2.x release candidate phase. For more information, see the beta and release candidate phase announcement.

Your bug reports help make Drupal better!

Release candidates are a chance to identify bugs for the upcoming release, so help us by searching the issue queue for any bugs you find, and filing a new issue if your bug has not been reported yet.

Who sponsors Drupal development?

Drupal - Tue, 09/06/2016 - 10:32

Republished from buytaert.net

There exist millions of Open Source projects today, but many of them aren't sustainable. Scaling Open Source projects in a sustainable manner is difficult. A prime example is OpenSSL, which plays a critical role in securing the internet. Despite its importance, the entire OpenSSL development team is relatively small, consisting of 11 people, 10 of whom are volunteers. In 2014, security researchers discovered an important security bug that exposed millions of websites. Like OpenSSL, most Open Source projects fail to scale their resources. Notable exceptions are the Linux kernel, Debian, Apache, Drupal, and WordPress, which have foundations, multiple corporate sponsors and many contributors that help these projects scale.

We (Dries Buytaert is the founder and project lead of Drupal and co-founder and Chief Technology Officer of Acquia and Matthew Tift is a Senior Developer at Lullabot and Drupal 8 configuration system co-maintainer) believe that the Drupal community has a shared responsibility to build Drupal and that those who get more from Drupal should consider giving more. We examined commit data to help understand who develops Drupal, how much of that work is sponsored, and where that sponsorship comes from. We will illustrate that the Drupal community is far ahead in understanding how to sustain and scale the project. We will show that the Drupal project is a healthy project with a diverse community of contributors. Nevertheless, in Drupal's spirit of always striving to do better, we will also highlight areas where our community can and should do better.

Who is working on Drupal?

In the spring of 2015, after proposing ideas about giving credit and discussing various approaches at length, Drupal.org added the ability for people to attribute their work to an organization or customer in the Drupal.org issue queues. Maintainers of Drupal themes and modules can award issues credits to people who help resolve issues with code, comments, design, and more.


A screenshot of an issue comment on Drupal.org. You can see that jamadar worked on this patch as a volunteer, but also as part of his day job working for TATA Consultancy Services on behalf of their customer, Pfizer.


Drupal.org's credit system captures all the issue activity on Drupal.org. This is primarily code contributions, but also includes some (but not all) of the work on design, translations, documentation, etc. It is important to note that contributing in the issues on Drupal.org is not the only way to contribute. There are other activities—for instance, sponsoring events, promoting Drupal, providing help and mentoring—important to the long-term health of the Drupal project. These activities are not currently captured by the credit system. Additionally, we acknowledge that parts of Drupal are developed on GitHub and that credits might get lost when those contributions are moved to Drupal.org. For the purposes of this post, however, we looked only at the issue contributions captured by the credit system on Drupal.org.

What we learned is that in the 12-month period from July 1, 2015 to June 30, 2016 there were 32,711 issue credits—both to Drupal core as well as all the contributed themes and modules—attributed to 5,196 different individual contributors and 659 different organizations.

Despite the large number of individual contributors, a relatively small number do the majority of the work. Approximately 51% of the contributors involved got just one credit. The top 30 contributors (or top 0.5% contributors) account for over 21% of the total credits, indicating that these individuals put an incredible amount of time and effort in developing Drupal and its contributed modules:

Rank Username Issues 1 dawehner 560 2 DamienMcKenna 448 3 alexpott 409 4 Berdir 383 5 Wim Leers 382 6 jhodgdon 381 7 joelpittet 294 8 heykarthikwithu 293 9 mglaman 292 10 drunken monkey 248 11 Sam152 237 12 borisson_ 207 13 benjy 206 14 edurenye 184 15 catch 180 16 slashrsm 179 17 phenaproxima 177 18 mbovan 174 19 tim.plunkett 168 20 rakesh.gectcr 163 21 martin107 163 22 dsnopek 152 23 mikeryan 150 24 jhedstrom 149 25 xjm 147 26 hussainweb 147 27 stefan.r 146 28 bojanz 145 29 penyaskito 141 30 larowlan 135 How much of the work is sponsored?

As mentioned above, from July 1, 2015 to June 30, 2016, 659 organizations contributed code to Drupal.org. Drupal is used by more than one million websites. The vast majority of the organizations behind these Drupal websites never participate in the development of Drupal; they use the software as it is and do not feel the need to help drive its development.

Technically, Drupal started out as a 100% volunteer-driven project. But nowadays, the data suggests that the majority of the code on Drupal.org is sponsored by organizations in Drupal's ecosystem. For example, of the 32,711 commit credits we studied, 69% of the credited work is "sponsored".

We then looked at the distribution of how many of the credits are given to volunteers versus given to individuals doing "sponsored work" (i.e. contributing as part of their paid job):

Looking at the top 100 contributors, for example, 23% of their credits are the result of contributing as volunteers and 56% of their credits are attributed to a corporate sponsor. The remainder, roughly 21% of the credits, are not attributed. Attribution is optional so this means it could either be volunteer-driven, sponsored, or both.

As can be seen on the graph, the ratio of volunteer versus sponsored don't meaningfully change as we look beyond the top 100—the only thing that changes is that more credits that are not attributed. This might be explained by the fact that occasional contributors might not be aware of or understand the credit system, or could not be bothered with setting up organizational profiles for their employer or customers.

As shown in jamadar's screenshot above, a credit can be marked as volunteer and sponsored at the same time. This could be the case when someone does the minimum required work to satisfy the customer's need, but uses his or her spare time to add extra functionality. We can also look at the amount of code credits that are exclusively volunteer credits. Of the 7,874 credits that marked volunteer, 43% of them (3,376 credits) only had the volunteer box checked and 57% of them (4,498) were also partially sponsored. These 3,376 credits are one of our best metrics to measure volunteer-only contributions. This suggests that only 10% of the 32,711 commit credits we examined were contributed exclusively by volunteers. This number is a stark contrast to the 12,888 credits that were "purely sponsored", and that account for 39% of the total credits. In other words, there were roughly four times as many "purely sponsored" credits as there were "purely volunteer" credits.

When we looked at the 5,196 users, rather than credits, we found somewhat different results. A similar percentage of all users had exclusively volunteer credits: 14% (741 users). But the percentage of users with exclusively sponsored credits is only 50% higher: 21% (1077 users). Thus, when we look at the data this way, we find that users who only do sponsored work tend to contribute quite a bit more than users who only do volunteer work.

None of these methodologies are perfect, but they all point to a conclusion that most of the work on Drupal is sponsored. At the same time, the data shows that volunteer contribution remains very important to Drupal. We believe there is a healthy ratio between sponsored and volunteer contributions.

Who is sponsoring the work?

Because we established that most of the work on Drupal is sponsored, we know it is important to track and study what organizations contribute to Drupal. Despite 659 different organizations contributing to Drupal, approximately 50% of them got 4 credits or less. The top 30 organizations (roughly top 5%) account for about 29% of the total credits, which suggests that the top 30 companies play a crucial role in the health of the Drupal project. The graph below shows the top 30 organizations and the number of credits they received between July 1, 2015 and June 30, 2016:

While not immediately obvious from the graph above, different types of companies are active in Drupal's ecosystem and we propose the following categorization below to discuss our ecosystem.

Category Description Traditional Drupal businesses Small-to-medium-sized professional services companies that make money primarily using Drupal. They typically employ less than 100 employees, and because they specialize in Drupal, many of these professional services companies contribute frequently and are a huge part of our community. Examples are Lullabot (shown on graph) or Chapter Three (shown on graph). Digital marketing agencies Larger full-service agencies that have marketing led practices using a variety of tools, typically including Drupal, Adobe Experience Manager, Sitecore, WordPress, etc. They are typically larger, with the larger agencies employing thousands of people. Examples are Sapient (shown on graph) or AKQA. System integrators Larger companies that specialize in bringing together different technologies into one solution. Example system agencies are Accenture, TATA Consultancy Services, Capgemini or CI&T. Technology and infrastructure companies Examples are Acquia (shown on graph), Lingotek (shown on graph), BlackMesh, RackSpace, Pantheon or Platform.sh. End-users Examples are Pfizer (shown on graph), Examiner.com (shown on graph) or NBC Universal.


Most of the top 30 sponsors are traditional Drupal companies. Sapient (120 credits) is the only digital marketing agency showing up in the top 30. No system integrator shows up in the top 30. The first system integrator is CI&T, which ranked 31st with 102 credits. As far as system integrators are concerned CI&T is a smaller player with between 1,000 and 5,000 employees. Other system integrators with credits are Capgemini (43 credits), Globant (26 credits), and TATA Consultancy Services (7 credits). We didn't see any code contributions from Accenture, Wipro or IBM Global Services. We expect these will come as most of them are building out Drupal practices. For example, we know that IBM Global Services already has over 100 people doing Drupal work.

When we look beyond the top 30 sponsors, we see that roughly 82% of the code contribution on Drupal.org comes from the traditional Drupal businesses. About 13% of the contributions comes from infrastructure and software companies, though that category is mostly dominated by one company, Acquia. This means that the technology and infrastructure companies, digital marketing agencies, system integrators and end-users are not meaningfully contributing code to Drupal.org today. In an ideal world, the pie chart above would be sliced in equal sized parts.

How can we explain that unbalance? We believe the two biggest reasons are: (1) Drupal's strategic importance and (2) the level of maturity with Drupal and Open Source. Various of the traditional Drupal agencies have been involved with Drupal for 10 years and almost entirely depend on on Drupal. Given both their expertise and dependence on Drupal, they are most likely to look after Drupal's development and well-being. These organizations are typically recognized as Drupal experts and sought out by organizations that want to build a Drupal website. Contrast this with most of the digital marketing agencies and system integrators who have the size to work with a diversified portfolio of content management platforms, and are just getting started with Drupal and Open Source. They deliver digital marketing solutions and aren't necessarily sought out for their Drupal expertise. As their Drupal practices grow in size and importance, this could change, and when it does, we expect them to contribute more. Right now many of the digital marketing agencies and system integrators have little or no experience with Open Source so it is important that we motivate them to contribute and then teach them how to contribute.

There are two main business reasons for organizations to contribute: (1) it improves their ability to sell and win deals and (2) it improves their ability to hire. Companies that contribute to Drupal tend to promote their contributions in RFPs and sales pitches to win more deals. Contributing to Drupal also results in being recognized as a great place to work for Drupal experts.

We also should note that many organizations in the Drupal community contribute for reasons that would not seem to be explicitly economically motivated. More than 100 credits were sponsored by colleges or universities, such as the University of Waterloo (45 credits). More than 50 credits came from community groups, such as the Drupal Bangalore Community and the Drupal Ukraine Community. Other nonprofits and government organization that appeared in our data include the Drupal Association (166), National Virtual Library of India (25 credits), Center for Research Libraries (20), and Welsh Government (9 credits).

Infrastructure and software companies

Infrastructure and software companies play a different role in our community. These companies are less reliant on professional services (building Drupal websites) and primarily make money from selling subscription based products.

Acquia, Pantheon and Platform.sh are venture-backed Platform-as-a-Service companies born out of the Drupal community. Rackspace and AWS are public companies hosting thousands of Drupal sites each. Lingotek offers cloud-based translation management software for Drupal.

The graph above suggests that Pantheon and Platform.sh have barely contributed code on Drupal.org during the past year. (Platform.sh only became an independent company 6 months ago after they split off from CommerceGuys.) The chart also does not reflect sponsored code contributions on GitHub (such as drush), Drupal event sponsorship, and the wide variety of value that these companies add to Drupal and other Open Source communities.

Consequently, these data show that the Drupal community needs to do a better job of enticing infrastructure and software companies to contribute code to Drupal.org. The Drupal community has a long tradition of encouraging organizations to share code on Drupal.org rather than keep it behind firewalls. While the spirit of the Drupal project cannot be reduced to any single ideology-- not every organization can or will share their code -- we would like to see organizations continue to prioritize collaboration over individual ownership. Our aim is not to criticize those who do not contribute, but rather to help foster an environment worthy of contribution.

End users

We saw two end-users in the top 30 corporate sponsors: Pfizer (158 credits) and Examiner.com (132 credits). Other notable end-users that are actively giving back are Workday (52 credits), NBC Universal (40 credits), the University of Waterloo (45 credits) and CARD.com (33 credits). The end users that tend to contribute to Drupal use Drupal for a key part of their business and often have an internal team of Drupal developers.

Given that there are hundreds of thousands of Drupal end-users, we would like to see more end-users in the top 30 sponsors. We recognize that a lot of digital agencies don't want, or are not legally allowed, to attribute their customers. We hope that will change as Open Source continues to get more and more adopted.

Given the vast amount of Drupal users, we believe encouraging end-users to contribute could be a big opportunity. Being credited on Drupal.org gives them visibility in the Drupal community and recognizes them as a great place for Open Source developers to work.

The uneasy alliance with corporate contributions

As mentioned above, when community-driven Open Source projects grow, there becomes a bigger need for organizations to help drive its development. It almost always creates an uneasy alliance between volunteers and corporations.

This theory played out in the Linux community well before it played out in the Drupal community. The Linux project is 25 years old now has seen a steady increase in the number of corporate contributors for roughly 20 years. While Linux companies like Red Hat and SUSE rank highly on the contribution list, so do non-Linux-centric companies such as Samsung, Intel, Oracle and Google. The major theme in this story is that all of these corporate contributors were using Linux as an integral part of their business.

The 659 organizations that contribute to Drupal (which includes corporations), is roughly three times the number of organizations that sponsor development of the Linux kernel, "one of the largest cooperative software projects ever attempted". In fairness, Linux has a different ecosystem than Drupal. The Linux business ecosystem has various large organizations (Red Hat, Google, Intel, IBM and SUSE) for whom Linux is very strategic. As a result, many of them employ dozens of full-time Linux contributors and invest millions of dollars in Linux each year.

In the Drupal community, Acquia has had people dedicated full-time to Drupal starting nine years ago when it hired Gábor Hojtsy to contribute to Drupal core full-time. Today, Acquia has about 10 developers contributing to Drupal full-time. They work on core, contributed modules, security, user experience, performance, best practices, and more. Their work has benefited untold numbers of people around the world, most of whom are not Acquia customers.

In response to Acquia’s high level of participation in the Drupal project, as well as to the number of Acquia employees that hold leadership positions, some members of the Drupal community have suggested that Acquia wields its influence and power to control the future of Drupal for its own commercial benefit. But neither of us believe that Acquia should contribute less. Instead, we would like to see more companies provide more leadership to Drupal and meaningfully contribute on Drupal.org.

Who is sponsoring the top 30 contributors? Rank Username Issues Volunteer Sponsored Not specified Sponsors 1 dawehner 560 84.1% 77.7% 9.5% Drupal Association (182), Chapter Three (179), Tag1 Consulting (160), Cando (6), Acquia (4), Comm-press (1) 2 DamienMcKenna 448 6.9% 76.3% 19.4% Mediacurrent (342) 3 alexpott 409 0.2% 97.8% 2.2% Chapter Three (400) 4 Berdir 383 0.0% 95.3% 4.7% MD Systems (365), Acquia (9) 5 Wim Leers 382 31.7% 98.2% 1.8% Acquia (375) 6 jhodgdon 381 5.2% 3.4% 91.3% Drupal Association (13), Poplar ProductivityWare (13) 7 joelpittet 294 23.8% 1.4% 76.2% Drupal Association (4) 8 heykarthikwithu 293 99.3% 100.0% 0.0% Valuebound (293), Drupal Bangalore Community (3) 9 mglaman 292 9.6% 96.9% 0.7% Commerce Guys (257), Bluehorn Digital (14), Gaggle.net, Inc. (12), LivePerson, Inc (11), Bluespark (5), DPCI (3), Thinkbean, LLC (3), Digital Bridge Solutions (2), Matsmart (1) 10 drunken monkey 248 75.4% 55.6% 2.0% Acquia (72), StudentFirst (44), epiqo (12), Vizala (9), Sunlime IT Services GmbH (1) 11 Sam152 237 75.9% 89.5% 10.1% PreviousNext (210), Code Drop (2) 12 borisson_ 207 62.8% 36.2% 15.9% Acquia (67), Intracto digital agency (8) 13 benjy 206 0.0% 98.1% 1.9% PreviousNext (168), Code Drop (34) 14 edurenye 184 0.0% 100.0% 0.0% MD Systems (184) 15 catch 180 3.3% 44.4% 54.4% Third and Grove (44), Tag1 Consulting (36), Drupal Association (4) 16 slashrsm 179 12.8% 96.6% 2.8% Examiner.com (89), MD Systems (84), Acquia (18), Studio Matris (1) 17 phenaproxima 177 0.0% 94.4% 5.6% Acquia (167) 18 mbovan 174 7.5% 100.0% 0.0% MD Systems (118), ACTO Team (43), Google Summer of Code (13) 19 tim.plunkett 168 14.3% 89.9% 10.1% Acquia (151) 20 rakesh.gectcr 163 100.0% 100.0% 0.0% Valuebound (138), National Virtual Library of India (NVLI) (25) 21 martin107 163 4.9% 0.0% 95.1% 22 dsnopek 152 0.7% 0.0% 99.3% 23 mikeryan 150 0.0% 89.3% 10.7% Acquia (112), Virtuoso Performance (22), Drupalize.Me (4), North Studio (4) 24 jhedstrom 149 0.0% 83.2% 16.8% Phase2 (124), Workday, Inc. (36), Memorial Sloan Kettering Cancer Center (4) 25 xjm 147 0.0% 81.0% 19.0% Acquia (119) 26 hussainweb 147 2.0% 98.6% 1.4% Axelerant (145) 27 stefan.r 146 0.7% 0.7% 98.6% Drupal Association (1) 28 bojanz 145 2.1% 83.4% 15.2% Commerce Guys (121), Bluespark (2) 29 penyaskito 141 6.4% 95.0% 3.5% Lingotek (129), Cocomore AG (5) 30 larowlan 135 34.1% 63.0% 16.3% PreviousNext (85), Department of Justice & Regulation, Victoria (14), amaysim Australia Ltd. (1), University of Adelaide (1)


We observe that the top 30 contributors are sponsored by 45 organizations. This kind of diversity is aligned with our desire not to see Drupal controlled by a single organization. The top 30 contributors and the 45 organizations are from many different parts in the world and work with customers large or small. We could still benefit from more diversity, though. The top 30 lacks digital marketing agencies, large system integrators and end-users -- all of whom could contribute meaningfully to making Drupal for them and others.

Evolving the credit system

The credit system gives us quantifiable data about where our community's contributions come from, but that data is not perfect. Here are a few suggested improvements:

  1. We need to find ways to recognize non-code contributions as well as code contributions outside of Drupal.org (i.e. on GitHub). Lots of people and organizations spend hundreds of hours putting together local events, writing documentation, translating Drupal, mentoring new contributors, and more—and none of that gets captured by the credit system.
  2. We'd benefit by finding a way to account for the complexity and quality of contributions; one person might have worked several weeks for just one credit, while another person might have gotten a credit for 30 minutes of work. We could, for example, consider the issue credit data in conjunction with Git commit data regarding insertions, deletions, and files changed.
  3. We could try to leverage the credit system to encourage more companies, especially those that do not contribute today, to participate in large-scale initiatives. Dries presented some ideas two years ago in his DrupalCon Amsterdam keynote and Matthew has suggested other ideas, but we are open to more suggestions on how we might bring more contributors into the fold using the credit system.
  4. We could segment out organization profiles between end users and different kinds of service providers. Doing so would make it easier to see who the top contributors are in each segment and perhaps foster more healthy competition among peers. In turn, the community could learn about the peculiar motivations within each segment.

Like Drupal the software, the credit system on Drupal.org is a tool that can evolve, but that ultimately will only be useful when the community uses it, understands its shortcomings, and suggests constructive improvements. In highlighting the organizations that sponsor work on Drupal.org, we hope to provoke responses that help evolve the credit system into something that incentivizes business to sponsor more work and that allows more people the opportunity to participate in our community, learn from others, teach newcomers, and make positive contributions. We view Drupal as a productive force for change and we wish to use the credit system to highlight (at least some of) the work of our diverse community of volunteers, companies, nonprofits, governments, schools, universities, individuals, and other groups.

Conclusion

Our data shows that Drupal is a vibrant and diverse community, with thousands of contributors, that is constantly evolving and improving the software. While here we have examined issue credits mostly through the lens of sponsorship, in future analyses we plan to consider the same issue credits in conjunction with other publicly-disclosed Drupal user data, such as gender identification, geography, seasonal participation, mentorship, and event attendance.

Our analysis of the Drupal.org credit data concludes that most of the contributions to Drupal are sponsored. At the same time, the data shows that volunteer contribution remains very important to Drupal.

As a community, we need to understand that a healthy Open Source ecosystem is a diverse ecosystem that includes more than traditional Drupal agencies. The traditional Drupal agencies and Acquia contribute the most but we don't see a lot of contribution from the larger digital marketing agencies, system integrators, technology companies, or end-users of Drupal—we believe that might come as these organizations build out their Drupal practices and Drupal becomes more strategic for them.

To grow and sustain Drupal, we should support those that contribute to Drupal, and find ways to get those that are not contributing involved in our community. We invite you to help us figure out how we can continue to strengthen our ecosystem.

We hope to repeat this work in 1 or 2 years' time so we can track our evolution. Special thanks to Tim Lehnen (Drupal Association) for providing us the credit system data and supporting us during our research.

Documentation overhaul

Drupal - Tue, 08/30/2016 - 09:11

One of the biggest content areas on Drupal.org—and one of the most important assets of any open source project—is documentation. Community-written Drupal documentation consists of about 10,000 pages. Preparations for the complete overhaul of the documentation tools were in the works for quite some time, and in the recent weeks we finally started to roll out the changes on the live site.

Background

Improving documentation on Drupal.org has been a part of a larger effort to restructure content on the site based on content strategy we developed.

The new section comes after a few we launched earlier in the year. It also uses our new visual system, which will slowly expand into other areas.

Goals and process

The overall goal for the new Documentation section is to increase the quality of the community documentation.

On a more tactical level, we want to:

  • Introduce the concept of "maintainers" for distinct parts of documentation
  • Flatten deep documentation hierarchy
  • Split documentation per major Drupal version
  • Notify people about edits or new documentation
  • Make comments more useful

To achieve those goals, we went through the following process:

First, we wrote a bunch of user stories based on our user research and the story map exercise we went through with the Documentation Working Group members. Those stories cover all kinds of things different types of users do while using documentation tools.

We then wireframed our ideas for how the new documentation system should look and work. We ran a number of remote and in person usability testing sessions on those wireframes.

Our next step was to incorporate the feedback, update our wireframes, and create actual designs. And then we tested them again, in person, during DrupalCamp London.
Incorporated feedback again, and started building.

The new system

So, how does the new documentation system work exactly? It is based on two new content types:

  1. Documentation guide: a container content type. It will group documentation pages on a specific topic, and provide an ability to assign 'maintainers' for this group of pages (similar to maintainers for contributed projects). Additionally, users will be able to follow the guide and receive notifications about new pages added or existing pages edited.
  2. Documentation page: a content type for the actual documentation content. These live inside of documentation guides.


Example of a new documentation guide

All of the documentation is split per major Drupal version, which means every documentation guide or page lives inside of one of a few top level 'buckets', e.g. Drupal 7 documentation, Drupal 8 documentation.
It is also possible to connect guides and pages to each other via a 'Related content' field, which should make it easier to discover relevant information. One of our next to-do’s is to provide an easy way to connect documentation guides to projects, enabling 'official' project documentation functionality.

More information on various design decisions we made for the new documentation system, and the reasons behind them, can be found in our DrupalCon New Orleans session (slides).

Current status

Right now, we have the new content types and related tools ready on Drupal.org.
We are currently migrating existing documentation (all 10,000 pages!) into the new system. The first step is generic documentation (e.g. 'Structure Guide'), with contributed projects documentation to follow later.

While working on the migration, we are recruiting maintainers for the new guides. If you are interested in helping out, sign up in the issue. Please only sign up if you actually have some time to work on documentation in the near future.

There is a lot of work to be done post-migration (both by guide maintainers and regular readers/editors). The content is being migrated as-is, and it needs to be adapted for the new system. This means almost every single page needs to be edited. New fields (such as Summary) filled out with meaningful text (to replace text automatically generated by the migration script). A lot of pages include information for both Drupal 7 and Drupal 8, but this content needs to be split, with Drupal 8 information moved to pages in the appropriate version of the guide. These are just some of the steps that need to happen once the documentation has been migrated into the new system.

Next steps

As staff, we have a few follow-up tasks for minor improvements to the content types and tools. However, the bulk of the work is editing and improving the actual documentation, as I described above. This is in your hands now. Not only do we not have enough staff members to edit every single documentation page in a reasonable amount of time, we are also not subject matter experts for many of the topics, and so can't provide meaningful edits. The tools are ready, now it is up to the community to pick them up and write great documentation.


Example of a documentation page

Thank you

Lastly we want to say thanks.

Thanks to all the community volunteers who wrote those 10,000 pages over the years. Thanks to the Documentation Working Group members for their expertise, insight, and patience.

And, of course, thanks to staff. Unfortunately due to recent changes for the Engineering team, this will be the last section we'll have resources to work on for a while. This was a fun and important project to work on, and we are glad that we got to finish it. It is a beautiful legacy of the work we did together with some of our former colleagues: DyanneNova, japerry, and joshuami. Thank you!

Upcoming Changes to the Front Page

Drupal - Wed, 08/24/2016 - 11:22

In recent weeks we've been making several small changes to Drupal.org: precursors to bigger things to come. First, we moved the user activity links to a user menu in the header. Next, we're moving the search function from the header to the top navigation. These changes aren't just to recover precious pixels so you can better enjoy those extra long issue summaries—these are the first step towards a new front page on Drupal.org.

As the Drupal 8 life-cycle has moved from development, to release, to adoption, we have adapted Drupal.org to support the needs of the project in the moment. And today, the need of the moment is to support the adoption journey.

As we make these changes you'll see echoes of the visual style we used when promoting the release of Drupal 8.

  • The Drupal wordmark region will help to define Drupal, and promote trying a demo.

  • A ribbon will promote contextual CTAs like learning more about Drupal 8.

  • The news feed will be tweaked.

  • DrupalCon will have a permanent home on the front page.

  • Community stats and featured case studies will be carried over(but may evolve).

  • The home page sponsorship format may change.

  • We'll be phasing in a new font throughout the site: Ubuntu - which you've already seen featured in the new Documentation section.

Here's a teaser

… a sneak preview of some new page elements and styles you'll see in the new home page.  

Our first deployment will introduce the new layout and styles. Additional changes will follow as we introduce content to support our turn towards the adoption journey. Drupal evaluators beginning their adoption journey want to know who uses Drupal, and what business needs Drupal can solve. We will begin promoting specific success stories: solutions built in Drupal to meet a concrete need.

What's next?

We're continuing to refine our content model and editorial workflow for the new front page. You'll see updates in the Drupal.org change notifications as we get closer to deployment.

Wondering why we're making these changes now? This turn towards the adoption journey is part of our changing priorities for the next 12 months.

Pages