Planet Drupal


Drupalize.Me: Controlling CSS Classes with the Classy Theme in Drupal 8

Tue, 11/04/2014 - 13:15
You may have heard some news about the fact that a new theme has been added to Drupal, named Classy. But what kind of theme is it exactly? Is it a pretty new look for Drupal 8? Well, no. You will still see Bartik as the default theme on your Drupal 8 site, so why another theme? Classy is a new base theme in core, which Bartik and Seven will then use as their bases. The idea here is to provide more flexibility to themers when it comes to choosing default CSS classes.

Acquia: PHP is getting Faster

Mon, 11/03/2014 - 18:05
Competition is helping to drive big performance gains in PHP. Alternative ways of running PHP are becoming viable, and with them is coming accelerated speed.

OhTheHugeManatee: Drupalgeddon: Best Practices Aren't Good Enough Anymore

Mon, 11/03/2014 - 17:30
Last week's Public Service Announcement from the Drupal security team caused a lot of attention. And rightfully so – it told us that the vast majority of Drupal 7 sites around the world are considered compromised. A mere 7 hours after the critical security patch was released, robots were spotted in the wild, bulk-hacking Drupal 7 sites with this vulnerability. This is something that's never happened to the Drupal community before, and it is extremely serious. In some way it's our own version of Heartbleed and other highly-publicized critical vulnerabilities in open source software.

This issue should not reflect badly on the Drupal community, or the Drupal product at all. Vulnerabilities happen to every software project – particularly the large and complex ones like Drupal! In this case it was the result of a choice in the database abstraction layer to use emulated prepared statements. There's a great dissection of the whole vulnerability elsewhere, but the point here is that it was an intentional decision. We were aware of a theoretical security risk, just as we are in making lots of decisions. But theoretical risks don't mean much compared with real, measurable losses from the available alternatives. As I said before, this can happen to any software project, and Drupal is a relatively responsible, well written one. What's interesting now is the response.

First of all, I am amazed to read responses from many Drupal users who are panicked at having to run a diff of their sites, because they don't have appropriate tools in place. If you are developing without a VCS and automated backups, you are doing more harm than good. Just stop. Take a week to learn the basic requirements of a development environment, and start employing them. End of story.

I'm not concerned for those people – their sites were disasters waiting for an excuse anyway. What's frightening about this particular situation is that even if you are working with backups and a VCS, even if you patch critical security vulnerabilities on an aggressive schedule, it still wasn't good enough.

All of my Drupal 7 sites are affected by this PSA. I work for a large, well-respected agency, with access to leading-edge workflows and tools. We follow best practices. All of my sites are secured well beyond PCI requirements. But PCI requirements say that critical security patches have to be applied within 30 days of release. Our best practices include patch review from the tech lead, and validating patches on test environments before pushing them live. With only 7 hours between patch release and exploits in the wild, there isn't time for any of that.

I've heard people complain that it's too difficult to update Drupal. "drush up --security-only" seems pretty simple to me, or at least simple enough that further simplification won't address the real problem. That's because the real problem isn't that it's difficult to apply updates – it's that a human being has to initiate them. I live in the Central European timezone, GMT+6. The patch was released at 10PM for me, and bots were exploiting it by 5AM the following morning. I went to work that day and initiated the patching process, so that my patches could be "responsibly" deployed to live with 24-48 hours of client validation time on my dev and staging environments. Despite being relatively on top of patches and responding relatively quickly, the fact that I'm human, and my clients are human, meant we never stood a chance of patching this issue fast enough. Even if we skipped validation, and even if the update process was just one button (rather than two commands), we would still have failed to update in time. I find myself reminded of the Battlestar Galactica pilot, where the Cylon robots are chasing the humans. After each hyperspace jump, the humans have 33 minutes to complete the calculations for another jump before the machines catch up with them. After 130 hours and 237 jumps, it becomes apparent that the humans' need for sleep is a critical vulnerability.

The only solution is automated patching. It's hard to figure out a workflow that allows it; indeed you're forced into post-hoc testing, which means engineering an easy rollback solution. The truth is that 99% of security patches will not affect any of the functionality you've customized or upon which you rely, so hopefully this will be an edge case. But it's a problem that actually has to be addressed. Here's how I'm adapting my own projects over the coming weeks:

Every Wednesday, every hour, my Jenkins instance runs a script which checks modules and core for each project for security updates. When an update is available, it automatically creates a branch off of Stable (my staging branch), applies the updates, and pushes the result up to the server. My git scripts already create a new subdirectory environment for every pushed branch. Once the environment is ready, Jenkins runs all available Behat tests against the new branch. If all tests pass, the branch is automatically merged back into Master, Stage, and Live, and pushed. This push operation triggers a normal Jenkins deployment, which takes a backup anyway. An email is generated to the project administrator advising them which security updates were automatically applied, and linking to the relevant changefiles.

I'm excited about implementing this new layer of automation, because it builds on the best practice workflows I already like (test driven development, git flow VCS organization, automated deployment and backups...) to produce a tangible time savings and security improvement for my sites. At the same time, I can't say that this is something I recommend for EVERYONE, precisely because it requires such a high level of environment maintenance. When you're a one-person development shop, it's hard to afford the time to set up the perfect development environment. It's hard to convince those bottom-of-the-food-chain clients to pay for things like automated testing and deployment. And certainly once you have those things set up, you don't get paid for maintaining them!

I'm going to be keeping my eyes open for better solutions that can be applied by the "developer on the street." Something relatively easy, but which allows the same kind of automated, fast response time for security patches. I'm interested in any ideas you want to post in the comments!
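The hourly check in the workflow above has one step that is easy to get wrong: deciding, from what drush reports, whether a security update is actually pending before any branch is created. The script below is an added example and not the author's Jenkins job, nor part of drush or Drupal. It assumes drush 6 and git on the PATH, a git checkout of the site, and that `drush pm-updatestatus --security-only` prints one row per project whose message column reads "SECURITY UPDATE available" for affected projects; the sample table used to exercise it is constructed. The helper functions run anywhere; the job itself only runs when RUN_UPDATE_JOB=1 is set, because it needs a real site checkout.

```sh
#!/bin/sh
# Added example: the decision step of an automated security-update job for a
# Drupal 7 site kept in git and managed with drush. Not the post author's
# Jenkins script; drush 6 command names and output format are assumed.
set -eu

# True (exit 0) if drush's update-status table lists at least one security
# update. $1 is the text printed by `drush pm-updatestatus --security-only`
# (assumed: affected rows carry the message "SECURITY UPDATE available").
has_security_updates() {
  printf '%s\n' "$1" | grep -q 'SECURITY UPDATE available'
}

# Names of the projects needing a security update, one per line. Assumes the
# project name is the first whitespace-delimited column of each affected row.
security_update_projects() {
  printf '%s\n' "$1" | awk '/SECURITY UPDATE available/ { print $1 }'
}

# Branch name for one automated run, derived from a timestamp so that every
# run gets its own branch (and therefore its own test environment).
update_branch_name() {
  printf 'security-update-%s\n' "$1"
}

# The job itself: branch off the staging branch ("Stable" in the post), apply
# security updates only, commit, and push so CI can build and test the branch.
# Needs a real site checkout, git and drush, so it only runs on request.
run_update_job() {
  site_root="$1"
  staging_branch="$2"
  stamp="$(date +%Y%m%d-%H%M)"

  cd "$site_root"
  status="$(drush pm-updatestatus --security-only 2>/dev/null || true)"
  if ! has_security_updates "$status"; then
    echo "no security updates pending"
    return 0
  fi

  branch="$(update_branch_name "$stamp")"
  git checkout -b "$branch" "$staging_branch"
  drush pm-update --security-only -y
  git add -A
  git commit -m "Security updates: $(security_update_projects "$status" | tr '\n' ' ')"
  # From here the branch-per-environment hook and the Behat run take over;
  # merging to master/stage/live should only happen if those tests pass.
  git push -u origin "$branch"
}

if [ "${RUN_UPDATE_JOB:-0}" = 1 ]; then
  run_update_job "${SITE_ROOT:-.}" "${STAGING_BRANCH:-stable}"
fi
```

Two things worth keeping from this shape: the job never touches the working tree unless drush reports a security update, so a transient drush failure (the `|| true`) results in "nothing to do" rather than a half-applied update; and every run lands on its own branch, which is what makes the rollback the post asks for trivial (delete the branch, never merge). The column parsing is tied to drush's table layout, so pin the drush version the job runs with.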

Phase2: Learn The Hard Things About Project Management At BADCamp!

Mon, 11/03/2014 - 16:53
I'll be giving a talk at BADCamp called "I have Made: Collected Project Management Failures." It'll be funny, and true, and probably reference a few different stories from the past. However, when I look at what the real truth is to a talk about project management mistakes, I go to the source. What are the hardest things about project management?

If you google this, you're likely to get the answer of 'everything'.

For me, when I look at this, I separate this out into five different areas of hard:

1. Team
2. Clients
3. Services
4. Alignment / Mission
5. General Sucking: Hard decisions

1. Team

Around the area of team, I think this is one of the biggest things that you're hired to watch over as a project manager. It's your job to make sure that you're engaging the team to make sure that the problems get solved, that you're building what you set out to build. It's so common in my own work that when I feel like there is friction or struggle, I have to lean back and ask myself if I've actually worked on really engaging the team – or if I've just charged ahead full bore. (Mistake #543)

Do I have the right team?

I have definitely been on projects or working with teams that just didn't have the right fit. There had never been a conversation about whether the people working on that particular 'thing' were right for it. (Mistake #324) Or they were being used in ways that didn't suit them personally; they were being asked to use their weakest skills in a really strong way, and it was burning them out. (Mistake #221)

Did I give everyone enough time?

This is where people will use Agile to its best advantage. Agile, when you're actually tracking story points and estimating, will give you enough space to be able to understand if you've crammed too much in. (Mistake #112) Did we ask too much in that space from people? (Mistake #14) Are we working under a really silly timeline (Mistake #87) and did we not find out until too late? (Mistake #98) Even more to the point, once we know the problem, are we not willing to correct it? (Mistake #465)

2. Clients

Do we have the right clients? Are we, the people building things for them, the right people to do it? Do we understand their mission? Did we do enough to make sure they understood when, how, and where we were going to build? Do they understand what we're not doing? Are they ok with their role here? Do they understand 'scarcity' in action? Does that shock them?

The list goes on, but in order to be the best technology partner, when you're helping to lead everything to the finish line, everyone has to agree.

3. Services

This is the day-to-day stuff and where new project managers that are client facing get tripped up. Answering for the developers when you shouldn't. "That should be easy." Making estimates while having no idea what you're doing. Estimating things in general. Setting the expectation that you're going to be available all the time. Or not setting expectations at all.

Services isn't the hardest-hardest part of this, but it generally adds to it.

4. Alignment / Mission

There's a statement running around the internet right now that working on things that aren't aligned with your values is just stressful. Working on things that are is called passion. You'll notice when it's just not working, because you can't get rid of that pit in your stomach, that sinking feeling. Not listening to it is a big mistake.

5. General Sucking: Hard decisions

Part of your job is being the person that says no, that continually tries to find a way to make the project a success. You'll sometimes be in the place where everything, all of these 4 things above, is collapsing around you. And it sucks. And it happens to a lot of us that do this, because you are the one that's pulling the threads together.

It gets better.

You are not always going to have these weeks. I refer to them as 'hell weeks'. Please keep your hands and arms inside the hell week until it comes to a full and complete stop. In these weeks, it's even more important for you to pay attention to you. Get some sleep. If you can't get some sleep, talk to your team about how you are feeling, and figure out how to articulate what the problem is so that everyone can solve it together. (Also, ask yourself how you're working with your team!)

Internalize the idea that you are no good to us dead, and take care of what you can. Projects end, one way or another, and you'll get through it – one email, one day at a time. These things are hard, projects are hard, building things is hard – but hard things are worth doing.

Hope to see you at BADCamp for my session "I have Made: Collected Project Management Failures." Check out all of the thought leaders at BADCamp!

Singlebrook Technology: Super Simple Drupal Layout with Region View Modes

Mon, 11/03/2014 - 15:28
by Jeff Amaral

Combining Drupal core's view modes and regions with a small home-grown module created a new way to lay out node pages.

The resulting module, Region View Modes, places copies of nodes, rendered through specific view modes, into theme regions. Yes, those are the same regions into which you would normally place blocks. There's no new layout system here. You use the one you already have: your theme.

Once enabled, using the module is pretty easy:

- Visit the Manage Display page for any content type (e.g. Article)
- Expand the Custom Display Settings section
- Check the view mode for one or more theme:region combinations. For example, Bartik theme: Sidebar first region
- Click Save at the bottom of the page
- You'll now see the activated view mode(s) near the top of the page. Click on one.
- Reorder, hide, or change the settings for any fields
- View a node of that content type

[demo video]

That's all you need to know to use the module, but if you're curious about how it works, read on!...

Featured Case Studies: Greenpeace Greenwire global community

Mon, 11/03/2014 - 15:21
[Image: Greenpeace Greenwire global Drupal community]

An international community for a greener future

Nalini lives in a small city in India. To save money, all school books and student papers are copied or printed at the local print shop. Nalini is immensely annoyed with her classmates when they choose to print on a single side of paper. If everyone used both sides, she reasons, it would reduce their paper use by half. Nalini sends a message to Greenpeace International through Facebook: "I have an idea for a campaign you should run!"

Greenpeace International is a worldwide independent nonprofit organisation that aims to protect the environment and promote world peace. Originally founded in 1971, the organisation is now active in 44 countries and has 2.8 million supporters. With nearly 2 million Facebook likes and millions of site visitors worldwide, Greenpeace International receives suggestions like Nalini's thousands of times per year, and because they simply can't take on every new campaign idea, they wanted to find a way to empower their supporters to run their own campaigns, in their own communities.

In addition, Greenpeace International already had an active volunteer base of 20,000 volunteers, organised in about 400 local groups. Each local group, or national volunteer network, had its own management and communication tools; a true global volunteering 'database' was non-existent, with the data instead spread across lots of individual spreadsheets and Google Docs, making it hard to track and measure.

Challenges like these spurred Greenpeace International to create Greenpeace Greenwire, its own online community for employees and volunteers. It's a meeting place where people can connect with other volunteers, activists and groups working on environmental campaigns in their country. When Greenpeace Greenwire rolls out to more offices, it will allow international connections too.

As well as helping activists find and participate in Greenpeace-led volunteer groups and events, Greenpeace Greenwire lets users create their own events and organize their own activities. Users can start groups, host events, run campaigns, share photos and videos, and write blogs.

Greenpeace Greenwire is a unique project in that it serves a worldwide community, so it needs to be able to scale up to hundreds of thousands of global users, but it also serves each element of that community's specific set of needs. Flexibility is another key element of the project: allowing users to have different roles in different domains for national and regional offices, and also allowing for flexibility regarding which languages each user could choose. It was also crucial that each user feel comfortable providing their personal data in order to take full advantage of the Greenpeace Greenwire community, but on the other hand, the data must be kept secure and limited only to certain authorized users.

[Screenshot: Greenpeace Greenwire - USA homepage]

Key modules/theme/distribution used: Domain Access, Organic groups, Search API, Universally Unique IDentifier, Context, Entity reference, Message, Message Subscribe, Language field, Media, CDN, Entity cache, SimpleTest Fixture, User Relationships, Views, Automated Logout

Organizations involved: GoalGorilla

Team members: jaapjan, bramtenhove, jochemvn, stefanotabarelli, ronaldtebrake, kevinmuller, 7gipsy

Jonathan Brown: Drupal / Bitcoin BIP 70 / PKI certificates

Mon, 11/03/2014 - 15:00
Previously: a post on Drupal / Bitcoin Payment Protocol (BIP 70) integration

BIP 70 provides a mechanism so that a customer can be sure that they are sending a Bitcoin payment to the correct place. Before BIP 70, the customer would simply be presented with a Bitcoin address to send the amount to. This address could potentially be tampered with so the funds get sent to someone else. It is also not very user-friendly to be sending money to a random collection of letters and numbers.

Now public key infrastructure (PKI) is used to present the customer with cryptographic proof that they are making the correct payment. The payment information that the Bitcoin wallet receives is supplied with a certificate and is digitally signed. The wallet can then present a human-readable, secure payment destination to the customer, i.e. the name of the company or a verified email address.

This functionality is now implemented in Coin Tools.

To start using it you need to obtain a certificate. The easiest way to do this is to create a free account at StartSSL. Once they have verified that you own your email address they will put a certificate to this effect into your web browser.

You need to extract this certificate (and its private key). Here is how to do it using Firefox, but other browsers are similar. First you need to view your certificates.

Then back up the certificate for your email address provided by StartCom Ltd.

Make sure you save the file with a .p12 extension. P12 (PKCS #12) is an archive file format for storing cryptographic objects like private keys and certificates.
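The next step in the post is to pull the certificate and private key out of that .p12 with openssl and paste them into Coin Tools. Before doing that it is worth checking that the two PEM files you end up with actually belong together, and that the Common Name is the one your customers' wallets will display. The script below is an added example and not part of the post or of Coin Tools: it builds a throwaway self-signed stand-in for the StartSSL certificate (constructed, so the script runs offline), packages it into a .p12 the way the browser export does, runs the same two `openssl pkcs12` extraction commands with the passwords supplied non-interactively, and then compares the public key in the certificate against the one derived from the private key. The file names, passwords and the alice@example.com subject are placeholders.

```sh
#!/bin/sh
# Added example, not from the post or Coin Tools: export-style .p12 round trip
# plus a check that the extracted certificate and private key match.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
P12PASS="export-pass"   # placeholder: the password typed when saving the .p12
KEYPASS="key-pass"      # placeholder: the passphrase chosen for privateKey.pem

# Constructed stand-in for the browser-exported StartSSL client certificate:
# a self-signed cert whose CN is the "verified email address" the wallet shows.
make_test_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=alice@example.com" \
    -keyout "$WORK/tmp.key" -out "$WORK/tmp.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/tmp.key" -in "$WORK/tmp.crt" \
    -out "$WORK/backup.p12" -passout "pass:$P12PASS"
}

# The two extraction commands from the post. -passin answers the prompt for
# the .p12 password; -passout sets the passphrase that encrypts privateKey.pem.
extract_pems() {
  openssl pkcs12 -in "$WORK/backup.p12" -clcerts -nokeys \
    -out "$WORK/publicCert.pem" -passin "pass:$P12PASS"
  openssl pkcs12 -in "$WORK/backup.p12" -nocerts \
    -out "$WORK/privateKey.pem" -passin "pass:$P12PASS" -passout "pass:$KEYPASS"
}

# Prints 1 if the public key inside publicCert.pem equals the public key
# derived from privateKey.pem (compared by SHA-256 of the PEM), else 0.
cert_key_match() {
  c="$(openssl x509 -in "$WORK/publicCert.pem" -noout -pubkey | openssl sha256)"
  k="$(openssl pkey -in "$WORK/privateKey.pem" -passin "pass:$KEYPASS" -pubout | openssl sha256)"
  if [ "$c" = "$k" ]; then echo 1; else echo 0; fi
}

# Prints the certificate subject in RFC 2253 form, e.g. CN=alice@example.com;
# this is what a BIP 70 wallet will display as the payment destination.
cert_cn() {
  openssl x509 -in "$WORK/publicCert.pem" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}
```

With a real StartSSL export you would skip make_test_p12 and point the two extraction commands at your own file; the match check and subject check are the part worth keeping, since a mismatched key and certificate will only show up later as wallets rejecting the signed PaymentRequest.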
You will be prompted for a password to encrypt this file.

Next you need to extract your certificate and your private key from this file like so (replace <your-backup>.p12 with the file you just saved):

    openssl pkcs12 -in <your-backup>.p12 -clcerts -nokeys -out publicCert.pem
    openssl pkcs12 -in <your-backup>.p12 -nocerts -out privateKey.pem

Each of these commands will require you to enter the password you encrypted the P12 file with. When extracting the private key you must also provide a passphrase it should be encrypted with.

Next you need to add the certificate to your payment type (or create a new one). With the latest version of Coin Tools 8.x-1.x there are additional fields on the payment type form for this. Paste the contents of publicCert.pem into the Certificate field.

And paste the contents of privateKey.pem into the Private key field. Select "Private key is encrypted" and enter the passphrase you encrypted it with. Bear in mind that the private key now lives in your site's configuration, so the site's database and its backups need to be treated as holding a secret.

When making a payment, the customer's wallet will now display the certificate's Common Name. In this case it is a verified email address.

Ansible and Drupal Development - Part 2

Mon, 11/03/2014 - 13:00
In part 1 of this tutorial, we covered how to configure and use Ansible for local Drupal development. If you didn't have a chance to read that article, you can download a fork of Jeff Geerling's Drupal Dev VM to see the final, working version from part 1. In this article, we'll be switching things up quite a bit as we take a closer look at the second three requirements, namely:

by aaron

Drupal Aid: How to quickly add SSL to your Drupal Site

Mon, 11/03/2014 - 12:09
Something that new Drupalers struggle with is getting their site secured with SSL (the little lock in the browser, or https://). Their first reaction is, "There has to be a module for that," and there are a few modules for getting your site HTTPS-friendly, but there is a much easier solution. Read on to find out how to do it simply through your .htaccess file.

Blue Drop Shop: Update: Drupal Camp A/V Kit REBOOT!

Sun, 11/02/2014 - 22:56
In my initial test of a new session recording kit, some recordings were lost due to lack of audio. Also, the test setup used powered lav mics, which don't fly too well with multiple presenters.

As a follow up, I tested the H2N digital voice recorder because it just so happens to have a line out jack. So the question was whether that line out would be compatible with the HD PVR for audio. I'm happy to report that it is!

This is fantastic news for many reasons:

- Co-presenters or panels: Standing several feet away from the unit for the test resulted in great sound quality
- No microphone cords: Speakers are free to roam, if that is their style
- Redundancy: If the voice recorder is powered and hooked up correctly, the PVR will spit out a finished MP4, but should that audio fail for any reason, there will be a backup recording on an SD card

At $160, the recorder definitely costs more than the original lav mic tested at DrupalCamp Fox Valley. With the suggested accessories (A/C power, tripod, wired remote, case, 32 MB SD Card, audio cable) the audio component comes to about $225. This brings the total kit cost to approximately $425 per room, which should accept a full day of recording and accommodate most laptops.

I'll be attending BADCamp and plan to bring the full kit with me, if anyone wants to check it out. Hell, if I get the chance, I will try to test it in the wild. Next steps are testing dongles for various portable devices, as well as contacting the Drupal Association to see what is needed to make these available for camps.

Huzzah!

Tags: drupal planet, drupal camps, session recording

Open Source Training: 7 Things to Know about the Drupal Security Issue

Sun, 11/02/2014 - 11:24
By now you've probably heard about the extremely serious Drupal security issue from mid-October.

The Drupal security team issued a new warning two weeks later that, if possible, escalated the severity of the issue.

Here's an overview of the issue and its impact.

Modules Unraveled: Why doesn't Drupal offer an auto update feature like Wordpress?

Sat, 11/01/2014 - 19:30
[Image: Drupal Auto Update Feature?]

Let me start out by stating that I don't know the technical implications of an auto update feature. Okay? I don't have the answer. I'm just looking for information. Best case, I can help get something started that will benefit the entire Drupal community in the future.

With that out of the way, I firmly believe that anything is possible with Drupal. And with the Drupageddon of late, an auto update feature would be greatly appreciated by many, I'm sure. (I certainly would have benefited from one.)

I was recently discussing the security update with some friends, and one of them asked "Does Drupal have an auto update?"

And I was like...

Immediately, I thought about all of the updates I don't immediately apply to contrib projects because they change a configuration option, or otherwise modify the way I've set up the site.

So I thought "I don't really want an auto update because it might break things."

That said, why can't Drupal automatically update security fixes, at least in core? If it did, Drupageddon could never have been a widespread issue.

It's easy to think, "Well, it's fixed now, so there's nothing to worry about."

But I think that's shortsighted.

The particular vulnerability that caused Drupageddon has been around since the inception of Drupal 7, which was officially released in 2011. So, for at least 3 years, every time we've fixed a security flaw, we've thought, "It's fixed now, so there's nothing to worry about." ... until the next issue was found, and this last one was a pretty gigantic one!

WordPress introduced auto update in version 3.7 on October 24, 2013. They also included options in their configuration file that can be set to disable auto updates, as well as choose which types of updates should be performed automatically: none, major and minor, or minor only.

You can read more about it on the Configuring Automatic Background Updates page.

I'm just curious if this is something that can be added in a point release of D8 (like 8.5 or something).

Also, I've read a few posts saying that auto updates would not fit their workflow. They use Drush, Git, etc. to manage their development workflow. And if that's you, I'd say that turning the auto update setting to off would mean that you can continue to work the way you currently do.

However, small business owners, churches, non-profits and the like that have volunteers (with little to no development background) managing their sites don't have the luxury of utilizing Git, Drush, etc. In those scenarios, I think the case could be made that an auto update feature (as long as the updates are tested before release) could be a much more stable way of maintaining a site than having a volunteer FTP files to a server without really knowing what they are doing.

If you have thoughts, please add them below. I'd love to hear them!

Updates

1. After doing some more research, I've found that some people tried to do this in D7, but postponed it to D8. However, there hasn't been any movement since April 28, 2013.
2. There's also a post explaining why auto updates would be a very bad idea, from September 1, 2011. I'm not sure that I agree with everything he says though.

Tags: Drupal Core, Security, Auto-Update, planet-drupal

Bryan Ruby: Drupal Security: Not Shocking but Responsible

Sat, 11/01/2014 - 17:24
Over the years, I've made it an unwritten policy not to sensationalize bug fixes and security vulnerabilities in content management systems. While there may be great interest in such stories, I believe such stories have a tendency to cause more harm than good. When sensationalized, such articles tend to cause customers to address security concerns with emotion instead of logic, which is never a good thing. So, when the security vulnerability known as Drupageddon broke and Drupal developer Bevan Rudge posted "Your Drupal website has a backdoor", I knew this story was going to eventually reach mainstream media. In the meantime, I've been struggling with how best to write this article and what story needs to be told.

For those that don't know, Drupageddon is the highly critical SQL injection vulnerability in Drupal 7 core and was fully disclosed by the Drupal Security Team. Since the dawn of time when databases were introduced to websites, SQL injection vulnerabilities have been discovered and in the majority of cases, when found, are patched by their developers and system administrators. What makes Drupageddon particularly nasty is that the vulnerability can be exploited by users not even logged into your site (in Drupal they're called anonymous users). Worse, if you didn't update your site quickly enough, your site may still be compromised even after applying the fix (in 7.32 or later versions).

It took two weeks, but the media have finally begun to use this Drupal event to sell their headlines. A recent article claims that up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software. While there is the potential for every single Drupal site on this earth to be compromised, I tend to believe Bevan Rudge's assessment that the real world numbers are more likely in the hundreds of thousands. But the author of the article also found someone to state that this vulnerability and the need to audit your system for additional vulnerabilities is "shocking".

Having managed various software applications and websites for two decades, I find myself annoyed and angry that once again I'm patching and auditing my websites with extreme effort. We've all seen these types of security exploits in a wide range of software applications from a wide range of software developers. Ten years ago I discovered an ecommerce website that I managed had been hacked due to a SQL injection exploit. What upset me the most wasn't that the site was hacked but that the application's developers were aware of the problem for months but failed to publicly disclose the information to users. While the software industry has gotten better at disclosing vulnerabilities and providing fixes for their software, there is a lot of improvement that can still be made.

Perhaps what is shocking for those that don't know Drupal's open source community isn't the security exploit itself, but observing Drupal's willingness to fully disclose and take responsible steps to fix what is broken. It has been my experience that too many software vendors attempt to soften the blow in their disclosures to please the marketing arm of their company, no matter how serious the exploit. Drupal, on the other hand, often takes the opposite approach. As a CMS critic I don't think I could write stronger words of warning in an article than what Drupal's community already does.

Drupal Security Team: "A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users." [October 15, 2014]

Bevan Rudge, Drupal.Geek.NZ: "I estimate hundreds of thousands of Drupal websites now have backdoors; between ten and ninety percent of all Drupal websites. Automated Drupageddon exploits were in the wild within hours of the announcement. Updating or patching Drupal does not fix backdoors that attackers installed before updating or patching Drupal. Backdoors give attackers admin access and allow arbitrary PHP execution. If your Drupal 7 (and 8) website is not updated or patched it is most likely compromised. If your website was not updated within a day of the announcement, it is probably compromised. Even if your website was updated within a day, it may be compromised." [October 22, 2014]

Drupal Security Team: "While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch." [October 29, 2014]

I'm not a software developer, but I understand the news cycle for covering content management systems very well. Although this is a two week story for the Drupal community, we can expect to see more articles from authors and experts claiming their shock and dismay that such vulnerabilities in the Drupal software can exist. My spin is simply this: the media is only aware of this story because Drupal takes ownership and responsibility to disclose and address security issues in its own software. I personally find news of the vulnerability a non-story. The real story out there is the companies and software developers pointing fingers at Drupal who are not so forthcoming with their own security vulnerabilities. Those are the stories that need to be told.

This article was originally posted on CMS Report.

Károly Négyesi: MongoDB and Drupal 8: what and why?

Sat, 11/01/2014 - 16:22
Now that we have a fairly good idea how Drupal 8 and data look, let's discuss what MongoDB can provide and why you would want to run it. In Drupal 8, every kind of data can be stored independently. I fully expect that people will indeed mix storages. For example, D8 by default runs a config query on every page to find the blocks to be displayed for the current theme. Again, by default, config entities are stored as serialized PHP arrays, so the only way a query like that can run is to load every single block entity from the database and iterate over them. This can get quite slow with hundreds of blocks; don't forget that a block entity just stores the placement of a block and the same block can be placed several times. Also, after finding the blocks for the current theme, visibility rules (path, node types, roles) are applied again in PHP. If the configuration is stored in MongoDB then all this can become an indexed, practically instant query. Configuration storage, after all, is just storing, querying and retrieving arrays, and MongoDB is really, really good at that. Because of this, I expect many sites to pick MongoDB for their configuration storage. I also expect that because of the simplicity of cross-entity-type JOINs, many people will stick with SQL for their content storage. Although it must be noted that the choice can be made per entity type, and as MongoDB stores complete entities it is able to index even those queries that the SQL storage cannot.

There are some simpler storages which are also a good fit for MongoDB: sessions, because of the write performance, and logging, because MongoDB has a capped collection (a circular buffer) feature so you will always have the latest N messages and never too much.

Paul Booker: 5 commands that help with drupalgeddon

Sat, 11/01/2014 - 00:41
Showing files that have changed on the live server:

    git status

Looking for code execution attempts via menu_router:

    select * from menu_router where access_callback = 'file_put_contents';

Showing which files are on the live server and not in version control:

    diff -r docroot repo | grep docroot | grep 'Only in docroot'

Finding PHP files in the files directory:

    find . -name '*.php'

Checking the amount of time between when a user logged into your site and their most recent page visit:

    select (s.timestamp - u.login) / 60 / 60 / 24 AS days_since_login, u.uid from sessions s inner join users u on s.uid = u.uid;

Hotfix (SA-CORE-2014-005):

    curl | patch -p1

Sorry, that was 6. Please add others in the comments.

If you need help regarding the recent Drupal vulnerability feel free to contact me.
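The commands above are one-liners typed by hand. As an added example that is not part of the original post, the script below turns two of them (PHP files under the uploads directory, and files present on the live server but absent from the deployed checkout) into shell functions and exercises them against a constructed throwaway docroot so it runs offline. The `sites/default/files` layout is Drupal's default; the fixture file names are made up for the demonstration. Two caveats a responder would add: `git status` trusts `.git` metadata on the same server that may already be under attacker control, so comparing against a clean checkout copied from elsewhere (as the diff-based function does) is the more trustworthy check; and the `menu_router` query is usually widened to cover `page_callback` as well as other callables such as `assert`, `system` or `exec`, since any PHP function name placed in those columns gets called. None of this finds backdoors that live only in the database, which is why the Security Team's advice to restore or rebuild stands.

```sh
#!/bin/sh
# Added example (not from the original post): two of the checks above as
# reusable shell functions, run against a constructed throwaway docroot so
# the script works offline. Fixture file names are assumptions.

# Print PHP-executable files under the public files directory of DOCROOT ($1).
# Drupal never needs executable code there, so every hit deserves a look.
find_php_in_files() {
  find "$1/sites/default/files" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null | sort
}

# Print files that exist in the live DOCROOT ($1) but not in the clean
# checkout REPO ($2). diff -rq reports each extra file as "Only in DIR: NAME";
# sed rebuilds the path and grep keeps only the docroot side.
files_not_in_repo() {
  diff -rq "$2" "$1" 2>/dev/null \
    | sed -n 's|^Only in \(.*\): \(.*\)$|\1/\2|p' \
    | grep "^$1/" | sort
}

# Build the constructed fixture: a clean checkout and a live docroot that
# carries two extra files, one of them a PHP file in the uploads directory.
# Prints the fixture root so callers can clean it up.
make_fixture() {
  root=$(mktemp -d)
  for side in repo docroot; do
    mkdir -p "$root/$side/sites/default/files"
    printf '<?php // front controller\n' > "$root/$side/index.php"
    printf 'not really an image\n' > "$root/$side/sites/default/files/logo.png"
  done
  printf '<?php // stand-in for an uploaded PHP file\n' \
    > "$root/docroot/sites/default/files/shell.php"
  printf '// stand-in for a file added on the server only\n' \
    > "$root/docroot/sites/default/extra.inc"
  echo "$root"
}

# Stand-alone run: build the fixture, show both reports, clean up.
demo=$(make_fixture)
echo "PHP files under sites/default/files:"
find_php_in_files "$demo/docroot"
echo "Files on the server that are not in the repo:"
files_not_in_repo "$demo/docroot" "$demo/repo"
rm -rf "$demo"
```

On a real site, point `find_php_in_files` at the live docroot and `files_not_in_repo` at the live docroot plus a fresh clone of the deployed tag made on a machine you trust; anything either function prints is a lead for the forensic timeline, not proof of compromise on its own.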

Stauffer: Drupal Internationalization

Sat, 11/01/2014 - 00:32
The need to translate sites to other languages continues to increase with each passing year. Businesses seeking expansion in new markets are incorporating additional languages to their sites as a way to further drive growth. Developers in the Drupal community recognized this shift and have taken action.

The following questions arise when one begins the process of internationalizing a website: Do we have to override everything in the additional language(s)? Is there a way for citizens of other countries to have the whole configuration and administration of Drupal in their language? Is there any support for their language? If so, what does this translate? Only content? GUI? Both? How can this best be achieved?

Luckily, Drupal has the ability to expand its core benefits using modules. Modules are a very powerful tool that allows Drupal users and developers to add new functionality to their site. In the case of creating an international website, we know we must have two or more languages available on the site. In order to make this happen, one must use the appropriate list of modules in order to not only get the administration in the other language, but to also make the content and the whole site available in the desired language(s).

The Drupal modules for this are: Internationalization, Pathauto, Token, Transliteration, Variable, Chaos Tools, Views, Internationalization Views, Localization Update and Administration Language.

For more details on how to install a module see Installing Modules (Drupal 7).

After installing each module, you should enable each one under Administer > Modules, or if you're familiar with the command line, use Drush. For more information on how to use Drush see the Drupal.org documentation on managing a site from the command line using Drush.

The next step will be configuring each module to make our international site live. For more information regarding the steps to do on each module after installing them, visit the Basic Internationalization setup guide.

Drupal core announcements: What changes are allowed during the Drupal 8 beta phase?

Fri, 10/31/2014 - 22:00
Now that Drupal 8 is in beta, we are narrowing the changes we allow to Drupal 8 core to accelerate our progress toward Drupal 8's release. The Drupal 8 branch maintainers have established a policy on the allowed changes during the Drupal 8 beta to help contributors understand what changes are no longer allowed. All core contributors should review this policy and try to apply it in each issue.

Key updates for core contributors

1. To take full advantage of the sprints at DrupalCon Amsterdam, we allowed one month after the initial beta release for many changes to go in. The deadline for those issues was October 27, so now all issues are subject to the beta policy.
2. Many changes will now be postponed to a later release, especially many types of normal tasks that do not directly help make Drupal 8 releasable. See the policy issue for specifics.
3. We will also be more rigorous about issue priority settings. For example, many issues that are currently major tasks will be reassessed and possibly downgraded to normal (and subsequently may be postponed).

Flowchart for evaluating issues

See the allowed changes policy for details.

[Image: Flowchart of how to assess changes during the D8 beta]

Next steps for core contributors

Read over the new policy, and take special note of how to evaluate issues. Help by posting on your issues with where they fall under the policy.

Acquia: Acquia’s Response to the October 15 Drupal Security Alert

Fri, 10/31/2014 - 19:22
Acquia is committed to ensuring the security and performance of our customers' sites.

Appnovation Technologies: AJAXify Your Links

Fri, 10/31/2014 - 18:57
You can apply AJAX to any element on the page by adding the use-ajax class to that element. Typically we apply this to link elements.

Chris Hall on Drupal 8: Drupageddon a chance to prove the calibre of Drupal community

Fri, 10/31/2014 - 16:39
I doubt that many people who read this will be unaware of the extremely severe security vulnerability that was discovered, reported and patched a couple of weeks ago, or the later release and many related blog posts pointing out exactly how critical early updates and patching are.

If this has ruined a little of your free time recently and/or entailed your agency really earning the costs of any maintenance contracts you offer, consider how terrifying some of the press and implications are for owners of unsupported Drupal sites, many of whom will be small charities and local organisations.

I would like to think that local Drupal groups etc. and the 'Drupal community' in general would step up and help out; if enough of us do that then we could generate some positive press. Yes, we have a security team etc. and that is good, but how are we going to help out?

My local Drupal group will attempt to answer questions and find people to provide a little support (anybody else??).

Appreciate that many people are not in the position to provide a lot of effort for free, but even a small amount of advice could get people on the right track, and Drupal groups are likely to know good freelancers that can afford to help a small company for considerably less than typical agency fees.

All those hackathons, sprints, efforts to drive D8 forward: anybody brave enough to divert some of that effort towards auditing/fixing local sites?? I hope so.

BTW I have slight doubts about this site, although I did fix it by hand based on this commit (this is an old alpha). I will be trashing this server shortly and migrating to a new Beta 2 site and fresh server.