Drupal

Syfy.com

Drupal Main Content - 8 May 2018 - 5:16am
Completed Drupal site or project URL: http://www.syfy.com/

While the Syfy network was busy creating compelling new worlds with shows like 12 Monkeys and Helix, their website was worlds behind. It was not responsive, not beautiful, and, in the words of Matthew Chiavelli, VP of Digital Media and Strategy, "put together with duct tape and baling wire". Syfy needed a scalable, cinematic full-screen experience that would look great on any device and be commensurate to their original content.

Categories: Drupal

State of Drupal presentation (April 2018)

Drupal Main Content - 25 April 2018 - 12:11am

This blog has been re-posted and edited with permission from Dries Buytaert's blog. Please leave your comments on the original post.

© Yes Moon

Last week, I shared my State of Drupal presentation at Drupalcon Nashville. In addition to sharing my slides, I wanted to provide more information on how you can participate in the various initiatives presented in my keynote, such as growing Drupal adoption or evolving our community values and principles.

Drupal 8 update

During the first portion of my presentation, I provided an overview of Drupal 8 updates. Last month, the Drupal community celebrated an important milestone with the successful release of Drupal 8.5, which ships with improved features for content creators, site builders, and developers.

Drupal 8 continues to gain momentum, as the number of Drupal 8 sites has grown 51 percent year-over-year:

This graph depicts the number of Drupal 8 sites built since April 2015. Last year there were 159,000 sites and this year there are 241,000 sites, representing a 51% increase year-over-year.

Drupal 8's module ecosystem is also maturing quickly, as 81 percent more Drupal 8 modules have become stable in the past year:

This graph depicts the number of modules now stable since January 2016. This time last year there were 1,028 stable projects and this year there are 1,860 stable projects, representing an 81% increase year-over-year.

As you can see from the Drupal 8 roadmap, improving the ease of use for content creators remains our top priority:

This roadmap depicts Drupal 8.5, 8.6, and 8.7+, along with a column for "wishlist" items that are not yet formally slotted. The contents of this roadmap can be found at https://www.drupal.org/core/roadmap.

Four ways to grow Drupal adoption

Drupal 8 was released at the end of 2015, which means our community has had over two years of real-world experience with Drupal 8. It was time to take a step back and assess additional growth initiatives based on what we have learned so far.

In an effort to better understand the biggest hurdles facing Drupal adoption, we interviewed over 150 individuals around the world that hold different roles within the community. We talked to Drupal front-end and back-end developers, contributors, trainers, agency owners, vendors that sell Drupal to customers, end users, and more. Based on their feedback, we established four goals to help accelerate Drupal adoption.

Goal 1: Improve the technical evaluation process

Matthew Grasmick recently completed an exercise in which he assessed the technical evaluator experience of four different PHP frameworks, and discovered that Drupal required the most steps to install. Having a good technical evaluator experience is critical, as it has a direct impact on adoption rates.

To improve the Drupal evaluation process, we've proposed the following initiatives:

Initiative Issue link Stakeholders Initiative coordinator Status Better discovery experience on Drupal.org Drupal.org roadmap Drupal Association hestenet Under active development Better "getting started" documentation #2956879 Documentation Working Group grasmash In planning More modern administration experience #2957457 Core contributors ckrina and yoroy Under active development

To become involved with one of these initiatives, click on its "Issue link" in the table above. This will take you to Drupal.org, where you can contribute by sharing your ideas or lending your expertise to move an initiative forward.

Goal 2: Improve the content creator experience

Throughout the interview process, it became clear that ease of use is a feature now expected of all technology. For Drupal, this means improving the content creator experience through a modern administration user interface, drag-and-drop media management and page building, and improved site preview functionality.

The good news is that all of these features are already under development through the Media, Workflow, Layout and JavaScript Modernization initiatives.

Most of these initiative teams meet weekly on Drupal Slack (see the meetings calendar), which gives community members an opportunity to meet team members, receive information on current goals and priorities, and volunteer to contribute code, testing, design, communications, and more.

Goal 3: Improve the site builder experience

Our research also showed that to improve the site builder experience, we should focus on improving the three following areas:

  • The configuration management capabilities in core need to support more common use cases out-of-the-box.
  • Composer and Drupal core should be better integrated to empower site builders to manage dependencies and keep Drupal sites up-to-date.
  • We should provide a longer grace period between required core updates so development teams have more time to prepare, test, and upgrade their Drupal sites after each new minor Drupal release.

We plan to make all of these aspects easier for site builders through the following initiatives:

Initiative Issue link Stakeholders Initiative coordinator Status Composer & Core #2958021 Core contributors + Drupal Association Coordinator needed! Proposed Config Management 2.0 #2957423 Core contributors Coordinator needed! Proposed Security LTS 2909665 Core committers + Drupal Security Team + Drupal Association Core committers and Security team Proposed, under discussion Goal 4: Promote Drupal to non-technical decision makers

The fourth initiative is unique as it will help our community to better communicate the value of Drupal to the non-technical decision makers. Today, marketing executives and content creators often influence the decision behind what CMS an organization will use. However, many of these individuals are not familiar with Drupal or are discouraged by the misconception that Drupal is primarily for developers.

With these challenges in mind, the Drupal Association has launched the Promote Drupal Initiative. This initiative will include building stronger marketing and branding, demos, events, and public relations resources that digital agencies and local associations can use to promote Drupal. The Drupal Association has set a goal of fundraising $100,000 to support this initiative, including the hiring of a marketing coordinator.

Megan Sanicki and her team have already raised $54,000 from over 30 agencies and 5 individual sponsors in only 4 days. Clearly this initiative resonates with Drupal agencies. Please consider how you or your organization can contribute.

Fostering community with values and principles

This year at DrupalCon Nashville, over 3,000 people traveled to the Music City to collaborate, learn, and connect with one another. It's at events like DrupalCon where the impact of our community becomes tangible for many. It also serves as an important reminder that while Drupal has grown a great deal since the early days, the work needed to scale our community is never done.

Prompted by feedback from our community, I have spent the past five months trying to better establish the Drupal community's principles and values. I have shared an "alpha" version of Drupal's values and principles at https://www.drupal.org/about/values-and-principles. As a next step, I will be drafting a charter for a new working group that will be responsible for maintaining and improving our values and principles. In the meantime, I invite every community member to provide feedback in the issue queue of the Drupal governance project.

An overview of Drupal's values with supporting principles.

I believe that taking time to highlight community members that exemplify each principle can make the proposed framework more accessible. That is why it was very meaningful for me to spotlight three Drupal community members that demonstrate these principles.

Principle 1: Optimize for Impact - Rebecca Pilcher

Rebecca shares a remarkable story about Drupal's impact on her Type 1 diabetes diagnosis:

Principle 5: Everyone has something to contribute - Mike Lamb

Mike explains why Pfizer contributes millions to Drupal:

Principle 6: Choose to Lead - Mark Conroy

Mark tells the story of his own Drupal journey, and how his experience inspired him to help other community members:

Watch the keynote or download my slides

In addition to the community spotlights, you can also watch a recording of my keynote (starting at 19:25), or you can download a copy of my slides (164 MB).

Categories: Drupal

Kevin Thull, from behind the camera

Drupal Main Content - 24 April 2018 - 9:17pm

Chances are if you've attended any of the Drupal camps in North America you've run into Kevin Thull. He's the fellow that is dashing from room to room before the first session begins to set up the AV equipment and checking in with presenters making sure they all "push the red button". Because of him, we are all able attend the sessions we miss while busy elsewhere. He is personally responsible for recording over 800 sessions and donating countless hours of his time.

Not only does he record sessions at camps, he also helps organize Midwest Drupal Camp. For this next year he has been charged as their fearless leader. He will be working on their web team, arranging catering, organizing the venue, as well as doing all the audio visual.

This year at DrupalCon Nashville the Drupal Community awarded Kevin the Aaron Winborn award. The Aaron Winborn award is presented annually to an individual who demonstrates personal integrity, kindness, and above-and-beyond commitment to the Drupal community. Kevin's commitment to capturing knowledge to share with the whole community is truly inspirational. He has provided a platform that helps tie local Drupal Communities together.

The Drupal Community Spotlight Committee's AmyJune sat with Kevin before Nashville and asked him some questions about contributing to the Drupal Community.

Ironically, AmyJune had chosen to write this spotlight on Kevin a few weeks before DrupalCon. AmyJune had asked him if he was coming to Nashville and he relayed that he had a prior commitment to attend another conference for his job. Unbeknownst to us, during the interview Kevin knew he had been awarded the honor and managed to keep it a secret. While he did mention that the marketing conference only ran through Wednesday, AmyJune was pleasantly surprised to see him take the stage.

Well, not too surprised, after all he truly deserves the honor.

How long have you been involved in the Drupal community?

I’m not involved with Drupal through my employer, I work in Marketing, but I got into Drupal through freelance.

My first meet up was when the Using Drupal 6 book first came out. I would say that is when I first started getting involved in the community. So, that's close to 10 years now.

I started recording Drupal Camps back in 2013. The official Chicago Camp was having issues and so we as a far western Suburban group decided to have our own camp. I thought I could do some of the logistics and session recordings since that's what I do for work. I had the same setup with video cameras in the back of the room and I spent countless hours rebuilding these presentations. It's a similar process, but it's a very a different presentation between a marketer and someone from the Drupal community giving a presentation on diversity. A marketer might have 20 slides, but a Drupal talk may have 104.

Everybody at the time was telling me I was insane for doing this, but my response was, "Nope, it's important."

In 2014 was the first MIDCamp and we were able to get the DA recording kits. But that was not great either. There was a lot of setup, they were expensive to ship them back and forth, they didn't work terribly well, so that's when Avi Schwab ( https://www.drupal.org/u/froboy) and I started collaborating. He did all the setup for the laptops and I did all the running around from room to room and post production. We brainstormed and I started doing research. The next Suburban Camp is when I had my first test kit for what I am using today.

I saw that you recorded Pacific Northwest Drupal Summit remotely this year? Can you share that experience with us?

That's a funny story. It was the same weekend as Jersey Camp and I tend to favor camps I have already recorded. They had committed before Pacific Northwest Drupal Summit and when Amber Matz saw me at BADCAmp, I explained the conflict. I told her I had started working on the next step and would be shipping the kits to camps. I sat with her and showed her how the kit worked and she said it didn't seem too difficult, and we said "Let's do this".

I got a new case, sent 5 kits to them. It's funny how talking with the organizers of camps helps all of this come together. Because later at New England Camp, I was explaining to one of their organizers how I was shipping kits and he suggested labeling the cables. I thought that was brilliant so I got a label maker and labeled all the cables. I wrote out more a detailed instruction guide, and all these things were things I had been meaning to do.

I sent 5 kits, insured FedEx for around $50, whereas the DA sends this giant pelican case that must cost hundreds of dollars. That was part of the plan originally; we wanted something lightweight and easy to use. I heard they had an 84% capture rate which is a great start. The issue is that non-Macs recordings have no sound and so I have to lay up the backup recording into the video. A lot of times that back up recorder gets turned off or stopped for some reason.

While I was in Florida I started working on pinpointing why non-Mac machines don't have audio. Later, I had mixed success at MIDCamp, I captured a couple, some didn't work, one being an Ubuntu build. At lunch I worked with that presenter to test various setups and we found a setup that worked. Once I can crack that nut, then shipping with even more instructions will increase the capture rates.

Now that you're capturing some camps remote, how does that cut into how much you like to travel?

I do like to travel, but there are a couple of issues. A) I can't be everywhere. B) I am potentially doing 13 or 14 camps this year. Which is cool now, but it may not be cool in couple of years. And C) I don't do Drupal at work and when I first starting doing this I was using all my PTO. I don’t do any Drupal at work, but I brought back all kinds of information and my boss recognized that. She said I could count those as remote days, but of course there's a limit.

There is a balance to be found between visiting the camps and sending the kits remotely.

What are some of your favorite camps?

Everybody asks me that, that question is not fair. I like them all. It's generally the places I know the most people and/or I go ahead of time to play before camp starts. I am not a solo traveller, so if I know a lot of people at the camp I tend to like those: Badcamp, Twin Cities, St. Louis, Texas (cuz of Austin), and Montreal.

What are the things you like to do before a camp that makes it more fun?

HaHaHa, eat and drink all the things. Bar Crawls, Food Crawls, you name it.

Have you given any thought to helping with camps outside the States?

I would like to, but it’s a time and cost issue. The camps now reimburse my travel expenses. To fly to a European camp - I don’t know if that would be in their budget.

It’s interesting, Mauricio Dinarte tailed me for a few camps and he wanted, and he did, get some kits to start recording Nicaragua. One day he tweeted that he saw my kits at Drupal Camp Antwerp. It’s cool to see how these things grow organically. There’s not a camp that goes by where someone from the community doesn’t ask me about how everything works.

Congratulations Kevin!

Kevin’s not just the guy who reminds us all to push the red button. He is the guy who loans out his phone when a presenter is doing a live demo and needs an internet hotspot. He is the guy spending hours during and after Drupal Camps piecing together audio and video for maximum quality. The Drupal Community has so much to thank him for, the Aaron Winborn award couldn’t have been awarded to anyone more deserving.

Link to Kevin Thull Youtube acceptance

On Kevin, from the community:

“It has become a no-brainer to invite Kevin to Florida DrupalCamp and have him record and post all of our sessions online. He makes it easy for us to share our great content with a world-wide audience by coming prepared, making it easy for presenters, and uploading the video almost immediately. He’s a true asset to the community.”  - Mike Anello (Florida Camp)

"His never-ending abundance of energy and positive contributions in the form of Drupal Camp video services in the US is unmatched. At the camps where I’ve spoken or helped organize he has been a great person to work with through the whole process - helpful and organized across the board." - Aimee Degnan Hannaford (BADCamp)

“We appreciated Kevin’s willingness to send recording equipment and documentation to our event so that we could record sessions, even though he couldn’t be there. He was encouraging and helpful all along the way.” Amber Matz (PNWDS Portland)

Thank you Kevin for your contribution to community, for sharing your story with us, and for being a most excellent secret keeper! And thank you to the hundreds of volunteers that make Drupal Camps, Cons, meetups and picnics a success every year. And thank you AmyJune for this most excellent Drupal Community Spotlight article!

Top image credit: Image by Jordana F

Categories: Drupal

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Drupal Main Content - 18 April 2018 - 11:34pm
Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Solution: 
  • If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
  • The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
  • If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.
Reported By: Fixed By: 
Categories: Drupal

Dries Buytaert Shares His View on Decoupled Drupal: When, Why, and How

Drupal Main Content - 17 April 2018 - 2:04am

The following blog was written by Drupal Association Signature Hosting Supporter, Acquia

More and more developers are choosing content-as-a-service solutions known as decoupled CMSes, and due to this trend, people are asking whether decoupled CMSes are challenging the market for traditional CMSes.

By nature, decoupled CMSes lack end-user front ends, provide few to no editorial tools for display and layout, and as such leave presentational concerns almost entirely up to the front-end developer. Luckily, Drupal has one crucial advantage that propels it beyond these concerns of emerging decoupled competitors.

Join Dries Buytaert, founder of Drupal and CTO at Acquia, as he shares his knowledge on how Drupal has an advantage over competitors, and discusses his point-of-view on why, when, and how you should implement decoupled Drupal.

Dries will touch on:

  • His thoughts on decoupled CMSes - where is the CMS market headed and when?
  • His opinion on whether decoupled CMSes will replace traditional CMSes
  • The advantages of decoupled Drupal vs. emerging decoupled competitors
  • Considerations when determining if decoupled Drupal is right for your project
Click here to watch the webinar. Dries Buytaert

CHAIRMAN, CHIEF TECHNOLOGY OFFICERACQUIA, INC.

Dries Buytaert is an open source developer and technology executive. He is the original creator and project lead for Drupal, an open source platform for building websites and digital experiences. Buytaert is also co-founder and chief technology officer of Acquia, a venture-backed technology company. Acquia provides an open cloud platform to many large organizations, which helps them build, deliver and optimize digital experiences. A Young Global Leader at the World Economic Forum, he holds a PhD in computer science and engineering from Ghent University and a Licentiate Computer Science (MsC) from the University of Antwerp. He was named CTO of the Year by the Massachusetts Technology Leadership Council, New England Entrepreneur of the Year by Ernst & Young, and a Young Innovator by MIT Technology Review. He blogs frequently on Drupalopen sourcestartupsbusiness, and the future at dri.es.

LinkedIn

Twitter

https://www.acquia.com/resources/webinars/dries-buytaert-shares-his-view-decoupled-drupal-when-why-and-how?cid=7010c000002ZXzYAAW&ct=online-advertising&ls=drupalpremiumbenefits-dries&lls=pro_ww_drupalassociationpremiumbenefits_2018

Categories: Drupal

Imperial War Museums

Drupal Main Content - 12 April 2018 - 9:17pm
Completed Drupal site or project URL: https://www.iwm.org.uk/

Deeson designed and built a powerful digital platform to harness Imperial War Museums' collection and drive deeper engagement with their events.

The brief.

Deeson was asked to support Imperial War Museums (IWM) in evaluating the effectiveness of their existing digital presence in helping them meet their strategic goals. After a strategic and technical audit, IWM elected to rebuild their website.

They tasked us with launching their new website as a groundbreaking "sixth site" to sit alongside the museum's five physical branches. The site needed to showcase the museum's rich content in compelling new ways.

The results.

We created a bold new website powered by Drupal 8 that is a confident declaration of what Imperial War Museums represents, and reflects the urgency and importance of the subject matter.

The visually arresting design brings to life IWM's collection, branches, and the rich variety of their public programme of events and exhibitions, enabling them to tell the fascinating stories formerly buried deep within their collection.

Categories: Drupal

Implementation Guide on Headless and Decoupled CMS

Drupal Main Content - 3 April 2018 - 5:03am

The following blog was written by Drupal Association Signature Hosting Supporter, Acquia

The rapid evolution of diverse end-user clients and applications has given rise to a dizzying array of digital channels to support.

Websites in the past were built from monolithic architectures utilizing web content management solutions that deliver content through a templating solution tightly “coupled” with the content management system on the back-end.

Agile organizations crave flexibility, and strive to manage structured content across different presentation layers consistently in a way that’s scalable.

Accomplishing this efficiently requires that teams have flexibility in the front-end frameworks that dominate the modern digital landscape. That’s why decoupled and headless CMS is taking off. That’s why you’re here. But now you need the right technology to support the next phase of the web and beyond.

Download this eBook on headless and decoupled CMS
Categories: Drupal

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Drupal Main Content - 29 March 2018 - 2:14am
Project: Drupal coreDate: 2018-March-28Security risk: Highly critical 24∕25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:DefaultVulnerability: Remote Code Execution Description: 

CVE: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.

Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.

Reported By: Fixed By:  Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Categories: Drupal

Thunder, the Drupal 8 Distribution for Professional Publishing

Drupal Main Content - 28 March 2018 - 7:41am

Thunder is proud sponsor of the Media and Publishing Summit ahead of the DrupalCon in Nashville. Meet us on 9th April and during the DrupalCon to learn more about Thunder and how it is used in professional publishing.

https://thunder.org/

Thunder is the Drupal 8 distribution for professional publishing. Thunder was designed by Hubert Burda Media and released as open-source software under the GNU General Public License in 2016. As members of the Thunder community, publishers, partners, and developers build custom extensions and share them with the community to further enhance Thunder.

Thunder consists of the current Drupal 8 functionality, lots of handpicked publisher-centric modules with custom enhancements (our own Thunder Admin Theme, the Paragraphs module, the Media Entity module, the Entity Browser module, and lots more), and an environment which makes it easy to install, deploy and add new functionality (e.g. the Thunder Updater).

To learn more about Thunder projects, read these case studies: German magazine Mein Schöner Garten (Gardening Magazine for Hubert Burda Media), US magazine American Heritage (American Heritage Magazine Migration – Drupal 8), and Serbian television and radio station PannonRTV (News portal for media house – PannonRTV).

About the idea:

We at the Thunder Core Team believe that publishers do not compete with each other through technology, but rather through content and brands. That is why the German publisher Hubert Burda Media established the Thunder community which aims to join forces among media companies by sharing code and innovation power. The goal is to innovate faster and spend less money overall by working together.

The Thunder community’s core product is the open-source content management system Thunder. Community members develop useful modules, use them for their own purposes and share them with the community by publishing them under the GNU General Public License. Neither Hubert Burda Media nor the other publishers in the community charge anyone for their contributions.

Any company publishing content professionally is welcome as a member of the Thunder community - both as user and as contributor. Anyone can join by contributing to the distribution. The usefulness and richness of Thunder’s functionality directly benefit from the number of contributors.

Why Drupal was chosen: 

For Burda, Drupal is the content management platform of choice. It is a free and open-source content-management framework written in PHP and distributed under the GNU General Public License.

The standard Drupal core already provides the essential features, e.g. user management, menu management, RSS feeds, taxonomy, page layout customization, and system administration. It is easily adaptable and extensible with thousands of modules provided by a global community of users and developers. In addition, developers at Hubert Burda Media have had previous good experiences with Drupal. Drupal is therefore a tried and tested basis and has become even better with Drupal 8.

Describe the project (goals, requirements and outcome): 

Thunder started as a way to share innovation and synergies among the many different brands and products within the Burda Corporation to save costs and speed up the time to market. It did not take long until we realized that the model that worked within the very diverse Burda universe would be useful for almost all digital publishers. That was when we decided to open source the distribution.

Due to its open source basis on Drupal 8, all features and functionality within Thunder are available to anyone wishing to benefit from Burda’s industry experience. Individual brands can add modules to tailor the system to their specific needs. Many of those “specific” customizations will prove to be valuable to more than just the organizations they originated from. We therefore designed Thunder in a way that we can easily incorporate those add-ons into the main distribution and share the features among all brands.

Goals:

We aim at becoming the best open-source content management system for professional publishing. In this, we focus on the creation of content. We want to help editors to create articles, to add media, to build landing pages, in short, to share their stories with the world.
We want Thunder to be a CMS jointly developed by its users and are therefore working towards building a community of publishers, IT agencies, and anyone else who shares our ideas and contributes to Thunder.

Our aim in doing so is to stay very close to the Drupal community and the Drupal core instead of creating a Thunder fork. Whenever we want to implement a new functionality or solve a problem, we try to do this in Drupal core or in the modules Thunder uses instead of fixing things in the distribution.

Time spent:

It’s difficult to measure the time spent on the development of Thunder, as this is an ongoing process. Currently, there are four developers employed by Hubert Burda Media working on the distribution full-time, plus several external developers. They focus on the advancement of Thunder as well as Drupal core and the contrib modules used in the distribution. A community manager is working on coordinating and growing the Thunder community of publishers, developers, and other partners.

Timeline and Milestones:
  • 30th August 2015: Repository and first commits for Thunder
  • September 2015: playboy.de – the first website running on Thunder
  • November 2015: instyle.de – the second website running on Thunder as well as proof of concept of the sharing model
  • 17th March 2016: Official press release about Thunder
  • October 2016: produceretailer.com is the first professional non-Burda website running on Thunder
  • 30th January 2017: Release of Thunder 1.0
  • March 2016: One year after the official launch of the Thunder initiative, 15 websites (we know of) are running on Thunder.
  • 1st June 2017: Release of Thunder 2.0
  • 20th July 2017: Release of Thunder Admin Theme
  • 20th November 2017: First community event, the Thunder Day in Hamburg
Results:

We released Thunder 1.0 in January 2017. One year later, at least 60 professional websites that we know of now run on Thunder. In the meantime, we have also released Thunder 2.0 and the Thunder Admin Theme.

Publishing houses grabbed the idea of working together. The Austrian publisher kurier.at, for example, contributed to the liveblog module used in Thunder and developed a new functionality to split text paragraphs.

In community matters, we talked to more than 300 companies worldwide. We established the “Certified Thunder Integrator” program to help publishers to find IT agencies as well as IT agencies to find customers. As of now, there are more than 20 companies certified or in the certification process.

We aim at bringing people together to share experiences. For this purpose, we introduced a Slack team for the Thunder community as well as several social media accounts. Furthermore, we organized the first community event – the Thunder Day – with around 120 participants in November 2017.

Challenges and how we resolved them:

Updating:

Distributions such as Thunder face the problem of losing control after the installation. How should a distribution actually deliver features and updates? We thought a lot about this problem and introduced the Thunder Updater, the “Thunder way to keep your site up to date”. Thunder checks if installed configurations have been changed – if not, they can be updated. Otherwise, you will get a message telling you there’s an update pending and what to do if you wish to have it. This functionality is currently an integral part of the distribution but we plan to detach it and publish it as a module on drupal.org soon so that everybody can use it.

Testing:

Writing an Admin Theme is very difficult because Drupal offers so many possibilities to adapt things: If you change something it can have unexpected effects in unexpected places. To avoid surprises, we developed Sharpeye, a visual regression tool. It takes screenshots and compares them in automated tests. This gives us a good overview. We open sourced the tool and you can download it here: github.com/BurdaMagazinOrg/sharpeye

Technical details, tips, and tricks: Tooling:

We invested a lot of time into automated testing but it was well worth the effort, not only for Thunder but also for Drupal core and the contrib modules we use since we discovered a lot of bugs there too.

Development process:

We don’t use a closed issue tracker but publish our tickets on drupal.org, thereby creating transparency. We use Github rather than drupal.org for the development because the developer experience is much better.

Organizations involved: 

Thunder

Modules/Themes/Distributions

Key modules/theme/distribution used: 

Why these modules/theme/distribution were chosen:  Requirements / Key modules Storytelling

In professional publishing, it’s all about the story. It has to be easy to create a story, to extend it, to change its narrative strand, and to enrich it with multimedia content. We use the Paragraphs module for this. Instead of putting all their content in one WYSIWYG body field including images and videos, end-users can now choose on the fly between pre-defined Paragraph Types independent from one another. Paragraph Types can be anything you want from a simple text block or image to a complex and configurable slideshow. This allows editors to structure an article into sub-elements which can easily be created, edited, and reorganized.

Media Handling

Editors want to enrich their articles with pictures, videos, content from social media, and whatever else you might think of. Paragraphs are one part of this, the other is the combination of the Media Entity module and the Entity Browser module. With those modules, editors can easily upload new content but also find and reuse existing entities.

SEO

Search engine optimization plays a major role in every editor’s life. Thunder therefore gas a plethora of different adjusting screws, from several meta tags for Facebook, Twitter, and Open Graph up to the simple XML sitemap.

Scheduled Publishing

The editor’s daily life is a lot about planning. With Thunder, you can schedule articles, ensuring they will be published at a given date and time. Even more importantly, you can also schedule the time at which an article or a picture should not be shown on the website anymore, e.g. if the contract period for a photograph has ended or an event announcement isn’t useful anymore.

Improved Authoring Experience

Our primary focus is making the editors’ work with Thunder as easy as possible. In order to achieve this, we created the Thunder Admin Theme based on findings of user tests and a survey conducted with editors working with Thunder.

Detailed Module List

Find a detailed list of the modules we use in Thunder here: burdamagazinorg.github.io/thunder-documentation/modules

Community contributions: 

Since we get a lot from the Drupal community, we give our best to contribute back, e.g. by fixing the bugs we find through automated tests and by supporting Drupal events and code sprints with developer time, talks, and sponsoring. Christian Fritsch, a member of the Thunder Core Team, contributed a lot of his time to the media initiative. Ingo Rübe, the initiator of Thunder, is a member of the Drupal Association’s Board of Directors.

Project team: 
  • Daniel Bosen - Lead Developer
  • Christian Fritsch - Senior Developer
  • Mladen Todorovic - Senior Developer
  • Volker Killesreiter - Senior Developer
  • Julia Pradel - Community Manager
  • Ingo Rübe - Initiator of Thunder
  • Collin Müller - Head of Strategic Development
Team members: 
Categories: Drupal

Drupal 7 and 8 core highly critical release on March 28th, 2018 PSA-2018-001

Drupal Main Content - 22 March 2018 - 3:13am
  • Advisory ID: DRUPAL-PSA-2018-001
  • Project: Drupal Core
  • Version: 7.x, 8.x
  • Date: 2018-March-21
Description

There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 - 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.

While Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0. The Drupal security team strongly recommends the following:

  • Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.

The security advisory will list the appropriate version numbers for all three Drupal 8 branches. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

This will not require a database update.

Patches for Drupal 7.x and 8.3.x, 8.4.x, 8.5.x and 8.6.x will be provided.

The CVE for this issue is CVE-2018-7600. The Drupal-specific identifier for the issue is SA-CORE-2018-002.

The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: log in on drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

Journalists interested in covering the story are encouraged to email security-press@drupal.org to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory.

If you find a security issue, please report it at https://www.drupal.org/security-team/report-issue.

updated 2018-03-22: Added information about database updates

updated 2018-03-27: Added information about patches

updated 2018-03-28: Added information about CVE and identifiers

Categories: Drupal

Drupal 8.5.0 is now available

Drupal Main Content - 8 March 2018 - 5:51am
What's new in Drupal 8.5.0?

This new version makes Media module available for all, improves migrations significantly, stabilizes the Content Moderation and Settings Tray modules, serves dynamic pages faster with BigPipe enabled by default, and introduces a new experimental entity layout user interface. The release includes several very important fixes for workflows of content translations and supports running on PHP 7.2.

Download Drupal 8.5.0

Media in core improved and available to all site builders

In Drupal 8.4, we added a Media API to core that drew on work from the contributed Media Entity module, but the module was hidden from the user interface due to user experience issues. In Drupal 8.5, many of the usability issues have been addressed, and the module now can be enabled normally. Media in Drupal 8.5 supports uploading and playing audio and video files, as well as listing and reusing media.

For an optimal user experience, we suggest enhancing the core feature set with the rich ecosystem of contributed modules that extends the core Media module. In future releases, we will improve the core user experience with a media library and other tools, add WYSIWYG integration, add support for remote media types like YouTube videos, and provide an upgrade path for existing basic File and Image field data on existing sites.

Settings Tray and Content Moderation now stable

Two experimental modules originally added with Drupal 8.2.0 have been steadily improving in past releases and are now stable. The Settings Tray module provides a quick solution to manage settings in context, such as moving items around in a menu block. The Content Moderation module allows defining content workflow states such as Draft, Archived, and Published, as well as which roles have the ability to move content between states. Drupal 8.5.0 also adds support for translations to be moderated independently.

New experimental Layout Builder module

The new experimental Layout Builder module provides display layout capabilities for articles, pages, user profiles, and other entity displays. Layout Builder uses the same "outside-in" user interface that Settings Tray module does, allowing site builders to edit their layouts on the actual page (rather than having to go to a separate form on the backend). The current user interface is a basic implementation but we expect it will improve significantly in the coming months.

Big steps for migrations

After over four years of work, this release marks the Migrate system's architecture stable. The Drupal Migrate and Drupal Migrate UI modules are also considered stable for upgrading monolingual sites. (Multilingual site upgrades are still not fully supported.) Support for incremental migrations is also included in this release. See the migrate announcement for further details on migrating to Drupal 8.

BigPipe by default

The BigPipe module provides an advanced implementation of Facebook's BigPipe page rendering strategy for greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. The module was added in Drupal 8.1.0 experimentally and became stable in Drupal 8.3.0. Following real-world testing, Big Pipe is now included as part of Drupal 8.5.0's Standard installation profile, so that all Drupal 8 sites will be faster by default. BigPipe is also the first new Drupal 8 feature to mature from an experimental prototype all the way to being part of a standard installation!

Groundwork for a Drupal 8 "Out of the Box" demo

Drupal 8.5.0 includes the groundwork for a new demo profile and theme from the Out of the Box Initiative, which will be a beautiful, modern demonstration of Drupal's capabilities. This will allow us to provide the demo experimentally, possibly in a future Drupal 8.5 release. (The demo profile and theme should not be used on actual production or development sites since no backwards compatibility or upgrade paths are provided.) If you'd like to see this demo in action, you can also see it in the 8.6.x development version.

PHP 7.2 now supported

Drupal 8.5.0 now runs on PHP 7.2, which comes with new features and improves performance over PHP 7.1. PHP 7.2 is now the recommended PHP version to use with Drupal 8.

What does this mean for me? Drupal 8 site owners

Update to 8.5.0 to continue receiving bug and security fixes. The next bugfix release (8.5.1) is scheduled for April 4, 2018.

Updating your site from 8.4.5 to 8.5.0 with update.php is exactly the same as updating from 8.4.4 to 8.4.5. Drupal 8.5.0 also has updates to several dependencies, including a backwards-compatible update to a Symfony long-term-support release (which will be supported for many years). Modules, themes, and translations may need updates for these and other changes in this minor release, so test the update carefully before updating your production site.

Note that Drupal 8 will require PHP 7 starting in March 2019, one year from now. If your site is hosted on PHP 5.5 or 5.6, you should begin planning to upgrade (and consider upgrading to PHP 7.2 now that it is supported). See the Drupal core announcement about the PHP 5 end-of-life for more information.

Drupal 6 and 7 site owners

Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8. Drupal 6 is no longer supported. See the migrate announcement for further details on migrating to Drupal 8.

Translation, module, and theme contributors

Minor releases like Drupal 8.5.0 include backwards-compatible API additions for developers as well as new features. Read the 8.5.0 release notes for more details on the improvements for developers in this release.

Since minor releases are backwards-compatible, modules, themes, and translations that supported Drupal 8.4.x and earlier will be compatible with 8.5.x as well. However, the new version does include some changes to strings, user interfaces, internal APIs and API deprecations. This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.5.0 release candidate for more background information.

Categories: Drupal

Big steps for migrations in Drupal 8.5.0

Drupal Main Content - 8 March 2018 - 5:51am

After over four years of work with over 570 contributors and 1300+ closed issues, Drupal 8.5.0 releases the Migrate system's architecture as fully stable. This means that developers can write migration paths without worrying for stability of the underlying system.

On top of that the Migrate Drupal and Migrate Drupal UI modules (providing Drupal 6 and 7 to Drupal 8 migrations) are considered stable for upgrading monolingual sites. All of the remaining critical issues for the Migrate Drupal module's upgrade paths and stability are related to multilingual migration support (so multilingual site upgrades are still not fully supported).

Support for incremental migrations is now also available, which means that site owners can work gradually on their new Drupal 8 site while content is still being added to the old site. When migrations (including incremental migrations) are run through the user interface, site owners will now see a warning if some data on the Drupal 8 site might be overwritten. (A similar fix for Drush is not yet available, so be careful not to overwrite data if you run a migration on the command line.) 

Upgrade instructions for Drupal 6 and Drupal 7 sites can be found in the Upgrading to Drupal 8 handbook. Your old site can still remain up and running while you test migrating your data into your new Drupal 8 site. If you happen to find a bug, that is not a known migrate issue, your detailed bug report with steps to reproduce is a big help!

Unlike previous versions, Drupal 8 stores translated content as single entities. Multilingual sites with reference fields (node_reference, entity_reference) or multilingual menus can upgrade to Drupal 8 using Drush, executing the desired migrations one by one. In this process you need to create and run a series of additional custom migrations to reflect the new entity identifiers assigned during earlier migrations. There is no automation implemented for this process yet.

Data can be migrated to Drupal 8 also from non-Drupal sources such as CSV, XML, JSON, or directly from 3rd party systems' databases. For instructions and examples, refer to Migrate API handbook.

Huge thanks again to all the contributors who made this possible.

Categories: Drupal