Web Design and Development

Drupal Security Team update.

Drupal - 11 hours 41 min ago
Joint Security release with WordPress

In big news, we had our first joint release with WordPress. We collaborated together with the WordPress team on a PHP security issue discovered by a security researcher. We’re thrilled that we had an opportunity to work together with others in the open source CMS community. We shared a few tips and tricks and it was great working with the WordPress team.

Keeping Drupal Secure

In keeping with our mission to showcase security best practices at Drupal’s online home, we’ve upgraded https://security.drupal.org to Drupal 7. This ensures we’re on a supported platform. We also took the opportunity to add some new features that help us enhance our team’s efficiency by automating a number of routine tasks.

As part of our dedication to keeping Drupal users safe, we’ve written and announced the Long Term support (LTS) plan for Drupal 6 (https://www.drupal.org/d6-lts-support). This is an important step as we look forward to the release of Drupal 8. Soon we will be introducing two-factor authentication to Drupal.org, thanks to hard work from security team members Ben Jeavons, Greg Knaddison , Neil Drumm, and Michael Hess. (https://groups.drupal.org/node/439868 and https://drupal.org/node/2239973)

And here’s one last, fun note: Security.Drupal.org issues now show up on the drupal.org dashboard if you add the widget. You can get it clicking on dashboard after logging in and adding the widget.


Securing Drupal E-Commerce

Some Drupal security team members were recently involved in putting together a compliance White paper for keeping track of PCI compliance. Anyone who runs a Drupal site and takes credit cards should read the whitepaper. Here’s a little more information:

Version 3.0 of the PCI compliance standard becomes mandatory on January 1st, 2015 and will be a complete game changer for many Drupal eCommerce sites. This includes triple the number of security controls if your website touches credit card information and more. The community supported Drupal PCI Compliance White Paper (http://drupalpcicompliance.org/) will give you a high level overview of what PCI compliance is, why you need to comply, and (most importantly) how to get started. This paper was written and reviewed by several members of the Drupal security team, including Rick Manelius, Greg Knaddison, Ned McClain, Michael Hess, and Peter Wolanin.

Simplifying Security

We’ve redesigned our Security Advisory system to make evaluating and analyzing security threats easier and more intuitive. This came about after several core contributors informed us that they wanted a better way to address security threats. We sent out a survey through Twitter to learn more about how people write and read the Security Advisories. Based on the responses we put together a new Security Advisory system that takes much of the guesswork out of the process of evaluating threats. We’ve added and reordered elements on the Security Advisory’s criticality scale and added explanations to help people understand where a security problem is on the spectrum of potential threats.

Our Growing Team

We’ve brought a number of new members onto the security team. Please help us give a very warm welcome to our newest security team members:

Alex Pott (alexpott) - IRC nick: alexpott, Organization: Chapter Three
Cash Williams (cashwilliams) - IRC nick: CashWilliams, Organization: Acquia
Dan Smith (galooph) - IRC nick: galooph, Organization: Code Enigma
David Snopek (dsnopek) - IRC nick: dsnopek, Organization: MVPcreator
Rick Manelius (rickmanelius) - IRC nick: rickmanelius, Organization: NewMedia!

We’re always looking for more qualified people who place a high priority on security. If you’d like to join the security team: https://security.drupal.org/join

Drupal version: Drupal 7.x

Drupal.org Maintenance: Sep 16th 16:00 PDT (23:00 UTC)

Drupal - Mon, 09/15/2014 - 15:34

Drupal.org will be affected by maintenance Tuesday, September 16th 16:00 PDT, 23:00 UTC.

A regular module update will alter some larger tables, which will block other queries. We plan on up to 30 minutes of downtime while these updates run.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Front page news: Drupal News

Maintainers can give credit to organizations that support Drupal projects

Drupal - Wed, 08/27/2014 - 21:09

This week, we added a feature to projects on Drupal.org to help highlight the contributions made by supporting organizations. Maintainers of distributions, modules, and themes can give credit to organizations that have materially contributed to projects on Drupal.org using the new “Supporting Organizations” field.

How do you use this field? When an organization funds the development of a project or when a company takes on maintainership of a key module in the community, the maintainers of that project can add a reference to one or more of them on the project node. Maintainers may chose to give this credit to any organization that contributes significant code or support to a project.

We noticed that many projects would manually follow this pattern in the project description, but wanted to take it a step further. Not only will this provide a link to the organization, it will also show up on the organization’s marketplace page.

This is just the first step, we are also looking for community feedback and help in providing credit to companies, organizations and customers that contribute to the development of Drupal. Implementing this step will be a key way to show how organizations are giving code and support to Drupal Core. Look for it in the coming months.

Dries has written an excellent post on how we might give credit to organizations and another on the value of hiring a core contributor to help push Drupal forward that were a basis for much of this work.

If you are a project maintainer, take a moment to give some credit to the organizations that have helped build the Drupal ecosystem.

Front page news: Drupal News

Introducing Drupal.org Terms of Service and Privacy Policy

Drupal - Fri, 08/08/2014 - 06:50

Almost half a year ago, with the help of the Drupal.org Content Working Group and lawyers, the Drupal Association started working on a Drupal.org Terms of Service (ToS) and Privacy Policy. After a number of drafts and rewrites, we are now ready to introduce both documents to Drupal.org users.

Why do we need a ToS?

Drupal.org has grown organically for many years. Currently the site has thousands of active users that generate lots of content every day. Our current Terms of Service are limited to a short line on the account creation form:

“Please note: All user accounts are for individuals. Accounts created for more than one user or those using anonymous mail services will be blocked when discovered.”

This line is an insufficient ToS for a website of our size. In fact, Drupal.org is probably the only website of this size which operates without a published Terms of Service. This situation is uncomfortable, and even dangerous, for both Drupal community and the Drupal Association, which is legally responsible for Drupal.org and its contents.

In the absence of a ToS, a lot of rules—“do’s and don’ts”—regarding the website are just “common knowledge” of users who have a long memory and accounts created in the early days of Drupal.org. This might result in new users making mistakes and misbehaving only because they do not know what the unwritten rules are. Website moderators often lack guidance on how to react in specific situations, because those policies are not written anywhere. Some policies, such as organization accounts policy or account deletion policy still need to be defined. Lastly, absence of clearly defined Terms of Service and Privacy Policy could lead to legal disputes regarding the site.

What’s next?

The new Drupal.org Terms of Service and Privacy Policy are published now for the community review. They will be made official in 4 weeks, on September 4th, 2014. On that day all existing users will have to accept these ToS and Privacy Policy to continue using the website. All new users starting on that day will have to accept the ToS and Privacy Policy upon account creation.

Click to review Drupal.org Terms of Service

Click to review Drupal.org Privacy Policy

In the future, we will make sure to keep ToS and Privacy Policy up-to-date and update them every time policies or functionality of the website changes. We will proactively notify users of all modifications to both documents.

Thanks

We’d like to say thanks to the Drupal.org Content Working Group members and community members who already reviewed proposed documents and provided us with their valuable feedback.

Drupal 7.31 and 6.33 released

Drupal - Wed, 08/06/2014 - 10:35

Drupal 7.31 and Drupal 6.33, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.31 and Drupal 6.33 release notes for further information.

Download Drupal 7.31
Download Drupal 6.33

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.31 is a security release only. For more details, see the 7.31 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.33 is a security release only. For more details, see the 6.33 release notes. A complete list of all bug fixes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.31 and 6.33 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.31 or Drupal 6.33.

Update notes

See the 7.31 and 6.33 release notes for details on important changes in this release.

Known issues

None.

Front page news: Planet DrupalDrupal version: Drupal 6.xDrupal 7.x

Drupal 7.30 released

Drupal - Thu, 07/24/2014 - 15:12

Drupal 7.30, a maintenance release with several bug fixes (no security fixes), including a fix for regressions introduced in Drupal 7.29, is now available for download. See the Drupal 7.30 release notes for a full listing.

Download Drupal 7.30

Upgrading your existing Drupal 7 sites is recommended. There are no new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

There are no security fixes in this release of Drupal core.

Bug reports

Drupal 7.x is being maintained, so given enough bug fixes (not just bug reports), more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.30 is a bug fix only release. The full list of changes between the 7.29 and 7.30 releases can be found by reading the 7.30 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Update notes

See the 7.30 release notes for details on important changes in this release.

Known issues

None.

Front page news: Planet DrupalDrupal version: Drupal 7.x

Drupal 7.29 and 6.32 released

Drupal - Wed, 07/16/2014 - 13:37

Drupal 7.29 and Drupal 6.32, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.29 and Drupal 6.32 release notes for further information.

Download Drupal 7.29
Download Drupal 6.32

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.29 is a security release only. For more details, see the 7.29 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.32 is a security release only. For more details, see the 6.32 release notes. A complete list of all bug fixes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.29 and 6.32 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.29 or Drupal 6.32.

Known issues

None.

Front page news: Planet DrupalDrupal version: Drupal 6.xDrupal 7.x

Drupal.org Maintenance: July 8th 11:00 PDT (July 8th 18:00 UTC)

Drupal - Mon, 06/30/2014 - 10:21

Drupal.org will be affected by maintenance Tuesday, July 8th, 11:00 PDT (July 8th, 18:00 UTC).

To finish our load balancer rebuilds, we are moving traffic from our old load balancer to our new. During this process, there maybe a five minute period of brief instability.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Drupal.org Maintenance: July 2nd 13:00 PDT (July 2nd 20:00 UTC)

Drupal - Wed, 06/25/2014 - 13:00

Drupal.org will be affected by maintenance Wednesday, July 2nd, 13:00 PDT (July 2nd, 20:00 UTC).

To finish our CDN deployment on Drupal.org, we are moving the www.drupal.org CNAME to point at our CDN edge. The CNAME switch should be seamless and only take a few minutes to update across DNS.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Drupal 6 extended support announcement

Drupal - Wed, 06/18/2014 - 09:42

On February 13, 2008, Drupal 6 was released. The policy of the community is to support only the current and previous stable versions. (When Drupal 6 was released, Drupal 4.7.x was marked unsupported. When Drupal 7 came out, Drupal 5.x was marked unsupported.) This policy was created to prevent core and module maintainers from having to maintain more than 2 active major versions of Drupal.

With the coming Drupal 8 release, this policy has been questioned. We want to ensure that sites that wish to move from Drupal 6 to Drupal 8 have a supported window within which to do so. The Drupal core team, key module maintainers, and representatives of the Drupal security team met at Drupalcon Austin to discuss this as an in-person follow up to the previous discussion at https://drupal.org/node/2136029.

Drupal 6 core and modules will transition to unsupported status three months after Drupal 8 is released. "Unsupported status" means the community will not be providing support or patches in the same way we do now. Continuing to support Drupal 6 would be difficult for many reasons, including a lack of automated test coverage, the requirement for rigorous manual release testing, the slow-down it introduces in the release of security fixes for the vast majority of Drupal users (on version 7+), and the general shift of volunteers in the community moving their attention onto Drupal 8 development.

This gives Drupal 6 users a few options:

1) Upgrade to Drupal 7 any time between now and 3 months after Drupal 8.0.0 is released. Drupal 7 releases undergo almost 40,000 automated tests, and Drupal 7 will be fully supported at least until Drupal 9 comes out. Given the past history, the release of Drupal 9 is likely to be around 2018.

2) Upgrade to Drupal 8 after it is released, but before Drupal 6 is not supported anymore. Fortunately, Migrate support for Drupal 6 to Drupal 8 is already in core, and there is Migrate UI, a contributed module. While not all contributed modules will be ready at the time Drupal 8 is released, Drupal 8's migration path handles most of the critical site data via its CCK to Entities/Fields in Core migrations.

3) Find an organization that will provide extended support for Drupal 6. The Drupal Security Team will provide a method for companies and/or individuals to work together in the private security issue queue to continue developing updates, and will provide a reasonable amount of time for companies to provide patches to Drupal 6 security issues that also affect Drupal 7 or Drupal 8. The security team will coordinate access to issues for companies wishing to provide extended support for Drupal 6. However, the team will not explicitly review or test the patches (some team members may do this on their own). All code created by these vendors, would be released to the community.

Organizations and individuals interested in providing this level of support for their customers
AND who have the technical knowledge to maintain a Drupal core release should go to the security team Drupal 6 long term support page.

Both the Security Team and Drupal core leadership feel that a 3-month window after Drupal 8's release before eclipsing community support for Drupal 6 is a workable compromise between leaving Drupal 6 sites on an unsupported version the second Drupal 8 comes out, and acknowledging that our community's volunteer resources are limited and have shifted focus. We hope that organizations that rely on Drupal 6 will step up to help maintain it after community support winds down, and/or help their clients update to D8.

Drupal version: Drupal 6.x

Drupal 6 extended support announcement

Drupal - Wed, 06/18/2014 - 09:42

On February 13, 2008, Drupal 6 was released. The policy of the community is to drop support only the current and previous stable versions. (When Drupal 6 was released, Drupal 4.7.x was marked unsupported. When Drupal 7 came out, Drupal 5.x was marked unsupported.) This policy was created to prevent core and module maintainers from having to maintain more than 2 active major versions of Drupal.

With the coming Drupal 8 release, this policy has been questioned, we want to ensure that sites that wish to move from Drupal 6 to Drupal 8 have a supported window within which to do so. The Drupal core team, key module maintainers, and representatives of the Drupal security team met at Drupalcon Austin to discuss this as an in-person follow up to the previous discussion at https://drupal.org/node/2136029.

Drupal 6 core and modules will transition to unsupported status three months after Drupal 8 is released. "Unsupported status" means the community will not be providing support or patches in the same way we do now. Continuing to support Drupal 6 would be difficult for many reasons, including a lack of automated test coverage, the requirement for rigorous manual release testing, the slow-down it introduces in the release of security fixes for the vast majority of Drupal users (on version 7+), and the general shift of volunteers in the community moving their attention onto Drupal 8 development.

This gives Drupal 6 users a few options:

1) Upgrade to Drupal 7 any time between now and 3 months after Drupal 8.0.0 is released. Drupal 7 releases undergo almost 40,000 automated tests, and Drupal 7 will be fully supported at least until Drupal 9 comes out. Given the past history, the release of Drupal 9 is likely to be around 2018.

2) Upgrade to Drupal 8 after it is released, but before Drupal 6 is not supported anymore. Fortunately, Migrate support for Drupal 6 to Drupal 8 is already in core, and there is a Migrate UI that is a contributed module at the moment. While not all contributed modules will be ready at the time Drupal 8 is released, Drupal 8's migration path handles most of the critical site data via its CCK to Entities/Fields in Core migrations.

3) Find an organization that will provide extended support for Drupal 6. The Drupal Security Team will provide a method for companies and/or individuals to work together in the private security issue queue to continue developing updates, and will provide a reasonable amount of time for companies to provide patches to Drupal 6 security issues that also affect Drupal 7 or Drupal 8. The security team will coordinate access to issues for companies wishing to provide extended support for Drupal 6. However, the team will not explicitly review or test the patches (some team members may do this on their own). All code, created by these vendors, would be released to the community.

Organizations and individuals interested in providing this level of support for their customers
AND who have the technical knowledge to maintain a Drupal core release Should go to the security team Drupal 6 long term support page.

Both the Security Team and Drupal core leadership feel that a 3-month window after Drupal 8's release before eclipsing community support for Drupal 6 is a workable compromise between leaving Drupal 6 sites on an unsupported version the second Drupal 8 comes out, and acknowledging that our community's volunteer resources are limited and have shifted focus. We hope that organizations that rely on Drupal 6 will step up to help maintain it after community support winds down, and/or help their clients update to D8.

Drupal version: Drupal 6.x

Drupal.org Maintenance: June 18th 3PM PDT (June 18th 22:00 UTC)

Drupal - Mon, 06/16/2014 - 14:44

Drupal.org will be affected by maintenance Wednesday, June 18th, 15:00 PDT (June 18th, 22:00 UTC) and ending Wednesday, June 18th, 16:00 PDT (June 19th, 23:00 UTC).

In preparation for our CDN deployment on Drupal.org, we are moving Drupal.org to www.drupal.org. The name switch should be seamless and only take a few minutes to update in various places.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Drupal.org Maintenance: June 16th 4PM PDT (June 16th 23:00 UTC)

Drupal - Thu, 06/12/2014 - 15:04

Drupal.org will be affected by our ISP’s maintenance window starting Monday, June 16th, 16:00 PDT (June 16th, 23:00 UTC) and ending Monday, June 16th, 18:00 PDT (June 17th, 01:00 UTC).

Our ISP will be upgrading the firmware on the customer aggregation routers, and we expect to see a 10‒15 minute disruption in traffic sometime during the maintenance window.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Design Finder for Mac Released

The Flash Blog - Wed, 06/04/2014 - 23:48

As you know I have been doing Cocoa development for a while now. You will see some of my Adobe work very soon, but in the meantime, my first personal app called Design Finder is now available on the Mac App Store.

The idea for this app came about because I’m always searching my hard drive for visual assets to use for FPO or just for inspiration. There are a staggering number of visual files on OS X that are buried inside of system frameworks, application packages, and other hard-to-search places. Spotlight just plain sucks for this purpose and is restricted as to where it can search.

On the first screen you set up your search with a starting directory, an optional search term, and the types of files you’re looking for. The results are displayed in a zoomable grid (see top image) and you can then reveal a file in Finder or open it with the application of your choice. Finding things like cursor images, icons, and other hard to find items is now a breeze.

I also created a microsite for the app at designfinderapp.com so check it out for more information. Hope you like it!

Swift is Here

The Flash Blog - Mon, 06/02/2014 - 17:39

Well today Apple announced their new programming language called Swift. This is very similar in syntax to what the next version of JavaScript will look like. I’m pretty excited about it even though I spent all that time learning Objective-C. I’m planning on blogging and creating some tutorials on the new language and I even procured swiftvideotutorials.com for any video tutorials I end up doing.

Here are some useful links to start checking it out:

Exciting times!