Feed aggregator

Bulgaria PHP Conference 2016

PHP Announcements - Sun, 10/22/2017 - 06:07
Bulgaria PHP Conference is the premier PHP conference, gathering PHP and frontend developers and engineers from all around Europe. Co-organized by the Bulgaria PHP User Group and SiteGround web hosting, the conference is bringing internationally renowned experts from the PHP industry to talk about APIs, Frameworks, Security, Testing, Continuous Integration, and much more!

Highlights:

  • 500+ passionate attendees
  • 27 world renowned speakers
  • 4 practical workshops
  • 3 action-packed days
  • 1 legendary after party
  • Games, JeoPHPardy, Hackathon
  • Amazing food, swag and gifts included

Get your discounted ticket today. Price increases to the regular one (129 EUR) on September 1, 2016. Still not convinced? Here are several reasons to head to Sofia for Bulgaria PHP Conference.
Categories: Development News, PHP, PHP News

ScotlandPHP

PHP Announcements - Thu, 10/19/2017 - 13:46
Scotland's Original and Best PHP Conference

Saturday 4th November 2017, EICC, Edinburgh

2 Tracks, 14 World Class Speakers, 2 Social Events, 1 Amazing Day!

  • Josh Holmes MICROSOFT - Opening Keynote: “Rise of the Machines”
  • Adam Culp ZEND - “Clean Application Development”
  • Amanda Folson NEXMO - “Open Source for Closed Source Companies”
  • Ciaran McNulty INVIQA - “Behat Best Practices”
  • Christian Lück CONSULTANT - “Pushing the Limits of PHP with ReactPHP”
  • Craig McCreath MTC - “Refactoring Large Legacy Applications with Laravel”
  • Dave Stokes ORACLE - “MySQL 8: A New Beginning”
  • David McKay CONSULTANT - “What even is ‘Cloud Native’?”
  • Matt Brunt VIVA IT - “Content Security Policies: Let's Break Stuff”
  • Renato Mefi ENRISE - “GraphQL is right in front of us, let's do it!”
  • Seb Heuer KARTENMACHEREI - “The Myth of Untestable Code”
  • Terrence Ryan GOOGLE - “Containing Chaos with Kubernetes”
  • Thomas Shone BOOKING.COM - “Security Theatre: The State of Online Security”
  • Meri Williams MOO.COM - Closing Keynote: “Creating Space to be Awesome”

More Information...

Follow us on twitter: @scotlandphp
Categories: Development News, PHP, PHP News

Community Spotlight: Rwandan enthusiasm for Drupal causes big challenge

Drupal News - Wed, 10/18/2017 - 15:00

For Ildephonse Bikino (bikilde) of Rwanda, it was supposed to be an uneventful Drupal Global Training Day call-out; he expected 50 people but he got 388!

Bikino began working to get local interest in Drupal, sharing information by creating a simple website and posting information about the trainings on groups.drupal.org and sharing it locally.

He hoped to reach the room capacity of 50 people, and the registrations came flowing in.

“The venue, which is kLab, where I was expecting to run my first training, they only accommodate 50 people. And the channel I used to announce the training, I was not expecting too many people attending, but people ...shared my communication to different channels and in so many different ways. I was surprised to get more than 388 applications.”

How do you deal with the logistics of training 388 people? That’s hard! Bikino was committed to the challenge. One session became eight over a number of weekends. Bikino made sure everyone got the opportunity to attend!

Discovering Drupal

Students learning about Drupal at one of the training classes

Bikino's start with Drupal began commonly enough; through his job. Like many small teams, staff get mixed roles and he inherited the website role. His experience grew from there. In 2016 he had the opportunity to attend DrupalCon New Orleans via scholarship through the Drupal Association. This let him discover the global opportunities and connections that open source software and the Drupal community can provide.

“My interest [in going to DrupalCon New Orleans] was to learn how thousands of people can just work together to deliver one single platform, how it works, and how people can really do it as volunteering work and through contributions. [The experience left me feeling that] I could really share that culture and community with young Rwandan people… and how they can love what they are doing this much. That’s where my inspiration came from.”

Bikino says technology offers more than just jobs, it provides local activities, ways to collaborate, and a chance to build knowledge. He plans to create a platform for the Rwanda Drupal community to share skills, projects, opportunities and experience.

Moving Forward

The local support for the Drupal Global Training Day is a sign of changing times in Rwanda. Those attending the training are educated, but there can be a lack of connection between what they are learning in school and the outside market. Bikino wants to connect those gaps by creating opportunities to learn, build, and develop. Like many countries across the globe, the Rwandan government sees technology as a way to build economic diversity, nurture jobs, and transform the country.

Local Projects

Students gathered during Global Training Day event

The Rwanda Information and Communication Association (RICTA) and partners launched The 1K Websites project to promote Local Content Hosting. For now most of the websites made are Government, but they are expanding the project. With good internet infrastructure already in place, this is the start of local content creation and websites for business and community.

Diversity in the community is going to be a challenge, but Bikino realises it’s an important one. Sustainable Development Goal 5 is “achieve gender equality and empower women and girls”, and access to technology in developing countries such as Rwanda is important for sustainability. Bikino is actively working with kLab management to find funds to develop opportunities for women in technology.

The Future

The last group of the 388 people have just gone through their training. The aim now is to develop local freelancers, do projects within the community, and find mentors to share tips, guidance and best practices. The group would even like to contribute to translating Drupal into the local language (Kinyarwanda). And of course one day, host an African DrupalCon.

Peel away the layers of an impressive attendance to a Drupal Global Training Day event, and you have a story about the potential for technology and Drupal to transform people, communities and industry.

You can follow and connect with Bikino via Twitter or say hi to him in the Drupal Slack. Bikino is the Deputy Director for ICT in Education Projects with FHI 360.

Next Spotlight?

Our next spotlight will be Fatima Sarah Khalid who you may recognise as @sugaroverflow. To those watching DrupalConEur from twitter it looked like no one had more fun than her! Fatima is going to be interviewed by Nikki Stevens who you may recognise as @drnikki. We think it’s going to be very cool.

We are also going to have our new Drupal Spotlight site up very soon. If you see Chandeep having too much fun at Drupal events around Europe tell him to get home and finish the site install - we have big ideas!

Categories: Development News, Drupal

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-78

Drupal Contributed Security - Wed, 10/18/2017 - 12:48
Project: 
Version: 
7.x-3.x-dev
7.x-2.x-dev
7.x-1.x-dev
Date: 
2017-October-18
Vulnerability: 
Cross site scripting
Description: 

The Yandex.Metrics module allows you to look for key indicators of your site effectiveness.

The module does not make sufficiently clear that access to its settings page should not be granted to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings."

Edited October 19, 2017 to add a note about checking permissions.

Solution: 

Install the latest version:

  • If you use the Yandex.Metrics module for Drupal 7.x, upgrade to version 7.x-3.1 and also examine your site's permission configuration to ensure that only highly-trusted administrators have the "Administer Yandex.Metrics Settings" permission.

Also see the Yandex.Metrics project page.

Reported By: 
Fixed By: 
Coordinated By: 

MySQL Performance: Getting the Basics Right (26 Oct 2017)

MySQL Web Seminars - Fri, 10/13/2017 - 07:44

Setting up a MySQL Server solution is not a complex task, and with a few simple steps anybody can run a database. In this session learn useful tips to help you understand the preliminary steps in database design. Learn how to choose the right storage engine, table design, data types for your application, and get a set of useful recommendations. If it is true that premature optimization is the root of all performance evils, it is also true that starting off right is the most important part of the work. Don’t miss this opportunity to learn from our Oracle MySQL performance tuning expert!



Date and Time: Thursday, 26 Oct 2017, 09:00 US/Pacific
Categories: Development News, MySQL

Using MySQL Containers: Why and How (25 Oct 2017)

MySQL Web Seminars - Fri, 10/13/2017 - 07:38

In this webinar, we’ll cover what Docker is, how MySQL fits in, and why it makes sense to use them together. You’ll then learn how to leverage the MySQL Docker containers that are now included with each of our MySQL product releases with the goal of improving your development operations.



Date and Time: Wednesday, 25 Oct 2017, 09:00 US/Pacific
Categories: Development News, MySQL

PHP 7.2.0 Release Candidate 4 Released

PHP Announcements - Thu, 10/12/2017 - 05:46
The PHP development team announces the immediate availability of PHP 7.2.0 RC4. This release is the fourth Release Candidate for 7.2.0. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.2.0 Release Candidate 4 please visit the download page, Windows sources and binaries can be found at windows.php.net/qa/. The next Release Candidate will be announced on the 26th of October. You can also read the full list of planned releases on our wiki. Thank you for helping us make PHP better.
Categories: Development News, PHP, PHP News

Drupal looking to adopt React

Drupal News - Wed, 10/11/2017 - 13:05

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Last week at DrupalCon Vienna, I proposed adding a modern JavaScript framework to Drupal core. After the keynote, I met with core committers, framework managers, JavaScript subsystem maintainers, and JavaScript experts in the Drupal community to discuss next steps. In this blog post, I look back on how things have evolved, since the last time we explored adding a new JavaScript framework to Drupal core two years ago, and what we believe are the next steps after DrupalCon Vienna.

As a group, we agreed that we had learned a lot from watching the JavaScript community grow and change since our initial exploration. We agreed that today, React would be the most promising option given its expansive adoption by developers, its unopinionated and component-based nature, and its well-suitedness to building new Drupal interfaces in an incremental way. Today, I'm formally proposing that the Drupal community adopt React, after discussion and experimentation has taken place.

Two years ago, it was premature to pick a JavaScript framework

Three years ago, I developed several convictions related to "headless Drupal" or "decoupled Drupal". I believed that:

  1. More and more organizations wanted a headless Drupal so they can use a modern JavaScript framework to build application-like experiences.
  2. Drupal's authoring and site building experience could be improved by using a more modern JavaScript framework.
  3. JavaScript and Node.js were going to take the world by storm and that we would be smart to increase the amount of JavaScript expertise in our community.

(For the purposes of this blog post, I use the term "framework" to include both full MV* frameworks such as Angular, and also view-only libraries such as React combined piecemeal with additional libraries for managing routing, states, etc.)

By September 2015, I had built up enough conviction to write several long blog posts about these views (post 1, post 2, post 3). I felt we could accomplish all three things by adding a JavaScript framework to Drupal core. After careful analysis, I recommended that we consider React, Ember and Angular. My first choice was Ember, because I had concerns about a patent clause in Facebook's open-source license (since removed) and because Angular 2 was not yet in a stable release.

At the time, the Drupal community didn't like the idea of picking a JavaScript framework. The overwhelming reactions were these: it's too early to tell which JavaScript framework is going to win, the risk of picking the wrong JavaScript framework is too big, picking a single framework would cause us to lose users that favor other frameworks, etc. In addition, there were a lot of different preferences for a wide variety of JavaScript frameworks. While I'd have preferred to make a bold move, the community's concerns were valid.

Focusing on Drupal's web services instead

By May of 2016, after listening to the community, I changed my approach; instead of adding a specific JavaScript framework to Drupal, I decided we should double down on improving Drupal's web service APIs. Instead of being opinionated about what JavaScript framework to use, we would allow people to use their JavaScript framework of choice.

I did a deep dive on the state of Drupal's web services in early 2016 and helped define various next steps (post 1, post 2, post 3). I asked a few of the OCTO team members to focus on improving Drupal 8's web services APIs; funded improvements to Drupal core's REST API, as well as JSON API, GraphQL and OpenAPI; supported the creation of Waterwheel projects to help bootstrap an ecosystem of JavaScript front-end integrations; and most recently supported the development of Reservoir, a Drupal distribution for headless Drupal. There is also a lot of innovation coming from the community with lots of work on the Contenta distribution, JSON API, GraphQL, and more.

The end result? Drupal's web service APIs have progressed significantly the past year. Ed Faulkner of Ember told us: "I'm impressed by how fast Drupal made lots of progress with its REST API and the JSON API contrib module!". It's a good sign when a core maintainer of one of the leading JavaScript frameworks acknowledges Drupal's progress.

The current state of JavaScript in Drupal

Looking back, I'm glad we decided to focus first on improving Drupal's web services APIs; we discovered that there was a lot of work left to stabilize them. Cleanly integrating a JavaScript framework with Drupal would have been challenging 18 months ago. While there is still more work to be done, Drupal 8's available web service APIs have matured significantly.

Furthermore, by not committing to a specific framework, we are seeing Drupal developers explore a range of JavaScript frameworks and members of multiple JavaScript framework communities consuming Drupal's web services. I've seen Drupal 8 used as a content repository behind Angular, Ember, React, Vue, and other JavaScript frameworks. Very cool!

There is a lot to like about how Drupal's web service APIs matured and how we've seen Drupal integrated with a variety of different frameworks. But there is also no denying that not having a JavaScript framework in core came with certain tradeoffs:

  1. It created a barrier for significantly leveling up the Drupal community's JavaScript skills. In my opinion, we still lack sufficient JavaScript expertise among Drupal core contributors. While we do have JavaScript experts working hard to maintain and improve our existing JavaScript code, I would love to see more experts join that team.
  2. It made it harder to accelerate certain improvements to Drupal's authoring and site building experience.
  3. It made it harder to demonstrate how new best practices and certain JavaScript approaches could be leveraged and extended by core and contributed modules to create new Drupal features.

One trend we are now seeing is that traditional MV* frameworks are giving way to component libraries; most people seem to want a way to compose interfaces and interactions with reusable components (e.g. libraries like React, Vue, Polymer, and Glimmer) rather than use a framework with a heavy focus on MV* workflows (e.g. frameworks like Angular and Ember). This means that my original recommendation of Ember needs to be revisited.

Several years later, we still don't know what JavaScript framework will win, if any, and I'm willing to bet that waiting two more years won't give us any more clarity. JavaScript frameworks will continue to evolve and take new shapes. Picking a single one will always be difficult and to some degree "premature". That said, I see React having the most momentum today.

My recommendations at DrupalCon Vienna

Given that it's been almost two years since I last suggested adding a JavaScript framework to core, I decided to bring the topic back in my DrupalCon Vienna keynote presentation. Prior to my keynote, there had been some renewed excitement and momentum behind the idea. Two years later, here is what I recommended we should do next:

  • Invest more in Drupal's API-first initiative. In 2017, there is no denying that decoupled architectures and headless Drupal will be a big part of our future. We need to keep investing in Drupal's web service APIs. At a minimum, we should expand Drupal's web service APIs and standardize on JSON API. Separately, we need to examine how to give API consumers more access to and control over Drupal's capabilities.
  • Embrace all JavaScript frameworks for building Drupal-powered applications. We should give developers the flexibility to use their JavaScript framework of choice when building front-end applications on top of Drupal — so they can use the right tool for the job. The fact that you can front Drupal with Ember, Angular, Vue, React, and others is a great feature. We should also invest in expanding the Waterwheel ecosystem so we have SDKs and references for all these frameworks.
  • Pick a framework for Drupal's own administrative user interfaces. Drupal should pick a JavaScript framework for its own administrative interface. I'm not suggesting we abandon our stable base of PHP code; I'm just suggesting that we leverage JavaScript for the things that JavaScript is great at by moving relevant parts of our code from PHP to JavaScript. Specifically, Drupal's authoring and site building experience could benefit from user experience improvements. A JavaScript framework could make our content modeling, content listing, and configuration tools faster and more application-like by using instantaneous feedback rather than submitting form after form. Furthermore, using a decoupled administrative interface would allow us to dogfood our own web service APIs.
  • Let's start small by redesigning and rebuilding one or two features. Instead of rewriting the entirety of Drupal's administrative user interfaces, let's pick one or two features, and rewrite their UIs using a preselected JavaScript framework. This allows us to learn more about the pros and cons, allows us to dogfood some of our own APIs, and if we ultimately need to switch to another JavaScript framework or approach, it won't be very painful to rewrite or roll the changes back.

Selecting a JavaScript framework for Drupal's administrative UIs

In my keynote, I proposed a new strategic initiative to test and research how Drupal's administrative UX could be improved by using a JavaScript framework. The feedback was very positive.

As a first step, we have to choose which JavaScript framework will be used as part of the research. Following the keynote, we had several meetings at DrupalCon Vienna to discuss the proposed initiative with core committers, all of the JavaScript subsystem maintainers, as well as developers with real-world experience building decoupled applications using Drupal's APIs.

There was unanimous agreement that:

  1. Adding a JavaScript framework to Drupal core is a good idea.
  2. We want to have sufficient real-use experience to make a final decision prior to 8.6.0's development period (Q1 2018). To start, the Watchdog page would be the least intrusive interface to rebuild and would give us important insights before kicking off work on more complex interfaces.
  3. While a few people named alternative options, React was our preferred option, by far, due to its high degree of adoption, component-based and unopinionated nature, and its potential to make Drupal developers' skills more future-proof.
  4. This adoption should be carried out in a limited and incremental way so that the decision is easily reversible if better approaches come later on.

We created an issue on the Drupal core queue to discuss this more.

Conclusion

Drupal supporting different javascript front ends

Drupal should support a variety of JavaScript libraries on the user-facing front end while relying on a single shared framework as a standard across Drupal administrative interfaces.

In short, I continue to believe that adopting more JavaScript is important for the future of Drupal. My original recommendation to include a modern JavaScript framework (or JavaScript libraries) for Drupal's administrative user interfaces still stands. I believe we should allow developers to use their JavaScript framework of choice to build front-end applications on top of Drupal and that we can start small with one or two administrative user interfaces.

After meeting with core maintainers, JavaScript subsystem maintainers, and framework managers at DrupalCon Vienna, I believe that React is the right direction to move for Drupal's administrative interfaces, but we encourage everyone in the community to discuss our recommendation. Doing so would allow us to make Drupal easier to use for site builders and content creators in an incremental and reversible way, keep Drupal developers' skills relevant in an increasingly JavaScript-driven world, and move us ahead with modern tools for building user interfaces.

Special thanks to Preston So for contributions to this blog post and to Matt Grill, Wim Leers, Jason Enter, Gábor Hojtsy, and Alex Bronstein for their feedback during the writing process.

Categories: Development News, Drupal

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

Drupal Contributed Security - Wed, 10/11/2017 - 13:01
Version: 
7.x-1.0
Date: 
2017-October-11
Vulnerability: 
Access Bypass
Description: 

The netFORUM Authentication module implements external authentication for users against netFORUM.

The module does not correctly use flood control, making it susceptible to brute force attacks.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 

Progress on the Salesforce Suite for D8 and a Call for Participation

Drupal News - Mon, 10/09/2017 - 15:21

The following blog was written by Drupal Association Premium Supporting Partner, Message Agency.

After months of work, hundreds of commits, and lots of new thinking, the Salesforce Suite for Drupal 8 is reaching maturity.  There is tremendous interest in these modules, and many enterprises are waiting for this milestone to integrate D8 sites with Salesforce. In an effort to accelerate refinement and adoption of this important contribution, the module’s developers are raising awareness about the release and asking the community to start downloading and contributing.

A few months ago at Drupalcon Baltimore, Message Agency announced a release candidate (8.x-3.0-rc1) for the Salesforce Suite in Drupal 8.  This collection of modules supports integration with Salesforce by mapping Drupal entities with standard or custom Salesforce objects and pushing Drupal data to Salesforce as well as pulling Salesforce data into Drupal.

Since then, we've continued to expand the Suite and build out critical features. We've also continued to groom the 8.x roadmap, solicit community participation through webinars, and build awareness about how to use the modules. With a solid foundation and full functionality, the Suite is beginning to gain traction and see increasing adoption as projects switch to Drupal 8.

What’s new in the Suite?

The modules are a complete rewrite of the Suite for Drupal 8, and they fully leverage Drupal core’s object-oriented code patterns.  Message Agency’s senior software engineer, Aaron Bauman, was the original architect of the Suite for 6.x in 2009 and has continued to support this important tool ever since. He took the lead in porting the modules for Drupal 8, based on feedback from the community, clients, and nearly a decade of experience integrating these two powerful platforms.

There is much to be excited about in this new version. There have been a number of updates from Drupal 7.x:

  • Queue on failure. There is now an attempt to push synchronization immediately on entity save and enqueue for asynchronous push only on failure. This feature idea is a great compromise between the previous binary sync/async decision point.
  • Test coverage.  Testing 3rd-party web services can be tricky, and requires careful planning and mocking. This Salesforce 8.x release includes test coverage for push and pull operations using mock REST features, allowing for proper regression testing and test-driven development.
  • Push queue overhaul, and cron-based push.  Drupal 7's asynchronous push left a lot to be desired. Lack of error handling made debugging and troubleshooting difficult to impossible. Lack of optimizations burned unnecessary API calls. Both of these limitations were imposed by Drupal Queue API's fundamental nature. In Drupal 7, our options for extending the Queue system were limited. In Drupal 8, we've implemented a Salesforce Push Queue service, building on Drupal core's overhauled Queue API. We've taken the opportunity to normalize queue items, optimize queue operations, and implement error handling and recovery.
  • Objectification of Salesforce resources. Moving in the direction of a proper REST PHP SDK, we now have proper classes for Query Result, SObject, Salesforce ID, various REST Responses, and others. This not only allows for simple type-hinting across other classes, but also gives developers consistent and reliable interfaces, and paves the way for even greater extensibility in the future.
  • Queue settings per mapping. The Suite now allows administrators to assign sync intervals per-mapping, instead of running all sync operations on every cron run. This feature idea will allow administrators to tweak their synchronizations according to business needs, without the need to implement extensive hook-based logic.

Several new features for Drupal 8 also have been developed:

  • Goodbye hooks, hello events.  Leveraging Salesforce.api.php, we mapped old hooks onto new events—a key advantage for folks already familiar with the 7.x version.
  • A new plugin system for mapping fields.  There has been a mapping UI overhaul.  Salesforce Mapping Fields now enjoy their own plugin system, allowing for maximum extensibility. For example, "Record Type" is now its own mapping field plugin type, rather than receiving special treatment in the push and pull systems.
  • Pluggable everything, including the REST Client itself, thanks to Drupal services and Dependency Injection.
  • Examples module. There is now a working examples module with an event subscriber, exported mapping config, and demonstration of using the REST client to connect to an Apex endpoint.

The new version also builds in some important re-includes from the 7.x-2.x branch.

  • Mapped Objects are tied to Mappings
  • Custom push queue
  • Re-attempt on failure
  • Encryption support

What is the current status? And how can you help?

The Suite has advanced to 8.x-3.0-rc6 and is nearing a stable release.  It’s time to start downloading and using the modules to help us identify and smooth out the rough spots.

For a quick start overview, watch this Acquia webinar, delivered by Aaron Bauman on how to install and configure the Suite.

https://youtu.be/9tKrpxW1sMk https://www.acquia.com/resources/webinars/how-use-salesforce-suite-drupal-8-quick-start-guide?r=735547932

Keep those issues coming in the queue!

The Heavy Lifting

This amount of work is never done alone.  By the numbers, so far:

  • 5 contributors including 2 Message Agency staff.  (Shout out to evanjenkins, bezhermoso, and gcb for their contributions.)
  • Merged 7 major branches.
  • More than 200 commits.
  • Nearly 400 hours logged across 5 Message Agency dev and PM staff, and 3 drupal.org users

Also, major thanks to Acquia's Drupal 8 Module Acceleration Program for connecting us with clients to fund and advance module development.

Categories: Development News, Drupal

An update on projects created for Drupal

Drupal News - Sat, 10/07/2017 - 03:00

About six months ago we made a significant change to the way that modules, themes, and distributions are created on Drupal.org.

In the past, contributors had to first create a sandbox project, and then request manual review of their project in the Project Applications issue queue. The benefit of this community-driven moderation process was that modules were vetted for code quality and security issues by a group of volunteers. Project maintainers who completed this process also received the benefit of security advisory coverage from the Security Team for stable releases of their projects.

Unfortunately, the rate of project applications outpaced what volunteers could keep up with, and many worthy projects were never promoted to full project status, or moved off of Drupal.org to be hosted elsewhere.

To ameliorate this issue, we changed the process so that any confirmed user on Drupal.org may now make full projects.

To mitigate the risks of low code quality or security vulnerabilities we added new signals to project pages: including highlighting which release is recommended by the maintainer, displaying recent test results, and indicating whether the project receives security coverage both on the project page and in the composer 'extra' attribute. We're continuing to work on identifying additional signals of project quality that we can include, as well as surfacing some of this information in Drupal core. We also converted the project applications issue queue into a 'request security advisory coverage' issue queue.

What we hoped to see

We knew this would be a significant change for the project and the community. While many community members were excited to see the gates to contribution opened, others were concerned about security issues and Drupal's reputation for code quality.

Our prediction was that the lower barrier to contribution would result in an increase in full projects created on Drupal.org. This would indicate that new contributors or third party technology providers were finding it easier to integrate with Drupal and contribute those integrations back for use by others.

At the same time, we also expected to see an increase in the number of full projects that do not receive coverage from the security team. The question was whether this increase would be within an acceptable range, or represent a flood of low quality or insecure modules.

The results

The table below provides statistics about the full projects created on Drupal.org in the 5 months before March 17th, 2017 - when we opened the creation of full projects to all confirmed users.

| Full projects created from 2016-10-16 to 2017-03-17… | # | % of projects created in this period |
|---|---|---|
| … without stable release | 431 | 55.76% |
| … with stable releases | 342 | 44.24% |
| … with usage >= 50 sites | 237 | 30.66% |
| … with usage >= 50 sites and without stable release | 68 | 8.80% |
| … with usage >= 50 sites and with stable release | 169 | 21.86% |
| … with an open security coverage application* | 18 | 2.33% |
| Sub-total with security coverage | 342 | 44.24% |
| Sub-total without security coverage | 431 | 55.76% |
| Sub-total with security coverage and >=50 usage | 169 | 21.86% |
| Sub-total without security coverage and >= 50 usage | 68 | 8.80% |
| Total | 773 | |

* note: full projects that did not have stable releases were not automatically opted in to security coverage when we opened the full project creation gates.

… and this table provides statistics about the projects created in the 5 months after we opened the creation of full projects to all confirmed users:

| Full projects created from 2017-03-17 to 2017-08-16… | # | Diff | % of projects created | Diff % |
|---|---|---|---|---|
| … without stable release | 851 | +420 | 69.53% | +97% |
| … with stable releases | 373 | +31 | 30.47% | +9% |
| … with usage >= 50 sites | 156 | -81 | 12.75% | -34% |
| … with usage >= 50 sites and without stable release | 64 | -4 | 5.23% | -6% |
| … with usage >= 50 sites and with stable release | 92 | -77 | 7.52% | +46% |
| … with an open security coverage application | 62 | +44 | 5.07% | +344% |
| Sub-total with security coverage | 182 | -160 | 14.87% | -53% |
| Sub-total without security coverage | 1,042 | +611 | 85.13% | +242% |
| Sub-total with security coverage and >=50 usage | 54 | -115 | 4.41% | -32% |
| Sub-total without security coverage and >= 50 usage | 102 | +34 | 8.33% | +150% |
| Total | 1,224 | +451 | | +58% |

As you can see, we have an almost 58% increase in the rate of full projects created on Drupal.org. We can also see a significant proportional increase in two key areas: projects with greater than 50 site usage and no security coverage (up 150% compared to the previous period), and projects that have applied for security coverage (up 344% compared to the previous period). Note: this increase in applications is for projects *created in these date ranges*, not necessarily applications created overall.

This tells us that reducing friction in applying for security coverage, and encouraging project maintainers to do so, should be a top priority.

Finally, this last table gives statistics about all of the projects currently on Drupal.org, regardless of creation date:

| Full projects (7.x and 8.x) | # | % of Total | Rate of change after 2017-03-17 |
|---|---|---|---|
| … with the ability to opt into security coverage | 8,718 | 36.15% | -1.33% |
| … with security coverage and stable releases | 8,377 | 34.74% | -1.49% |
| … without security coverage | 15,396 | 63.85% | +1.33% |
| … without security coverage and with stable releases | 464 | 1.92% | +1.04% |
| … with security coverage and >=50 usage | 6,475 | 66.91 / 26.85% | -0.54% |
| … with security coverage and stable releases and >=50 usage | 6,308 | 65.19 / 26.16% | -0.65% |
| … without security coverage and >=50 usage | 3,202 | 33.09 / 13.28% | +0.54% |
| … without security coverage and with stable releases and >=50 usage | 130 | 1.34 / 0.54% | +0.51% |
| Sub-total with >=50 usage | 9,677 | 40.13% | -1.72% |
| Total | 24,114 | | |

From the overall data we see approximately what we might expect. The increase in growth of full projects on Drupal.org has led to a modest increase in projects without security coverage.

Before the project application change, all full projects with stable releases received security advisory coverage. After this change, only those projects that apply for the ability to opt in (and then do so) receive coverage.

What has this meant for security coverage of projects hosted on Drupal.org?

1.92% of all full 7.x and 8.x projects have stable releases, but do not receive security advisory coverage. It is likely no accident that this translates into 464 projects, which is nearly equivalent to the number of additional projects added compared to our old growth rate.

Of those, only 130 projects report usage on more than 50 sites (or 0.54% of all 7.x and 8.x full projects).

Next steps

From this analysis we can conclude the following:

  1. The opening of the project application gates has dramatically increased the number of projects contributed to Drupal.org.

  2. It has also increased the number of projects without security coverage, and the number of applications for the ability to opt in to coverage among new projects.

In consultation with the Security Working Group, we recommend the following:

  • For now, leave the project creation process as it stands today - open to contribution from any confirmed user on Drupal.org.

    • Less than 2% of all Drupal projects with stable releases currently lack security coverage. The rate at which this is increasing is significant (and in the wrong direction) but not rapid enough to merit changing the project application policy immediately.

  • Solve the problem of too many security advisory coverage applications. The security advisory application queue has the same problem that the old project applications queue had - not enough volunteers to manually vet all of the applications - and therefore a significant backlog of project maintainers waiting on the ability to opt into coverage.

    • Recommendation: Implement an automated best practices quiz that maintainers can take in order to be granted the ability to opt into security advisory coverage. If this process is as successful as we hope, we may want to consider making this a gate on stable releases for full projects as well.

We look forward to working with the Security Working Group to implement this recommendation and continue to improve the contribution experience on Drupal.org, while preserving code quality and security.

Categories: Development News, Drupal

Drupal 8.4.0 is now available

Drupal News - Wed, 10/04/2017 - 16:20
What's new in Drupal 8.4.0?

This new version is an important milestone of stability for Drupal 8. It adds under-the-hood improvements to enable stable releases of key contributed modules for layouts, media, and calendaring. Many other core experimental modules have also become stable in this release, including modules for displaying form errors inline and managing workflows.

The release includes several very important fixes for content revision data integrity as well as an update to stop the deletion of orphaned files that was causing data loss for many sites, alongside numerous improvements for site builders and content authors.

Download Drupal 8.4.0

Important: If you use Drush to manage Drupal, be sure to update to Drush 8.1.12 or higher before updating Drupal. Updating to Drupal 8.4.0 using Drush 8.1.11 or earlier will fail. (Always test minor version updates carefully before making them live.)

Inline Form Errors

The Inline Form Errors module provides a summary of any validation errors at the top of a form and places the individual error messages next to the form elements themselves. This helps users understand which entries need to be fixed, and how. Inline Form Errors was provided as an experimental module from Drupal 8.0.0 on, but it is now stable and polished enough for production use.

Screenshot showing form error displayed with the field rather than at the top of the form.

Datetime Range

The Datetime Range module provides a field type that allows end dates to support contributed modules like Calendar. This stable release is backwards-compatible with the Drupal 8.3.x experimental version and shares a consistent API with other Datetime fields. Future releases may improve Views support, usability, Datetime Range field validation, and REST support.

Screenshot showing form elements to specify start and end dates.

Layout Discovery API

The Layout Discovery module provides an API for modules or themes to register layouts as well as five common layouts. Providing this API in core enables core and contributed layout solutions like Panels and Display Suite to be compatible with each other. This stable release is backwards-compatible with the 8.3.x experimental version and introduces support for per-region attributes.

Media API

The new core Media module provides an API for reusable media entities and references. It is based on the contributed Media Entity module.

Since there is a rich ecosystem of Drupal contributed modules built on Media Entity, the top priority for this release is to provide a stable core API and data model for a smoother transition for these modules. Developers and expert site builders can now add Media as a dependency. Work is underway to provide an update path for existing sites' Media Entity data and to port existing contributed modules to the refined core API.

Note that the core Media module is currently marked hidden and will not appear on the 'Extend' (module administration) page. (Enabling a contributed module that depends on the core Media module will also enable Media automatically.) The module will be displayed to site builders normally once related user experience issues are resolved in a future release.

Similarly, the REST API and normalizations for Media are not final and support for decoupled applications will be improved in a future release.

Content authoring and site administration experience improvements

The "Save and keep (un)published" dropbutton has been replaced with a "Published" checkbox and single "Save" button. The "Save and..." dropbutton was a new design in Drupal 8, but users found it confusing, so we have restored a design that is more similar to the user interface for Drupal 7 and earlier.

Both the "Comments" administration page at `/admin/content/comment` and the "Recent log messages" report provided by dblog are now configurable views. This allows site builders to easily customize, replace or clone these screens.

Updated migrations

This release adds date and node reference support for Drupal 6 to Drupal 8 migrations. Core provides migrations for most Drupal 6 data and can be used for migrating Drupal 6 sites to Drupal 8, and the Drupal 6 to 8 migration path is nearing beta stability. Some gaps remain, such as for some internationalization data. The Drupal 7 to Drupal 8 migration is incomplete but is suitable for developers who would like to help improve the migration and can be used to test upgrades especially for simple Drupal 7 sites. Most high-priority migrations are available.

Moderation and workflows

The Workflows module is now also stable; however, it only provides a framework for managing workflows and is not directly useful in itself. The experimental Content Moderation module allows workflows to be applied to content and is now at beta stability. Content moderation workflows can now apply to any entity types that support revisions, and numerous usability issues and critical bugs are resolved in this release.

Platform features for web services

Drupal 8.4 continues to expand Drupal's support for web services that benefit decoupled sites and applications, including a 15% performance improvement for authenticated REST requests, expanded REST functionality, and developer-facing improvements.

Further details are available about each area in the 8.4.0 release notes.

What does this mean for me? Drupal 8 site owners

Update to 8.4.0 to continue receiving bug and security fixes. The next bugfix release (8.4.1) is scheduled for November 1, 2017.

Updating your site from 8.3.7 to 8.4.0 with update.php is exactly the same as updating from 8.3.6 to 8.3.7. If you use Drush, be sure to update to Drush 8.1.12 or higher before using it to update Drupal 8.3.7 to 8.4.0. Drupal 8.4.0 also has major updates to several dependencies, including Symfony, jQuery, and jQuery UI. Modules, themes, and translations may need updates for these and other changes in this minor release, so test the update carefully before updating your production site.

Drupal 7 site owners

Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8.

Most high-priority migrations from Drupal 7 to 8 are now available, but the migration path is still not complete, especially for multilingual sites, so you may encounter errors or missing migrations when you try to migrate. That said, since your Drupal 7 site can remain up and running while you test migrating into a new Drupal 8 site, you can help us stabilize the Drupal 7 to Drupal 8 migration path! Testing and bug reports from your real-world Drupal 7 sites will help us stabilize this functionality sooner for everyone. (Search the known issues.)

Drupal 6 site owners

Drupal 6 is not supported anymore. Create a Drupal 8 site and try migrating your data into it as soon as possible. Your Drupal 6 site can still remain up and running while you test migrating your Drupal 6 data into your new Drupal 8 site. Core now provides migrations for most Drupal 6 data, but the migrations of multilingual functionality in particular are not complete. If you find a new bug not covered by the known issues with the experimental Migrate module suite, your detailed bug report with steps to reproduce is a big help!

Translation, module, and theme contributors

Minor releases like Drupal 8.4.0 include backwards-compatible API additions for developers as well as new features. Read the 8.4.0 release notes for more details on the improvements for developers in this release.

Since minor releases are backwards-compatible, modules, themes, and translations that supported Drupal 8.3.x and earlier will be compatible with 8.4.x as well. However, the new version does include some changes to strings, user interfaces, and internal APIs (as well as more significant changes to experimental modules). This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.4.0 release candidate for more background information.

Categories: Development News, Drupal

PHP 7.1.10 Release Announcement

PHP Announcements - Fri, 09/29/2017 - 04:10
The PHP development team announces the immediate availability of PHP 7.1.10. This is a bugfix release, with several bug fixes included. All PHP 7.1 users are encouraged to upgrade to this version. For source downloads of PHP 7.1.10 please visit our downloads page, Windows source and binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: Development News, PHP, PHP News

PHP 7.2.0 Release Candidate 3 Released

PHP Announcements - Thu, 09/28/2017 - 06:58
The PHP development team announces the immediate availability of PHP 7.2.0 RC3. This release is the third Release Candidate for 7.2.0. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.2.0 Release Candidate 3 please visit the download page; Windows sources and binaries can be found at windows.php.net/qa/. The next Release Candidate will be announced on the 12th of October. You can also read the full list of planned releases on our wiki. Thank you for helping us make PHP better.
Categories: Development News, PHP, PHP News

State of Drupal presentation (September 2017)

Drupal News - Wed, 09/27/2017 - 10:33

This blog has been re-posted with permission from Dries Buytaert's blog. Please leave your comments on the original post.

Group photo

Yesterday, I shared my State of Drupal presentation at DrupalCon Vienna. In addition to sharing my slides, I wanted to provide some more detail on how Drupal is evolving, who Drupal is for, and what I believe we should focus on.

Drupal is growing and changing

I started my keynote by explaining that Drupal is growing. Over the past year, we've witnessed a rise in community engagement, which has strengthened Drupal 8 adoption.

This is supported by the 2017 Drupal Business Survey; after surveying 239 executives from Drupal agencies, we can see that Drupal 8 has become the de facto release for them and that most of the Drupal businesses report to be growing.

Drupal 8 Agency Adoption

Drupal Agency Growth

While the transition from Drupal 7 to Drupal 8 is not complete, Drupal 8's innovation continues to accelerate. We've seen the contributed modules ecosystem mature; in the past year, the number of stable modules has more than doubled. Additionally, there are over 4,000 modules in development.

Drupal 8 module readiness

In addition to growth, both the vendor and technology landscapes around Drupal are changing. In my keynote, I noted three primary shifts in the vendor landscape. Single blogs, portfolio sites and brochure sites, which represent the low end of the market, are best served by SaaS tools. On the other side of the spectrum, a majority of enterprise vendors are moving beyond content management into larger marketing suites. Finally, the headless CMS market segment is growing rapidly, with some vendors growing at a rate of 500% year over year.

There are also significant changes in the technology landscape surrounding Drupal, as a rising number of Drupal agencies have also started using modern JavaScript technologies. For example, more than 50% of Drupal agencies are also using Node.js to support the needs of their customers.

Changing technology stack

While evolving vendor and technology landscapes present many opportunities for Drupal, they can also introduce uncertainty. After listening to many people in the Drupal community, it's clear that all these market and technology trends, combined with the long development and adoption cycle of Drupal 8, have left some wondering what this all means for Drupal, and by extension also for them.

Drupal is no longer for simple sites

Over the past year, I've explained why I believe Drupal is for ambitious digital experiences, in both my DrupalCon Baltimore keynote and on my blog. However, I think it would be valuable to provide more detail on what I mean by "ambitious digital experiences". It's important that we all understand who Drupal is for, because it drives our strategy, which in turn allows us to focus our efforts.

Today, I believe that Drupal is no longer for simple sites. Instead, Drupal's sweet spot is sites or digital experiences that require a certain level of customization or flexibility — something I refer to as "richness".

Who is Drupal for?

Ambitious is much more than just enterprise

This distinction is important because I often find that the term "ambitious" becomes conflated with "enterprise". While I agree that Drupal is a great fit for the enterprise, I personally never loved that categorization. It's not just large organizations that use Drupal. Individuals, small startups, universities, museums and nonprofits can be equally ambitious in what they'd like to accomplish and Drupal can be an incredible solution for them.

An example of this could be a small business that manages 50 rental properties. While they don't have a lot of traffic (reach), they require integrations with an e-commerce system, a booking system, and a customer support tool to support their business. Their allotted budget is $50,000 or less. This company would not be considered an enterprise business; however, Drupal would be a great fit for this use case. In many ways, the "non-enterprise ambitious digital experiences" represent the majority of the Drupal ecosystem. As I made clear in my presentation, we don't want to leave those behind.

Drupal is for ambitious digital experiences

Addressing the needs of smaller organizations

The Drupal ecosystem majority are organizations with sites that require medium-to-high richness, which SaaS builders cannot support. However, they also don't need to scale at the level of enterprise companies. As the Drupal community continues to consider how we can best support this majority, a lot of smaller Drupal agencies and end-users have pointed out that they would benefit from the following two things:

  1. Powerful site building tools. They want easy-to-use site building tools that are simple to learn, and don't require dozens of contributed modules to be installed and configured. They would also prefer to avoid writing a lot of custom code because their clients have smaller budgets. Great examples of tools that would improve site building are Drupal's upcoming layout builder, workspaces and media library. To make some of Drupal's own administrative UIs more powerful and easier to use, I proposed that we add a modern JavaScript to core.
  2. Easier updates and maintenance. While each Drupal 8 site benefits from continuous innovation, it also needs to be updated more often. The new Drupal 8 release cycle has monthly patch releases and 6-month minor releases. In addition, organizations have to juggle ad-hoc updates from contributed modules. Site updates have also often become more complex because of our dependency on third-party libraries and because not everyone can use Composer. Many smaller users and agencies would benefit tremendously from auto-updates because maintaining and updating their Drupal 8 sites can be too manual, too complex and too expensive.

The good news is that we have made progress in both improving site builder tools and simplifying updates and maintenance. Keep an eye on future blog posts about these topics. In the meantime, you can watch a recording of my keynote (starting at 22:10), or you can download a copy of my slides (56 MB).

Categories: Development News, Drupal

Drupal Business Survey 2017

Drupal News - Mon, 09/25/2017 - 06:02

The Drupal Business Survey 2017 shows that Drupal has a steady position in the market, and Drupal 8 has secured its role as the most popular version for new Drupal projects. Further, Drupal is often becoming part of a larger set of solutions.

The Drupal Business Survey is an annual survey that aims to give insights into the key issues that Drupal agency owners and company leaders worldwide face. The survey is an initiative of Exove, One Shoe and the Drupal Association and has been carried out this year for the second time. It covers topics about Drupal business in general, Drupal projects and talent needs. This article summarizes the most important findings along with commentary and insights from a total of 239 respondents.

Drupal is growing steadily

The Drupal Business Survey gleaned its data for 2017 from 239 respondents in CEO/COO/CTO/founder role (87%), director role (4.6%) or management role (4.6%), working at Drupal companies with a total of 300 offices spread around the globe. The most popular office location (30.1%) was USA. The second most popular with 12.1% was UK, and after that Germany, Netherlands, India, Canada and France. There were respondents from Africa, Asia, Europe, North America, South America and Oceania.

Drupal Business Survey 2017 -  Respondents

Analysis of the data made immediately clear that Drupal is a healthy business:

Drupal project pipeline grows

For almost half of the respondents (48.5%) the Drupal project pipeline grew within the last year. For 28.9% it stayed roughly the same, and for 22.6% the pipeline shrank.

Size of Drupal projects grows

For a majority (52.3%) of the respondents the average size of Drupal project deals grew. For about one third (31.4%) the Drupal deal size stayed roughly the same, and for only 16.3% the size of deals shrank.

Drupal’s project win rate stays roughly the same

Despite the increasing competition in the CMS market, for many (46.4%) of the companies their Drupal project win rate has stayed on the same level over the last year, and about a third (34.7%) have managed to grow their win rate. For less than a fifth of the companies (18.8%) the win rate had decreased.

Drupal project win-rate

Drupal’s position as a high-demand service platform is steady, especially for projects in the Charities and Non-Profit sector, which is catered to by two thirds (64.9%) of the respondents. Other popular industries that use Drupal are Government & Public Administration (56.1%) and Healthcare & Medicine (49.4%). There are no major differences in industries served by Drupal companies compared to the 2016 survey results.  

Drupal client sectors

Choosing Drupal

When choosing the right platform, Drupal clients trust the technical provider’s expertise: Drupal is often chosen by the clients as a result of the provider’s recommendation. In some cases the client’s previous experience or familiarity with Drupal is the definitive factor.

Besides Drupal being open-source and free of licensing fees, the definitive reasons for choosing Drupal are that Drupal is a reliable and flexible CMS choice with a strong reputation:

Without -most often than not- being able to precisely explain the reasons for which they prefer Drupal, those who do, sense that it is a better solution for their business; we shall imagine that this is due to the image of the CMS, which evokes a more robust, and serious CMS than the others.

Can do anything. Secure.

Choosing the company

When Drupal itself is less the dominating factor for the client, other unique aspects are often key factors for clients choosing a supplier, agency, or partner. The respondents mentioned that trust, commitment, quality, level of service, full service proposition, technical expertise, good reputation, and references were important factors for client decision making.

Drupal 8 has a strong place in the market

Drupal project version

Drupal 8, the newest version of the CMS, seems to have taken a strong place in the market. The respondents’ new Drupal projects were most commonly (38.1%) built on Drupal 8. One fourth of the respondents stated that they build mostly with Drupal 8 and some with Drupal 7. For 18% of the respondents most new projects were built with Drupal 7 and some with Drupal 8. A few (6.7%) of the respondents said their new projects are equally often built with Drupal 7 and Drupal 8. 12.1% still built all of their new projects with Drupal 7.

Drupal companies broaden their services, skill-sets, techniques and expertise

Remarkably, despite the popularity of Drupal, the survey shows that a lot of Drupal companies have changed their business model over the last year to widen their services and respond to the demand.

Drupal agency business models

The most common way of changing the business model was by expanding services beyond building Drupal websites (35.1%). The data shows that companies start to offer more services, expand their technology stack and work with multiple CMS platforms.

The main reasons behind the changes were changing market conditions (40.0%) or a willingness to grow the pipeline better or faster (49.4%). A respondent explains: “Drupal is too restricted to cover all the market's needs; furthermore, adding other services allows us to expand our clientele and thus revenues.”

More services

Drupal agency services

In addition to pure web development – coding the sites – most of the companies provide services such as support, system integration, user experience design, visual design, hosting, and mobile development.

Changing the technology stack

The companies also found adding other technologies a useful way of expanding the technology stack.

More than half of the respondents’ companies also used Node.js, while Angular (43.5%), Symfony (42.3%) and React.js (33.9%) were also commonly used technologies among the respondents. Some also used Laravel (17.2%), Vue.js (9.6%) and Django (5.9%).

Expanding their services by adding other services and CMS platforms to their toolkit

Almost half of the companies (45.2%) have added other CMS platforms to expand their services and bring variety to projects. WordPress is the most common (54.67%) addition to the toolkit, serving particularly smaller projects, with the Magento eCommerce platform and Grav CMS following. For most respondents (69.6%), the reason for using more than one CMS tool is being able to use the tool best suited for the project. For almost half (40.2%), the reason arose from the client's wishes regarding the tool.

“WordPress is more popular, and customers want it because of the user experience.”

“There's still a battle out there between Drupal and WordPress. Clients are not enough informed about the differences, so their opinion is often based on information and visions by previous suppliers”

“We’re adding Adobe and wordpress. Looking into JS frameworks.”  

Drupal in a landscape of solutions

Drupal is widely considered as one of the most popular options in the CMS landscape. However, while digital solutions have become more complex, Drupal increasingly often serves as a part of a larger set of solutions. The survey data shows that Drupal companies do this in the belief that the company sells solutions rather than technology.  

There’s a broad range of options available for companies to build platforms. Every Drupal organization seeks different combinations of software products and programming languages that they deem most important for their projects. There are endless options that excel in their own right.

Our clients rarely come asking for Drupal (10% of the time ). But our technical prowess is a big part of their choice. That skill just happens to be in Drupal due to our own choice of platforms.

[Our Drupal expertise is the most definitive factor] when clients approach us for Drupal projects, if Drupal is not the main reason to approach us (the most common case) then Drupal expertise is irrelevant.

When it is a Drupal project the expertise is important but we no longer sell Drupal as a major part of projects. We just use it. We now sell the solution.

I sell solutions to digital problems, not solutions to Drupal problems.

The study made it clear that there are often other definitive factors than Drupal expertise affecting the client’s decision of choosing agencies. The clients reportedly value vendor’s portfolio and references of previous projects, reputation, communication, and services that differentiate the agency from its peers.

The Drupal talent factor

According to the survey, Drupal talent is hard to find and takes a lot of work. Only a fraction (10.9%) of the companies say that they find Drupal talent easily. Compared to last year, the demand for Drupal talent at responding companies seems to be split between decreasing (23.4%) and increasing (25.5%) demand, with demand staying about the same at 36.8%.

With Drupal 8 gaining more and more popularity, most respondents say that Drupal 8 skills are somewhat in demand (38.1%) or high demand (33.5%). 15.9% say that Drupal 8 skills are not in demand.

Most respondents ranked the number of skilled Drupal 8 developers as average (40.2%). The responses indicate that more Drupal talent is needed, especially skilled Drupal 8 developers, due to the fact that Drupal 8 is more complex than its predecessors:

2016/17 and D8 has been a big shakeout for talent in Drupal. A lot of people who could operate in commercial Drupal delivery in 2012-2015 (with demand outstripping supply markedly) simply will not be viable candidates for Drupal work in 2018. There is no 'easy' work left and many people who came in during the good times will not be able to sustain careers in the new world.

The evolution of the CMS marketplace to favor more comprehensive and thus also more complex solutions is favoring bigger companies with stronger competences through number of experts in specific fields. This can be a struggle for small vendors, as mastering clients’ needs requires more expertise than is available on their staff:

Demand, as a whole, for Drupal seems to be significantly dropping as the increased complexity of each major release of Drupal cuts off greater and greater numbers of the ‘do-it-themselves’ business owning client/builder types. These types are prime candidates for initially using Drupal and then later turning their Drupal site over to a professional company.

Conclusion

Based on the study results, it is safe to say that Drupal has a steady position in the market, and Drupal 8 has secured its role as the most popular version for new Drupal projects.

The content management market is shifting towards more comprehensive and also complex solutions. Drupal agencies are well positioned to respond to this trend due to modern Drupal 8 architecture and also by combining Drupal into larger solutions. This drives Drupal business into larger deals and allows more long-term partnerships with the clients, thus giving financial stability to the companies and also to the community.

On the other end of the market, Drupal also faces competition from low-end solutions such as WordPress. Some of the agencies are now offering other content management solutions, WordPress included.

The market might be challenging for smaller companies with only one CMS in their toolkit. Companies that can react to changing market conditions and provide a variety of solutions are going to succeed. Additionally, companies that are able to distinguish themselves from other vendors through a good set of services, specialisation, or excellent customer service will flourish. This is all part of a natural evolution of any digital platform marketplace and it should be seen as a good juncture to raise the Drupal agencies to the next level.

Talent finding challenges indicate that there will be a need for multi-skilled developers with very good technical expertise.

Want to go in-depth?

More detailed results of the survey will be published at the DrupalCon Vienna CEO Dinner on Wednesday, September 27th. The presentation will become available for download afterwards.

-----

For more information, please contact Janne Kalliola (janne@exove.fi) or Michel van Velde (michel.vanvelde@oneshoe.com)

About Exove

Exove delivers digital growth. We help our clients to grow their digital business by designing and building solutions in an agile manner, with service design methodologies and open technologies. Our clients include Sanoma, Fiskars, Neste, Informa, Trimble, and Finnlines. We also serve start-up companies, unions and the public sector. Exove has offices in Helsinki, Oulu and Tampere, Finland; Tallinn, Estonia; and London, United Kingdom. For more information, please visit www.exove.com.

About One Shoe

One Shoe is an integrated advertising and digital agency with more than 10 years' experience in Drupal. With more than 40 specialists, One Shoe combines strategy, UX, design, advertising, web and mobile development to deliver unique results for international clients like DHL, Shell, Sanofi, LeasePlan, MedaPharma and many more. For more information, please visit www.oneshoe.com.

About the Drupal Association

The Drupal Association is a non-profit organization headquartered in Portland, OR, USA. It helps the Drupal project and community thrive with funding, infrastructure, and events. Its vision is to help create spaces where anyone, anywhere, can use Drupal to build ambitious digital experiences. For more information, please visit drupal.org/association.

Categories: Development News, Drupal

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

Drupal Contributed Security - Wed, 09/20/2017 - 14:48
Description

This module enables you to obtain the status for a user's Skype account

The module doesn't sufficiently sanitize the user input for their Skype ID.

This vulnerability is mitigated by the fact that an attacker must have an account on the site and be allowed to edit/input their Skype ID.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Skype Status (skype_status) 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Skype Status module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Skype Status project page.

Reported by Fixed by Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Page Access - Unsupported - SA-CONTRIB-2017-75

Drupal Contributed Security - Wed, 09/20/2017 - 14:43
  • Advisory ID: DRUPAL-SA-CONTRIB-2017-75
  • Project: Page Access (third-party module)
  • Date: 20-September-2017
Description

This module provides the option to give View and Edit access to users and roles on each node page.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected
  • All versions

Drupal core is not affected. If you do not use the contributed Page Access module, there is nothing you need to do.

Solution

If you use the Page Access module for Drupal you should uninstall it.

Also see the Page Access project page.

Reported by Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

What’s new on Drupal.org? - August 2017

Drupal News - Tue, 09/19/2017 - 12:38

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Announcement

TLS 1.0 and 1.1 deprecated

Drupal.org uses the Fastly CDN service for content delivery, and Fastly has deprecated support for TLS 1.1, 1.0, and 3DES on the cert we use for Drupal.org, per the mandate by the PCI Security Standards Council. This change took place on 9 Aug 2017. This means that browsers and API clients using the older TLS 1.1 or 1.0 protocols will no longer be supported. Older versions of curl or wget may be affected as well.

Almost time for DrupalCon Vienna

DrupalCon Vienna is almost here! From September 26-29 you can join us for keynotes, sessions, and sprinting. Most of the Drupal Association engineering team will be on site, and we'll be hosting a panel discussion about recent updates to Drupal.org, and our plans for the future.

We hope to see you there!

Drupal.org updates

8.4.0 Alpha/Beta/Release Candidate 1

On August 3rd, Drupal 8.4.0 received its alpha release, followed on the 17th by a beta release, and on September 6th by the first release candidate. Several new stable API modules are now included in core for everything from workflow management to media management. Core maintainers hope to reach a stable release of Drupal 8.4 soon.

Improvements to Project Pages

We made a number of improvements to project pages in August, one of which was to clean up the 'Project information' section and add new iconography to make signals about project quality more clear to site builders.

Project information improvements

In the same vein, we've also improved the download table for contrib projects, by making it more clear which releases are recommended by the maintainer, providing pre-release information for minor versions, and displaying recent test results.

Download table improvements

Metadata about security coverage available to Composer

Developers who build Drupal sites using Composer may miss some of the project quality indicators from project pages on Drupal.org. Because of this, we now include information about whether a project receives security advisory coverage in the Composer 'extra' attribute. By including this information in the composer json for each project, we hope to make it easier for developers using Composer to ensure they are only using modules with security advisory coverage. This information is also accessible for developers who may want to make additional tools for managing composer packages.

Automatic issue credit for committers

Just about the last step in resolving any code-related issue is for a project maintainer to commit the changes. To make sure these maintainers are credited for the work they do to review these code changes, we now automatically add issue credit for committers.

Performance Improvements for Events.Drupal.org

With DrupalCon coming up in September we spent a little bit of time tuning the performance of Events.Drupal.org. We managed to resolve a session management bug that was the root cause of a significant slow down, so now the site is performing much better.

Syncing your DrupalCon schedule to your calendar

A long requested feature for our DrupalCon websites has been the ability to sync a user's personal schedule to a calendar service. In August we released an initial implementation of this feature, and we're working on updating it in September to support ongoing syncing - stay tuned!

Membership CTA on Download and Extend

We've added a call to action for new members on the Drupal.org Download and Extend page, which highlights some great words and faces from the community. Membership contributions are a crucial part of funding Drupal.org and DrupalCon, but the majority of traffic we receive on Drupal.org is anonymous, and may not reach the areas of the site where we've promoted membership in the past. We're hoping this campaign will help us reach a wider audience.

Membership CTA on the Download page

DrupalCI sponsorship

DrupalCI is one of the most critical services the Drupal Association provides to the project, and also one of the more expensive. We've recently added a very small section to highlight how membership contributions help provide testing for the project - and in the future we hope to highlight sponsors who will step up specifically to subsidize testing for the Drupal project.

Infrastructure

More semantic labels for testing

In August we added more semantic labels for DrupalCI test configuration. This means that project maintainers no longer have to update their testing targets with each new release of Drupal, they can instead test against the 'pre-release' or 'supported' version, etc. More information can be found in the DrupalCI documentation.

Semantic Labels for Testing

Started PCI audit

In August we also began a PCI audit, and developed a plan of action to reduce the Drupal Association's PCI scope. Protecting our community's personal and financial information is critically important, and with a small engineering team, the more we can offload PCI responsibility onto our payment vendors the better. We'll be continuing to work on these changes into the new year.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Development News, Drupal

PHP 7.2.0 Release Candidate 2 Released

PHP Announcements - Thu, 09/14/2017 - 12:07
The PHP development team announces the immediate availability of PHP 7.2.0 RC2. This release is the second Release Candidate for 7.2.0. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! For more information on the new features and other changes, you can read the NEWS file, or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.2.0 Release Candidate 2 please visit the download page. Windows sources and binaries can be found at windows.php.net/qa/. The next Release Candidate will be announced on the 28th of September. You can also read the full list of planned releases on our wiki. Thank you for helping us make PHP better.
Categories: Development News, PHP, PHP News