Subscribe to Drupal core announcements feed
Core announcement
Updated: 2 hours 59 min ago

Recording from July 3rd 2015 Drupal 8 critical issues discussion

July 3, 2015 at 10:19am

This was our 6th critical issues discussion meeting to be publicly recorded in a row. (See all prior recordings). Here is the recording of the meeting video and chat from today in the hope that it helps more than just those who were on the meeting:

If you also have significant time to work on critical issues in Drupal 8 and we did not include you, let me know as soon as possible.

The meeting log is as follows (all times are CEST real time at the meeting):


[11:06am] alexpott: https://www.drupal.org/node/2280965
[11:06am] Druplicon: https://www.drupal.org/node/2280965 => [meta] Remove or document every SafeMarkup::set() call [#2280965] => 90 comments, 13 IRC mentions
[11:06am] alexpott: https://www.drupal.org/node/2506581
[11:06am] Druplicon: https://www.drupal.org/node/2506581 => Remove SafeMarkup::set() from Renderer::doRender [#2506581] => 49 comments, 9 IRC mentions
[11:07am] alexpott: https://www.drupal.org/node/2506195
[11:07am] Druplicon: https://www.drupal.org/node/2506195 => Remove SafeMarkup::set() from XSS::filter() [#2506195] => 40 comments, 3 IRC mentions
[11:09am] dawehner: https://www.drupal.org/node/2502785
[11:09am] Druplicon: https://www.drupal.org/node/2502785 => Remove support for #ajax['url'] and $form_state->setCached() for GET requests [#2502785] => 51 comments, 18 IRC mentions
[11:09am] Druplicon: dawehner: 5 hours 36 sec ago tell dawehner you might already be following https://www.drupal.org/node/1412090 but I figure you would be in favor.
[11:10am] alexpott: GaborHojtsy: do you what the you link is for the live hangout?
[11:11am] GaborHojtsy: live hangout page: http://youtu.be/rz_EissgU7Q
[11:11am] GaborHojtsy: alexpott: ^^^
[11:11am] GaborHojtsy: to watch that is
[11:11am] alexpott: GaborHojtsy: thanks!
[11:12am] plach: https://www.drupal.org/node/2453153
[11:12am] Druplicon: https://www.drupal.org/node/2453153 => Node revisions cannot be reverted per translation [#2453153] => 159 comments, 58 IRC mentions
[11:12am] plach: https://www.drupal.org/node/2453175
[11:12am] Druplicon: https://www.drupal.org/node/2453175 => Remove EntityFormInterface::validate() and stop using button-level validation by default in entity forms [#2453175] => 79 comments, 9 IRC mentions
[11:14am] plach: https://www.drupal.org/node/2478459
[11:14am] Druplicon: https://www.drupal.org/node/2478459 => FieldItemInterface methods are only invoked for SQL storage and are inconsistent with hooks [#2478459] => 112 comments, 29 IRC mentions
[11:14am] larowlan: https://www.drupal.org/node/2354889
[11:14am] Druplicon: https://www.drupal.org/node/2354889 => Make block context faster by removing onBlock event and replace it with loading from a BlockContextManager [#2354889] => 100 comments, 19 IRC mentions
[11:15am] larowlan: https://www.drupal.org/node/2421503
[11:16am] Druplicon: https://www.drupal.org/node/2421503 => SA-CORE-2014-002 forward port only checks internal cache [#2421503] => 46 comments, 11 IRC mentions
[11:16am] larowlan: https://www.drupal.org/node/2512460
[11:16am] Druplicon: https://www.drupal.org/node/2512460 => "Translate user edited configuration" permission needs to be marked as restricted [#2512460] => 20 comments, 8 IRC mentions
[11:17am] WimLeers: catch: pfrenssen is likely gonna be working on the "numerous paramconverters" issue
[11:17am] WimLeers: the issue catch talked about: https://www.drupal.org/node/2512718
[11:17am] Druplicon: https://www.drupal.org/node/2512718 => Numerous ParamConverters in core break the route / url cache context [#2512718] => 22 comments, 12 IRC mentions
[11:17am] catch: WimLeers: did you discuss last night's discussion with him already?
[11:18am] WimLeers: https://www.drupal.org/project/issues/search/drupal?project_issue_follow...
[11:19am] WimLeers: https://www.drupal.org/node/2450993
[11:19am] Druplicon: https://www.drupal.org/node/2450993 => Rendered Cache Metadata created during the main controller request gets lost [#2450993] => 132 comments, 27 IRC mentions
[11:20am] pfrenssen: catch: WimLeers: yes I'm working on that, for the moment just studying how it works
[11:20am] berdir: WimLeers: I think we can also demote it if all the other must issues are critical on their own
[11:20am] GaborHojtsy: https://www.drupal.org/node/2512460
[11:20am] Druplicon: https://www.drupal.org/node/2512460 => "Translate user edited configuration" permission needs to be marked as restricted [#2512460] => 20 comments, 9 IRC mentions
[11:20am] catch: pfrenssen: cool. I'll be around most of today so just ping if you want to discuss.
[11:21am] GaborHojtsy: https://www.drupal.org/node/2512466
[11:21am] Druplicon: https://www.drupal.org/node/2512466 => Config translation needs to be validated on input for XSS (like other t string input) [#2512466] => 34 comments, 3 IRC mentions
[11:21am] WimLeers: pfrenssen++
[11:21am] WimLeers: berdir: assuming you're talking about https://www.drupal.org/node/2429287 — then yes, that's exactly the plan :)
[11:21am] Druplicon: https://www.drupal.org/node/2429287 => [meta] Finalize the cache contexts API & DX/usage, enable a leap forward in performance [#2429287] => 112 comments, 10 IRC mentions
[11:21am] GaborHojtsy: https://www.drupal.org/node/2489024
[11:21am] Druplicon: https://www.drupal.org/node/2489024 => Arbitrary code execution via 'trans' extension for dynamic twig templates (when debug output is on) [#2489024] => 43 comments, 12 IRC mentions
[11:22am] GaborHojtsy: https://www.drupal.org/node/2512718
[11:22am] Druplicon: https://www.drupal.org/node/2512718 => Numerous ParamConverters in core break the route / url cache context [#2512718] => 22 comments, 13 IRC mentions
[11:22am] xjm: GaborHojtsy: I took care of updating the security polict with mlhess
[11:22am] xjm: GaborHojtsy: that's done
[11:23am] • xjm listening to the meeting but cannot join because of 10 person limit
[11:23am] GaborHojtsy: xjm: yay
[11:23am] GaborHojtsy: xjm++
[11:24am] WimLeers: Yes
[11:24am] WimLeers: I DO HAVE A MICROPHONE!!!
[11:24am] WimLeers: :P
[11:24am] xjm: GaborHojtsy: https://www.drupal.org/node/475848/revisions/view/7267195/8630716 now restrict access is mentioned explicitly, so any perm that has it is covered
[11:24am] Druplicon: https://www.drupal.org/node/475848 => Security advisories process and permissions policy => 0 comments, 1 IRC mention
[11:25am] larowlan: https://www.drupal.org/node/2509898
[11:25am] Druplicon: https://www.drupal.org/node/2509898 => Additional uncaught exception thrown while handling exception after service changes [#2509898] => 22 comments, 5 IRC mentions
[11:25am] alexpott: WimLeers: a working microphone :)
[11:28am] WimLeers: alexpott: all of you guys are breaking up for me from time to time. It looks like it's something with Chrome/Hangouts :(
[11:28am] xjm: WimLeers: yeah I had to use FF
[11:28am] WimLeers: My mic *works* if I test it locally.
[11:28am] WimLeers: xjm: lol, the beautiful irony
[11:30am] WimLeers: berdir: alexpott: I checked and I agree with the change you guys just asked me feedback on: https://www.drupal.org/node/2375695#comment-10082188
[11:30am] Druplicon: https://www.drupal.org/node/2375695 => Condition plugins should provide cache contexts AND cacheability metadata needs to be exposed [#2375695] => 117 comments, 40 IRC mentions
[11:32am] alexpott: https://www.drupal.org/node/2497243
[11:32am] Druplicon: https://www.drupal.org/node/2497243 => Rebuilding service container results in endless stampede [#2497243] => 97 comments, 22 IRC mentions
[11:33am] • larowlan using FF too, doesn't trust Google
[11:33am] alexpott: dawehner, catch: anyone got the nid of the chx container issue?
[11:33am] dawehner: https://www.drupal.org/node/2513326
[11:33am] catch: alexpott: https://www.drupal.org/node/2513326
[11:33am] Druplicon: https://www.drupal.org/node/2513326 => Performance: create a PHP storage backend directly backed by cache [#2513326] => 43 comments, 13 IRC mentions
[11:33am] Druplicon: https://www.drupal.org/node/2513326 => Performance: create a PHP storage backend directly backed by cache [#2513326] => 43 comments, 14 IRC mentions
[11:34am] catch: beat me.
[11:36am] larowlan: https://www.drupal.org/node/2511568 for the ctools issue I mentioned
[11:36am] Druplicon: https://www.drupal.org/node/2511568 => Create "context stack" service where available contexts can be registered [#2511568] => 0 comments, 3 IRC mentions
[11:41am] xjm: dropping off now to walk to the venue
[11:41am] alexpott: pfrenssen++
[11:50am] GaborHojtsy: for browser we are working on https://www.drupal.org/node/2430335
[11:50am] Druplicon: https://www.drupal.org/node/2430335 => Browser language detection is not cache aware [#2430335] => 47 comments, 21 IRC mentions
[11:50am] GaborHojtsy: Fabianx-screen: see above
[11:51am] berdir: and it's not a blocker
[11:51am] berdir: because right now it just kills page/smart cache
[11:51am] berdir: so if you use that, you are not seeing a cached page anyway
[11:51am] berdir: Fabianx-screen: we have a cache context for the content language
[11:52am] xjm: the youtube video has like a 20 second delay
[11:53am] GaborHojtsy: xjm: we get what we pay for :D
[11:54am] xjm: now I am talking
[11:55am] plach: https://www.drupal.org/node/2453175#comment-10080242
[11:55am] Druplicon: https://www.drupal.org/node/2453175 => Remove EntityFormInterface::validate() and stop using button-level validation by default in entity forms [#2453175] => 79 comments, 10 IRC mentions
[11:55am] xjm: more like 60s
[11:55am] GaborHojtsy: xjm: well, you’ll be in the recording forver now :D
[11:55am] xjm: :P
[11:56am] xjm: GaborHojtsy: is there any way to increase the number of participants or to include the chat sidebar in the video?
[11:56am] WimLeers1: catch: Can you leave a comment on https://www.drupal.org/node/2512718 with your POV/conclusion — sounds like you have the clearest grasp on this/completest view on the likely solution.
[11:56am] Druplicon: https://www.drupal.org/node/2512718 => Numerous ParamConverters in core break the route / url cache context [#2512718] => 23 comments, 14 IRC mentions
[11:56am] WimLeers1: xjm: chat is here, we don't use Google Hangout's chat sidebar
[11:56am] GaborHojtsy: xjm: the chat window is THIS ONE
[11:57am] larowlan: xjm: the chat one is lost soon as the call ends
[11:57am] xjm: WimLeers: GaborHojtsy: so the thing is that listening to the video it's very hard to figure out which issues people are discussing, even with Gábor's notes
[11:57am] larowlan: xjm: you can get more than 10 in the call if you have a corporate account I think
[11:57am] WimLeers: larowlan: Gábor copy/pastes this chat to the g.d.o post with the link of the recording
[11:57am] • larowlan nods
[11:57am] WimLeers: that was meant for xjm, oops
[11:58am] GaborHojtsy: xjm: the trick is if we would start on time, then my chat log shows timestamps which are sync with the video
[11:58am] GaborHojtsy: xjm: we have a few minute delay between the video start and the top of the hour
[11:58am] catch: WimLeers: yep will do.
[11:59am] GaborHojtsy: xjm: because people arrive later basically :)
[11:59am] WimLeers: catch++
[12:01pm] GaborHojtsy: xjm: its also hard to get Druplicon in google hangouts — as in impossible ÉD
[12:01pm] GaborHojtsy: xjm: and there was some interest for people watching to be able to follow links WHILE the meeting was on
[12:02pm] xjm: GaborHojtsy: but it doesn't work -- I'm trying that right now -- the delay is too big
[12:02pm] WimLeers: alexpott: regarding in title: https://api.drupal.org/comment/26#comment-26
[12:03pm] GaborHojtsy: xjm: well, then at least the Druplicon advantage is there :)
[12:03pm] GaborHojtsy: xjm: I am happy to use some way to get the comments in if there is one
[12:04pm] GaborHojtsy: xjm: I am not sure it helps if eg. someone shares their screen with an IRC client throughout the video
[12:04pm] GaborHojtsy: xjm: the links are not clickable either
[12:04pm] xjm: GaborHojtsy: shannon did that for the meeting we had 2y ago -- though the same problem with links not being clickable
[12:04pm] GaborHojtsy: xjm: but that may be a workaround

Categories: Planet Drupal

Portsmouth NH theme system critical sprint recap

July 3, 2015 at 3:16am

In early June a Drupal 8 theme system critical issues sprint was held in Portsmouth, New Hampshire as part of the D8 Accelerate program.

The sprint started the afternoon of June 5 and continued until midday June 7.

Sprint goals

We set out to move forward the two (at the time) theme system criticals, #2273925: Ensure #markup is XSS escaped in Renderer::doRender (created May 24, 2014) and #2280965: [meta] Remove or document every SafeMarkup::set() call (created June 6, 2014).

Sponsors

The Drupal Association provided the D8 Accelerate grant which covered travel costs for joelpittet and Cottser.

Bowst provided the sprint space.

As part of its NHDevDays series of contribution sprints, the New Hampshire Drupal Group provided snacks and refreshments during the sprint, lunch and even dinner on Saturday.

Digital Echidna provided time off for Cottser.

Summary

xjm committed #2273925: Ensure #markup is XSS escaped in Renderer::doRender Sunday afternoon! xjm’s tweet sums things up nicely.

As for the meta (which is comprised of about 50 sub-issues), by the end of the sprint we had patches on over 30 of them, 3 had been committed, and 7 were in the RTBC queue.

Thanks to the continued momentum provided by the New Jersey sprint, as of this writing approximately 20 issues from the meta issue have been resolved.

Friday afternoon

peezy kicked things off with a brief welcome and acknowledgements. joelpittet and Cottser gave an informal introduction to the concepts and tasks at hand for the sprinters attending.

After that, leslieg on-boarded our Friday sprinters (mostly new contributors), getting them set up with Drupal 8, IRC, Dreditor, and so on. leslieg and a few others then went to work reviewing documentation around #2494297: [no patch] Consolidate change records relating to safe markup and filtering/escaping to ensure cross references exist.

Meanwhile in "critical central" (what we called the meeting room where the work on the critical issues was happening)…

lokapujya and joelpittet got to work on the remaining tasks of #2273925: Ensure #markup is XSS escaped in Renderer::doRender.

cwells and Cottser started the work on removing calls to SafeMarkup::set() by working on #2501319: Remove SafeMarkup::set in _drupal_log_error, DefaultExceptionSubscriber::onHtml, Error::renderExceptionSafe.

Thai food was ordered in, and many of us continued working on issues late into the evening.

Saturday

joelpittet and Cottser gave another brief introduction to keep new arrivals on the same page and reassert concepts from the day before.

leslieg did some more great on-boarding Saturday and worked with a handful of new contributors on implementing #2494297: [no patch] Consolidate change records relating to safe markup and filtering/escaping to ensure cross references exist. The idea was that by reviewing and working on this documentation the contributors would be better equipped to work directly on the issues in the SafeMarkup::set() meta.

Mid-morning Cottser led a participatory demo with the whole group of a dozen or so sprinters, going through one of the child issues of the meta and ending up with a patch. This allowed us to walk through the whole process and think out loud the whole time.

Sprinters gathered around a table
The Benjamin Melançon XSS attack in action. Having some fun while working on our demo issue.

By this time we had identified some common patterns after working on enough of these issues.

By the end of Saturday all of the sprinters including brand new contributors were collaborating on issues from the critical meta and the issue stickies were flying around the room with fervor (a photo of said issue stickies is below).

15 Drupalists posing outside the sprint space after a long day of sprinting

10 Drupalists having dinner
Then we had dinner :)

Sunday morning

drupal.org was down for a while.

We largely picked up where we left off Saturday, cranked out more patches, and joelpittet and Cottser started to review the work that had been done the day before that was in the “Needs Human” column.

A whiteboard with many sticky notes representing drupal.org issues
Our sprint board looked something like this on the last day of the sprint.

Thank you

Thanks to the organizing committee (peezy, leslieg, cwells, and kbaringer), xjm, effulgentsia, New Hampshire DUG, Seacoast DUG, Bowst, Drupal Association, Digital Echidna, and all of our sprinters: cdulude, Cottser, cwells, Daniel_Rose, dtraft, jbradley428, joelpittet, kay_v, kbaringer, kfriend, leslieg, lokapujya, mlncn, peezy, sclapp, tetranz.

AttachmentSize 20150606_114556.jpg453.91 KB 20150606_184029.jpg549.46 KB 20150607_130317.jpg353.87 KB IMG_8589.JPG781.47 KB
Categories: Planet Drupal

No Drupal 6 or Drupal 7 core release on Wednesday, July 1

June 29, 2015 at 1:42pm

The monthly Drupal core bug fix/feature release window is scheduled for this Wednesday. However, there have not been enough changes to the development version since the last bug fix/feature release two months ago to warrant a new release, so there will be no Drupal core release on that date.

Upcoming release windows include:

  • Wednesday, July 15 (security release window)
  • Wednesday, August 5 (bug fix/feature release window)

For more information on Drupal core release windows, see the documentation on release timing and security releases, and the discussion that led to this policy being implemented.

Categories: Planet Drupal

Recording from June 26th 2015 Drupal 8 critical issues discussion

June 26, 2015 at 10:12am

This was our fifth critical issues discussion meeting to be publicly recorded in a row. (See all prior recordings). Here is the recording of the meeting video and chat from today in the hope that it helps more than just those who were on the meeting:

Unfortunately not all people invited made it this time. If you also have significant time to work on critical issues in Drupal 8 and we did not include you, let me know as soon as possible.

The meeting log is as follows (all times are CEST real time at the meeting):


[11:04am] jibran: Issues https://www.drupal.org/project/issues/search/drupal?status[0]=1&status[1]=13&status[2]=8&status[3]=14&status[4]=4&priorities[0]=400&categories[0]=1&categories[1]=2&categories[2]=5&version[0]=8.x
[11:07am] dawehner: https://www.drupal.org/node/2509300
[11:07am] Druplicon: https://www.drupal.org/node/2509300 => Path alias UI allows node/1 and /node/1 as system path then fatals [#2509300] => 55 comments, 5 IRC mentions
[11:07am] dawehner: https://www.drupal.org/node/2408371
[11:07am] Druplicon: https://www.drupal.org/node/2408371 => Proxies of module interfaces don't work [#2408371] => 71 comments, 14 IRC mentions
[11:13am] plach: alexpott: dawehner GaborHojtsy: WimLeers: hamletic questions in the critical meeting
[11:13am] GaborHojtsy: plach: :P
[11:13am] plach: :)
[11:14am] WimLeers: "hamletic", wow :D
[11:14am] plach: https://www.drupal.org/node/2478459
[11:14am] Druplicon: https://www.drupal.org/node/2478459 => FieldItemInterface methods are only invoked for SQL storage and are inconsistent with hooks [#2478459] => 105 comments, 26 IRC mentions
[11:14am] plach: https://www.drupal.org/node/2453153
[11:14am] Druplicon: https://www.drupal.org/node/2453153 => Node revisions cannot be reverted per translation [#2453153] => 134 comments, 42 IRC mentions
[11:14am] dawehner: alexpott: i mean our request context ->getCompleteBaseUrl is basically that
[11:15am] alexpott: dawehner: yep
[11:16am] dawehner: GH sadly does not allow you to filter by 3.0.issues
[11:16am] WimLeers: that's weird
[11:16am] jibran: https://www.drupal.org/node/2500523
[11:16am] Druplicon: https://www.drupal.org/node/2500523 => Rewrite views_ui_add_ajax_trigger() to not rely on /system/ajax. [#2500523] => 27 comments, 6 IRC mentions
[11:16am] dawehner: alexpott: https://github.com/symfony/symfony/issues/6406#issuecomment-58411133
[11:19am] catch: https://www.drupal.org/node/2470679
[11:19am] Druplicon: https://www.drupal.org/node/2470679 => [meta] Identify necessary performance optimizations for common profiling scenarios [#2470679] => 62 comments, 15 IRC mentions
[11:19am] catch: https://www.drupal.org/node/2497185
[11:19am] Druplicon: https://www.drupal.org/node/2497185 => Create standardized core profiling scenarios and start tracking metrics for them [#2497185] => 36 comments, 11 IRC mentions
[11:19am] GaborHojtsy: lol, my chrome died, is the meeting still running? :)
[11:19am] alexpott: GaborHojtsy: yes
[11:19am] WimLeers: https://docs.google.com/spreadsheets/d/1iTFR2TVP-9961RUQ4of-N7jZLTOtfwf3...
[11:19am] dawehner: GaborHojtsy: yes
[11:20am] GaborHojtsy: yay I got back the controls when it reopened
[11:20am] GaborHojtsy: huh
[11:20am] GaborHojtsy: will still be able to stop broadcast, etc.
[11:20am] WimLeers: nice!
[11:20am] Druplicon: darn tooting it sure is!
[11:21am] WimLeers: https://www.drupal.org/node/2429287
[11:21am] Druplicon: https://www.drupal.org/node/2429287 => [meta] Finalize the cache contexts API & DX/usage, enable a leap forward in performance [#2429287] => 105 comments, 8 IRC mentions
[11:22am] WimLeers: https://www.drupal.org/node/2450993
[11:22am] Druplicon: https://www.drupal.org/node/2450993 => Rendered Cache Metadata created during the main controller request gets lost [#2450993] => 104 comments, 20 IRC mentions
[11:22am] WimLeers: https://www.drupal.org/node/2351015
[11:22am] Druplicon: https://www.drupal.org/node/2351015 => Link CSRF tokens can be hijacked when cached with insufficient contexts [#2351015] => 98 comments, 35 IRC mentions
[11:24am] WimLeers: https://www.drupal.org/node/2429287
[11:24am] Druplicon: https://www.drupal.org/node/2429287 => [meta] Finalize the cache contexts API & DX/usage, enable a leap forward in performance [#2429287] => 105 comments, 9 IRC mentions
[11:25am] WimLeers: https://www.drupal.org/node/2487600
[11:25am] Druplicon: https://www.drupal.org/node/2487600 => #access should support access result objects or better has to always use it [#2487600] => 17 comments, 1 IRC mention
[11:27am] WimLeers: https://www.drupal.org/node/2493033
[11:27am] Druplicon: https://www.drupal.org/node/2493033 => Make 'user.permissions' a required cache context [#2493033] => 18 comments, 4 IRC mentions
[11:29am] WimLeers: https://www.drupal.org/node/2473873
[11:29am] Druplicon: https://www.drupal.org/node/2473873 => Add cacheablity support for entity operations [#2473873] => 26 comments, 3 IRC mentions
[11:34am] GaborHojtsy: https://www.drupal.org/node/2512460
[11:34am] Druplicon: https://www.drupal.org/node/2512460 => "Translate user edited configuration" permission needs to be marked as sensitive [#2512460] => 2 comments, 1 IRC mention
[11:36am] GaborHojtsy: https://localize.drupal.org/node/63903
[11:36am] Druplicon: https://localize.drupal.org/node/63903 => Test the staging version of localize.drupal.org on Drupal 7 NOW! => 0 comments, 4 IRC mentions
[11:36am] dawehner: alexpott: would you be okay with adding \Drupal\Core\Http to add things like TrustedRedirectResponse there?
[11:46am] plach: https://www.drupal.org/node/2507899#comment-10059322
[11:46am] Druplicon: https://www.drupal.org/node/2507899 => [policy, no patch] Require hook_update_N() for Drupal 8 core patches beginning June 29 [#2507899] => 34 comments, 5 IRC mentions
[11:48am] dawehner: https://www.drupal.org/node/2509898
[11:48am] Druplicon: https://www.drupal.org/node/2509898 => Additional uncaught exception thrown while handling exception after service changes [#2509898] => 3 comments, 1 IRC mention
[11:49am] • jibran hates this cycle of exception rendering.
[11:50am] WimLeers: https://www.drupal.org/node/2450993
[11:50am] Druplicon: https://www.drupal.org/node/2450993 => Rendered Cache Metadata created during the main controller request gets lost [#2450993] => 104 comments, 21 IRC mentions
[11:54am] dawehner: https://www.drupal.org/node/2489024
[11:54am] Druplicon: https://www.drupal.org/node/2489024 => Arbitrary code execution via 'trans' extension for dynamic twig templates (when debug output is on) [#2489024] => 24 comments, 9 IRC mentions
[12:03pm] WimLeers: https://www.drupal.org/project/issues/search/drupal?project_issue_follow...
[12:04pm] plach: WimLeers++
[12:04pm] plach: (oh boy :D)
[12:04pm] WimLeers: :P
[12:04pm] jibran: slow clap for WimLeers

Categories: Planet Drupal

Update: Drupal 8 beta 12 rescheduled for June 29; get ready for hook_update_N() in core

June 24, 2015 at 10:35pm

We've rescheduled Drupal 8 beta 12 for June 29, 2015 to provide a little more leeway time for Drupal 8 core issues that require an update function. Starting June 29, any Drupal 8 core issue that includes a data model change must include an update function and update path test. See the previously announced core policy on requiring hook_update_N() for more information.

Identify your data model changes now!

If you have any core patches that are currently under development, please start identifying the data model changes in those patches now. Tag any issue that requires a data model change with D8 upgrade path and document the specific data model changes in the issue summary. Or, help triage major issues with specific attention to the data model changes.

It's actually also a good idea to start writing hook_update_N() implementations for your patches now! This will ensure in-progress issues can be committed as soon as possible following the next beta, and if your patch is ready before June 29, your update function will still help provide the corresponding update for the head2head project. Plus, if you uncover a critical limitation with Drupal 8 core's update functionality while working on your update function during the next week, the upcoming D8 Accelerate critical issues sprint will be an opportunity to get that critical issue fixed and unblock your patch.

Note for Drupal site owners and developers

Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs. Betas are not supported releases of Drupal, and generally are not recommended for non-technical users, nor for production websites. The current beta release includes known critical bugs, including publicly disclosed security vulnerabilities. More information on beta releases.

The addition of update functions for Drupal 8.0.x issues should make it easier for developers to update their existing development sites between beta releases using update.php. However, these update functions may include bugs or even introduce data integrity issues, so developers should always back up the site and be prepared to rebuild it from scratch or manually update or migrate the data in case update.php fails to update it properly.

Categories: Planet Drupal

Requiring hook_update_N() for Drupal 8 core patches beginning June 24

June 20, 2015 at 12:58am

In [policy, no patch] Require hook_update_N() for Drupal 8 core patches beginning June 24, the Drupal 8 release managers outline a policy to begin requiring hook_update_N() implementations for core patches that introduce data model changes starting after the next beta release. The goal of this policy change is to start identifying common update use-cases, to uncover any limitations we have for providing update functions in core, and to prepare core developers for considering upgrade path issues as we create the last few betas and first release candidates of Drupal 8. We need your help reviewing and communicating about this proposed policy, as well as identifying core issues that will be affected. Read the issue for more details.

Categories: Planet Drupal

Recording from June 19th 2015 Drupal 8 critical issues discussion

June 19, 2015 at 10:37am

This was our fourth critical issues discussion meeting to be publicly recorded in a row. (See all prior recordings). This time to make discussions easier to follow for all of us, we switched to #drupal-contribute in IRC to post links, so those following real time can follow the links and we can just paste the meeting log here as well. Here is the recording of the meeting from today in the hope that it helps more than just those who were on the meeting:

Unfortunately not all people invited made it this time. If you also have significant time to work on critical issues in Drupal 8 and we did not include you, let me know as soon as possible.

The meeting log is as follows (all times are CEST real time at the meeting):


[11:07am] plach: https://www.drupal.org/node/2478459
[11:07am] Druplicon: https://www.drupal.org/node/2478459 => FieldItemInterface methods are only invoked for SQL storage and are inconsistent with hooks [#2478459] => 93 comments, 19 IRC mentions
[11:07am] dawehner: https://www.drupal.org/node/2500527
[11:07am] Druplicon: https://www.drupal.org/node/2500527 => Rewrite \Drupal\file\Controller\FileWidgetAjaxController::upload() to not rely on form cache [#2500527] => 34 comments, 6 IRC mentions
[11:08am] plach: https://www.drupal.org/node/2453153
[11:08am] Druplicon: https://www.drupal.org/node/2453153 => Node revisions cannot be reverted per translation [#2453153] => 107 comments, 31 IRC mentions
[11:09am] jibran: https://www.drupal.org/node/2263569#comment-10039344
[11:10am] Druplicon: https://www.drupal.org/node/2263569 => Bypass form caching by default for forms using #ajax. [#2263569] => 219 comments, 35 IRC mentions
[11:11am] Fabianx-screen: https://www.drupal.org/node/2354889
[11:11am] Druplicon: https://www.drupal.org/node/2354889 => Make block context faster by removing onBlock event and replace it with loading from a BlockContextManager [#2354889] => 66 comments, 13 IRC mentions
[11:11am] WimLeers: https://www.drupal.org/node/2375695
[11:11am] Druplicon: https://www.drupal.org/node/2375695 => Condition plugins should provide cache contexts AND cacheability metadata needs to be exposed [#2375695] => 75 comments, 25 IRC mentions
[11:13am] GaborHojtsy: Fabianx-screen is talking about https://www.drupal.org/node/2354889
[11:13am] Druplicon: https://www.drupal.org/node/2354889 => Make block context faster by removing onBlock event and replace it with loading from a BlockContextManager [#2354889] => 66 comments, 14 IRC mentions
[11:14am] WimLeers: No, he was talking about https://www.drupal.org/node/2501989
[11:14am] Druplicon: https://www.drupal.org/node/2501989 => [meta] Page Cache Performance [#2501989] => 24 comments, 5 IRC mentions
[11:14am] WimLeers: (i.e. the very first part of what he said)
[11:14am] GaborHojtsy: (I directly copied the link he posted in hangouts :D)
[11:14am] WimLeers: lol ok :P
[11:16am] WimLeers: https://www.drupal.org/node/2429287
[11:16am] Druplicon: https://www.drupal.org/node/2429287 => [meta] Finalize the cache contexts API & DX/usage, enable a leap forward in performance [#2429287] => 102 comments, 7 IRC mentions
[11:17am] WimLeers: https://www.drupal.org/node/2450993
[11:17am] Druplicon: https://www.drupal.org/node/2450993 => Rendered Cache Metadata created during the main controller request gets lost [#2450993] => 35 comments, 14 IRC mentions
[11:18am] larowlan: GaborHojtsy: still working sorry, sent apology to dawehne_r this morning with my update
[11:18am] GaborHojtsy: larowlan: yeah jibran relayed that :)
[11:19am] GaborHojtsy: https://www.drupal.org/node/2495179
[11:19am] Druplicon: https://www.drupal.org/node/2495179 => Twig placeholder filter should not map to raw filter [#2495179] => 53 comments, 7 IRC mentions
[11:20am] GaborHojtsy: https://www.drupal.org/node/2487972
[11:20am] Druplicon: https://www.drupal.org/node/2487972 => [META] Results of testing localize.drupal.org on Drupal 7 in June 2015 [#2487972] => 18 comments, 5 IRC mentions
[11:21am] jibran: https://www.drupal.org/node/2453153
[11:21am] Druplicon: https://www.drupal.org/node/2453153 => Node revisions cannot be reverted per translation [#2453153] => 107 comments, 32 IRC mentions
[11:31am] larowlan: jibran++
[11:31am] larowlan: GaborHojtsy++
[11:31am] GaborHojtsy: Fabianx-screen: what’s the issue link?
[11:33am] jibran: https://www.drupal.org/node/2489024
[11:33am] dawehner: https://www.drupal.org/node/2508591
[11:33am] Druplicon: https://www.drupal.org/node/2489024 => Arbitrary code execution via 'trans' extension for dynamic twig templates (when debug output is on) [#2489024] => 18 comments, 7 IRC mentions
[11:33am] Druplicon: https://www.drupal.org/node/2508591 => Move Drupal into subdirectory and get external dependencies/libraries out of the web-accessible path [#2508591] => 8 comments, 3 IRC mentions
[11:42am] dawehner: https://www.drupal.org/node/2508654#comment-10039315
[11:42am] Druplicon: https://www.drupal.org/node/2508654 => File inclusion in transliteration service [#2508654] => 17 comments, 2 IRC mentions
[11:43am] GaborHojtsy: dawehner: that one yeah
[11:43am] GaborHojtsy: https://www.drupal.org/drupal8-security-bounty running for 2 more months
[11:43am] jibran: https://www.drupal.org/node/1305882
[11:43am] Druplicon: https://www.drupal.org/node/1305882 => drupal_html_id() considered harmful; remove ajax_html_ids to use GET (not POST) AJAX requests [#1305882] => 153 comments, 22 IRC mentions
[11:48am] dawehner: https://www.drupal.org/node/2500523
[11:48am] Druplicon: https://www.drupal.org/node/2500523 => Rewrite views_ui_add_ajax_trigger() to not rely on /system/ajax. [#2500523] => 6 comments, 2 IRC mentions

Categories: Planet Drupal

Recording from June 12th 2015 Drupal 8 critical issues discussion

June 15, 2015 at 9:56am

It came up multiple times at recent events that it would be very helpful for people significantly working on Drupal 8 critical issues to get together more often to talk about the issues and unblock each other on things where discussion is needed. While these do not by any means replace the issue queue discussions (much like in-person meetings at events are not), they do help to unblock things much more quickly. We also don't believe that the number of or the concrete people working on critical issues should be limited, so we did not want to keep the discussions closed. After our second meeting last week, here is the recording of the third meeting from today in the hope that it helps more than just those who were on the meeting:

Unfortunately not all people invited made it this time. If you also have significant time to work on critical issues in Drupal 8 and we did not include you, let me know as soon as possible.

The issues mentioned were as follows:

Alex Pott
Rebuilding service container results in endless stampede: https://www.drupal.org/node/2497243
Twig placeholder filter should not map to raw filter: https://www.drupal.org/node/2495179

Francesco Placella
https://www.drupal.org/project/issues/search/drupal?project_issue_followers=&status[]=Open&priorities[]=400&version[]=8.x&component[]=entity+system&component[]=field+system&component[]=language+system&component[]=content_translation.module&component[]=language.module&component[]=views.module&issue_tags_op=%3D
FieldItemInterface methods are only invoked for SQL storage and are inconsistent with hooks: https://www.drupal.org/node/2478459

Lee Rowlands
Make block context faster by removing onBlock event and replace it with loading from a BlockContextManager: https://www.drupal.org/node/2354889

Francesco Placella
FieldItemInterface methods are only invoked for SQL storage and are inconsistent with hooks: https://www.drupal.org/node/2478459

Alex Pott
Rewrite \Drupal\file\Controller\FileWidgetAjaxController::upload() to not rely on form cache https://www.drupal.org/node/2500527

Gábor Hojtsy
Twig placeholder filter should not map to raw filter: https://www.drupal.org/node/2495179

Daniel Wehner
drupal_html_id() considered harmful; remove ajax_html_ids to use GET (not POST) AJAX requests: https://www.drupal.org/node/1305882

Francesco Placella
Node revisions cannot be reverted per translation: https://www.drupal.org/node/2453153
https://www.drupal.org/project/issues/search/drupal?project_issue_followers=&status[]=Open&priorities[]=400&version[]=8.x&issue_tags_op=%3D&issue_tags=D8+upgrade+path

Daniel Wehner
SA-CORE-2014-002 forward port only checks internal cache: https://www.drupal.org/node/2421503

Francesco Placella
Nat: it would be good to have your feedback on the proposed solution the translation revisions issue aside from its criticality (see https://www.drupal.org/node/2453153#comment-9991563 and following)

Fabian Franz
[PP-2] Remove support for #ajax['url'] and $form_state->setCached() for GET requests: https://www.drupal.org/node/2502785
Condition plugins should provide cache contexts AND cacheability metadata needs to be exposed: https://www.drupal.org/node/2375695
Make block context faster by removing onBlock event and replace it with loading from a BlockContextManager: https://www.drupal.org/node/2354889

Alex Pott
[meta] Identify necessary performance optimizations for common profiling scenarios: http://drupal.org/node/2470679

Nathaniel Catchpole
Core profiling scenarios: https://www.drupal.org/node/2497185
Node::isPublished() and Node:getOwnerId() are expensive: https://www.drupal.org/node/2498919
And User:getAnonymousUser() takes 13ms due to ContentEntityBase::setDefaultLangcode() (https://www.drupal.org/node/2504849) is similar.

Categories: Planet Drupal

Drupal core security release window on Wednesday, June 17

June 12, 2015 at 10:30pm
Start:  2015-06-17 (All day) America/New_York Online meeting (eg. IRC meeting) Organizers:  David_Rothstein

The monthly security release window for Drupal 6 and Drupal 7 core will take place on Wednesday, June 17.

This does not mean that a Drupal core security release will necessarily take place on that date for either the Drupal 6 or Drupal 7 branches, only that you should prepare to look out for one (and be ready to update your Drupal sites in the event that the Drupal security team decides to make a release).

There will be no bug fix/feature release on this date; the next window for a Drupal core bug fix/feature release is Wednesday, July 1.

For more information on Drupal core release windows, see the documentation on release timing and security releases, and the discussion that led to this policy being implemented.

Categories: Planet Drupal

DrupalCI: It's coming!

June 11, 2015 at 6:25pm

DrupalCI is the next-generation version of our beloved testbot. The MVP ("minimum viable product") is coming soon (rolled out in parallel with the old testbot for awhile).

Here's a sneak peak at what it'll look like and some of its new capabilities: https://groups.drupal.org/node/471473

Categories: Planet Drupal

D8 Accelerate critical issue sprint in London, UK, July 2-8

June 11, 2015 at 5:08pm
Start:  2015-07-02 09:00 - 2015-07-08 18:00 UTC Sprint Organizers:  xjm

Sprint toward a Drupal 8 release candidate

As of this writing, 22 known critical issues block a Drupal 8 release candidate. It's time to close that gap.

The D8 Accelerate program is sponsoring a critical issue sprint in London, UK, from Thursday, July 2 to Wednesday, July 8. The sprint will be hosted by UK company and Drupal Association member BrightLemon at Unit 12, Zeus House 16-30 Provost Street London, N1 7NG United Kingdom.

Space is limited but we welcome your help!

This sprint will be focused exclusively on resolving critical issues in Drupal 8. Confirmed attendees so far include alexpott, amateescu, Berdir, dawehner, pfrenssen, plach, xjm, Wim Leers, and znerol. If you can help resolve the remaining critical issues, we'd love to collaborate with you as well! Space is limited, so contact xjm if you are interested in signing up for the sprint.

Remote collaboration is also welcome; join us in #drupal-contribute during the sprint. If you can't make this sprint, you can help on Drupal 8 criticals in the issue queue now or at one of the other upcoming Drupal 8 sprints, or help by triaging major issues.

Let's get Drupal 8 done!

Categories: Planet Drupal

Drupal 8 Jersey shore sprint, Asbury Park, June 13-14

June 10, 2015 at 5:07pm

June 13-14, 2015, the Central NJ Drupal Group is hosting a core sprint
focusing on the upcoming release of Drupal 8.

The current plan is to focus on [meta] Remove or document every SafeMarkup::set() call, continuing the work done at the recent Drupal 8 theme system critical issues sprint (June 5-7 in Portsmouth, NH.)

See the event post at https://groups.drupal.org/node/468408 for more details, and
registration information.

Categories: Planet Drupal

Recording from June 5th 2015 Drupal 8 critical issues discussion

June 5, 2015 at 12:07pm

It came up multiple times at recent events that it would be very helpful for people significantly working on Drupal 8 critical issues to get together more often to talk about the issues and unblock each other on things where discussion is needed. While these do not by any means replace the issue queue discussions (much like in-person meetings at events are not), they do help to unblock things much more quickly. We also don't believe that the number of or the concrete people working on critical issues should be limited, so we did not want to keep the discussions closed. After our first meeting last week, here is the recording of the second meeting from today in the hope that it helps more than just those who were on the meeting:

Unfortunately not all people invited made it this time. If you also have significant time to work on critical issues in Drupal 8 and we did not include you, let me know as soon as possible.

The issues mentioned were as follows:

Alex Pott
Performance issue: https://www.drupal.org/node/2470679
Entity title: https://www.drupal.org/node/2498849
Render cache for views: https://www.drupal.org/node/2381277

daniel wehner, Gábor Hojtsy
Make Views bulk operations entity translation aware: https://www.drupal.org/node/2484037

Lee Rowlands
Ensure #markup is XSS escaped in Renderer::doRender(): https://www.drupal.org/node/2273925
Create a php script that can dump a database for testing update hooks: https://www.drupal.org/node/2497323
Views::getApplicableViews() initializes displays during route rebuilding etc.: https://www.drupal.org/node/2497017

Jibran Ijaz
FieldItemInterface methods are only invoked for SQL storage and are inconsistent with hooks: https://www.drupal.org/node/2478459#comment-9983133

Alex Pott
FieldItemInterface: https://www.drupal.org/node/2478459
Ajax form patch: https://www.drupal.org/node/2263569

daniel wehner
HTML IDs: https://www.drupal.org/node/1305882

Jibran Ijaz
PHP Script for dumping the database: https://www.drupal.org/node/2497323

Categories: Planet Drupal

Drupal 8 Security bug bounty program: Get paid to find security issues in D8

June 3, 2015 at 8:17pm

Drupal 8 is nearing release, and with all the big architectural changes it brings, we want to ensure D8 upholds the same level of security as our previous releases. That's where you come in!

The security team is using monies from the D8 Accelerate fund to pay for valid security issues found in Drupal 8, from now until August 31, 2015 (open to extension). This program is open for participation by anyone.

Read more details here: https://www.drupal.org/drupal8-security-bounty

Categories: Planet Drupal

D8 User Manual proposal

June 2, 2015 at 2:19pm

There's a new proposal to create a coherent, internationalized Drupal 8 User Manual, which Joe Shindelar (eojthebrave) discussed at DrupalCon Los Angeles recently. Because we want comments on the proposal, it's posted in the Documentation group (the Core group doesn't allow comments):
https://groups.drupal.org/node/470648

I thought some other groups might be interested, so I'm posting this quick note to let you know. Follow the link for all the details and discussions.

Categories: Planet Drupal

This month in Drupal Documention (May 2015)

June 1, 2015 at 9:29pm

Here we are again with an update from our Documentation Working Group (DocWG) on what has been happening in Drupal Documentation in the last month or so. Because this is posted in the Core group as well as Documentation you can not comment on this post. If you have comments or suggestions, please see the DocWG home page for how to contact us.

Requesting a grant to write a Drupal 8 user manual

The Documentation Working Group is going to request a grant from the Drupal Association to fund a Drupal 8 user manual. This manual would be intended for site builders and site administrators at the “Newcomer” or “Learner” level. The manual would not be limited to Drupal Core, and not necessarily covering every module of Drupal Core. The manual would be under git version control and would be written in a text format that is easy to manage for technical writers. We just posted a proposal on groups.drupal.org to get feedback from the community.

Thanks for writing documentation

May 2015 was a productive documentation month with 247 people revising almost 900 pages on drupal.org. These were the most active editors:

Many thanks go out to everyone that helped improving Drupal's on line documentation.

Let's Talk About Documentation at Drupalcon Los Angeles

Documentation Working Group member Joe Shindelar presented a session together with his Lullabot colleagues Amber Himes Matz and Greg Dunlap about the state of Drupal documentation. They discussed the current issues in, for example, the community documentation on drupal.org and talked about possible solutions. If you missed it, you can find the recording on events.drupal.org.

Documentation Priorities

Our priority is currently Drupal 8 documentation. Plenty of work has been going on in reviewing the embedded help texts in Drupal 8 and this work is almost complete.
The remain issues are:

The Current documentation priorities page is always a good place to look to figure out what to work on, and it has been updated recently.

If you would like to contribute to Drupal documentation, but don't know where to start, then New contributor task can be a good starting point.

Categories: Planet Drupal

No Drupal 6 or Drupal 7 core release on Wednesday, June 3

June 1, 2015 at 4:26pm

The monthly Drupal core bug fix/feature release window is scheduled for this Wednesday. However, there have been Drupal 7 releases the past two months (in both April and May), and not enough changes to the development version since then to warrant a new release, so there will be no Drupal core release on that date.

Upcoming release windows include:

  • Wednesday, June 17 (security release window)
  • Wednesday, July 1 (bug fix/feature release window)

For more information on Drupal core release windows, see the documentation on release timing and security releases, and the discussion that led to this policy being implemented.

Categories: Planet Drupal

Drupal 8 theme system critical issues sprint (June 5-7 in Portsmouth, NH)

May 30, 2015 at 1:26am

Join us at the NHDevDays 2 sprint in Portsmouth, New Hampshire June 5-7.

The sprint will be focused on resolving the two remaining theme system criticals around autoescape and SafeMarkup:

Thanks to funding from the Drupal Association via Drupal 8 Accelerate to cover travel expenses two of the Drupal 8 theme system maintainers – joelpittet and Cottser – will be in attendance leading the sprint and providing guidance.

We recommend you have Drupal 8 installed before the sprint and if possible have some experience working on Drupal core (attending core contribution mentoring hours would be a great way to get a kick start!).

The theme system maintainers will be giving a brief overview of text sanitization and autoescaping in Drupal 8 and you will learn more about working with the theme layer in Drupal 8.

We also welcome remote attendees, join us in #drupal-twig and RSVP – there is a remote sprinter option when registering.

For more details and to register see the event in the Boston regional group.

Categories: Planet Drupal

Formal usability testing of Drupal 8 at the University of Minnesota Usability Lab, 22nd–25th June

May 29, 2015 at 8:35pm

On the 23rd–25th of June, just before Twin Cities Drupal Camp, we will be conducting usability testing focusing on Drupal 8 at the University of Minnesota. This is a great opportunity to evaluate the current state of Drupal 8 and identify issues that can be resolved before release, or require much of our attention after release.

We'll start on fixing items found during the Twin Cities DrupalCamp Sprints and continue throughout Drupal 8's release cycle.

The University of Minnesota's Usability Services Department has been an amazing long-time supporter of the Drupal project. Hosting us in 2008 just after Drupal 6's release for the first-ever Drupal formal usability study, and again in 2011 just after Drupal 7's release. These usability test results have been invaluable in shaping Drupal's user experience over the years.

What will we be testing?

The tasks for this study will varied and focused around both content creation and site building activities:

  • Mobile content creation experience
  • Content authoring (preview, menus, in-place editing)
  • Layout modeling (placing blocks and editing blocks)
  • Content modeling (Field UI, Views)

We will be inviting users with a technical background, of which at least half have experience with Drupal 6/7.

The findings will be presented at Drupalcamp Twin Cities (and hopefully in addition, DrupalCon Barcelona), and all the corresponding issues will be tagged with UMN 2015.

Your help is needed!

We are close to release thus we have a small window of opportunity to fix these problems before Drupal 8 is released.

  • Review the test script (should be ready next week, to be finalized by June 15).
  • Help find and fix any major user-facing bugs prior to Beta12 (June 17) that will get in the way of users completing the test script. File these under the UMN 2015 prep tag.
  • Attend the usability testing, either in-person or remotely (see below).
  • Contribute during the Twin Cities DrupalCamp sprint (in-person or remotely in #drupal-usability) to translate problems that were found into actionable Drupal core issues.
  • Provide solutions/reviews to the identified issues with the UMN 2015 tag.

Attending the sessions

While space is limited, we are able to accommodate some community members who wish to attend the usability testing sessions either in-person or remotely (over WebEx). In case you are interested please get in contact with Lewis Nyman.

We know that experiencing a usability are quite transformative, and hope that anyone interested reaches out. Sadly, the sessions will not be fully open - as we wish to respect our participants' privacy. Attendees will be required to sign the University of Minnesota Usability Lab's Code of Conduct in order to ensure the privacy of testing subjects is upheld.

We are very excited about learning more about our users and Drupal, and hope to share the results with you as soon as possible!

Yay!

Categories: Planet Drupal

Drupal 8 beta 12 on Wednesday, June 17, 2015

May 29, 2015 at 5:49pm
Start:  2015-06-17 (All day) Europe/London Online meeting (eg. IRC meeting) Organizers:  xjm catch

The next beta release for Drupal 8 will be beta 12! (Read more about beta releases.) The beta is scheduled for Wednesday, June 17, 2015.

To ensure a reliable release window for the beta, there will be a Drupal 8 commit freeze from 00:00 to 23:30 UTC on June 17.

Categories: Planet Drupal

Pages