WEBVTT

74
00:10:01.750 --> 00:10:05.770
benji: Welcome. This is the Drupal usability meeting for May 30th, 2025.

75
00:10:05.920 --> 00:10:10.030
benji: I'm Benji Fisher, moderating. Ralf Koller is sharing their screen,

76
00:10:10.300 --> 00:10:13.100
benji: and Simo Hellsten is also here. Go ahead, Ralf.

77
00:10:14.360 --> 00:10:25.139
Ralf Koller: Thanks. We are looking again at issue number 3511972, "Allow composer and rsync location to be configured via the UI."

78
00:10:27.560 --> 00:10:35.230
Ralf Koller: I'll simply go into the page again, where we've already taken a look last week.

79
00:10:37.540 --> 00:10:43.900
Ralf Koller: Yes, to briefly recapitulate, it is,

80
00:10:45.080 --> 00:10:50.770
Ralf Koller: that is, basically under Configuration, System, Package Manager settings.

81
00:10:50.960 --> 00:11:02.410
Ralf Koller: We have that one. And we also have on the status reports page an entry, Composer,

82
00:11:03.560 --> 00:11:08.610
Ralf Koller: as you can see here. And just for,

83
00:11:10.710 --> 00:11:15.120
Ralf Koller: to illustrate, I quickly rename, move,

84
00:11:15.750 --> 00:11:19.390
Ralf Koller: /usr/local/bin/composer to compose error.

85
00:11:21.190 --> 00:11:30.309
Ralf Koller: If you load that, then you can see composer was not found. The error message was "failed to run process" and

86
00:11:30.840 --> 00:11:36.209
Ralf Koller: the path to composer can be configured in the settings form. If we go there, then

87
00:11:39.420 --> 00:11:42.600
Ralf Koller: the auto detection is,

88
00:11:43.150 --> 00:11:47.869
Ralf Koller: I'm not sure. On that page, on the status reports page, it's

89
00:11:48.400 --> 00:11:54.070
Ralf Koller: on point, but on here I have mixed results,

90
00:11:54.940 --> 00:11:58.009
Ralf Koller: because at the moment it should be composer.
91
00:11:59.460 --> 00:12:13.880
Ralf Koller: But it is showing that basically composer is still in place. And I quickly also rename rsync

92
00:12:14.890 --> 00:12:16.300
Ralf Koller: to rsyncer,

93
00:12:24.070 --> 00:12:26.149
Ralf Koller: to illustrate the other problem.

94
00:12:26.727 --> 00:12:35.049
Ralf Koller: I've already created a follow-up issue for that. Because if we go on here, oh, no, that's so.

95
00:12:38.530 --> 00:12:48.770
Ralf Koller: Status reports page. We still only have the composer version with an error, but the corresponding

96
00:12:48.950 --> 00:12:54.440
Ralf Koller: check for rsync is missing. There is none in place, so

97
00:12:55.220 --> 00:13:01.280
Ralf Koller: that would be a good thing from my point of view, and to make it analogous to the

98
00:13:01.880 --> 00:13:09.240
Ralf Koller: composer check. And if rsync is not found, then also provide a link to the settings form.

99
00:13:11.390 --> 00:13:13.470
Ralf Koller: So yeah, that's it for now.

100
00:13:16.750 --> 00:13:18.240
Ralf Koller: Any questions?

101
00:13:22.855 --> 00:13:29.730
benji: So those strike me as generic bugs, not particularly usability related.

102
00:13:30.637 --> 00:13:38.590
benji: I think the usability questions on this issue had to do with how to

103
00:13:38.900 --> 00:13:43.870
benji: inform the user of whether something was automatically detected or not.

104
00:13:48.150 --> 00:13:51.369
benji: Maybe that was it. And I think in an earlier version

105
00:13:53.550 --> 00:13:57.900
benji: added something in the text area. It said, paren,

106
00:13:58.220 --> 00:14:01.390
benji: automatically detected, close paren, or something like that.

107
00:14:03.108 --> 00:14:06.780
benji: And that has been changed in the current version.

108
00:14:09.996 --> 00:14:18.030
benji: So, yeah, are there remaining usability questions? Or, assuming that the

109
00:14:18.980 --> 00:14:24.740
benji: generic bugs are fixed, do we like having it in the status message?

110
00:14:25.500 --> 00:14:35.360
Simo Hellsten / Druid: Is that status message something that tells you about the current state? Or is it a message about when the status is updated?

111
00:14:36.060 --> 00:14:37.860
Simo Hellsten / Druid: So is that a permanent...

112
00:14:39.690 --> 00:14:42.829
benji: I believe it's permanent. That's what it looks like to me.

113
00:14:44.340 --> 00:14:45.290
Ralf Koller: It's both.

114
00:14:47.580 --> 00:14:54.519
Ralf Koller: It shows you if you updated something, but it also shows you the state if you get to the page.

115
00:14:55.820 --> 00:14:57.099
benji: So if you can,

116
00:14:57.650 --> 00:15:02.690
benji: if you enter composer and rsyncer, and save the form.

117
00:15:09.980 --> 00:15:11.030
benji: Go ahead, Simo.

118
00:15:11.640 --> 00:15:18.660
Simo Hellsten / Druid: Yeah, so it doesn't. It only says that it was saved. So it doesn't change. So the status is the same,

119
00:15:19.460 --> 00:15:24.410
Simo Hellsten / Druid: even if you change it, it doesn't change the status message.

120
00:15:24.570 --> 00:15:34.500
Simo Hellsten / Druid: And another question: if those are not automatically detected, is that a failure?

121
00:15:35.360 --> 00:15:37.620
Simo Hellsten / Druid: Because here we have a success message.

122
00:15:37.800 --> 00:15:41.390
Simo Hellsten / Druid: Is it a failure if they are not automatically detected?

123
00:15:43.800 --> 00:15:47.889
Simo Hellsten / Druid: Or should that be a neutral message?

124
00:16:01.600 --> 00:16:05.079
Simo Hellsten / Druid: So there is a success message and an error message.

125
00:16:05.530 --> 00:16:06.040
Ralf Koller: Yep.

126
00:16:06.200 --> 00:16:07.260
Simo Hellsten / Druid: At the same time.

127
00:16:08.260 --> 00:16:13.000
Ralf Koller: You know, last time we had a warning and a success message.
128
00:16:17.010 --> 00:16:19.160
benji: Yeah, I don't think we have

129
00:16:19.460 --> 00:16:24.030
benji: a distinction between a status message and an info message. Do we?

130
00:16:27.550 --> 00:16:29.049
Ralf Koller: No, I don't think so.

131
00:16:30.360 --> 00:16:34.089
Simo Hellsten / Druid: So we have warnings, errors, and success.

132
00:16:35.490 --> 00:16:35.910
benji: Right.

133
00:16:35.910 --> 00:16:42.399
Ralf Koller: Or status, or a green... something like that. Yep.

134
00:16:46.470 --> 00:16:54.130
benji: All right. So I would say it's clearly better to have the information in the status message than in the text area.

135
00:16:57.080 --> 00:17:00.689
benji: But, Simo, I guess you're asking:

136
00:17:01.890 --> 00:17:04.899
benji: could we come up with a better place to put it?

137
00:17:09.950 --> 00:17:18.380
benji: For example, I think it would not be too hard to add the information

138
00:17:19.030 --> 00:17:24.240
benji: to the help text or the description text underneath the text field.

139
00:17:25.490 --> 00:17:28.820
benji: Would that be a better place to put it than a status message?

140
00:17:33.340 --> 00:17:38.510
Ralf Koller: Oh, I wonder one other thing!

141
00:17:39.980 --> 00:17:43.739
Ralf Koller: Would it even be necessary to have something like

142
00:17:43.890 --> 00:17:54.080
Ralf Koller: "The path to composer was automatically detected"? Wouldn't it be enough simply to have the same status check

143
00:17:54.520 --> 00:17:59.870
Ralf Koller: we have over here for composer and,

144
00:18:00.220 --> 00:18:03.189
Ralf Koller: ideally, rsync at one point,

145
00:18:03.310 --> 00:18:12.240
Ralf Koller: to have simply a green checkmark, or that everything is okay. And for me it's more important

146
00:18:12.410 --> 00:18:14.059
Ralf Koller: if anything goes wrong,

147
00:18:14.960 --> 00:18:23.080
Ralf Koller: than having a warning that it's okay. But out of the box having a status message, I haven't done anything, so

148
00:18:24.700 --> 00:18:34.519
Ralf Koller: it feels a bit odd to come to a page and already get a status message with "was automatically detected". I asked myself,

149
00:18:34.660 --> 00:18:43.290
Ralf Koller: hm, and I'm on other pages, is it then also automatically detected? It feels sort of odd and makes me think.

150
00:18:45.610 --> 00:18:48.590
benji: Yeah. Can you go back to the issue for a minute?

151
00:18:49.290 --> 00:18:50.210
Ralf Koller: Yep. Yep.

152
00:18:51.260 --> 00:18:57.129
benji: So the proposed resolution: add a UI for the path to composer and rsync

153
00:18:57.320 --> 00:19:00.589
benji: to be configured, and link this UI

154
00:19:01.170 --> 00:19:04.500
benji: when composer cannot be found or is out of date.

155
00:19:04.770 --> 00:19:10.750
benji: Okay. So before this issue, this whole form wasn't there.

156
00:19:11.260 --> 00:19:11.795
Ralf Koller: No.

157
00:19:14.420 --> 00:19:17.590
benji: And the user interface changes.

158
00:19:19.180 --> 00:19:26.209
benji: As far as we know, core doesn't have any other place where you can configure the path to an executable. So this is sort of new.

159
00:19:34.540 --> 00:19:40.869
benji: Okay? So that long paragraph under user interface changes isn't

160
00:19:41.740 --> 00:19:45.010
benji: really part of the user interface changes. It's,

161
00:19:45.260 --> 00:19:49.390
benji: I would say it belongs under proposed resolution.

162
00:19:50.310 --> 00:19:56.320
benji: And because this issue isn't specifically about the usability question we're discussing,

163
00:19:56.890 --> 00:19:59.248
benji: it doesn't say anything, but

164
00:20:01.280 --> 00:20:09.649
benji: I guess I would like the proposed resolution to say when these information messages appear and when they don't.

165
00:20:12.520 --> 00:20:21.279
benji: For example, if you haven't saved the configuration form, the configuration is probably empty,
166
00:20:22.250 --> 00:20:26.149
benji: or is that the case, or does it have some default value?

167
00:20:26.470 --> 00:20:36.739
Ralf Koller: It is. The default value is basically the auto-detected one. So it is filled and pre-populated in any way.

168
00:20:38.810 --> 00:20:46.399
Simo Hellsten / Druid: Language question: was it automatically detected, or is it automatically detected?

169
00:20:46.760 --> 00:20:48.760
Simo Hellsten / Druid: So it uses past tense.

170
00:20:50.810 --> 00:20:52.620
benji: Oh, it should be "was" or "is"?

171
00:21:01.130 --> 00:21:11.780
benji: So, I guess I'm thinking that once you submit the form and actually have configuration saved,

172
00:21:12.790 --> 00:21:18.710
benji: we should not have a message about it being automatically detected, because now it's using the configured value.

173
00:21:20.970 --> 00:21:21.530
Ralf Koller: Yeah.

174
00:21:22.390 --> 00:21:29.330
benji: And I guess we should go back to basics. What is the purpose of this message?

175
00:21:29.680 --> 00:21:33.439
benji: What action are we supposed to take based on it?

176
00:21:33.600 --> 00:21:35.749
benji: Why do we need it at all?

177
00:21:39.950 --> 00:21:44.730
Ralf Koller: That's my point, basically, about "we automatically",

178
00:21:45.100 --> 00:21:47.159
Ralf Koller: in the case of that

179
00:21:47.530 --> 00:21:52.820
Ralf Koller: path, I'm only interested in if something goes wrong and is missing or outdated,

180
00:21:53.530 --> 00:21:56.190
Ralf Koller: and action is needed, but otherwise...

181
00:21:59.860 --> 00:22:04.240
Simo Hellsten / Druid: One thing it could indicate is that this is not an existing setting.

182
00:22:04.560 --> 00:22:12.119
Simo Hellsten / Druid: So, or is it an existing setting? If you don't press save and export configuration,

183
00:22:12.280 --> 00:22:14.749
Simo Hellsten / Druid: does the information go to the...
184
00:22:15.430 --> 00:22:27.200
Simo Hellsten / Druid: or is this stored as configuration, so that exporting and importing configuration will maintain the values that are shown here, even if you don't click save?

185
00:22:30.290 --> 00:22:34.340
Simo Hellsten / Druid: Is it detected before you open this form?

186
00:22:42.760 --> 00:22:48.449
benji: Yeah, I have my own installation of Drupal running, and

187
00:22:49.590 --> 00:22:56.390
benji: even with Ralf's help I wasn't able to find this page, so I certainly haven't submitted it.

188
00:22:56.730 --> 00:23:04.530
benji: And when I use Drush to inspect the package manager settings, it says: composer null, rsync null.

189
00:23:05.570 --> 00:23:12.639
benji: So I think that answers my question, which is related to Simo's question,

190
00:23:13.160 --> 00:23:18.250
benji: that initially we don't have default values. We have empty values.

191
00:23:21.880 --> 00:23:25.300
Simo Hellsten / Druid: So that status message would be relevant so that the

192
00:23:25.750 --> 00:23:29.000
Simo Hellsten / Druid: user knows that there is something added.

193
00:23:31.000 --> 00:23:36.720
benji: Right? So the values in the text box

194
00:23:36.890 --> 00:23:40.430
benji: in that case will be the automatically detected ones.

195
00:23:41.450 --> 00:23:46.880
benji: And then, if the user saves the configuration, I would say

196
00:23:47.830 --> 00:23:50.200
benji: the message should go away. Go ahead, Ralf.

197
00:23:50.690 --> 00:23:57.380
Ralf Koller: I have one question, then. If those 2 values are null, and if

198
00:23:57.810 --> 00:24:04.859
Ralf Koller: a user is not going to that page, is Package Manager then working at all?

199
00:24:11.020 --> 00:24:23.040
benji: I imagine that it will work without configuration if the automatically detected paths are valid.

200
00:24:27.640 --> 00:24:37.640
Ralf Koller: Okay, then you have basically one variable for those default paths,
201
00:24:37.860 --> 00:24:38.850
Ralf Koller: and

202
00:24:40.960 --> 00:24:47.289
Ralf Koller: as soon as it's updated, then those are ignored and the ones set in here are used.

203
00:24:52.121 --> 00:24:54.478
benji: So here's the suggestion:

204
00:24:55.120 --> 00:25:00.040
benji: instead of using a status message or

205
00:25:00.360 --> 00:25:13.230
benji: inserting additional text underneath the 2 text boxes, what if we added a text area,

206
00:25:13.930 --> 00:25:18.740
benji: so a markup form element rather than an input form element,

207
00:25:20.080 --> 00:25:26.450
benji: and use text something like, "Currently using these paths:

208
00:25:27.960 --> 00:25:35.139
benji: /usr/local/bin/composer (auto-detected), /usr/bin/rsyncer (configured)",

209
00:25:37.630 --> 00:25:42.099
benji: and then have the form elements to change them if necessary.

210
00:25:53.250 --> 00:25:59.130
benji: Would that be clearer? Would that be confusing?

211
00:26:00.230 --> 00:26:00.830
Ralf Koller: 3.

212
00:26:01.680 --> 00:26:02.580
Ralf Koller: Second.

213
00:26:07.510 --> 00:26:08.790
Ralf Koller: You mean

214
00:26:13.110 --> 00:26:19.610
Ralf Koller: adding, basically, that sort of status path on top,

215
00:26:21.170 --> 00:26:22.930
Ralf Koller: what is currently used.

216
00:26:25.222 --> 00:26:28.390
benji: Yes, but not in a status message, just in...

217
00:26:28.390 --> 00:26:34.289
Ralf Koller: Yeah, yeah, not in the status message, but in a field set, or however it's displayed, or...

218
00:26:37.670 --> 00:26:49.119
benji: Right? So have just regular text showing the current status, and then the form elements to update that status or to update the configuration,

219
00:26:49.480 --> 00:26:59.459
benji: and then, instead of pre-filling the text boxes with the auto-detected values, leave them blank if they're blank.

220
00:27:00.850 --> 00:27:01.360
Ralf Koller: Yep.
221
00:27:06.390 --> 00:27:18.750
Ralf Koller: And it might have the advantage, in case you add a bespoke path with a bespoke name,

222
00:27:19.358 --> 00:27:30.470
Ralf Koller: and if you remove that, then it basically moves back to the default value. And you can see it on top. And then you can, for example, yeah, provide an error

223
00:27:32.570 --> 00:27:34.990
Ralf Koller: or something like that.

224
00:27:38.420 --> 00:27:46.010
Ralf Koller: And maybe if we go with that kind of text version,

225
00:27:46.180 --> 00:27:55.869
Ralf Koller: text-based version, then you could also still add some sort of green checkmark saying, yeah, the path and

226
00:27:57.630 --> 00:27:59.439
Ralf Koller: file name is available

227
00:28:03.300 --> 00:28:06.439
Ralf Koller: and functioning. So everything is okay.

228
00:28:09.030 --> 00:28:15.190
Simo Hellsten / Druid: By the way, if it doesn't find it, was it able to save the incorrect...

229
00:28:18.960 --> 00:28:23.279
Simo Hellsten / Druid: Both, did it allow saving it? It had an error message.

230
00:28:23.570 --> 00:28:26.050
Simo Hellsten / Druid: And it was marking the field.

231
00:28:30.520 --> 00:28:35.760
Simo Hellsten / Druid: So it doesn't save this, because this is something that might be really problematic, because,

232
00:28:35.960 --> 00:28:41.709
Simo Hellsten / Druid: or not really problematic, not dramatic, just problematic, because a person might set up

233
00:28:42.400 --> 00:28:49.609
Simo Hellsten / Druid: a site on their local machine that doesn't have the same paths as

234
00:28:50.010 --> 00:28:53.080
Simo Hellsten / Druid: another environment, maybe a production server.

235
00:28:57.830 --> 00:29:08.090
Simo Hellsten / Druid: So then you can do it from, like, the configuration files or settings overrides. But I think

236
00:29:10.500 --> 00:29:13.700
Simo Hellsten / Druid: not being able to detect this shouldn't be,
237
00:29:13.870 --> 00:29:17.440
Simo Hellsten / Druid: shouldn't block saving a form.

238
00:29:17.680 --> 00:29:19.799
Simo Hellsten / Druid: It should be more of information.

239
00:29:22.500 --> 00:29:29.080
benji: Oh, that's interesting. So, for example, in a common workflow, you

240
00:29:29.380 --> 00:29:33.110
benji: configure things and save configuration on local,

241
00:29:33.260 --> 00:29:38.100
benji: and then push those configuration changes to production.

242
00:29:39.248 --> 00:29:46.989
benji: And the current way it works invalidates that workflow.

243
00:30:02.170 --> 00:30:07.730
Simo Hellsten / Druid: Well, I think, and composer, on the other hand, they probably are available,

244
00:30:12.000 --> 00:30:16.720
Simo Hellsten / Druid: but there might be some special cases where they are installed differently. But then

245
00:30:26.960 --> 00:30:38.380
Simo Hellsten / Druid: then I guess it's up to the developer to configure them in settings overrides per environment.

246
00:30:46.230 --> 00:30:51.780
Simo Hellsten / Druid: But then, if it's also, if it's different paths

247
00:30:51.980 --> 00:30:56.370
Simo Hellsten / Druid: for whatever reasons between the different environments,

248
00:30:57.000 --> 00:31:04.360
Simo Hellsten / Druid: then another thing where it comes up is when you're syncing the database or something like that.

249
00:31:05.170 --> 00:31:09.750
Simo Hellsten / Druid: But then, again, it should be in the file system so that you can import them,

250
00:31:10.380 --> 00:31:14.630
Simo Hellsten / Druid: configuration for that environment, or use overrides.

251
00:31:22.620 --> 00:31:23.960
benji: Right. So

252
00:31:27.580 --> 00:31:29.810
benji: so I guess there are

253
00:31:29.940 --> 00:31:41.690
benji: 2 workflows. One is to use configuration, and the other is only to use config overrides, and just in your settings.php say,
254
00:31:42.480 --> 00:31:49.419
benji: if this is the local environment, then use this path, and if this is the production environment, use that other path.

255
00:31:49.730 --> 00:31:58.640
benji: So one possibility is to only let these be set in settings.php as config overrides,

256
00:31:59.350 --> 00:32:01.570
benji: and the other option is to let

257
00:32:02.830 --> 00:32:06.520
benji: people use the configuration form and

258
00:32:07.500 --> 00:32:14.820
benji: copy the database from local to prod, or from prod to local, or just the configuration management.

259
00:32:16.830 --> 00:32:24.589
benji: So either we should allow them to submit the form with any value they like,

260
00:32:24.720 --> 00:32:28.519
benji: so that when it's deployed to the other environment it'll work,

261
00:32:29.190 --> 00:32:34.689
benji: or we should not have the form at all and require them to use settings.php.

262
00:32:35.110 --> 00:32:36.530
benji: Does that make sense?

263
00:32:42.510 --> 00:32:45.069
Simo Hellsten / Druid: And there's also Config Split.

264
00:32:46.210 --> 00:32:46.860
benji: Yes.

265
00:32:47.960 --> 00:32:48.650
Simo Hellsten / Druid: Oh!

266
00:32:52.310 --> 00:32:58.869
benji: And, for example, the fact that you cannot submit this form without valid paths

267
00:32:59.760 --> 00:33:03.210
benji: makes the Config Split workflow also harder.

268
00:33:04.210 --> 00:33:04.750
Simo Hellsten / Druid: Yeah.

269
00:33:08.380 --> 00:33:09.510
benji: So

270
00:33:10.480 --> 00:33:17.969
benji: if we put this together with the previous idea, that we sort of have the status information, and then the form,

271
00:33:18.250 --> 00:33:23.260
benji: then we can let them submit the form, and,

272
00:33:23.600 --> 00:33:27.749
benji: you know, have some warnings in the status information part of the page,

273
00:33:28.770 --> 00:33:32.800
benji: but let them submit the form however they like.
274
00:33:44.050 --> 00:33:48.050
Simo Hellsten / Druid: Do we have any other configuration forms

275
00:33:48.470 --> 00:33:55.290
Simo Hellsten / Druid: where we are not allowed to submit incorrect information?

276
00:34:08.670 --> 00:34:20.260
benji: If you configure a file field with some ridiculously large file size, does it stop you from doing that?

277
00:34:27.000 --> 00:34:30.360
benji: Configuration forms that get validated.

278
00:34:48.810 --> 00:34:55.250
Simo Hellsten / Druid: I think one we could check is the file system path, either private or public.

279
00:35:06.470 --> 00:35:11.870
benji: No, I think the option to use private files is

280
00:35:12.100 --> 00:35:17.120
benji: visible but disabled if you have not configured the private file system.

281
00:35:20.240 --> 00:35:21.000
benji: Oh.

282
00:35:31.810 --> 00:35:36.220
Ralf Koller: Yeah, private system path is not set on this install yet.

283
00:35:41.020 --> 00:35:43.599
Simo Hellsten / Druid: That would be only one feature,

284
00:35:43.740 --> 00:35:46.229
Simo Hellsten / Druid: like in the settings.php.

285
00:35:59.210 --> 00:36:00.550
Ralf Koller: Where's my... oops.

286
00:36:08.590 --> 00:36:10.260
Ralf Koller: What do I have to add there?

287
00:36:15.820 --> 00:36:18.230
benji: I'm sorry, I was looking at something else. What are you asking?

288
00:36:19.467 --> 00:36:24.859
Ralf Koller: I was asking what I have to add in the settings.php for the private file.

289
00:36:26.820 --> 00:36:28.950
benji: Oh, give me a second.

290
00:36:42.848 --> 00:36:46.410
benji: Settings of file_private_path.

291
00:36:56.110 --> 00:36:56.910
Ralf Koller: File.

292
00:37:10.570 --> 00:37:13.149
Ralf Koller: But yeah, okay.

293
00:37:14.460 --> 00:37:19.440
Ralf Koller: And which path shall I add there?

294
00:37:24.713 --> 00:37:27.816
benji: You have to have some valid directory.
295
00:37:28.960 --> 00:37:31.570
benji: I think it still lets you use

296
00:37:32.490 --> 00:37:36.439
benji: your public files directory slash private.

297
00:37:43.550 --> 00:37:50.249
Ralf Koller: Yeah, no, no, I meant, but in the context of the package manager settings, what Simo wanted to test. That was...

298
00:37:53.850 --> 00:37:59.170
Simo Hellsten / Druid: I was thinking, if it allows to configure that path from there,

299
00:38:00.720 --> 00:38:05.350
Simo Hellsten / Druid: from the admin settings UI.

300
00:38:07.210 --> 00:38:07.940
Ralf Koller: Oh!

301
00:38:11.890 --> 00:38:15.219
benji: So I'm configuring a file field,

302
00:38:15.580 --> 00:38:19.410
benji: and I put in a maximum upload size of 500 GB,

303
00:38:19.920 --> 00:38:21.840
benji: and it let me save that.

304
00:38:22.100 --> 00:38:26.349
benji: It let me allow SVG file extensions.

305
00:38:28.640 --> 00:38:38.610
benji: So I think there isn't any validation on any of the fields for

306
00:38:38.730 --> 00:38:40.310
benji: for an image field.

307
00:38:43.460 --> 00:38:50.430
Ralf Koller: This, then, goes in the direction of the issue I've mentioned on our Slack

308
00:38:51.490 --> 00:39:02.639
Ralf Koller: chat, with the text formatted short, where I've tested

309
00:39:03.514 --> 00:39:11.070
Ralf Koller: and display at this course, as you can see here, and added a maximum length

310
00:39:11.750 --> 00:39:22.492
Ralf Koller: larger than the max for the field, and if I file, it works, but it gets reset, and might be the same for

311
00:39:23.300 --> 00:39:31.800
Ralf Koller: the other fields. You've tried that? Those 500 GB got reset to a smaller value?

312
00:39:32.990 --> 00:39:34.309
Ralf Koller: No? Oh.

313
00:40:04.990 --> 00:40:09.790
Ralf Koller: And one question regarding that file private path setting:

314
00:40:10.520 --> 00:40:13.940
Ralf Koller: that path, is it the path inside the web container?
315
00:40:23.330 --> 00:40:33.740
benji: Let's see, I think you're expected to use an absolute path, but I think that if you use a relative path, it's relative to the Drupal root.

316
00:40:36.300 --> 00:40:37.090
Ralf Koller: Okay.

317
00:41:08.820 --> 00:41:10.380
Ralf Koller: files, and

318
00:41:13.860 --> 00:41:16.190
Ralf Koller: there is no private. And I create a private.

319
00:41:27.750 --> 00:41:31.120
Ralf Koller: So, second way.

320
00:41:35.220 --> 00:41:35.690
benji: Yes!

321
00:41:36.070 --> 00:41:39.650
Ralf Koller: Okay, so let's save.

322
00:42:01.760 --> 00:42:06.880
Ralf Koller: Copy the rsyncer

323
00:42:09.480 --> 00:42:10.280
Ralf Koller: to...

324
00:42:50.270 --> 00:42:51.055
Ralf Koller: Okay.

325
00:43:16.360 --> 00:43:19.899
benji: So I'm not sure what you're thinking about now, Ralf.

326
00:43:21.682 --> 00:43:31.630
Ralf Koller: I'm just trying to copy basically the composer and rsync into the private folder.

327
00:43:36.360 --> 00:43:38.389
Simo Hellsten / Druid: I think we don't need to do that.

328
00:43:38.610 --> 00:43:39.389
Ralf Koller: Oh, so, okay.

329
00:43:39.390 --> 00:43:40.490
Simo Hellsten / Druid: Yeah, yeah.

330
00:43:44.350 --> 00:43:45.640
Ralf Koller: Okay, then,

331
00:43:54.110 --> 00:43:56.000
Ralf Koller: what else should I test?

332
00:43:59.844 --> 00:44:09.319
benji: At this point, I don't think we need to be testing anything. I think we should just say how we think it should work.

333
00:44:18.090 --> 00:44:25.239
benji: And so I think at this point we have 2 recommendations. The first is that

334
00:44:26.570 --> 00:44:33.369
benji: you let the site admin enter whatever they want in these fields,

335
00:44:35.300 --> 00:44:40.000
benji: and the second is that, instead of having information in the status message,

336
00:44:40.240 --> 00:44:42.909
benji: have it in a regular text field.

337
00:44:48.630 --> 00:44:49.160
Ralf Koller: Yep.
338
00:44:53.920 --> 00:45:00.850
Ralf Koller: And, oh, I've posted the link to the other issue created.

339
00:45:04.570 --> 00:45:09.780
Ralf Koller: That is basically adding the rsync check, like for composer.

340
00:45:10.130 --> 00:45:10.790
benji: Right.

341
00:45:11.810 --> 00:45:13.519
Ralf Koller: That would be necessary

342
00:45:15.810 --> 00:45:19.493
Ralf Koller: for that approach here as well, because otherwise

343
00:45:21.470 --> 00:45:26.430
Ralf Koller: composer couldn't, I think, couldn't be shown, only composer.

344
00:45:36.270 --> 00:45:39.119
benji: Okay, are we done here?

345
00:45:39.650 --> 00:45:42.610
benji: So are there still any open questions? Do we want to

346
00:45:45.130 --> 00:45:51.689
benji: come up with the exact interface text of the additional field, or leave that for the developers?

347
00:46:07.710 --> 00:46:13.320
Ralf Koller: I guess there shouldn't be, and there isn't, a need for much text there.

348
00:46:13.600 --> 00:46:22.140
Ralf Koller: It would be simply the same as on the status reports page: composer version, the version, and

349
00:46:22.670 --> 00:46:24.980
Ralf Koller: the path that is currently used.

350
00:46:31.720 --> 00:46:32.780
benji: And

351
00:46:33.020 --> 00:46:39.499
benji: I think the version might be helpful on this page as well as on the status page. But

352
00:46:41.810 --> 00:46:47.169
benji: I don't feel strongly about whether the version information is here as well.

353
00:46:50.320 --> 00:46:57.609
Ralf Koller: Me neither, but at least on the issue it was mentioned, also in case of outdated versions.

354
00:46:58.990 --> 00:47:05.639
Ralf Koller: Wasn't there outdated? Yeah. Yeah. Version was still out of date.

355
00:47:10.400 --> 00:47:17.610
Ralf Koller: Anyway, also not as strong about it from my end.

356
00:47:18.260 --> 00:47:18.950
benji: Okay.

357
00:47:20.420 --> 00:47:21.410
benji: Then we're done.

358
00:47:23.240 --> 00:47:23.910
Ralf Koller: Oh!
359
00:47:35.020 --> 00:47:37.920
benji: So where else... can you leave a comment on the issue?

360
00:47:39.440 --> 00:47:42.579
Ralf Koller: Oh, yeah, I just haven't made any notes.

361
00:47:43.470 --> 00:47:44.490
Ralf Koller: One sec.

362
00:47:52.000 --> 00:47:55.649
benji: I plan to leave for the weekend in a couple of hours, so

363
00:47:56.290 --> 00:48:00.420
benji: I can do it when I get back. But I probably won't have time to do it today.

364
00:48:08.500 --> 00:48:18.330
Ralf Koller: Instead of status message, leave the fields empty by default.

365
00:48:26.500 --> 00:48:29.489
Ralf Koller: Oh, and what was the other thing?

366
00:48:33.100 --> 00:48:37.250
benji: Let the site administrator enter any value they want.

367
00:48:47.070 --> 00:48:50.899
Ralf Koller: What was the reason behind, in case of config?

368
00:48:51.070 --> 00:48:52.310
Ralf Koller: That was the reason.

369
00:48:54.090 --> 00:49:00.609
benji: Right. They might want to enter on local a value that will be used on production.

370
00:49:11.360 --> 00:49:12.230
Ralf Koller: Okay?

371
00:49:23.110 --> 00:49:24.380
Ralf Koller: Okay, yeah.

372
00:49:25.400 --> 00:49:27.829
Ralf Koller: So text instead of status message,

373
00:49:27.990 --> 00:49:33.830
Ralf Koller: leave the fields empty per default, and let the site administrator enter any value

374
00:49:35.030 --> 00:49:36.939
Ralf Koller: they might want to enter, local,

375
00:49:37.160 --> 00:49:43.170
Ralf Koller: on local something that is used in production later on. Okay, assigned batch.

376
00:49:45.090 --> 00:49:46.160
Ralf Koller: Nothing else.

377
00:49:52.560 --> 00:49:53.465
benji: Hey?

378
00:50:03.450 --> 00:50:06.569
benji: So maybe I'll share my screen.

379
00:50:23.000 --> 00:50:29.350
benji: Okay. So we will always have the link in the usability issues to

380
00:50:30.550 --> 00:50:35.910
benji: needs review and RTBC issues that are marked for usability review.
381 00:50:44.870 --> 00:50:47.639 benji: Ralph, I think you looked at this one recently. 382 00:50:47.760 --> 00:50:53.449 benji: Disallow dangerous file names EG. Command injection characters. 383 00:50:58.830 --> 00:51:00.750 benji: And we looked at this one. 384 00:51:01.310 --> 00:51:04.569 benji: the current theme condition of a few weeks ago. 385 00:51:05.653 --> 00:51:08.850 benji: I I need to follow up on that. 386 00:51:12.370 --> 00:51:14.849 benji: Shall we look at the dangerous file names, issue. 387 00:51:15.970 --> 00:51:23.750 Ralf Koller: Oh, I haven't looked at it myself yet. I only posted it and set it on the 388 00:51:25.240 --> 00:51:26.420 Ralf Koller: to do list. 389 00:51:29.660 --> 00:51:30.270 benji: No. 390 00:51:30.460 --> 00:51:32.910 benji: Do you wanna look at the different issue, or shall we. 391 00:51:32.910 --> 00:51:33.790 Ralf Koller: And 392 00:51:34.540 --> 00:51:40.680 Ralf Koller: we can look at it. I just wanted to say I'm not prepared for it. That's the only detail I wanted to say. 393 00:51:41.300 --> 00:51:46.970 benji: Well, we have almost 15 min left. Let's let's see what we can see. 394 00:51:48.707 --> 00:51:55.860 benji: Following discussion with the drupal Security team. It was agreed. This could be handled in a public security improvements issue. 395 00:51:56.570 --> 00:51:59.869 benji: At present, drupal's file Api 396 00:52:00.250 --> 00:52:05.529 benji: allows file names to be created which could be dangerous if they're not handled safely. 397 00:52:06.320 --> 00:52:14.800 benji: This is not a directly exploitable vulnerability, but improvements could be made that would reduce the likelihood of file names being used as part of a chained attack. 398 00:52:15.670 --> 00:52:24.039 benji: Command. Injection is a specific concern here, and some links to what command injection is 399 00:52:25.080 --> 00:52:33.350 benji: steps to reproduce. 
In some cases browsers will escape or encode certain characters in a normal file upload,
400 00:52:33.560 --> 00:52:39.089 benji: but it may be possible to avoid that escaping using a tool like Burp Suite. Blah blah blah.
401 00:52:39.790 --> 00:52:42.480 benji: An example of a dangerous file name
402 00:52:43.330 --> 00:52:50.549 benji: which I believe a normal file field will currently accept is foo, quote, semicolon, echo, space,
403 00:52:50.910 --> 00:52:59.700 benji: back tick, whoami, back tick, semicolon, space, sharp, dot txt.
404 00:53:01.390 --> 00:53:08.020 benji: A fairly recent improvement to file name handling which we could build upon is described in this change record.
405 00:53:08.470 --> 00:53:12.599 benji: Let's have a look at the change record, at least the title:
406 00:53:15.610 --> 00:53:23.510 benji: new file name sanitization settings during upload via UI or REST, new sanitization event,
407 00:53:23.830 --> 00:53:27.260 benji: changes to file upload resource constructor.
408 00:53:29.200 --> 00:53:31.840 benji: Okay. So the proposed resolution,
409 00:53:32.280 --> 00:53:42.130 benji: one or more of: always remove or replace specific characters that may be used for command injection, for example
410 00:53:42.320 --> 00:53:50.750 benji: double quote, semicolon, pound or octothorpe, whatever you want to call it, pipe, back tick,
411 00:53:51.310 --> 00:53:54.829 benji: and, if possible, single quote and ampersand.
412 00:53:56.210 --> 00:54:03.109 benji: Disallow spaces by default in file names; makes it quite a lot harder to achieve meaningful command injection.
413 00:54:03.530 --> 00:54:09.090 benji: Review defaults for file name transliteration to make command injection as hard as possible.
414 00:54:11.650 --> 00:54:15.449 benji: Remaining tasks: user interface changes.
415 00:54:18.390 --> 00:54:23.349 benji: And why was the usability tag added here?
416 00:54:26.650 --> 00:54:29.230 benji: Needs review, needs review.
417 00:54:32.950 --> 00:54:38.430 benji: There we go. It's this comment, number 23, that adds the needs usability review tag.
418 00:54:41.230 --> 00:54:47.310 benji: I agree it's likely stripping spaces from file names on upload may not be universally welcomed.
419 00:54:49.100 --> 00:54:52.869 benji: It would, however, have benefits in terms of security hardening.
420 00:54:55.570 --> 00:54:58.850 benji: And he's acknowledging the comment number 20,
421 00:55:01.010 --> 00:55:07.020 benji: that if a command injection vulnerability exists somewhere, this is not the only fix that's needed.
422 00:55:07.910 --> 00:55:14.259 benji: There are other benefits, like making it easier to iterate over batches of files in the shell, but that's out of scope.
423 00:55:15.260 --> 00:55:23.620 benji: I personally love spaces in file names, but I'm probably not representative of a broad cross section of users. I think that's fair.
424 00:55:25.870 --> 00:55:31.999 benji: I think there's some consensus that stripping special characters from file names likely provides enough benefit
425 00:55:32.110 --> 00:55:38.810 benji: in terms of security to outweigh annoyance some users may feel at having punctuation marks removed from their file names,
426 00:55:38.970 --> 00:55:42.350 benji: but stripping spaces may be seen as a step too far.
427 00:55:43.200 --> 00:55:47.869 benji: It could be a default that site owners could disable in the options.
428 00:55:52.530 --> 00:56:02.260 benji: Previous comments include some light research on how other CMSes or frameworks do this. WordPress and TYPO3 both strip or substitute most punctuation by default,
429 00:56:02.740 --> 00:56:07.410 benji: and it looks like they both swap out spaces for either an underscore or dash.
430 00:56:08.850 --> 00:56:13.710 benji: Drupal already has an option to replace whitespace in file names with underscore or dash,
431 00:56:13.890 --> 00:56:18.209 benji: right then, but it's not enabled by default.
I'd like to turn that on by default
432 00:56:18.450 --> 00:56:20.160 benji: as part of this issue.
433 00:56:20.880 --> 00:56:22.989 benji: What does the UX team think
434 00:56:23.590 --> 00:56:28.330 benji: about having mandatory stripping of special characters from file names,
435 00:56:28.890 --> 00:56:32.060 benji: plus enabling swapping spaces out by default?
436 00:56:33.290 --> 00:56:39.770 benji: I've not yet updated the issue summary to eliminate any proposed options, as I don't think we've eliminated any yet.
437 00:56:40.790 --> 00:56:43.489 benji: So I guess that's the question.
438 00:56:46.870 --> 00:56:51.069 benji: Should we allow spaces? Should we
439 00:56:52.230 --> 00:56:57.960 benji: replace them with underscores by default, but allow the site admin to override that?
440 00:57:02.280 --> 00:57:09.439 Simo Hellsten / Druid: I think we should have sensible defaults, but allow override. There might be some integrations
441 00:57:09.620 --> 00:57:15.290 Simo Hellsten / Druid: that for some reason add some special characters
442 00:57:18.020 --> 00:57:22.490 Simo Hellsten / Druid: to the file names, or if they are like a,
443 00:57:22.840 --> 00:57:25.429 Simo Hellsten / Druid: so there might be some cases. But
444 00:57:25.590 --> 00:57:28.189 Simo Hellsten / Druid: the problem is not so much so. It should be,
445 00:57:28.430 --> 00:57:36.579 Simo Hellsten / Druid: I think, allowed to override, but with a warning about security. I think we have some of those somewhere.
446 00:57:37.800 --> 00:57:43.079 Simo Hellsten / Druid: And but my biggest concern, I think, is backwards compatibility.
447 00:57:43.680 --> 00:57:44.620 Simo Hellsten / Druid: So
448 00:57:46.880 --> 00:57:52.589 Simo Hellsten / Druid: what happens to the existing files? Is it supported everywhere? Is it only on upload?
449 00:57:52.830 --> 00:57:57.919 Simo Hellsten / Druid: And what if a user uploads the same file again?
450 00:57:58.200 --> 00:58:04.200 Simo Hellsten / Druid: Well, normally it doesn't replace the old one. It just adds underscore number.
451 00:58:04.450 --> 00:58:08.399 Simo Hellsten / Druid: So that maybe isn't a problem with default settings.
452 00:58:11.160 --> 00:58:14.180 benji: Yeah, I'm just searching the page for the word existing.
453 00:58:14.940 --> 00:58:25.959 benji: Existing functionality, existing options, existing options. So there's no discussion of what to do with files that have already been uploaded?
454 00:58:27.113 --> 00:58:32.929 benji: So my guess is that this would only affect
455 00:58:33.250 --> 00:58:37.020 benji: newly uploaded files. But that's just a guess.
456 00:58:42.230 --> 00:58:45.729 Ralf Koller: The thing I wonder is, are there any
457 00:58:46.140 --> 00:58:51.680 Ralf Koller: user interface changes, or any UI for adjusting?
458 00:58:53.310 --> 00:58:54.730 Simo Hellsten / Druid: Error messages.
459 00:58:56.490 --> 00:59:00.489 Simo Hellsten / Druid: And then, if there is override.
460 00:59:05.770 --> 00:59:10.320 Ralf Koller: Okay, but you are unable to adjust those constraints.
461 00:59:12.880 --> 00:59:18.700 Ralf Koller: The question is simply, I was just looking in. I've applied, I've checked out
462 00:59:20.313 --> 00:59:23.070 Ralf Koller: the branch of the merge request, and
463 00:59:23.430 --> 00:59:27.119 Ralf Koller: was looking if there are any changes in the UI.
464 00:59:35.370 --> 00:59:41.940 benji: I'm going to guess that they are not going to provide
465 00:59:42.340 --> 00:59:47.410 benji: an admin form, that this will have to be changed in settings.php.
466 00:59:48.090 --> 00:59:48.770 Ralf Koller: Okay.
467 00:59:49.770 --> 00:59:52.030 benji: It's a sort of a
468 00:59:54.370 --> 00:59:55.330 benji: Yeah.
469 00:59:59.600 --> 01:00:03.927 benji: I can't think of the metaphor that I'm looking for, but
470 01:00:04.780 --> 01:00:09.209 benji: if you're allowed to change it through the user interface, that
471 01:00:09.770 --> 01:00:16.060 benji: opens up the security hole again, because someone just has to figure out how to change that configuration setting,
472 01:00:16.250 --> 01:00:21.499 benji: and then they can defeat the security hardening.
473 01:00:21.840 --> 01:00:26.229 benji: So it makes sense to
474 01:00:27.230 --> 01:00:36.220 benji: only set it in settings.php. So if you've looked at the merge request, have they changed default.settings.php?
475 01:00:43.660 --> 01:00:45.730 benji: Is there a draft change record?
476 01:00:48.790 --> 01:00:50.889 Ralf Koller: Searching for default has no match.
477 01:00:51.410 --> 01:00:52.070 benji: Ha!
478 01:01:10.000 --> 01:01:18.019 benji: The only change to configuration is file.settings, where we're changing the default.
479 01:01:22.542 --> 01:01:24.549 benji: A bunch of tests.
480 01:01:33.220 --> 01:01:34.700 benji: And so,
481 01:01:38.290 --> 01:01:45.390 benji: okay, there's a rather long list of special characters that are hard coded. You cannot add to
482 01:01:45.930 --> 01:01:47.980 benji: or
483 01:01:48.300 --> 01:01:59.270 benji: can't add to that list. You can't remove anything from that list. It's hard coded. The only thing you can change in configuration is whether to replace spaces.
484 01:02:00.961 --> 01:02:15.288 Ralf Koller: Benji, may I quickly share my screen again? Just to illustrate, I've just renamed one file and uploaded it. I've had a caret, or what is it, I don't know the word in English.
485 01:02:16.710 --> 01:02:17.830 benji: Shift 6.
486 01:02:18.620 --> 01:02:25.440 Ralf Koller: Know that one? One second, I'll post the
487 01:02:28.070 --> 01:02:35.370 Ralf Koller: file name in the chat I've used, and oops, sure, there's again
488 01:02:38.700 --> 01:02:41.620 Ralf Koller: I've added space and that one,
489 01:02:41.990 --> 01:02:45.110 Ralf Koller: and, as you can see, your upload has been renamed to.
490 01:02:49.050 --> 01:02:49.780 benji: Right.
491 01:02:49.920 --> 01:02:56.729 benji: So there are many names for that character. I think the most official one is octothorpe, but it's also called
492 01:02:57.050 --> 01:02:59.979 benji: pound or hash or number sign.
493 01:03:04.520 --> 01:03:06.030 benji: I've never heard of it.
494 01:03:09.600 --> 01:03:11.680 Ralf Koller: Yeah. But yeah, that way
495 01:03:12.440 --> 01:03:15.910 Ralf Koller: the feature takes effect.
496 01:03:29.840 --> 01:03:37.189 benji: All right. So the main usability question is whether to allow people to override it.
497 01:03:39.790 --> 01:03:44.400 benji: Simo already said, and I think I agree, that we should
498 01:03:44.810 --> 01:03:49.390 benji: use the more secure default. So by default, replace spaces.
499 01:03:50.640 --> 01:03:53.760 benji: Let people override. And Ralf agrees.
500 01:03:53.870 --> 01:03:55.419 benji: So we're unanimous on that.
501 01:03:57.410 --> 01:03:58.270 benji: Okay.
502 01:04:04.450 --> 01:04:06.880 Ralf Koller: Looks like a reasonable change, definitely.
503 01:04:10.320 --> 01:04:11.250 benji: Okay,
504 01:04:12.540 --> 01:04:18.249 benji: 2 min left again. I will not be here next week. The Zoom link will be available.
505 01:04:18.700 --> 01:04:20.529 benji: Any other parting words?
506 01:04:25.400 --> 01:04:26.480 benji: All right, then.
507 01:04:26.480 --> 01:04:27.200 Ralf Koller: Command.
508 01:04:27.910 --> 01:04:28.719 benji: I'll be back.
509 01:04:28.720 --> 01:04:29.640 Ralf Koller: Conference.
510 01:04:29.790 --> 01:04:31.659 benji: Thank you. I'll be back in 2 weeks.
511 01:04:33.350 --> 01:04:34.810 Ralf Koller: Bye, bye, have a nice weekend.
512 01:04:34.810 --> 01:04:35.410 Simo Hellsten / Druid: But.