GSoC17 : Community Bonding wrap-up

Posted by Tameesh Biswas | Blog - 30 May 2017 at 14:55 UTC

/kəˈmjuːnɪti/ 'Having a particular characteristic in common.'

Posted by Sudhanshu Gautam | Blog - 30 May 2017 at 14:39 UTC

I have often wondered what the world would look like without communities. Actually, to me, an 18-year-old teenager diving into the vast ocean of life and experience, the very thought of it is terrifying. Some opinions are that there would be no tension, while some say that there would be no love. Me? Well, I guess it's better not to disturb the balance of life. Community is something that we all evolved into. Community is the underlying principle of human existence.

Now, let's dive out of this philosophical ocean of thoughts and look at some stuff I did in the past month. I'd very much like to document it. P.S.: I'll still get wacky in between ;P

Drupal. Hmm, it's quite a familiar term to me now. But it has evolved into something much greater than just a tool I use to build websites for my freelance clients; it has become a family to me. A family with thousands of members. And to be honest, nobody knows me :P. But hey! That's how it works, right? In large families? People from India can relate, I guess xD. Nobody knows the youngest member, yet he is assured that he will be supported when needed. So, I am that youngest great-grandson of the community who is trying very hard to prove his caliber and commitment. And I am proud to be a part of the community.
Note: it shines the brightest on my resume. Special-mention: Google

Not more than a month ago, I was selected for Google Summer of Code 2017. For those who don't know what it is, please go here, because I am really tired of explaining to people what it means.
I was selected because people at Drupal and Google liked my project proposal. This was the first part of the competition and quite exciting in my case. I converted drafts into a proposal just 1 day before the deadline, got it reviewed superfast and submitted it minutes before the deadline. It was quite thrilling. I was sweating that day (not to mention Indian summers). Special thanks to the mentors who took some time from their weekend and reviewed my proposal. It really did put a smile on my face when you guys said that my proposal was good to go.
Tip to future students: contact mentors a minimum of 20 days before the contest and discuss the project thoroughly. I guess I was a little at fault myself, being careless. And do contribute to the Drupal issue queue regularly.

Getting to the main point, let me introduce you to my community. Matthew Lechleider aka Slurpee, he's the principal. Jk, he is the org admin and oversees all the projects. Then we have my old friends gvso (mentor too :)) and Suryansh Singh aka Lord of Codes. And I discovered some amazing new people this year, namely Tameesh, Himanshu, Chiranjeev, Abhishek, Boby, Dibyajyoti and Marcin. And my two lovely mentors Marco aka marvil07 and Palash Vijay, who will be guiding me through this summer and teaching me their 'ways' :D I look forward to a summer full of code and that to-do spirit. My mentors and I have agreed that we'll be communicating thrice a week on Hangouts and will use GitHub and drupal.org collectively.

My project title is "Porting Vote Up/Down module to Drupal 8". Currently, it is available for Drupal 7 and, since Drupal 8 is the latest version, I have to port it. Vote Up/Down is a module for Drupal which, when installed on a Drupal site, provides the functionality of voting on several components.
Going technical, I have to change the deprecated APIs of the module to make it compatible with the latest version. Along with it, I have to change the module architecture a little by removing the previously existing sub modules.

So yeah, that about sums up my journey with Drupal and Google till now. Let's see how the future turns out to be. If you have any questions or views or anything, please let me know in the comments.

Thanks for tolerating this blogpost till the end. I bet, you are gonna change the world :P

Signing off,
Sudhanshu Gautam
http://sudhanshug.com

(I just love this sign off)


How to Get the Most Out of Drupal Project Retrospectives

Posted by Promet Source - 30 May 2017 at 14:33 UTC
“Agile Retrospectives: A meeting where a team looks back on a past period of work so that they can learn from their experience and apply this learning to future work.” - Rachel Davis, Team Driven Improvements with Retrospectives  

Drupal 8 - Form API, options we have in #states ?

Posted by heykarthikwithu - 30 May 2017 at 13:16 UTC

In Drupal 8, the Form API #states property lets us create form elements that change state (show, hide, enable, disable, etc.) depending on certain conditions.


AGILEDROP: DrupalCon sessions about Site Building

Posted by Agiledrop.com Blog - 30 May 2017 at 02:32 UTC
Last time, we gathered together DrupalCon Baltimore sessions about Drupal Showcase. Before that, we explored the area of Coding and Development, Project Management and Case Studies. And that was not our last stop. This time, we looked at sessions that were presented in the area of Site Building. Beyond the Solr Eclipse - Building blazing fast Drupal 8 search with Solr and no code by Tanay Sai and Jayakrishnan Jayabal from Acquia In this session, the authors discussed Apachesolr - an open source search platform that can be easily integrated with Drupal 8. They did not write any code, so…

Drupal 8 - Simple Redirect Module, Redirect from one url to another url.

Posted by heykarthikwithu - 27 May 2017 at 10:10 UTC

This is a lightweight Drupal 8 module that lets users set up redirects on the website.


Drupal 8 Migration: It’s All About The Data

Posted by FFW Agency - 26 May 2017 at 23:21 UTC
By Ray Saltini

Last week we released our latest white paper, 4 Reasons to Fast Track Your Move to Drupal 8. In it we talk about Drupal 8’s APIs, the inevitability of digital transformation, the freedom to design anytime, its strong and stable codebase and just how easy it has become to migrate from earlier versions of Drupal and other platforms.

Today we focus on Drupal 8's powerful APIs.

100 Million Reasons to Fast Track Your Move to Drupal 8

We are in the midst of a data revolution. Every website, marketplace, phone and sensor on a machine and every wearable on your person is collecting data every minute of every day. Last year Google used 100 million gigabytes of disk space just to index an estimated 30 trillion surface web pages. The trend toward code as a commodity and data becoming the real currency of the digital economy started years ago. Today’s winners are organizations that can master the ability to effectively access, parse, target and distribute data. Doing so is both the great challenge and promise of the digital economy.

The most significant factor in the distribution and commercialization of data has been the reimagining of the API (Application Programming Interface) and their rapid proliferation. Modern APIs enable organizations to collect, compute and monetize data, pivot and build cost effective customer centered product and service iterations.

"2017 is the year APIs help complete the transformation of organizations into truly digital enterprises." (Tom Smith, Dec. 20, 2016, Integration Zone)

As Smith writes in API Trends for 2017, APIs are no longer considered to be separate products and instead will form the core of a platform upon which new development will occur. 

Enter Drupal 8

With 30 pre-built APIs shipping with Drupal 8, they do indeed form the core of a powerful application building platform that can help organizations free their data from the limitations of the browser.

The fastest way to help you understand the advantages of Drupal 8’s API infrastructure is to begin with its core RESTful Web Services API.  REST in core includes all your favorite CRUD operations to create, read, update and delete content entities including the ability to read configuration entities. For more information read this detailed overview of web service solutions in Drupal 8 by Acquia CTO and Drupal founder Dries Buytaert. 

Like what you saw in core REST? Next, take a serious look at the core Migrate API and its supporting core modules. You'll find that upgrading from Drupal 6, Drupal 7 and even other platforms will help you design a clear and straightforward path to getting your data into Drupal 8, where you can begin to take advantage of its full range of API goodness. Visit this overview on upgrading from Drupal 6 or 7 to Drupal 8 for a step-by-step peek at the process.

Links to all of Drupal 8’s core modules are provided below. Let us know what you think and download our new Drupal 8 Migration white paper for more information. 


See You at Texas Camp 2017 in Austin

Posted by LevelTen Interactive - 26 May 2017 at 18:07 UTC

The time has come for the LevelTen Team to trek it down to Austin for this year's Texas Camp. Our intention for when we decided to organize the state-wide Drupal Camp last year was for it to move around the state, which is why it is in Austin. We are proud to be Silver Sponsors for the camp and helping co-sponsor the Saturday Night Party!

There is still time to sign up to attend the camp! Tickets are $50 for Saturday and Sunday sessions. Each attendee will also get drink tickets in their badges for the Saturday Night Party, but don't fret;...Read more

Passwords and Drupal: some useful hints and cool modules

Posted by InternetDevels - 26 May 2017 at 09:31 UTC

As you may remember from the fairy-tales, knowing the secret words helps you to move even the mountains and open treasure caves. The words “Open, Sesame” from "Ali Baba and the Forty Thieves” work somewhat similarly to modern website passwords. However, making passwords work perfectly is a complex art, and it is one of the touchstones of Drupal website security.


Creating a Custom Context Reaction in Drupal 7

Posted by Third & Grove - 26 May 2017 at 06:30 UTC
By curtis

Manage your Drupal 8 site configurations

Posted by ADCI Solutions - 26 May 2017 at 05:04 UTC

Deployment and configuration management in Drupal 7: what do these words make you feel? Probably a lot of pain. Drupal 7 stores all configuration in the database, together with content.

But what does Drupal 8, the good guy, do? Right you are: it provides a completely different way of managing configuration. It is based on the idea that almost all configuration can be stored in files rather than in the database, which lets developers move settings between development and live sites easily.

In this article we’re going to develop a basic workflow which will help to keep your configurations synchronized between environments.

Discover what configuration management in Drupal 8 is.

Development and live Drupal 8 websites get synchronized.

Various ways to set variables

Posted by Platform.sh - 25 May 2017 at 16:23 UTC
By Crell

Platform.sh has always prided itself on offering our customers as much flexibility to control their own projects as we can. What language to use, what services to use, how the server should be configured, what applications to run, all of these are under the user's control. We even allow users to set various control variables and environment variables per-environment.

And now there's even another way to set them, via your application configuration file.

Platform.sh's variable support is designed to allow users to set per-environment configuration (such as API keys for 3rd party services) as well as to control aspects of the environment. Some applications, though, have their own environment variables they rely on for various reasons, such as to set a dev/prod toggle or control a build process. Those generally shouldn't vary by environment.

For that reason it's now possible to set variables from .platform.app.yaml. Those values will be tracked in Git just like the rest of your code base, keeping all of the important bits in the same place.

If you're using PHP, you can even use this system to set php.ini values. Need to change your memory limit? Set a prepend file? Control the error reporting level? That can all be done now directly from the .platform.app.yaml file.

For environment variables that should change per-environment or contain sensitive information, nothing changes: the current mechanism (setting variables through the UI or using the CLI tool) still applies. Your current workflow is fine.
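As an added example (not from the Platform.sh post; the key layout under `variables` is assumed from Platform.sh's documented `.platform.app.yaml` format), here is a fragment that sets an application-level dev/prod toggle and the php.ini values the post mentions, while keeping secrets out of the Git-tracked file:

```yaml
# .platform.app.yaml (fragment; key layout assumed, see lead-in)
variables:
    # Plain environment variables, exported to the application at runtime.
    # Only non-secret values that do not vary by environment belong here,
    # because this file is committed to Git with the rest of the code base.
    env:
        APP_ENV: "prod"        # dev/prod toggle read by the application
        BUILD_ASSETS: "1"      # flag consumed by the build process
    # php.ini settings applied to the PHP runtime.
    php:
        memory_limit: "256M"                     # raise the memory limit
        auto_prepend_file: "/app/prepend.php"    # prepend file (path assumed)
        error_reporting: "E_ALL"                 # error reporting level
        display_errors: "Off"                    # never echo errors to visitors
```

API keys and other per-environment secrets still go through the UI or the CLI tool, as the post says, so they never land in version control.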


3 Great SEO tools for Drupal content managers

Posted by Code Positive - 25 May 2017 at 13:06 UTC
SEO tools for content managers

Here's three tools that work straight out of the box to quickly and dramatically improve the SEO of the content on your Drupal website.


AGILEDROP: DrupalCon sessions about Drupal Showcase

Posted by Agiledrop.com Blog - 25 May 2017 at 08:05 UTC
Last time, we gathered together DrupalCon Baltimore sessions about Coding and Development. Before that, we explored the area of Project Management and Case Studies. And that was not our last stop. This time, we looked at sessions that were presented in the area of Drupal Showcase. Ain't No Body: Not Your Mama's Headless Drupal by Paul Day from Quotient, Inc. This session explores disembodied Drupal, also known as bodiless Drupal - an application that uses Drupal's powerful framework to do things it does well while storing the actual domain data in a remote repository. Moreover, it explores…

Blockchain, GDPR, Migrate API... Videos from DrupalCamp Nordics 2017 are live!

Posted by Kristian Polso - 25 May 2017 at 07:15 UTC
I have just finished editing the session videos from the very first DrupalCamp Nordics. DrupalCamp Nordics 2017 was held in Helsinki, on 11th to 12th of May 2017. The event was a great success, with over 120 participants from more than 10 different countries! The topics of the sessions ranged from more high-level technology-related like Blockchain and GDPR to more practical developer-oriented matters like using the Migrate API and introduction to Drupal 8 caching.

Drupal 6 security update for Site Verify

Posted by myDropWizard.com - 24 May 2017 at 20:06 UTC

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Site Verify module to fix a Cross-Site Scripting (XSS) vulnerability.

The Site Verify module enables privileged users to verify a site with services like Google Webmaster Tools using meta tags or file uploads.

The module doesn't sufficiently sanitize input or restrict uploads.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the Site Verify module, we recommend you update immediately.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Invaders! Securing "Smart" Devices on a Home Network

Posted by Lullabot - 24 May 2017 at 16:00 UTC

As a part of Lullabot’s security team, we’ve been keeping track of how the Internet of Things plays a role in our company security. Since we’re fully distributed, each employee works day-to-day over their home internet connection. This subreddit reminds us that most “smart” devices are actually quite dumb as far as security goes. With malware like Mirai actively focusing on home IoT devices including cameras, we know that anything we plug in will be under constant assault. However, there can be significant utility in connecting physical devices to your local network. So, my question: is it possible to connect an “IoT” device to my home network securely, even when it has known security issues?

An opportunity presented itself when we needed to buy a new baby monitor that supported multiple cameras. The Motorola MBP853CONNECT was on sale, and included both Wifi and a “regular” proprietary viewer. Let’s see how far we can get.

The Research

Before starting, I wanted to know if anyone else had done any testing with this model of camera. After searching for “motorola hubble security” (Hubble is the name of the mobile app), I came across Push To Hack: Reverse engineering an IP camera. This article goes into great detail about the many flaws they found in a different Motorola camera aimed at outdoor use. Given that both cameras are made by Binatone, and connect to the same remote services, it seemed likely that the MBP853 was subject to similar vulnerabilities. The real question was if Motorola updated all of their cameras to fix the reported bugs, or if they just updated a single line of cameras.

These articles were also great resources for figuring out what the cameras were capable of, and I wouldn’t have gotten as far in the time I had without them:

Goals

I wanted to answer these three questions about the cameras:

  1. Can the cameras be used in a purely “local” mode, without any cloud or internet connectivity at all?
  2. If not, can I allow just enough internet access to the camera so it allows local access, but blocks access to the cloud services?
  3. If I do need to use the Hubble app and cloud service, is it trustworthy enough to be sending images and sounds from my child’s bedroom?
The Infrastructure

I recently redid my home network, upgrading to an APU2 running OPNSense for routing, combined with a Unifi UAP-AC-PRO for wireless access. Both software stacks support VLANs—a way to segregate and control traffic between devices on the same ‘physical’ network. For WiFi, this means creating a separate SSID for the cameras, and assigning it a VLAN ID in the UniFi controller. Then, in OPNSense, I created a new interface with the same VLAN ID. On that interface, I enabled DHCP, and then set up basic firewall rules to block all traffic. That way, I could try setting up the camera while using Wireshark on my laptop to sniff the traffic, without worrying that I was exposing my real network to anything nefarious.

Packet Sniffing

One of the benefits of running a “real” operating system on your router is that all of our favorite network debugging tools are available, including tcpdump. Since Wireshark will be running on our local workstation, and not our router, we need to capture the network traffic to a separate file. Once I knew the network interface name using ifconfig, I then used SSH along with -w - to reroute the packet dump to my workstation. If you have enough disk space on the router, you could also dump locally and then transfer the file after.

$ ssh root@router-ip-or-hostname tcpdump -w - -i igb0_vlan3000 > packet-dump.pcap

After setting this up, I realized that this wouldn't show traffic of the initial setup. That’s because, in setup mode, the WiFi camera broadcasts an open WiFi network. You then have to use the Android or iOS mobile app to configure the camera so it has the credentials to your real network. So, for the first packet dump, I joined my laptop to the setup network along with my phone. Since the network was completely open, I could see all traffic on the network, including the API calls made by the mobile app to the camera.

Verifying the setup vulnerability

Let's make sure this smart camera is using HTTPS and keeps my WiFi password secure.

I wanted to see if the same setup vulnerability documented by Context disclosing my WiFi passwords applied to this camera model. While I doubt anyone in my residential area is capturing traffic, this is a significant concern in high-density locations like apartment buildings. Also, since the cameras use the 2.4GHz and not the 5GHz band, their signal can reach pretty far, especially if all you’re trying to do is read traffic and not have a successful communication. In the OPNSense firewall, I blocked all traffic on the “camera” VLAN. Then, I made sure I had a unique, but temporary password on the WiFi network. That way, if the password was broadcast, at least I wasn’t broadcasting the password for a real network and forcing myself to reset it.

Once I started dumping traffic, I ran through the setup wizard with my phone. The wizard failed as it tests internet connectivity, but I could at least capture the initial setup traffic.

In Wireshark, I filtered to https traffic:


Oh dear. The only traffic captured is from my phone trying to reach 66.111.4.148. According to dig -x 66.111.4.148, that IP resolves to www.fastmail.com - in other words, my email app checking for messages. I was expecting to see HTTPS traffic to the camera, given that the WiFi network was completely open. Let’s look for raw HTTP traffic.


This looks promising. I can see the HTTP commands sent to the camera fetching its version and other information. Wireshark's "Follow HTTP stream" feature is very useful here, helping to reconstruct conversations that are spread over multiple packets and request / response pairs. For example, if I follow the "get version" conversation at number 3399:

GET /?action=command&command=get_version HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.1; Nexus 6P Build/N4F26O)
Host: 192.168.193.1
Connection: Keep-Alive
Accept-Encoding: gzip

HTTP/1.1 200 OK
Proxy-Connection: Keep-Alive
Connection: Close
Server: nuvoton
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Pragma: no-cache
Expires: 0
Content-type: text/plain

get_version: 01.19.30

Let’s follow the setup_wireless command:

GET /?action=command&command=setup_wireless_save&setup=1002000071600000000606blueboxthisismypasswordcamera000000 HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.1; Nexus 6P Build/N4F26O)
Host: 192.168.193.1
Connection: Keep-Alive
Accept-Encoding: gzip

HTTP/1.1 200 OK
Proxy-Connection: Keep-Alive
Connection: Close
Server: nuvoton
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Pragma: no-cache
Expires: 0
Content-type: text/plain

setup_wireless_save: 0

That doesn't look good. We can see in the GET:

  1. The SSID of the previous WiFi network my phone was connected to (“bluebox”).
  2. The password for the “camera” network (thisismypassword).
  3. The SSID of that network.

Presumably, this is patched in the latest firmware update. Of course, there’s no way to get the firmware without first configuring the camera. So, I opened up the Camera VLAN to the internet (but not the rest of my local network), and updated.

That process showed another poor design in the Hubble. When checking for firmware updates, the app fetches the version number from the camera. Then, it compares that to a version fetched from ota.hubble.in… over plain HTTP.


In other words, the firmware update itself is subject to a basic MITM attack, where an attacker could block further updates from being applied. At the least, this process should be over HTTPS, ideally with certificate pinning as well. Amusingly, the OTA server is configured for HTTPS, but the certificate expired the day I was writing this section.


After the update had finished, I reset the camera to factory defaults and checked again. This time, the setup_wireless_save GET was at the least not in cleartext. However, I don’t have any trust that it’s not easily decryptable, so I’m not posting it here.

Evaluating Day-to-Day Security

Assuming that the WiFi password was at least secure from casual attackers, I proceeded to add firewall rules to allow traffic from the camera to the internet, so I could complete the setup process. This was a tedious process. tcpdump along with the OPNSense list of “blocked traffic” was very helpful here. In the end, I had to allow:

  • DNS
  • NTP for time sync
  • HTTPS
  • HTTP
  • UDP traffic

I watched the IPs and hostnames used by the camera, which were all EC2 hosted servers. The “aliases” feature in OPNSense allowed me to configure the rules by hostname, instead of dealing with constantly changing IPs. Of course, given the above security issues, I wonder how secure their DNS registrations are.

Needing to allow HTTP was a red flag to me. So, after the setup finished, I disabled all rules except DNS and NTP. Then, I added a rule to let my normal home LAN access the CAMERA VLAN. I could then access the camera with an RTSP viewer at the URL:

rtsp://user:pass@camera-ip:6667/blinkhd/

Yes, the credentials actually are user and pass.

And tada! It looked like I had a camera I could use with my phone or laptop, or better yet at the same time as my wife. Neat stuff!

It All Falls Apart

After a fresh boot, everything seemed fine with the video streams. However, over a day or two, the streams would become more and more delayed, or would drop, and, eventually, I’d need to restart the camera. Wondering if this had something to do with my firewall rules, I re-enabled the HTTP, HTTPS, and UDP rules, and started watching the traffic.

Then, my phone started to get notification spammed.

At this point, I’d been using the cameras for about two weeks. As soon as I re-enabled access to Hubble, my phone got notifications about movement detected by the camera. I opened the first one… and there was a picture of my daughter, up in her room, in her jammies.

It was in the middle of the day, and she wasn’t home.

What I discovered is that the camera will save a still every time it detects movement, and buffer them locally until they can be sent. And, looking in Wireshark, I saw that the snapshots were being uploaded with an HTTP POST to snap.json without any encryption at all. Extracting the conversation, and then decoding the POST data (which was form data, not JSON!), I ended up with a picture.

I now had proof the camera was sending video data over the public internet without any security whatsoever. I blocked all internet access, including DNS, hoping that would still let local access work. It did!

Then, my wife and I started hearing random beeps in the middle of the night. Eventually, I tracked it to the cameras. They would beep every 15 minutes or so, as long as they didn’t have a working internet connection. This killed the cameras for home use, as they’d wake the whole family. Worse yet, even if we decided to allow internet access, if it was down in the middle of the night (our cable provider usually does maintenance at 3AM), odds are high we’d all be woken up. I emailed Motorola support, and they said there was no way to disable the beeping, other than to completely reset the cameras and not use the WiFi feature at all.

We’re now happily using the cameras as “dumb” devices.

Security Recommendations and Next Steps

Here are some ideas I had about how Motorola could secure future cameras:

  1. The initial setup problem could have been solved by using WPA2 on the camera. I’ve seen routers from ISPs work this way; the default credentials are unique per device, and printed on the bottom of the device. That would significantly mitigate the risk of a completely open setup process. Other devices include a Bluetooth radio for this purpose.
  2. Use encryption and authentication for all APIs. Of course, there are difficulties from this such as certificate management, hostname validation, and so on. However, this might be a good case where the app could validate based on a set of hardcoded properties, or accept all certificates signed by a custom CA root.
  3. Mobile apps should validate the authenticity of the camera to prevent MITM attacks. This is a solved problem that Binatone simply hasn’t implemented.
  4. Follow HTTP specifications! All “write” commands for the camera API use HTTP GETs instead of POSTs. That means that proxies or other systems may inadvertently log sensitive data. And, since there’s no authentication, it opens up the API to CSRF vulnerabilities.
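To tie the findings above together (the setup_wireless_save leak, the plain-HTTP firmware check against ota.hubble.in, the snap.json upload, and recommendation 4), here is an added example that is not code from the post: a Python triage script that scans a captured plain-HTTP stream for those weaknesses, using a throwaway WiFi password as a canary the way the post does. The sample stream is constructed from the exchanges shown above; the OTA path, the upload host and the `_save`/`_set` write-verb convention are assumptions.

```python
"""Triage a captured plain-HTTP camera stream for the weaknesses the post
found: cleartext credentials during setup, state-changing commands sent as
GETs, and firmware checks and snapshot uploads that leave the camera VLAN
unencrypted.  Added example; the sample stream below is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the "Follow HTTP stream" output shown in
# the post.  The OTA path and the upload host are placeholders: the post
# only names ota.hubble.in and the snap.json endpoint.
SAMPLE_STREAM = """\
GET /?action=command&command=get_version HTTP/1.1
Host: 192.168.193.1

HTTP/1.1 200 OK
Server: nuvoton

get_version: 01.19.30

GET /?action=command&command=setup_wireless_save&setup=1002000071600000000606blueboxthisismypasswordcamera000000 HTTP/1.1
Host: 192.168.193.1

GET /PLACEHOLDER-ota-path HTTP/1.1
Host: ota.hubble.in

POST /snap.json HTTP/1.1
Host: upload.placeholder.invalid
"""

# The temporary WiFi password used only for the setup run.  A throwaway
# value works as a canary: if it shows up in traffic, nothing real leaked.
CANARY = "thisismypassword"

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/\d\.\d$")
# Assumption: write verbs in this camera API end with one of these suffixes.
WRITE_SUFFIXES = ("_save", "_set")


@dataclass
class Request:
    method: str
    target: str   # request-target, e.g. "/?action=command&command=get_version"
    host: str


def parse_requests(stream: str) -> List[Request]:
    """Pick the requests out of a stream dump; responses and bodies are
    skipped, since only the request line and Host header matter here."""
    requests: List[Request] = []
    for block in stream.strip().split("\n\n"):
        lines = block.splitlines()
        match = REQUEST_LINE.match(lines[0])
        if not match:
            continue
        host = ""
        for header in lines[1:]:
            name, _, value = header.partition(":")
            if name.strip().lower() == "host":
                host = value.strip()
        requests.append(Request(match.group(1), match.group(2), host))
    return requests


def is_local(host: str) -> bool:
    """True for private (RFC 1918) addresses: traffic staying on the camera VLAN."""
    try:
        return ipaddress.ip_address(host.split(":")[0]).is_private
    except ValueError:
        return False  # a hostname, treated as internet-bound


def triage(requests: List[Request], canary: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for each weakness visible in the stream."""
    findings: List[Tuple[str, str]] = []
    for req in requests:
        command = parse_qs(urlsplit(req.target).query).get("command", [""])[0]
        # 1. The canary inside any request means credentials crossed the open
        #    setup network in cleartext (the setup_wireless_save leak).
        if canary and canary in req.target:
            redacted = req.target.replace(canary, "<CANARY>")
            findings.append(("cleartext-credential", f"{req.method} {req.host}{redacted}"))
        # 2. A write command sent as a GET ends up in proxy and server logs
        #    and, with no authentication, is open to CSRF (recommendation 4).
        if req.method == "GET" and command.endswith(WRITE_SUFFIXES):
            findings.append(("write-via-get", command))
        # 3. Anything leaving the VLAN in a plain-HTTP stream is unencrypted:
        #    a firmware version check there lets a MITM hold back updates,
        #    and the snapshot upload exposes images from the room.
        if not is_local(req.host):
            kind = "cleartext-to-internet"
            if req.host == "ota.hubble.in":
                kind = "cleartext-firmware-check"
            elif req.target.endswith("snap.json"):
                kind = "cleartext-snapshot-upload"
            findings.append((kind, f"{req.method} {req.host}{req.target}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_requests(SAMPLE_STREAM), CANARY):
        print(f"{kind:28} {detail}")
```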

In terms of recommendations to the Lullabot team, we currently recommend that any “IoT” devices be kept on completely separate networks from devices used for work. That’s usually as simple as creating a “guest” WiFi network. After this exercise, I think we’ll also recommend to treat any such devices as hostile, unless they have been proven otherwise. Remember, the “S” in “IoT” stands for “secure”.

Personally, I want to investigate hacking the camera firmware to remove the beeps entirely. I was able to capture the firmware from my phone (the app stores them in Android’s main storage), and since there’s no authentication, I’m guessing I could replace the beeps with silence, assuming they are WAV or MP3 files.

In the future, I’m hoping to find an IoT vendor with a security record that matches Apple’s, who is clearly the leader in mobile security. Until then, I’ll be sticking with dumb devices in my home.

What’s new on Drupal.org? - April 2017

Posted by Drupal.org blog - 24 May 2017 at 15:20 UTC

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

DrupalCon Baltimore logo Apr 24-28

At the end of April we joined the community at DrupalCon Baltimore. We met with many of you there, gave our update at the public board meeting, and hosted a panel detailing the last 6 months worth of changes on Drupal.org. If you weren't able to join us for this con, we hope to see you in Vienna!

Drupal.org updates

DrupalCon Vienna Full Site Launched!

DrupalCon Vienna logo Sep 26-29 2017

Speaking of Vienna, in April we launched the full site for DrupalCon Vienna which will take place from September 26-29th, 2017. If you're going to join us in Europe you can book your hotel now, or submit a session. Registration for the event will be opening soon!

DrupalCon Nashville Announced with new DrupalCon Brand

DrupalCon Nashville logo Apr 9-13 2018

Each year at DrupalCon the location of the next conference is held as a closely guarded secret; the topic of speculation, friendly bets, and web crawlers looking for 403 pages. Per tradition, at the closing session we unveiled the next location for DrupalCon North America - Nashville, TN, taking place from April 9-13th in 2018. But this year there was an extra surprise.

We've unveiled the new brand for DrupalCon, which you will begin to see as the new consistent identity for the event from city to city and year to year. You'll still see the unique character of the city highlighted for each regional event, but with an overarching brand that creates a consistent voice for the event.

Starring Projects

Users on Drupal.org may now star their favorite projects - making it easier to find favorite modules and themes for future projects, and giving maintainers a new dimension of feedback to judge their project's popularity. Users can find a list of the projects they've starred on their user profile. Over time we'll begin to factor the number of stars into a project's ranking in search results.


At the same time that we made this change, we've also added a quick configuration for managing notification settings on a per-project basis. Users can opt to be notified of all issues for a project, only issues they've followed, or no issues. While these notification options have existed for some time, this new UI makes it easier than ever to control issue notifications in your inbox.

Project Browsing Improvements

One of the important functions of Drupal.org is to help Drupal site builders find the distributions, modules, and themes, that are the best fit for their needs. In April, we spent some time improving project browsing and discovery.

Search is now weighted by project usage so the most widely used modules for a given search phrase will be more likely to be the top result.

We've also added a filter to the project browsing pages to allow you to filter results by the presence of a supported, stable release. This should make it easier for site builders to sort out mature modules from those still in initial development.

Better visual separation of Documentation Guide description and contents

Better Documentation Guide Display

In response to user feedback, we've updated the visual display of Documentation Guides, to create a clearer distinction between the guide description text and the teaser text for the content within the guides.

Promoting hosting listings on the Download & Extend page

To leverage Drupal to the fullest requires a good hosting partner, and so we've begun promoting our hosting listings on the Download and Extend page. We want Drupal.org to provide every Drupal evaluator with all of the tools they need to achieve success—from the code itself, to professional services, to hosting, and more.

Composer

Sub-tree splits of Drupal are now available

Composer Façade

For developers using Composer to manage their projects, sub-tree splits of Drupal Core and its Components are now available. This allows PHP developers to use individual components of Drupal in their projects without having to depend on Drupal in its entirety.

DrupalCI

Automatic Requeuing of Tests in the event of a CI Error

DrupalCI logo

In the past, if the DrupalCI system encountered an error when attempting to run a test, the test would simply return a "CI error" message, and the user who submitted the test had to manually submit a new test. These errors would also cause the issues to be marked as 'Needs work' - potentially resetting the status of an otherwise RTBC issue.

We have updated Drupal.org's integration with DrupalCI so that instead of marking issues as needs work in the event of a CI Error, Drupal.org will instead automatically queue a retest.

Bugfix: Only retest one environment when running automatic RTBC retests

Finally, we've fixed a bug with the DrupalCI's automatic RTBC retest system. When Drupal HEAD changes, any RTBC patches are automatically retested to ensure that they still apply. It is only necessary to retest against the default or last-used test environment to ensure that the patch will work, but the automatic retests were being tested against every configured environment. We've fixed this issue, shortening queue times during a string of automatic retests and saving testing resources for the project.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Drupal 6 security update for AES

Posted by myDropWizard.com - 24 May 2017 at 14:30 UTC

As you may know, Drupal 6 has reached End-of-Life (EOL), which means the Drupal Security Team is no longer issuing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are, and we're one of them!

Today, there is a Critical security release for the AES encryption module.

The AES module provides an API for encrypting and decrypting data via AES. It also allows storing Drupal passwords encrypted in the database (rather than hashed). Because encryption is reversible, anyone holding the key - including site administrators with high enough permissions - can recover user passwords in the clear, something a one-way hash would prevent.

Before this fix, the module's use of AES was flawed in a way that weakened the encryption: an attacker who could collect enough ciphertexts produced by the module could potentially find it easier to recover the plaintext.
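The post does not say which mistake the module made, only that collecting enough ciphertexts helped an attacker. As an added illustration (not the AES module's code, and not a claim about its actual defect), the Go program below shows one common way that symptom arises: AES-CBC with a constant IV and no authentication is deterministic, so equal plaintexts produce equal ciphertexts and plaintexts that share a prefix share their leading blocks, which is exactly the kind of structure that accumulates across many samples. It is placed beside the corrected pattern, AES-GCM with a fresh random nonce per message, which hides equality and rejects tampered ciphertext. The key and the two sample records are constructed for the demonstration; only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed 32-byte key for the demonstration only; a real key comes from
// a key-management system, never from source code.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// pkcs7Pad pads plaintext to a multiple of the AES block size.
func pkcs7Pad(pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	return append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptFixedIV is the weak pattern: AES-CBC with a constant (all-zero) IV and
// no authentication. Nothing varies between calls, so equal plaintexts give equal
// ciphertexts, and plaintexts sharing a prefix share their leading blocks.
func EncryptFixedIV(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize) // constant IV: this is the mistake
	padded := pkcs7Pad(pt)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// EncryptGCM is the corrected pattern: AES-GCM with a fresh random nonce per
// message. Output is nonce || ciphertext || tag so the receiver can verify.
func EncryptGCM(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// DecryptGCM reverses EncryptGCM and rejects any message whose tag fails to verify.
func DecryptGCM(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// SharedPrefixBlocks counts how many leading 16-byte blocks two ciphertexts have
// in common. For the fixed-IV scheme this equals the number of shared plaintext
// blocks, which is information an attacker can harvest from many samples.
func SharedPrefixBlocks(a, b []byte) int {
	n := 0
	for ; (n+1)*aes.BlockSize <= len(a) && (n+1)*aes.BlockSize <= len(b); n++ {
		if !bytes.Equal(a[n*aes.BlockSize:(n+1)*aes.BlockSize], b[n*aes.BlockSize:(n+1)*aes.BlockSize]) {
			break
		}
	}
	return n
}

func main() {
	// Constructed sample records: two users whose stored secrets share a 16-byte prefix.
	p1 := []byte("password-prefix-Alice-secret")
	p2 := []byte("password-prefix-Bob-secret!!")

	c1, c2 := EncryptFixedIV(demoKey, p1), EncryptFixedIV(demoKey, p2)
	fmt.Println("fixed IV, same plaintext twice gives equal ciphertext:", bytes.Equal(c1, EncryptFixedIV(demoKey, p1)))
	fmt.Println("fixed IV, leading blocks shared between Alice and Bob:", SharedPrefixBlocks(c1, c2))

	g1, _ := EncryptGCM(demoKey, p1)
	g2, _ := EncryptGCM(demoKey, p1)
	fmt.Println("GCM, same plaintext twice gives equal ciphertext:", bytes.Equal(g1, g2))
	g1[len(g1)-1] ^= 1 // flip one bit of the authentication tag
	_, err := DecryptGCM(demoKey, g1)
	fmt.Println("GCM, tampered ciphertext rejected:", err != nil)
}
```

Run it with `go run main.go`: the fixed-IV scheme reports equal ciphertexts and one shared leading block, while GCM reports no repeat and rejects the tampered message. Note that randomised, authenticated encryption fixes the confidentiality and integrity problems of the API but not the design problem the post also mentions: a password that is encrypted, however well, is still recoverable by anyone holding the key, so passwords belong in a salted, slow one-way hash rather than in any encryption scheme.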

(A note about the timing of this release: the AES module was marked unsupported on March 1st, and we started working on a fix right away in the D6LTS queue. We usually release D6LTS patches the same day the D7/D8 patches are posted, or two weeks after a module is marked unsupported. In this case, however, we had only a single Enterprise customer using AES, so we worked on it according to a timeline dictated by them, which involved testing their custom modules that use the AES API together with their team. So, we're releasing this after it has been fully tested and deployed for our one affected customer - if more customers had been affected it would have been released same-day, as usual.)

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the AES module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal VM does Docker

Posted by Jeff Geerling's Blog - 24 May 2017 at 13:57 UTC

Drupal VM on Docker Hub

Drupal VM has used Vagrant and (usually) VirtualBox to run Drupal infrastructure locally since its inception. But ever since Docker became 'the hot new thing' in infrastructure tooling, I've been asked when Drupal VM will convert to using Docker.

The answer to that question is a bit nuanced; Drupal VM has been using Docker to run its own integration tests for over a year (that's how I run tests on seven different OSes using Travis CI). And technically, Drupal VM's core components have always been able to run inside Docker containers (most of them use Docker-based integration tests as well).

Docker usage was, however, always an undocumented and unsupported feature of Drupal VM. No longer: as of 4.5.0, Drupal VM supports Docker as an experimental alternative to Vagrant + VirtualBox, and you can use Drupal VM with Docker in one of two ways:


Subscribe with RSS Subscribe to Drupal.org aggregator - Planet Drupal