MD Systems blog: Drupal 8 security features: Cross site request forgery (XSRF)

Planet Drupal - Tue, 2017/03/21 - 10:27am
Recently, we had to create a security report for one of our clients about their Drupal 8 project. We described how Drupal 8 protects against most common vulnerabilities and added some project specific tests to secure as good as possible that it cannot be attacked. This resulted in a document that we thought is worth to be transferred into a series of blog posts.

Web Omelette: Storing user data such as preferences in Drupal 8 using the UserData service

Planet Drupal - Tue, 2017/03/21 - 9:30am

Have you ever needed to persist some irregular data relating with a user account? Things like user preferences or settings that are kinda configuration but not really? Storing them as configuration means having to export them, and that’s no option. Storing them in State is an option, but not a good one as you’d have to maintain a State value map with each of your users and who wants to deal with that…

In Drupal 7, if you remember way back when, we had this data column in the user table which meant that we could add to the $user->data array whatever we wanted and it would get serialised and saved in that column (if we saved the user object). So what is the equivalent of this in Drupal 8?

I’m happy to say we have the exact same thing, but of course much more flexible and properly handled. So not exactly the same. But close. We have the service provided by the User module and the users_data table for storage. So how does this work?

First of all, it’s a service. So whenever we need to work with it, we have to get an instance like so:

/** @var UserDataInterface $userData */ $userData = \Drupal::service('');

Of course, you should inject it wherever possible.

The resulting object (by default) will be UserData which implements UserDataInterface. And using this object we can store as many pieces of data or information for a given user as we want. Let’s explore this a bit to learn more.

The interface has 3 methods or handling data: get(), set(), delete(). But the power comes in the method arguments. This is how we can store some data for User 1:

$userData->set('my_module', 1, 'my_preference', 'this is my preference');

So as you can see, we have 4 arguments:

  • The module name we want this piece of data to be findable by
  • The user ID
  • The name of the piece of data
  • The value of the piece of data

This is very flexible. First, we can have module specific data. No more colluding with other modules for storing user preferences. Stay in your lane. Second, we can have multiple pieces of data per user, per module. And third, the value is automatically serialised for us so we are not restricted to simple strings.

Retrieving data can be done like so:

$data = $userData->get('my_module', 1, 'my_preference');

This will return exactly this is my preference (in our case). And deserialisation also happens automatically if your data got serialised on input.

Deleting data is just as easy:

$userData->delete('my_module', 1, 'my_preference');

Moreover, most of the arguments of the get() and delete() methods are optional. Meaning you can load/delete multiple pieces of data at once. Check out UserDataInterface to see how omitting some arguments can return/delete sets of records rather than individual ones.

And that is pretty much it. And in true Drupal 8 form, there’s nobody stopping you from overriding the service and using your own UserDataInterface implementation that has that little extra something you are missing. So no, you probably don’t have to create that custom table after all.


PreviousNext: Lifting the Lid on our Containers

Planet Drupal - Tue, 2017/03/21 - 4:19am

We have been running containers in production for more than a year now and want to share some of the lessons learnt, by open sourcing our container suite.


Drupal Modules: The One Percent: Drupal Modules: The One Percent — Alert to Administrator (video tutorial)

Planet Drupal - Mon, 2017/03/20 - 11:01pm
Drupal Modules: The One Percent — Alert to Administrator (video tutorial) NonProfit Mon, 03/20/2017 - 17:01 Episode 24

Here is where we bring awareness to Drupal modules running on less than 1% of reporting sites. Today we'll take a look at Alert to Administrator, a module which displays an alert every time a user logs in as an administrator.


Third & Grove: The accumulation of technical debt, or how a recently opened critical core bug is 15 years old

Planet Drupal - Mon, 2017/03/20 - 1:05pm
The accumulation of technical debt, or how a recently opened critical core bug is 15 years old catch Mon, 03/20/2017 - 08:05

Matt Glaman: Setup Drupal Commerce for CI and Behat testing

Planet Drupal - Mon, 2017/03/20 - 1:17am

I can proudly say that we have been on top of our test coverage in Drupal Commerce. Back in June of 2016 we had removed any trace of Simpletest based tests and . Once using PhantomJS for JavaScript testing landed in core we jumped ship. Test coverage is great for the individual project because we can ensure that we ship an (assumedly, mostly) bug-free product. But I believe we should do more than that. So I built my own .

What is a project template? Well you can pass it to Composer and have a set up Drupal 8 project skeleton. You'd run something like

composer create-project mglaman/commerce-project-template some-dir --stability dev --no-interaction

The end result is a built Drupal 8 site, with Drupal Commerce. You will also have a configuration for using Behat testing out of the box, with existing Drupal Commerce coverage provided. This means you can just tweak and add along the way. I have also added and integration, providing an example of how to ship your Drupal Commerce project with continuous integration to make sure you deliver a functioning project.

Running Tests

The project comes with a phpunit.xml.dist which has been set up to allow you to run any PHPUnit tests provided by Drupal or contrib from the root directory. Here's an example to how to run the Commerce Unit and Kernel test

./bin/phpunit --testsuite unit --group commerce ./bin/phpunit --testsuite kernel --group commerce

This makes it simpler for you to write your own PHPUnit tests for client code. The PHPUnit file shipped with Drupal core assumes it'll say in the root core directory, meaning it can get lost on any Drupal core update. Which is annoying. I use this setup to provide basic unit and kernel tests for API integrations on our Drupal Commerce projects.

The best part is Behat, of course!

Scenario: Anonymous users can access checkout When anonymous checkout is enabled And I am on "/product/1" Then I should see "Commerce Guys Hoodie" When I press "Add to cart" Then I should see "Commerce Guys Hoodie - Cyan, Small added to your cart." And I click "your cart" Then I press "Checkout"

This allows us to make sure a user can visit the product and add it to cart and reach the checkout. It's obviously quite simple but is also an important check. You can see more examples here:

Docker ready

In order to have a reproducible testing environment, the repository also contains my Docker setup. It is contained in a docker-composer.yml.dist so that it can be modified and changed. The config/docker directory contains the PHP, nginx, and MariaDB configurations. It ships with MailHog as an SMTP server so that you can debug emails easily. I used the MailHog SMTP server when working on the order receipts we provide in Drupal Commerce 2. And customer communication is a big deal with e-commerce.

Docker also provides a simpler way to ship a way to test Search API backed by Solr.

A way to provide a demo

The project has a script to install my mglaman/commerce_demo project, which provides base products and other configuration to try out Drupal Commerce. This is the base content for the Behat tests. So, if you want to try out Drupal Commerce 2 or pitch it to a client, CxO, or a friend this project makes it pretty simple to spin up an example Drupal Commerce 2 site.

What's next?

Next steps are to add an example catalog backed by Search API into the demo module using the database storage. Once that's set I'll work to have it using Solr as storage and test that, along with custom Solr configuration examples. I'd also like to show some deployment step examples in circleci.yml .


DrupalEasy: DE Live: Drupal 9 Reaction

Planet Drupal - Sun, 2017/03/19 - 2:07am

Direct .mp3 file download.

A quick live podcast featuring a reaction from Mike and Ryan about Dries' Drupal 9 Blog Post. Recorded on YouTube Live, and this audio version is reposted to our podcast channel for your convenience.

DrupalEasy News Follow us on Twitter Subscribe

Subscribe to our podcast on iTunes, Google Play or Miro. Listen to our podcast on Stitcher.

If you'd like to leave us a voicemail, call 321-396-2340. Please keep in mind that we might play your voicemail during one of our future podcasts. Feel free to call in with suggestions, rants, questions, or corrections. If you'd rather just send us an email, please use our contact page.


DrupalEasy: DrupalEasy Podcast 192 - 8+ Reasons to Love Drupal 8+

Planet Drupal - Sun, 2017/03/19 - 1:15am

Direct .mp3 file download.

Almost all of the DrupalEasy Podcast hosts congregate to take a look back and a look forward at Drupal 8. We discuss some of our favorite things about Drupal 8 as well as what we're looking forward to the most in the coming year. Also, Anna provides us with a first-person look at DrupalCamp Northern Lights (Iceland), and Ted leads a discussion on Drupal 8.3.


Our favorite things about Drupal 8 (so far).

  • Mike - everything you can do with just core, plugins.
  • Ted - object-oriented codebase, experimental modules.
  • Ryan - configuration management, migrate in core.
  • Anna - module and theme libraries in core and base themes in core, view modes.
  • Andrew - Restful services in core, Composer all the things.

What are we looking forward to the most in the Drupal universe in 2017?

DrupalEasy News Three Stories Sponsors Upcoming Events Follow us on Twitter Five Questions (answers only)
  1. Brewing beer.
  2. Windows Subsystem for Linux.
  3. Hiking the Appalachian trail (Jim Smith's blog).
  4. Giraffe.
  5. Doing three Drupal sites in three months, the first Orlando Drupal meetups.
Intro Music Subscribe

Subscribe to our podcast on iTunes, Google Play or Miro. Listen to our podcast on Stitcher.

If you'd like to leave us a voicemail, call 321-396-2340. Please keep in mind that we might play your voicemail during one of our future podcasts. Feel free to call in with suggestions, rants, questions, or corrections. If you'd rather just send us an email, please use our contact page.


clemens-tolboom opened pull request schickling/dockerfiles#71

On github - Sat, 2017/03/18 - 7:48pm
Mar 18, 2017 clemens-tolboom opened pull request schickling/dockerfiles#71 Fixed typo 1 commit with 4 additions and 4 deletions blog: Goodbye Project Applications, Hello Security Advisory Opt-in

Planet Drupal - Fri, 2017/03/17 - 11:12pm

Any user on who has accepted our Git usage policy may now create full projects with releases. This is a big change in policy for the Drupal project, representing an evolution of the contribution ecosystem in the past half a decade.

What was the Project Application Process?

Ever since the days when Drupal's code was hosted in CVS there has been some form of project application process in the Drupal Community. To prevent duplicate, low-quality, insecure, or otherwise undesirable projects from flooding Drupal, users would submit sandbox projects to an application queue to be reviewed by a group of volunteers.

After resolving any issues raised in this review process, the user would be given the git vetted role, allowing them to promote their sandbox to a full project, claim a namespace, and create releases. Once a user had been vetted for their first project, they would remain vetted and be able to promote any future projects on their own, without submitting an additional application.

The Problem

Unfortunately, though the project application process was created with the best of intentions, in the long term it proved not to be sustainable. Drupal grew too fast for a group of volunteer reviewers to keep up with reviewing new projects, and at times there were applications waiting in queue for 6 months to 1 year, or even more. That is much too slow in the world of software development.

This put Drupal in a difficult situation. After years of subjecting new projects and contributors to a rigorous standard of peer review, Drupal has a well-deserved reputation for code quality and security. Unlike many open source projects, we largely avoided the problem of having many duplicate modules that exist to serve the same purpose. We unified our community’s effort, and kept up a culture of collaboration and peer review. At the same time, many would-be contributors were unable or unwilling to navigate the application process and so simply chose not to contribute.

The question became, how could we preserve the emphasis on quality while at the same time removing the barrier to contribution that the application process had become?

Constraints on a solution

Opening the contribution gates while retaining strong signals about code quality and security was a tricky problem. We established three constraints on a solution:

  1. We need to welcome new contributors, and eliminate the walls that prevent contribution.
  2. We need to continue to send strong signals about security coverage to users evaluating whether to use modules from
  3. We need to continue our strong emphasis on quality and collaboration through changes to project discovery that will provide new signals about code quality, and by providing incentives and credit for peer review.
The Solution

In collaboration with the community, the security team, members of the board, and staff we outlined a solution in four phases:

Phase 1: Send strong signals about security advisory coverage.
  • We updated project pages to include messaging and a shield icon to indicate whether a project received security advisory coverage from the security team.
  • We now serve security advisory coverage information in the Updates status information provided by, and we're working on a patch to display that information directly on the updates page of users' Drupal sites.

Here are some examples of what these security signals look like on project pages:

If a project is not opted in to security advisory coverage, this message will appear at the top of the project page:

And this one will appear near the download table:

If a project has opted in, this message will appear near the download table:

And covered releases will show the coverage icon (note how the stable 7.x release has coverage and the 8.x release candidate does not):

Phase 2: Set up an opt-in process for security advisory coverage
  • Previously any project with a stable release would receive security advisory coverage from the security team. As we opened the gates for anyone to promote full projects, the security team needed an opt in process so that they could enforce an extra level of vetting on projects that wish to receive advisory coverage.
  • We agreed to repurpose the project application queue to be a queue for vetting users for the ability to opt their projects in to receive security advisory coverage. Now that this process has been decoupled from creating full projects, the security team may revise it in future–in collaboration with staff and the community.
  • Now a project maintainer must opt in their project to receive advisory coverage and make a stable release in order to receive security advisory coverage from the security team.

Once a maintainer has been vetted by the security advisory opt in process, they can edit their project and use this field set to opt-in:

Phase 3: Open the gate to allow users to create full projects with releases without project applications.

This is the milestone we've just reached!

Phase 4: Provide both automated code quality signals, as well as incentives for peer review of projects - and factor these into project discovery
  • We are working on this phase of the project in the issue queues, and we appreciate your feedback and ideas!
What is the new process?

So in the end - what is the new process if you want to make a contribution by hosting a project on

  1. You must have a account, and you must accept the git terms of service.
  2. You can create a sandbox or a full project
  • Note: We still strongly recommend that project maintainers begin with sandbox projects, until they are sure they will be able to commit to supporting the project as a full project, and until the code is nearly ready for an initial release.
  • That said, you can promote a sandbox project to a full project at any time, to reserve your name space and begin making releases.

At this point, you will have a full project on, and will be able to make releases that anyone can use on their Drupal site. The project will not receive security advisory coverage, and a warning that the project is not covered will appear on the project page and in the updates information.

If you want to receive security advisory coverage for your project, you will need to take these additional steps:

  1. You must apply for vetted status in the security advisory coverage queue.
  2. Members of the security team or other volunteers will review your application - and may suggest changes to your project.
  3. Once feedback is resolved, you will be granted the vetted role and be able to opt in this project, and any future projects you create, to receive security advisory coverage.
    • Note: Only *stable* releases receive security advisory coverage, so even after opting your project in you will not receive the advisory coverage shield except on stable releases.
What comes next?

Now that the project application process is no more, the gates are open. We are already seeing an uptick in projects created on, and have seen some projects that had migrated to other places (like GitHub) migrate back to We can expect to see contributions from some great developers who previously felt gate-kept out of the community. We will also see an uptick in contributions that need work, from new developers and others who are still learning Drupal best practices.

That is why our next focus will be on providing good code quality signals for projects on We want to provide both automated signals of code quality, and new incentives for peer review from existing members of the community. We're outlining that plan in the issue queues, and we welcome your feedback and contributions.

We also still have work to do to communicate this well. This is a big change for the Drupal community and so we want to make people aware of this change in every channel that we can.

Finally, after such a significant change, we're going to need to monitor the contrib ecosystem closely. We're going to learn a lot about the project in the next several months, and it's likely there will be additional follow ups and other changes that we'll need to make.  

Special Thanks

There are many, many contributors on who have put in time and effort to help make the contribution process better for new contributors to Drupal - the deepest thanks to all of you for your insight and feedback. We'd also like to specifically thank those who participated in the Project Application Revamp, including:

Categories: JQuery.cookie in Drupal 7

Planet Drupal - Fri, 2017/03/17 - 9:14pm

A quick tip for all Drupalistas outhere: if you want to use jQuery.cookie in your project, you actually don't have to download and install the library. jQuery.cookie is a part of Drupal 7 and can be included as easy as typing: 

  1. drupal_add_library('system', 'jquery.cookie');

Wondering to ...

Read now


MidCamp - Midwest Drupal Camp: MidCamp 2017 Session Schedule

Planet Drupal - Fri, 2017/03/17 - 7:33pm

The MidCamp session team has been hard at work placing all of our selected sessions in the perfect place.  Checkout the Friday and Saturday session schedules!

View all Friday sessions View all Saturday sessions

Call for Volunteers

Want to give back to the Drupal Community without writing a line of code? Volunteer to help out at MidCamp 2017.  We’re looking for people to help with all kinds of tasks including: 

  • Setup/Teardown

    • For setup, we need help making sure registration is ready to roll, and getting T-shirts ready to move.

    • For teardown, we need to undo all the setup including packing up all the rooms, the registration desk, cleaning signage, and making it look like we were never there.

  • Registration and Ticketing

    • We need ticket scanners, program dispersers, and people to answer questions.

  • Room Monitors

    • Pick your sessions and count heads, make sure the speakers have what they need to survive, and help with the in-room A/V

If you’re interested in volunteering or would like to find out more, please contact us.


Thursday is Training Day

On Thursday, we have four great full day Training sessions planned.  We have lined up a group of incredible trainers who are going to donate their time to lead full day, in depth training sessions.  Each session is $40, and is additional to the price of the camp.

View all trainings sessions

View all of the individual trainings: Sprints

At MidCamp 2016, the Sprint room was always abuzz with activity.  There was so much activity on those who work on the Frontend of Drupal, and a concentrated effort to get Drupal Commerce to it's first Release candidate.

If you want to sprint, stop by these rooms any of the days.  If you are interested in mentoring, or leading sprints, please contact  We ask if you are coming on Thursday and Sunday that you get a free ticket so we can make sure to get enough food and coffee.

  • Thursday sprints will take place in Room 220, with room for 80 people
  • Sprinting during sessions Friday and Saturday will take place in Room 120AB, starting after the keynote
  • Sunday sprints will take place in Room 314A and 314B, with room for 60 people in each room

Thanks for reading this far!  We hope to see you at the camp!


DrupalCon News: The Government Summit Returns

Planet Drupal - Fri, 2017/03/17 - 6:49pm

Annnnnnnd we are back for round 2! Last year’s Government Summit was such a success that we offering it again, and this year we have managed to pack even more content and conversations into the day for y’all! We are still catering to the same government audience, so if you find yourself working for the government in some capacity (fed, state, local or contracting), then this Summit for you!


Acquia Developer Center Blog: 253: Mumbai Memories - Abhishek Anand

Planet Drupal - Fri, 2017/03/17 - 6:04pm

My trusty microphone, camera, and I recorded a few great conversations in Mumbai that have never been released until now. Today, talking about full-time contribution to Drupal 8 while building the Acquia Lightning distribution, passion for community and paying it forward in open source, and Drupal in India with Abhishek Anand.

At the time of recording, Abhishek had been a Drupalist "for seven years and two months." He started using Drupal to prepare for a job interview for an internship while he was still studying and said he wished he'd discovered it sooner. It would have saved him a lot of coding to make websites for his college. Later on, Abhishek even turned down jobs at bigger companies to stay where he was and doing Drupal, "I just loved this job. And seven years later this journey in Drupal has been exciting."

Though he is a capable coder, Drupal's toolset made his life and work easier, "For doing anything else, you had to write a lot of code, even for small things. With Drupal, I can sit with someone who knows nothing about PHP or coding and they can build a website. At the same time, the biggest thing was that I can also be a part of this community that's build this. Whatever I'm building, can go back to the Drupal community. Having code written by me on is exciting for me. Someone else will use my code ... When someone files an issue [on one of my modules], I know that they are using it. It's a great feeling knowing other people are using the code I am writing. It's an amazing feeling."

DrupalCon Asia Mumbai 2016 was almost exactly a year ago now. Of all the conferences I have been to, Mumbai was probably my favorite. I met an incredible, active, enthusiastic Drupal community that welcomed everyone with open arms, incredible food (!), and a LOT of selfies :-)

Subscribe to the podcast!

Subscribe to the Acquia Podcast in iTunes and rate this episode!

Subscribe via our RSS feed.


Dries Buytaert: How the YMCA uses Drupal to accelerate its mission

Planet Drupal - Fri, 2017/03/17 - 6:00pm

The YMCA is a leading nonprofit dedicated to strengthening communities through youth development, healthy living and social responsibility. Today, the YMCA serves more than 58 million people in 130 countries around the world. The YMCA is a loose federation, meaning that each association operates independently to best meet the needs of the local community. In the United States alone, there are 874 associations, each with their own CEO and board of directors. As associations vary in both size and scale, each YMCA is responsible for maintaining their own digital systems and tools at their own expense.

In 2016, the YMCA of Greater Twin Cities set out to develop a Drupal distribution, called Open Y. The goal of Open Y was to build a platform to enable all YMCAs to operate as a unified brand through a common technology.

Features of the Open Y platform

Open Y strives to provide the best customer experience for their members. The distribution, developed on top of Drupal 8 in partnership with Acquia and FFW, offers a robust collection of features to deliver a multi channel experience for websites, mobile applications, digital signage, and fitness screens.

On an Open Y website customers can schedule personal training appointments, look up monthly promotions, or donate to their local YMCA online. Open Y also takes advantage of Drupal 8's APIs to integrate all of their systems with Drupal. This includes integration with Open Y's Customer Relationship Management (CRM) and eCommerce partners, but also extends to fitness screens and wearables like Fitbit. This means that Open Y can use Drupal as a data repository to serve content, such as alerts or program campaigns, to digital signage screens, connected fitness consoles and popular fitness tracking applications. Open Y puts Drupal at the core of their digital platform to provide members with seamless and personalized experiences.

Philosophy of collaboration

The founding principle of Open Y is that the platform adopts a philosophy of collaboration that drives innovation and impact. Participants of Open Y have developed a charter that dictates expectations of collaboration and accountability. The tenets of the charter allow for individual associations to manage their own projects and to adopt the platform at their own pace. However, once an association adopts Open Y, they are expected to contribute back any new features to the Open Y distribution.

As a nonprofit, YMCAs cannot afford expensive proprietary licenses. Because participating YMCAs collaborate on the development of Open Y, and because there are no licensing fees associated with Drupal, the total cost of ownership is much lower than proprietary solutions. The time and resources that are saved by adopting Drupal allows YMCAs around the country to better focus on their customers' experience and lean into innovation. The same could not be achieved with proprietary software.

For example, the YMCA of Greater Seattle was the second association to adopt the Open Y platform. When building its website, the YMCA of Greater Seattle was able to repurpose over a dozen modules from the YMCA of the Greater Twin Cities. That helped Seattle save time and money in their development. Seattle then used their savings to build a new data personalization module to contribute back to the Open Y community. The YMCA of the Greater Twin Cities will be able to benefit from Seattle's work and adopt the personalization features into its own website. By contributing back and by working together on the Open Y distribution, these YMCAs are engaging in a virtuous cycle that benefits their own projects.

The momentum of Open Y

In less than one year, 18 YMCA associations have committed to adopting Open Y and over 22 other associations are currently evaluating the platform. Open Y has created a platform that all stakeholders under the YMCA brand can use to collaborate through a common technology and a shared philosophy.

Open Y is yet another example of how organizations can challenge the prevailing model of digital experience delivery. By establishing a community philosophy that encourages contribution, Open Y has realized accelerated growth, feature development, and adoption. Organizations that are sharing contributions and embracing collaboration are evolving their operating models to achieve more than ever before.

Because I am passionate about the Open Y team's mission and impact, I have committed to be an advisor and sponsor to the project. I've been advising them since November 2016. Working with Open Y is a way for me to give back, and it's been very exciting to witness their progress first hand.

If you want to help contribute to the Open Y project, consider attending their DrupalCon Baltimore session on building custom Drupal distributions for federated organizations. You can also connect with the Open Y team directly at


Acquia Developer Center Blog: ES6 for Drupal Developers: Spread, Default Values, and Destructuring

Planet Drupal - Fri, 2017/03/17 - 3:46pm

In the first installment of this blog series, we set up a workflow that allows us both to transpile arbitrary ES6 into JavaScript legible to all modern browsers and to bundle that JavaScript into browser-ready assets. We also explored how working with variable scope has improved in ES6 and working with let and const statements. In this second installment, we’ll be digging deeper into assigning values to variables as well as the spread (or rest) operator.

Tags: acquia drupal planet

Valuebound: Installation & Configuration of Apache solr server 4.6 on Windows Machine

Planet Drupal - Fri, 2017/03/17 - 3:30pm

I was working on one of the project where client was not satisfied with existing drupal search as it was not able to meet their requirement on the site. So they decided to go with Apache solr.

Those who are not aware of what exactly it is, I would like to give them a very basic introduction or a description about what it does.
Apache solr is an open source search platform built upon java library. It’s one of the most popular search platform used by most websites so that it can search and index across the site and return related content based on search query.  

For more detailed information, please visit

So let’s begin with solr installation. To install Solr on windows…


Drupal core announcements: Drupal core key topic meetings at Drupal Developer Days Seville

Planet Drupal - Fri, 2017/03/17 - 11:35am

At major Drupal events when various interested parties are in attendance, we usually organize meetings around a few key shared interests, to ensure we are on the same page and make progress on important areas for the benefit of all. At Drupal Developer Days Seville (March 21st to March 25th), we are planning the following meetings:

  • Media Entity core patch review meeting: Tuesday 11:30am to 1:30pm (and likely more)
  • Drupal Product Management team meetings: Wednesday 12:30pm to 3:30pm and Thursday 3:30pm to 5pm
  • Settings tray meeting: Wednesday 4:30pm to 5:30pm
  • File deletion critical issues meeting: Thursday 10am to 11am
  • Major entity issues triage meeting: Friday 11:30am to 12:30pm

There are also 12 focused sprints organized with 50-70 sprinters signed up on any given day throughout the week to advance both core and contributed projects. Interested to join any of the sprints? Look for the leaders and other members of the sprint teams.