Drupal.org blog: Goodbye Project Applications, Hello Security Advisory Opt-in

Planet Drupal - Fri, 2017/03/17 - 11:12pm

Any user on Drupal.org who has accepted our Git usage policy may now create full projects with releases. This is a big change in policy for the Drupal project, representing an evolution of the contribution ecosystem in the past half a decade.

What was the Project Application Process?

Ever since the days when Drupal's code was hosted in CVS there has been some form of project application process in the Drupal Community. To prevent duplicate, low-quality, insecure, or otherwise undesirable projects from flooding Drupal, users would submit sandbox projects to an application queue to be reviewed by a group of volunteers.

After resolving any issues raised in this review process, the user would be given the git vetted role, allowing them to promote their sandbox to a full project, claim a namespace, and create releases. Once a user had been vetted for their first project, they would remain vetted and be able to promote any future projects on their own, without submitting an additional application.

The Problem

Unfortunately, though the project application process was created with the best of intentions, in the long term it proved not to be sustainable. Drupal grew too fast for a group of volunteer reviewers to keep up with reviewing new projects, and at times there were applications waiting in queue for 6 months to 1 year, or even more. That is much too slow in the world of software development.

This put Drupal in a difficult situation. After years of subjecting new projects and contributors to a rigorous standard of peer review, Drupal has a well-deserved reputation for code quality and security. Unlike many open source projects, we largely avoided the problem of having many duplicate modules that exist to serve the same purpose. We unified our community’s effort, and kept up a culture of collaboration and peer review. At the same time, many would-be contributors were unable or unwilling to navigate the application process and so simply chose not to contribute.

The question became, how could we preserve the emphasis on quality while at the same time removing the barrier to contribution that the application process had become?

Constraints on a solution

Opening the contribution gates while retaining strong signals about code quality and security was a tricky problem. We established three constraints on a solution:

  1. We need to welcome new contributors, and eliminate the walls that prevent contribution.
  2. We need to continue to send strong signals about security coverage to users evaluating whether to use modules from Drupal.org.
  3. We need to continue our strong emphasis on quality and collaboration through changes to project discovery that will provide new signals about code quality, and by providing incentives and credit for peer review.

The Solution

In collaboration with the community, the security team, members of the board, and staff we outlined a solution in four phases:

Phase 1: Send strong signals about security advisory coverage.
  • We updated project pages to include messaging and a shield icon to indicate whether a project received security advisory coverage from the security team.
  • We now serve security advisory coverage information in the Updates status information provided by Drupal.org, and we're working on a patch to display that information directly on the updates page of users' Drupal sites.

Here are some examples of what these security signals look like on project pages:

If a project is not opted in to security advisory coverage, this message will appear at the top of the project page:

And this one will appear near the download table:

If a project has opted in, this message will appear near the download table:

And covered releases will show the coverage icon (note how the stable 7.x release has coverage and the 8.x release candidate does not):

Phase 2: Set up an opt-in process for security advisory coverage
  • Previously, any project with a stable release would receive security advisory coverage from the security team. As we opened the gates for anyone to promote full projects, the security team needed an opt-in process so that they could enforce an extra level of vetting on projects that wish to receive advisory coverage.
  • We agreed to repurpose the project application queue to be a queue for vetting users for the ability to opt their projects in to receive security advisory coverage. Now that this process has been decoupled from creating full projects, the security team may revise it in the future, in collaboration with staff and the community.
  • Now a project maintainer must both opt their project in and make a stable release in order to receive security advisory coverage from the security team.

Once a maintainer has been vetted by the security advisory opt-in process, they can edit their project and use this field set to opt in:

Phase 3: Open the gate to allow users to create full projects with releases without project applications.

This is the milestone we've just reached!

Phase 4: Provide both automated code quality signals and incentives for peer review of projects, and factor these into project discovery
  • We are working on this phase of the project in the issue queues, and we appreciate your feedback and ideas!

What is the new process?

So in the end - what is the new process if you want to make a contribution by hosting a project on Drupal.org?

  1. You must have a Drupal.org account, and you must accept the git terms of service.
  2. You can create a sandbox or a full project.
  • Note: We still strongly recommend that project maintainers begin with sandbox projects, until they are sure they will be able to commit to supporting the project as a full project, and until the code is nearly ready for an initial release.
  • That said, you can promote a sandbox project to a full project at any time, to reserve your name space and begin making releases.

At this point, you will have a full project on Drupal.org, and will be able to make releases that anyone can use on their Drupal site. The project will not receive security advisory coverage, and a warning that the project is not covered will appear on the project page and in the updates information.

If you want to receive security advisory coverage for your project, you will need to take these additional steps:

  1. You must apply for vetted status in the security advisory coverage queue.
  2. Members of the security team or other volunteers will review your application - and may suggest changes to your project.
  3. Once feedback is resolved, you will be granted the vetted role and be able to opt in this project, and any future projects you create, to receive security advisory coverage.
    • Note: Only *stable* releases receive security advisory coverage, so even after opting your project in you will not receive the advisory coverage shield except on stable releases.

What comes next?

Now that the project application process is no more, the gates are open. We are already seeing an uptick in projects created on Drupal.org, and have seen some projects that had migrated to other places (like GitHub) migrate back to Drupal.org. We can expect to see contributions from some great developers who previously felt gate-kept out of the community. We will also see an uptick in contributions that need work, from new developers and others who are still learning Drupal best practices.

That is why our next focus will be on providing good code quality signals for projects on Drupal.org. We want to provide both automated signals of code quality, and new incentives for peer review from existing members of the community. We're outlining that plan in the issue queues, and we welcome your feedback and contributions.

We also still have work to do to communicate this well. This is a big change for the Drupal community and so we want to make people aware of this change in every channel that we can.

Finally, after such a significant change, we're going to need to monitor the contrib ecosystem closely. We're going to learn a lot about the project in the next several months, and it's likely there will be additional follow ups and other changes that we'll need to make.  

Special Thanks

There are many, many contributors on Drupal.org who have put in time and effort to help make the contribution process better for new contributors to Drupal - the deepest thanks to all of you for your insight and feedback. We'd also like to specifically thank those who participated in the Project Application Revamp, including:


TimOnWeb.com: JQuery.cookie in Drupal 7

Planet Drupal - Fri, 2017/03/17 - 9:14pm

A quick tip for all Drupalistas out there: if you want to use jQuery.cookie in your project, you don't actually have to download and install the library. jQuery.cookie is part of Drupal 7 and can be included as easily as typing:

    drupal_add_library('system', 'jquery.cookie');

Wondering to ...


MidCamp - Midwest Drupal Camp: MidCamp 2017 Session Schedule

Planet Drupal - Fri, 2017/03/17 - 7:33pm

The MidCamp session team has been hard at work placing all of our selected sessions in the perfect place. Check out the Friday and Saturday session schedules!

Call for Volunteers

Want to give back to the Drupal Community without writing a line of code? Volunteer to help out at MidCamp 2017.  We’re looking for people to help with all kinds of tasks including: 

  • Setup/Teardown

    • For setup, we need help making sure registration is ready to roll, and getting T-shirts ready to move.

    • For teardown, we need to undo all the setup including packing up all the rooms, the registration desk, cleaning signage, and making it look like we were never there.

  • Registration and Ticketing

    • We need ticket scanners, program dispersers, and people to answer questions.

  • Room Monitors

    • Pick your sessions and count heads, make sure the speakers have what they need to survive, and help with the in-room A/V.

If you’re interested in volunteering or would like to find out more, please contact us.


Thursday is Training Day

On Thursday, we have four great full-day training sessions planned. We have lined up a group of incredible trainers who are going to donate their time to lead full-day, in-depth training sessions. Each session is $40, in addition to the price of the camp.

Sprints

At MidCamp 2016, the Sprint room was always abuzz with activity. There was a lot of activity among those who work on the front end of Drupal, and a concentrated effort to get Drupal Commerce to its first release candidate.

If you want to sprint, stop by these rooms on any of the days. If you are interested in mentoring or leading sprints, please contact midcampsprints@gmail.com. If you are coming on Thursday and Sunday, we ask that you get a free ticket so we can make sure to get enough food and coffee.

  • Thursday sprints will take place in Room 220, with room for 80 people
  • Sprinting during sessions Friday and Saturday will take place in Room 120AB, starting after the keynote
  • Sunday sprints will take place in Room 314A and 314B, with room for 60 people in each room

Thanks for reading this far!  We hope to see you at the camp!


DrupalCon News: The Government Summit Returns

Planet Drupal - Fri, 2017/03/17 - 6:49pm

Annnnnnnd we are back for round 2! Last year’s Government Summit was such a success that we are offering it again, and this year we have managed to pack even more content and conversations into the day for y’all! We are still catering to the same government audience, so if you find yourself working for the government in some capacity (fed, state, local or contracting), then this Summit is for you!


Acquia Developer Center Blog: 253: Mumbai Memories - Abhishek Anand

Planet Drupal - Fri, 2017/03/17 - 6:04pm

My trusty microphone, camera, and I recorded a few great conversations in Mumbai that have never been released until now. Today, talking about full-time contribution to Drupal 8 while building the Acquia Lightning distribution, passion for community and paying it forward in open source, and Drupal in India with Abhishek Anand.

At the time of recording, Abhishek had been a Drupalist "for seven years and two months." He started using Drupal to prepare for a job interview for an internship while he was still studying and said he wished he'd discovered it sooner. It would have saved him a lot of coding to make websites for his college. Later on, Abhishek even turned down jobs at bigger companies to stay where he was and keep doing Drupal: "I just loved this job. And seven years later this journey in Drupal has been exciting."

Though he is a capable coder, Drupal's toolset made his life and work easier: "For doing anything else, you had to write a lot of code, even for small things. With Drupal, I can sit with someone who knows nothing about PHP or coding and they can build a website. At the same time, the biggest thing was that I can also be a part of this community that's built this. Whatever I'm building, can go back to the Drupal community. Having code written by me on Drupal.org is exciting for me. Someone else will use my code ... When someone files an issue [on one of my modules], I know that they are using it. It's a great feeling knowing other people are using the code I am writing. It's an amazing feeling."

DrupalCon Asia Mumbai 2016 was almost exactly a year ago now. Of all the conferences I have been to, Mumbai was probably my favorite. I met an incredible, active, enthusiastic Drupal community that welcomed everyone with open arms, incredible food (!), and a LOT of selfies :-)


Dries Buytaert: How the YMCA uses Drupal to accelerate its mission

Planet Drupal - Fri, 2017/03/17 - 6:00pm

The YMCA is a leading nonprofit dedicated to strengthening communities through youth development, healthy living and social responsibility. Today, the YMCA serves more than 58 million people in 130 countries around the world. The YMCA is a loose federation, meaning that each association operates independently to best meet the needs of the local community. In the United States alone, there are 874 associations, each with their own CEO and board of directors. As associations vary in both size and scale, each YMCA is responsible for maintaining their own digital systems and tools at their own expense.

In 2016, the YMCA of Greater Twin Cities set out to develop a Drupal distribution, called Open Y. The goal of Open Y was to build a platform to enable all YMCAs to operate as a unified brand through a common technology.

Features of the Open Y platform

Open Y strives to provide the best customer experience for their members. The distribution, developed on top of Drupal 8 in partnership with Acquia and FFW, offers a robust collection of features to deliver a multichannel experience for websites, mobile applications, digital signage, and fitness screens.

On an Open Y website customers can schedule personal training appointments, look up monthly promotions, or donate to their local YMCA online. Open Y also takes advantage of Drupal 8's APIs to integrate all of their systems with Drupal. This includes integration with Open Y's Customer Relationship Management (CRM) and eCommerce partners, but also extends to fitness screens and wearables like Fitbit. This means that Open Y can use Drupal as a data repository to serve content, such as alerts or program campaigns, to digital signage screens, connected fitness consoles and popular fitness tracking applications. Open Y puts Drupal at the core of their digital platform to provide members with seamless and personalized experiences.

Philosophy of collaboration

The founding principle of Open Y is that the platform adopts a philosophy of collaboration that drives innovation and impact. Participants of Open Y have developed a charter that dictates expectations of collaboration and accountability. The tenets of the charter allow for individual associations to manage their own projects and to adopt the platform at their own pace. However, once an association adopts Open Y, they are expected to contribute back any new features to the Open Y distribution.

As nonprofits, YMCAs cannot afford expensive proprietary licenses. Because participating YMCAs collaborate on the development of Open Y, and because there are no licensing fees associated with Drupal, the total cost of ownership is much lower than proprietary solutions. The time and resources that are saved by adopting Drupal allow YMCAs around the country to better focus on their customers' experience and lean into innovation. The same could not be achieved with proprietary software.

For example, the YMCA of Greater Seattle was the second association to adopt the Open Y platform. When building its website, the YMCA of Greater Seattle was able to repurpose over a dozen modules from the YMCA of the Greater Twin Cities. That helped Seattle save time and money in their development. Seattle then used their savings to build a new data personalization module to contribute back to the Open Y community. The YMCA of the Greater Twin Cities will be able to benefit from Seattle's work and adopt the personalization features into its own website. By contributing back and by working together on the Open Y distribution, these YMCAs are engaging in a virtuous cycle that benefits their own projects.

The momentum of Open Y

In less than one year, 18 YMCA associations have committed to adopting Open Y and over 22 other associations are currently evaluating the platform. Open Y has created a platform that all stakeholders under the YMCA brand can use to collaborate through a common technology and a shared philosophy.

Open Y is yet another example of how organizations can challenge the prevailing model of digital experience delivery. By establishing a community philosophy that encourages contribution, Open Y has realized accelerated growth, feature development, and adoption. Organizations that are sharing contributions and embracing collaboration are evolving their operating models to achieve more than ever before.

Because I am passionate about the Open Y team's mission and impact, I have committed to be an advisor and sponsor to the project. I've been advising them since November 2016. Working with Open Y is a way for me to give back, and it's been very exciting to witness their progress first hand.

If you want to help contribute to the Open Y project, consider attending their DrupalCon Baltimore session on building custom Drupal distributions for federated organizations. You can also connect with the Open Y team directly at OpenYMCA.org.


Acquia Developer Center Blog: ES6 for Drupal Developers: Spread, Default Values, and Destructuring

Planet Drupal - Fri, 2017/03/17 - 3:46pm

In the first installment of this blog series, we set up a workflow that allows us both to transpile arbitrary ES6 into JavaScript legible to all modern browsers and to bundle that JavaScript into browser-ready assets. We also explored how working with variable scope has improved in ES6 and working with let and const statements. In this second installment, we’ll be digging deeper into assigning values to variables as well as the spread (or rest) operator.


Valuebound: Installation & Configuration of Apache solr server 4.6 on Windows Machine

Planet Drupal - Fri, 2017/03/17 - 3:30pm

I was working on a project where the client was not satisfied with the existing Drupal search, as it was not able to meet their requirements on the site. So they decided to go with Apache Solr.

For those who are not aware of what exactly it is, I would like to give a very basic introduction to what it does. Apache Solr is an open source search platform built upon a Java library. It’s one of the most popular search platforms, used by many websites to index content across the site and return related content based on a search query.

For more detailed information, please visit http://lucene.apache.org/solr/

So let’s begin with the Solr installation. To install Solr on Windows…


Drupal core announcements: Drupal core key topic meetings at Drupal Developer Days Seville

Planet Drupal - Fri, 2017/03/17 - 11:35am

At major Drupal events when various interested parties are in attendance, we usually organize meetings around a few key shared interests, to ensure we are on the same page and make progress on important areas for the benefit of all. At Drupal Developer Days Seville (March 21st to March 25th), we are planning the following meetings:

  • Media Entity core patch review meeting: Tuesday 11:30am to 1:30pm (and likely more)
  • Drupal Product Management team meetings: Wednesday 12:30pm to 3:30pm and Thursday 3:30pm to 5pm
  • Settings tray meeting: Wednesday 4:30pm to 5:30pm
  • File deletion critical issues meeting: Thursday 10am to 11am
  • Major entity issues triage meeting: Friday 11:30am to 12:30pm

There are also 12 focused sprints organized, with 50-70 sprinters signed up on any given day throughout the week to advance both core and contributed projects. Interested in joining any of the sprints? Look for the leaders and other members of the sprint teams.


Drupal Modules: The One Percent: Drupal Modules: The One Percent — Security of Modules Hosted on D.O. (video tutorial)

Planet Drupal - Thu, 2017/03/16 - 11:47pm

Episode 23

Here is where we typically bring awareness to Drupal modules running on less than 1% of reporting sites. Today we're off on a rabbit trail considering the security implications of a change on drupal.org which allows everyone with a user account to create full projects.


Lullabot: The Drupal.org Infrastructure Team

Planet Drupal - Thu, 2017/03/16 - 9:00pm
Matt and Mike sit down with the Drupal.org infrastructure team and talk the ins and outs of what it takes to keep drupal.org's web properties and services (such as composer, git, testing suite, etc) up and running.

Jeff Geerling's Blog: Discussing Open Source project maintenance ('how to not drown') at DrupalCon Baltimore

Planet Drupal - Thu, 2017/03/16 - 3:28pm

I'm excited to be presenting at this year's DrupalCon Baltimore on a topic near and dear to my heart: I'll be presenting Just Keep Swimming: Don't drown in your open source project! at DrupalCon next week.

On a basic level, I'll outline ways I deal with rage-inducingly-vague bug reports, hundreds of GitHub notifications per day, angry and entitled users, and keep a positive attitude that allows me to continue to contribute on a daily basis.


Acquia Developer Center Blog: Making a splash, 2017 German Drupal Awards

Planet Drupal - Thu, 2017/03/16 - 2:46pm

Hamburg, March 15, 2017 - Members of the German Drupal community — contributors, service providers, end users — came together to celebrate their successes in 2016 with the world’s leading open source content management system and application platform at the 2017 German Splash Awards.


OSTraining: How to setup Mollom on Drupal 8

Planet Drupal - Thu, 2017/03/16 - 1:56pm

An OSTraining member asked how to set up the Drupal 8 "Mollom" module.

In this tutorial, I'll show you how to install it and set it up.

If you are using Drupal 7 we have the How to use the Mollom Module in Drupal 7 class that covers how to do this in detail.

Let's get started.


Roman Agabekov: Drupal-powered websites security audit

Planet Drupal - Thu, 2017/03/16 - 10:45am

Security of a website is a crucial thing that sometimes does not receive the attention it should.

Today, I’d like to share the routines we apply when checking the security of a Drupal-powered website. For the most part, this article is a summary of the report Dmitry Kochetov, our Drupal security specialist, made at DrupalCamp Krasnodar 2016.


Agiledrop.com Blog: AGILEDROP: Drupal Logos Taking Part in Outdoor Activities

Planet Drupal - Thu, 2017/03/16 - 8:47am

After some time, our series of various Druplicons continues. We have already presented Drupal Logos in Human and Superhuman forms, Drupal Logos as Fruits and Vegetables, and Druplicons in the shapes of Animals. Since winter has now been gone for some time, more things can be done outside. Therefore, we will look at Druplicons taking part in outdoor activities.

  • Druplicon taking part in parachuting (DrupalCamp Dharamshala 2013)
  • Druplicon taking part in scuba-diving (Drupal Camp Florida)
  • Druplicon taking part in baseball with the hat from team Boston Red Sox (DrupalCon Boston 2008…

tanay.co.in: Prasad Shir for Drupal Association Director At Large

Planet Drupal - Thu, 2017/03/16 - 6:29am

If there is anything in which #Drupal 7 is better than Drupal 8, it is the learning ecosystem that D7 had around it, which D8 lacks.

But there is a way you can help make the situation better, like I just did. I voted for Prasad Shirgaonkar, who is running for the "Director At-Large" position on the board of the Drupal Association!


Prasad Shir, fondly called "Prasad Sir" by most people that know him, is one of the best technical trainers and technical content creators that I have ever seen.

He has been involved in building over 200 Drupal projects worldwide, trained hundreds of developers and several corporate teams to bring them onto the Drupal platform, has been a part of the core team at Acquia that built Drupal Certification. He has been a speaker at multiple DrupalCons and DrupalCamps.

Besides designing and running the Drupal certifications, Prasad has produced some of the best technical resources available for D8, some of which you might have already consumed unknowingly, if you have used one of those Drupal certification guides published by Acquia. He leads all our training effort in Acquia India, and is also a regular trainer at most of the community training programs that happen in India camps.

Prasad has volunteered to nominate himself for the Drupal Board's Director At-Large position on the insistence of a large number of his fans like myself in the Drupal community, and I sincerely believe he can give the much-needed push that the Drupal Learning Ecosystem requires at this point in time.

Should he be elected, he will be the right guy, at the right place to make Drupal learning a better experience for the large and ever-growing Drupal community.

You can vote @ https://assoc.drupal.org/…/2017-directo…/post/director-large by moving Prasad's pic to the top above the orange line!


Hook 42: Stanford Drupal Camp - What a Difference a Year Makes

Planet Drupal - Thu, 2017/03/16 - 12:48am

Stanford Drupal Camp is a great camp for people new to Drupal; it offers an intimacy that larger camps and cons can’t achieve. Last year's camp was my first Drupal event and this year's second time around offered me a pleasant retrospective.