Drupal.org blog: What’s new on Drupal.org - Q2 to Q4 2023

Read our roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community. You can also review the Drupal project roadmap.

DrupalCon Lille 2023

Did you miss DrupalCon Europe in Lille in October? It was a great event, with close to 1300 attendees.

Check out our general event recap for more details: DrupalCon Lille 2023 Recap – Getting Together With the Drupal Community 

Driesnote Lille 2023

The #Driesnote provided a great summary of progress on Drupal's strategic initiatives since DrupalCon Pittsburgh in May.

On top of that, this keynote hides a surprise in its format: Dries the storyteller. If you haven't watched it yet, go ahead and do so before you continue reading.


MVP organisation of the month

As we are heading towards the end of most or all of the projects, and some of them are starting to hand over their final deliveries, I would like to highlight the huge and meaningful contribution that the PitchBurgh donors make to innovation in Drupal. Let me highlight those organisations that contributed to the project of this, in particular:

MVP individual of the month

This month my MVP of the month is AmyJune. Everyone at PitchBurgh has been fantastic, but in particular AmyJune has been a joy to work with. She is extremely committed and passionate about what she does, very easy to work with and always ahead of what was needed. Even when she was busy with other issues, she would find the time to come back to you and give you a hand with whatever was needed. Thanks AmyJune, you are a star and a great person.

Would you like to nominate a fantastic individual or organisation for our next update? Email me with your candidates: alex.moreno@association.drupal.org

Project Browser

Project browser refers to all infrastructure work related to supporting the Project Browser Initiative.

When the Project Browser is available in production, it can be included in the next Drupal 10 release, and Drupal end users will then be able to browse and install Drupal extensions directly from the admin UI, with all the Composer steps done for them in the background.

The current path to production is:

  • Finish Secure Signing infrastructure
  • Migrate/update Drupal.org database
  • Configure CDN to allow routing of D7 vs D10 paths
  • Configure data sync from D7->D10 endpoints
  • Deploy Package Endpoints to production

Automatic Updates

Automatic updates is a strategic initiative. Once completed it should make Drupal maintenance easier for many small and medium sites.

Both automatic updates & project browser will be making it easier to change the code of your Drupal site. This makes it even more important to trust the supply chain providing that code. 

In order to make Drupal's automatic updates secure, we are implementing the TUF standard for package signing.

We are increasing supply-chain security with The Update Framework - TUF. We were not able to find an implementation of the TUF standard which supported automated signing. We solved it using Rugged, a Python project built by Consensus Enterprises which uses the TUF reference implementation and takes care of that automation.

We are integrating signing metadata from packages.drupal.org, packagist.org for Drupal core, and the packaged zip files Composer installs.

Currently we have a proof of concept deployed in a staging environment.

What is done or mostly done:

  • Contrib signing
  • Core signing
  • Server side security review
  • Drupal side security review

Next steps:

  • Server side signing system being readied for production. 
  • Framework manager review
  • Release manager review

Supply chain security 

Goal: The Update Framework, TUF, is a standard for signing metadata that provides defence against a number of attacks against software update systems.


  • Using TUF (The Update Framework)
  • We are integrating signing metadata from packages.drupal.org, packagist.org for Drupal core, and the packaged zip files Composer installs

That is only a standard; we needed an implementation. That was done under a contract with Consensus Enterprises, who built Rugged.

The remaining piece is telling Rugged what to sign. In TUF, something that’s signed is a target. Everything in the software update process should be signed. Both automatic updates and project browser are using Composer, so we are integrating signing of packages.drupal.org metadata, Drupal core metadata on Packagist.org, and the packaged zip files that Composer installs. 

As of Q3 2023 we have a proof of concept of the stack deployed, successfully signing what we have. We’re filling the last gaps, including signing metadata about security releases. And we’re working to make it production-ready, including getting a security audit by a third party.

Security Audit

We have partnered with the Open Source Technology Improvement Fund and been connected to a security auditing firm: Include Security.

They have previously worked on auditing other TUF implementations.

The audit process has kicked off. Scope:

  • php-tuf
  • Rugged
  • Prod deployment best practices

GitLab Acceleration initiative

GitLab Acceleration pursues multiple goals:

  • Make code contribution to the Drupal project easier.
  • Adopt standard tools and adapt them for the Drupal ecosystem.
  • Preserve the collaborative nature of Drupal.
  • Help Drupal.org update past Drupal 7.


We are now feature complete with DrupalCI and we are turning off some DrupalCI features in favour of GitLab CI. It must work with core & contrib, for both Current Drupal & Legacy D7. Contrib testing for modern Drupal versions is available today.

In progress: 

  • single sign on,
  • simplifying drupal.org (commit pages, profiles, credit system),
  • issue collaboration,
  • issue credit.

GitLab CI

If you are a project maintainer, GitLab CI is a tool you can enable to run automated tests whenever you make changes to your code, or whenever a contributor submits a merge request.

Core testing is now 5 times faster. What used to take 50 minutes now takes less than 10 minutes.

Improved speed and performance translate directly into improved productivity.


Remaining tasks:

  • Finalise the last testing combinations
  • Ensure private security testing process works in GitLab CI
  • Deprecate DrupalCI

What is left to have all sites in Drupal 10

Goal: Harmonising the whole portfolio of Drupal Association sites on the same Drupal version will help us spend resources better.


  • Drupal 7 EOL is finally arriving in January 2024.
  • auth/SSO. Migration code is ready for review
  • Bluecheese theme. Port mostly complete
  • Production infrastructure. Major DB migrations for drupal.org

Next sites to move to Drupal 10:


Social events listing feature being developed by our intern Haroms Terfasa 

The site has been upgraded from D9 to D10, which means that it now has sites hosted ranging from D6😱 to D10.

Drupal.org Update to Drupal 10

  • SSO (D7/D10) - Q4’24
  • CDN Config for partial migration - Q4’24
  • Homepage and key marketing pages - Q4’24
  • Drupal Association section/site - Q4’24


  • https://events.drupal.org/ DONE
  • Api.Drupal.org (Migration written, awaiting deployment) - Q4’24
  • Localize.drupal.org (Migration written, awaiting SSO & deployment) - Q1 '24
  • jobs.drupal.org (needs strategic decision) - Q3 '24
  • security.drupal.org (being replaced by private GitLab) - Q3 '24
  • groups.drupal.org (largely replaced by /community/events) Still needs multilingual and interest groups - Q2 '24

Next milestones

  • First D10 Marketing Pages
  • Project Browser Endpoints
  • Telemetry Initiative? (Pending core alignment)
  • Deprecate DrupalCI - Summer '24
  • Deprecate Drupal.org issues (bulk migrate remaining) - Fall '24

Drupal 7 End of Life

As we all (should?) know, Drupal 7 support is coming to an end. A new landing page is finished and published: https://www.drupal.org/about/drupal-7/d7eol/partners

The purpose of this landing page is to provide all the information about the EOL: what it means, the timelines and, more importantly, your options as a site owner.

The landing page also gives guidance on partners that can help with migrating to the latest version of Drupal, see https://www.drupal.org/about/drupal-7/d7eol/partners#mid-scale-migration-partners

You can also become a Certified Migration Partner; visit this link if you are interested: https://www.drupal.org/about/drupal-7/d7eol/partner-program

If you are not sure what resources you may need, or even whether you need a partner, the D7EOL landing page offers guidance as well. Just go to the “Understanding your options as a Drupal 7 site owner” form.

Contribution Health Dashboards

The Contribution Health Dashboards is an initiative we took on in the last quarter of 2023, and we published our findings and statistics here. Read the blog post with all the information explained here.

Thanks to the Contribution Health Dashboards we can track what is happening in our community in terms of contribution, and take actions towards improving, amongst other things, how innovation happens in Drupal.