Drupal's Webform module is great. It allows users to create forms with all sorts of field types through a UI that's easy to use. It's a great friend to marketers. We use it to power our contact form, collect webinar registrations, and as a lead capture for ebooks.

But data trapped in Drupal doesn't do much good. Data needs to move and flow. It needs to be exported and imported and analyzed and followed up with. It needs to be used.

This is going to be the first of what I hope many more updates regarding the Pitchburgh initiative and the projects involved. Some months, and depending on interest, I’ll be talking about innovation in Drupal as well, and I’d love to see this as a space for dialog and discussion. If this feels like something you are interested in, keep reading and watch this space.

Just as a recap, the innovation initiative, Pitch-burgh was held last month in DrupalCon Pittsburgh, and we can confirm it was a success. We received 35 submissions, which ideas and videos the judges reviewed and voted on. This resulted in 7 finalists.

We even got last-minute funding during the Driesnote itself, Lee Walker at Code Journeymen, and Jonathan at Daggerhart Lab, who offered to fund AmyJune Hineline‘s project, 'Contributing and Mentoring the Mentor'.

But the biggest surprise to me was still to come after DrupalCon dust settled. Matt Mullenweg, (Co-Founder of WordPress) contacted Dries, excited about the initiative and about the fact that we are funding Gutenberg, a project born and linked to the WordPress community. In response, Matt committed to funding the full 20,000 dollars requested by the initiative. I can’t imagine a better example of the spirit of Open Source. What in the paper are competing projects, Drupal and WordPress, in practice open source has made them partners, sharing resources towards a common better goal. And the one who benefits more here is, guess who? The final user. Thanks, Matt! This is a great example of what open source needs to be.

Coming back to the goal of this post, providing Pitch-burgh updates, it was noted by the judges and the Drupal Association leadership (as well as the conversations I could hear in Pittsburgh), that two of the projects are following the same goal, modernizing and improving Drupal’s editorial experience. However, they do it in different ways, be it architecture, data model, user experience, etc. I am talking about the 'Gutenberg in Drupal', and the 'Decoupled Layout Builder initiatives'. There is hence an interest, from the stakeholders in this initiative, but from the community as well, for both projects to align.

This has been received pretty well and agreed upon the project leads, and we just started holding regular meetings between both projects, with the idea to share updates, align goals and look for synergies. I hope to provide more updates on this in my next pitch-burgh update.

In the meantime, you can vote or send me your thoughts on this topic.

Talking about Mentor the Mentor, AmyJune is starting a new role, for which we are excited and we wish her much success. Unfortunately, that means as well that she will be potentially stepping back from her countless contributions to the Drupal community. Said that, this is actually good timing, because her work on this project (Mentor the Mentor) is geared towards giving other mentors the tools to continue her work. I have to say that from the DA we have been impressed with her dedication and commitment from the very beginning of the project and the quality of what she's doing.

As it’s as well the quality of what Brian Perry is doing, with incredibly detailed scope and deliverables on his project: 'Drupal API Client'.

The two last projects worth mentioning are 'JSON data and schemas', and 'Policy-based access in core'. Because both of them are requesting merge requests to happen in Drupal core in the scope of their Statements of Work, we are going to need to align with the core team, pretty much from the start. This could potentially prove a challenge, as some MR against core can sometimes take lots of conversations with months or even years involved, which could be completely misaligned with the project goals and timelines. For this, I am grateful to count on Lauri Eskola’s generosity in his new role as Core Product Manager. We are going to need a good flow of communication between the core team and those initiatives where a merge in core is needed, and Laurii is already providing so much value and help on this.

All in all, all projects are progressing well and as expected. To sum up, during the current phase all projects are aligning on goals, timelines, and deliverables with the Drupal Association. This will result in an agreement between both parties, the DA and the awardees, and it will be reflected in a contract between said parties. The final goal is to make sure the interests of the DA and those of the Drupal community are well represented. We would like to have this phase done and dusted, at some point between July and August (and having into consideration that we're entering the holiday season).

Good news as well! If you want to follow on a weekly or even daily basis what’s happening in Pitch-burgh, all the projects decided unanimously that all conversations and documentation should be happening or published in public slack channels and public Drupal.org issues. You are more than welcome to join and follow the conversations, or just wait for my next update where I’ll share all my highlights.

I don’t want to finish this week's updates without mentioning some great catch-ups and conversations that I’ve had with people like Anoop John and Javier Prada from the association “Drupalera” in Spanish. They are all aligned on teaching and or promoting Drupal. What makes me realize as well that those initiatives and the Promote Drupal one are incredibly aligned with AmyJune's Mentor the Mentor. It would be great to find potential synergies and collaboration opportunities. Projects grow old, and contributors get busy with other things, so sometimes it’s good to get help from new contributors with fresh new ideas, if anything at least to keep the original ideas up and running, and stronger than ever, but hopefully to bring as well new ones, and inject new enthusiasm and speed to the original projects and initiatives.

All in all, a very busy start to the Pitch-burgh initiative, everyone feels excited, very committed, and eager to start, and we can’t wait to see what they are all going to achieve for Drupal.

Date: 2023-July-11Description: 

Beginning today, Drupal core issues reported to the Security Team with risk levels that are "Not Critical", "Less Critical", or "Moderately Critical" may be treated as bugs in the public issue queue, not as private security issues requiring a security advisory and CVE.

Policy Change

The Security Team will use its discretion to handle some issues in public depending on the risk score, the severity of the impact, the difficulty to exploit, and any other mitigating factors.

We still encourage all security researchers to start by filing a private issue that can then be moved public later. Members of the Security Team also will sometimes unpublish a public issue and move it private as needed.

Drupal core issues with risk levels of "Critical" or "Highly Critical" will continue to be private security issues. Some issues with lower risk scores will also be handled privately at Security Team discretion, depending on their impact.

What are some examples?

Exactly which issues are moved into the public queue will be at the discretion of the Security Team members triaging the issue. Some examples of common categories follow.

Information disclosure

Information disclosure is when information that should be private can be seen outside of the intended private context.

A key difference between this and other kinds of security issues is that the circumstances in which it is a security risk often greatly reduce the risk of information being disclosed publicly.

Sometimes, the information being disclosed is already public on the internet without any explicit action from users. For example, if unpublished article teasers accidentally show in a listing accessible to anonymous users, these will be visible to anyone visiting the page including search engines and other crawlers. Keeping the information disclosure bug private does not keep the information itself private in these cases; it is already public.

Other times, metadata about an article like its title or URL is leaked only to users who already have content editing or similar permissions on a site, and via their normal workflows. The potential audience for the leaked information is very small, they may already be seeing it, the impact of learning that secret is likely low.

These issues often require significant active effort against an individual site to exploit. The amount of effort and individual-site nature make them less likely to be exploited.

Scenarios that would make the issue a security vulnerability are extremely uncommon. For example, a vulnerability might expose the content of a field under very specific circumstances. The contents of that field might only be considered important in rare circumstances. In those situations we would tend toward fixing the bug in public.

In scenarios when the information disclosure would represent a great risk to many sites we will not disclose publicly. For example, if you could get access to the passwords of users, or secret keys as an anonymous user, those issues would be handled privately with a security advisory.

Content injection

Content injection vulnerabilities exist when information from a URL ends up reflected in the HTML page, which can result in unwanted content being accessible from a domain. While these bugs are embarrassing, they do not allow other kinds of access unless paired with a cross-site scripting (XSS) or similar vulnerability.

Denial of service

Denial of service is an attack intended to render a site unusable, usually by saturating it with traffic. Certain categories of bugs sometimes make these attacks easier (for example, triggering code that takes a long time to run). However, they are often symptoms of scalability issues or type checking errors, which are routinely fixed in public.

What if sites I manage are concerned about these kinds of issues?

You should monitor the Drupal core issue queue for the 'Security' and 'Security improvements' tags and dedicate resources to helping fix those issues.

What should I do if I find a security issue that might fall under the above?

You should still report the issue privately to the Security Team so that they can verify it is not a symptom of a different security issue (such as access bypass or privilege escalation) and that it meets the guidelines above that allow it to be handled in public. The Security Team may then have you open a public issue and close the private report.

What will happen to issues meeting these criteria that are already open in the private issue tracker?

These will be transferred to the public issue queues for their respective projects over time.

Coordinated By: 

The following people contributed to this public service announcement.

• xjm of the Drupal Security Team
• Michael Hess of the Drupal Security Team
• Nathaniel Catchpole of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team
• Lee Rowlands of the Drupal Security Team
• cilefen of the Drupal Security Team
• Cathy Theys of the Drupal Security Team

In this interview with The Drop Times, Sibu Stephen delves into his connection with Drupal, career and various other aspects.

Automation has simplified almost everything today and Drupal development is no exception. Drupal developers can now leverage the power of automation to create websites effortlessly and take Drupal development services to a whole new sphere. With automation, it is possible to perform a majority of operations such as managing modules, users, and generating code with a single command. Imagine the extent of productivity boost you’ll accomplish as a Drupal developer if you automate some processes. Besides, companies now prefer to hire Drupal developers with the power of automation in their arsenal.

Given that, if you aspire to get hired by a top-notch Drupal development company, you should begin experimenting with the following tools.

It’s been over a year since we joined 1% for the Planet, becoming part of a global network of businesses committed to putting the planet and people over profit. Joining the community was a longtime dream for Oomph, and it’s honestly been a blast so far. We spent Year 1 building bridges, flexing our strategy skills, and investing in sustainable businesses to meet our commitment as a whole company — donating 1% of our gross annual sales to environmental causes. We learned a ton, and we pinpointed a few things we could do better. Now that Year 2 is in full swing, here’s how we’re making our…

Today, Drupal follows a rapid upgrade process. There was just a two and a half years gap between the release of Drupal 10 in December 2022 and Drupal 9 in June 2020. Whereas, past Drupal versions were released with a gap of around four to five years between them. The need for frequent Drupal migration has left a majority of users grumbling and asking why the CMS releases new versions so rapidly. After all, the migration process is usually complicated, and availing of Drupal migration services involves the expenditure of money and time. 

If you are also tormented by the same question, this blog will act as a beacon and help you get acquainted with the answer. 

Why You Should Consider Migrating from Drupal 7 to Backdrop CMS kanapatrick Tue, 07/11/2023 - 10:29

In the world of content management systems (CMS), Drupal has long been recognized as a powerful and flexible platform for building websites. Drupal 7, released in 2011, has been a popular choice for many businesses due to its robust features and extensive community support.

There is never a dull moment in the life of a marketer. From crafting compelling campaigns to staying on top of the latest trends, we thrive on the constant buzz of innovation and creativity. While marketing strategies are always evolving, one thing remains constant: the necessity of a website. It's the hub where our storytelling comes to life, where we showcase our services, and establish meaningful connections with our customers. We’ve revealed it already but if you’re new to our blogs, website, or social media presence, we have revamped our Drupal website! Beyond a mere design overhaul, we have taken our website transformation a step further by amping up our content presentation, giving more power to the marketing team. If you find yourself in the same boat as we once were, desiring a website revamp but hesitant about adopting change, don’t let that fear of change hold you back. Embracing this transformation can be a pivotal moment for your online presence. Especially with a powerful CMS like Drupal, where the possibilities for innovation are truly endless. Read on to learn why we wanted a website overhaul and why our customers often request one. We'll give you the inside scoop on some cool features we've implemented that we totally love. So, grab a seat and get ready for some web transformation talk! Why we wanted it In today's short-attention-span world, staying competitive means captivating our audience with a visually appealing and high-performing website. Although our previous website served us well, it was getting old and gritty. Here’s why we decided it was time for a refreshed website: As marketers, the older site limited our ability to implement some of our dynamic strategies and launch new campaigns easily while maintaining brand consistency.  The whispers of outdated design and lackluster user experience were becoming impossible to ignore. Our messaging and prioritization changed over time but that did not reflect on our website. Needed an improved performance, which was reflected in our analytics reports. Gradually increasing bounce rates. That’s when we decided we needed a complete website overhaul. Change can be hard, but we're so glad we took the plunge! For the marketing team including content editors, SEO specialists and designers, life is much easier now. Top 5 reasons why customers ask for a website overhaul As part of our marketing and sales process, we research our customer's pain points to determine the specific triggers that prompt them to seek a website redesign. And here’s the top 5 pain points commonly experiences by our customers: Current UX stinks. Unable to edit and publish content easily because of an ineffective editorial system. Cannot launch new marketing campaigns while ensuring brand compliance. The need to depend on the IT person every time you want to make minor site edits. Unable to add new features or integrate with existing third-party tools. Unboxing the features 1. A Better Design In retrospect, I think we played it safe with our old site. Safe colors, safe style, safe fonts, basically a safe design. It was time for a change; this time, we wanted to go bold! We dared to experiment with vibrant colors that caught the eye and big bold fonts that made a statement. Component-based development has enabled us to give our site a consistent look and feel. Before After 2. Accelerated Performance We harnessed Drupal’s features to the fullest to improve our website’s performance. We have almost halved our page load time after launching the new site. Features like the Native Lazy-Loading of images helped us speed up the page loading time. With Drupal’s core support for WebP, all our images are rendered lighter than they actually are. Our component-based approach has helped us reduce a ton of styles, thanks to its reusable nature. We have removed the usage of jQuery so we don’t have to sacrifice our performance. Quicklinks module helped in improving page load speed by prerendering in-viewport links. Lazy Loading Custom Components 3. Search and Filtering With a constantly growing repository of blog posts, we needed to implement an effective search and filtering system to efficiently navigate through our extensive collection of content released over the years. We leveraged Drupal’s Views Filter and Database Search to develop a robust solution for seamless content exploration and granular filtering. 4. Improved Page Building For marketers, creating and modifying pages swiftly, without relying on developers, is a true boon! With Layout Builder and some custom-built functionality, life is much easier for us now. Storm, a Drupal installation developed and maintained by Specbee, is also being used to enhance Layout Builder’s experience. Now, I am in complete control of my pages, including their granular details. Right from selecting the width of my layout to dragging and moving around my blocks from one region to another to changing the color of my CTA box, it just takes me a click! Controlling the Layout Width, Color, and Alignment 5. Improved Authoring Experience with CKEditor 5 and Embedding Media I've been waiting to get my hands on CKEditor 5 since I heard about it early this year. The rich text editor offers easy and clean ways to autoformat text, add or remove links, drag and drop content within the editor, add inline code, and so much more. Of course, the premium features like Collaborative working, tracking, commenting, uploading a Word document content - all of this is as easy as enabling the plugins once registered. Adding new media and selecting existing media to enhance the effectiveness of our content is simple and intuitive. CKEditor 5 Selecting from a Media Library Embedding Media Final Thoughts The list of things-I-love-about-my-new-website goes on, but I'll explore some of those features in detail in my future posts. The new website has given us so much more control over our content and the way we want to showcase it. Too early to talk about results but so far, they’re already looking good. We’re seeing a good 30% decrease in bounce rate and a more than 100% increase in incoming traffic! If you’ve been contemplating a website change or restructure, I want to assure you that there’s no need to worry. Trust the process and find a reputable Drupal development company to help facilitate a smooth and empowering transition for your website. I would like to extend a heartfelt appreciation to our exceptional development team, led by our Drupal practice head, Malabya, for making our website dreams come true and exceeding our expectations!

The Drupal Association is pleased to announce that Julia Kranzthor (she/her) has joined the team as our new Director of Philanthropy as of July 2023! We are thrilled to bring Julia’s talent and experience in the Drupal Community to the team. 

Julia enjoys connecting changemakers with resources to achieve community-centric philanthropy. With eight years of experience in the nonprofit sector, Julia seeks to undo the damage done by systemic inequity. Her most recent roles as Sr. Development Director at Healthy Futures of Texas and the Texas Campaign to Prevent Teen Pregnancy, focused on improving adolescent health and using storytelling to accurately portray challenges from the perspective of lived experience. Previously, she worked at the Workers Defense Project, building power for working families.

Prioritizing technology infrastructure to do her job, Julia is a self proclaimed nerd. She has built multiple open source CRMs and loves collecting, analyzing, and tracking data. After graduating from San Diego State University, she received an MBA from St. Edward’s University in Austin, Texas. Julia still lives in Austin with her Great Dane Rex and housecat/demon Mildred Louise. Originally from the Bay Area in California, Julia can be found watching the Sharks during the hockey season!

I am thrilled to be part of the Drupal Association. As a long time open source supporter it means so much to me to join the community at Drupal and work to advance the values and goals that make it so special.

Welcome to the Drupal Association team, Julia!