If this tutorial is not what you were looking for, you still have any questions, suggestions or concerns - feel free to let us know. Please help us to serve you better!

Your Name

Your Email

Your Message (required)

captcha

Drupal News and Updates

This page will show you the most recent Drupal templates updates and Drupal Community news.

Drupal Templates News and Updates

December 3, 2012. The New Word In Creating Drupal Stores

December 03 2012 | Category: Drupal Updates

The creators of Drupal Commerce decided to bring their favorite CMS to masses. When speaking with one of TemplateHelp’s Drupal developers, he said: “I can’t understand, why users don’t use Drupal, it’s so simple…” Commerce Guys, those who created Drupal Commerce stores, got to be thinking that way.

Read More

May 03, 2012 – Drupal 7.14 released

May 09 2012 | Category: Drupal Updates

(Russian) В этой заметке вы узнаете о проблемах сопутствующих обновлению ядра Drupal 7.14.

Read More

Responsive Drupal templates

April 09 2012 | Category: Drupal Updates

Responsive Drupal templates include several layout options – each is optimized for proper screen resolution.

Read More

Drupal 6.19 templates

April 26 2011 | Category: Drupal Updates

Drupal templates starting from #30278 are compatible Drupal 6.19

Drupal 6.19 release anouncement is available here. You can also check the release notes to see the updates

Drupal templates starting from #30278 are compatible Drupal 6.19

Drupal 6.19 извещение о релизе доступно здесь. Вы также можете ознакомиться с с релиз нотами чтобы увидеть обновления.…

Read More

Drupal 7 templates are available

April 26 2011 | Category: Drupal Updates

Drupal templates starting from #32668 are compatible with Drupal 7

Drupal 7 features:

  • Vastly improved administrative user interface thanks to the D7UX movement
  • Flexible content and custom fields
  • Better visual presentation and theming with Render API
  • Accessibility is greatly improved
  • Image support is now included
  • Automated code testing
  • Improved database support
  • Better distribution support
  • Support for the Semantic Web through
Read More

Drupal 6.17 compatible templates

June 22 2010 | Category: Drupal Updates

Drupal templates starting from #29476 are compatible with Drupal 6.17

Drupal 6.17, a maintenance release fixing issues reported through the bug tracking system, is now available for download. There are no security fixes in this release. Upgrading your existing Drupal 6 sites is recommended. For more information about the Drupal 6.x release series, consult the Drupal 6.0 release announcement.

Highlights …

Read More

Drupal Themes are Now Available!

April 04 2008 | Category: Drupal Updates

After having launched Joomla and Mambo CMS templates last fall we have noticed that even though these two product types are strikingly popular the audience still wants more. Therefore in response to this growing demand for various CMS products we have decided to be so kind and to launch a new CMS designs range which we have chosen to be …

Read More

Drupal News and Updates

Back in December, as part of our ongoing efforts to improve Drupal.org, we kicked off a content strategy project with Forum One. Drupal Association engineering and marketing/communication staff partnered with the Drupal.org Content Working Group and met for a two-day workshop to help get the project team from Forum One (content strategists and user experience designers) up to speed on Drupal.org and the ecosystem of sites and services that our community uses to build and use Drupal.

Over the past month, we have pulled together many detailed documents to help guide our work. While we are only about halfway through this project, we wanted to share a bit of the work-in-progress that will influence Drupal.org’s content strategy in the coming months.

What is Content Strategy

Content strategy is the practice and process of planning content creation, delivery, and governance. Its purpose is to create a repeatable system that defines the entire editorial content development process for a website.

Drupal.org is a very unique website. It serves many purposes:

  • Drupal.org is the home of our community. That makes different things to different people, but at its heart, Drupal.org is about the collaboration that allows us to build Drupal the software.
  • Drupal.org is the canonical source for Drupal the software. Drupal.org binds together the respositories for Drupal core and contributed projects, issue queues for requesting features and reporting bugs, and packaging for automated building of releases that are tied to an integrated update process.
  • Drupal.org is the hub of our commercial ecosystem. Companies that sell Drupal services and/or Drupal hosting are brought together with customers of Drupal the software—organizations using Drupal to power their websites.
  • Drupal.org is a communication channel and it feeds other communication channels. We link to a lot of content on Drupal.org and the homepage gets lots of unique traffic.
  • Drupal.org is a source of information. The site provides information about Drupal the software, Drupal.org the site, and the Drupal Association.
  • Drupal.org is a place where people go to evaluate Drupal. Developers, Designers, CTOs, CIOs, and more go to Drupal.org to read about features and success stories to make a decision to use the Drupal the platform to build their content management solutions.
  • Drupal.org is a starting point for support. Many users ask their first questions to the community using the Drupal forums or issue queues. The find answers by searching the Internet and being pointed back to the answer on Drupal.org.
  • Drupal.org is a collection of documentation. Our canonical API documentation is generated from the repositories associated with Drupal.org. Our community has built pages upon page of documentation to help users understand how to build with Drupal and how to contribute to building Drupal.

With so many purposes and competing objectives, a cohesive content strategy that takes in input from many contributors and users of Drupal.org is critcal.

Setting a Content Strategy Vision

To keep us aligned, we outlined three major areas to keep measuring our work against: the big ideas, key messages, and our objectives for content on the site.

Key Messages

  • Drupal.org is the home of Drupal and the Drupal community. It is the source of code, information and collaboration, which enables people all over the world to build flexible and scalable technology solutions together.
  • We are a global community of web practitioners—from project managers and writers, to designers and developers—contributing our unique skillsets to building and growing the adoption of the free and open source software that is Drupal.
  • Drupal is used by nonprofits, government, and Fortune 500 companies to architect customized, appropriate solutions for a wide array of organizational needs.

Content Strategy Objectives

  • Improve quality and findability of relevant content so that users can efficiently move through proficiency levels.
  • Reframe Drupal.org around all user roles and proficiencies so that all audiences are addressed.
  • Develop content governance for Drupal.org to improve the overall quality of content.
  • Improve user engagement within the Drupal.org community so that members form deeper relationships and become Drupal promoters and contributors.

Identifying Content Types and Gaps in our Content

1.2 million nodes, 2.4 million commentsWe have 17 active content types and over 1.2 million pieces of content on Drupal.org. (Really, this is just nodes, we have even more taxonomy terms and views that also represent displays of data.) That’s a lot of content. It’s more than 29,000 projects (modules, themes, distributions, etc.) and over 789,000 issues posted to those projects. We also have over 330,000 forum topics being discussed.

The Curious Case of the Book

With all of that content, 17 types does not quite give us the flexibility or degree of classification that we need to provide truly structured content. We have some content types that are used for so many different kinds of content that they're virtually meaningless. We have over 12,000 nodes in our “book page" content type. Our book pages can be anything from documentation to landing pages to resource guides to topical pages to module comparisons… really we use them for just about everything.

During the content strategy project, we will explore ways to break our book pages into more meaningful content types that help new users find what they need.

What’s in a Forum

92,029 users have created a forum postAnother content type that gets used for more than it should is the forum topic. We use forums to post news, security announcements, discussions and even support requests. Yet at the same time, it is clear that forums are used far less now than several years ago. We had over 50,000 forum posts in 2008. We had only 11,000 in 2014.

For support and questions, our forums do not have comparable functionality to systems like Drupal Answers—powered by Stack Exchange. Many community members that provide support have already moved to that site to answer questions. Drupal.org is still a starting point for many newcomers to Drupal. One goal of the content strategy project is to make some decisions about where we can best direct newcomers for support.

Where are the Marketing Materials to Help People Choose Drupal?

A key classification of content that we are missing in our information architecture on Drupal.org is marketing materials. We create tons of documentation and handbooks, but we do not have a ton of great materials that tell business evaluators (CIOs, CTOs, managers, and decision makers) why they should choose Drupal. We have a good start with content created to promote Drupal 8, but there is a lot more we can do to help sell the qualities of Drupal.

These are just a couple of the gaps that we have found and are working with the Drupal.org Content Working Group and the Documentation Working Group to address.

Auditing What We Have and Mapping What We Want

We took the time to map our community’s content production over time and the totals were amazing.

The height of our community’s content creation was in 2012, when we created more than 195,000 nodes on Drupal.org and Drupal Groups. As Drupal 7 has matured, we have slowed down a bit. In 2014, we created 116,514 nodes on those two sites. That is still a huge amount of content.

55% of Drupal.org book pages were created before Drupal 7. 32% have been updated since its launch in 2011.Nearly 39% of all of the content on Drupal.org and Drupal Groups was created before 2010. More specifically, 55% of all book pages were created prior to the launch of Drupal 7 in 2011—that’s 5,665 book pages. Only 32% of those book pages have been updated since. That gap of 23% of all book content is a good place to begin an audit.

We are working now to finalize a process for identifying what content could be archived or removed and what content needs to be updated. The community has done admirable job of classifying our documentation by page status, but there is more work to be done. We need an automated process for regularly auditing our content.

We need a better map of related content—content we have and content we need—that can be used to build a better information architecture for new users.

One of the key deliverables for our content strategy project is a site map of what we want the site to look like in 3 months, 6 months and 1 year.

Creating a Governance Plan to Better Support our Community of Creators

We are hard at work reviewing and documenting community processes for maintaining content on Drupal.org. If users have been around for a while, they might have found their way into the content issue queue and wondered at the process and how to start helping. 6,452 users have edited 12,326 book pages over 92,000 times.They may also have jumped in and helped edit a documentation page in one of our numerous books. (6,452 of community members have edited 12,326 book pages over 92,000 times.)

The problem is that these processes are not well known and not built into our tools at a level that helps users know what they should and should not do in the system. Learning the “right way" to contribute requires finding policy documentation that is often difficult to get to, and sometimes out of date. Therefore, along with our new content types, we are assessing and testing the user experience for creating, curating and maintaining all of the content on Drupal.org.

As we document the existing rules that govern how contributions are made, it’s become clear that one of the greatest barriers to contribution, especially for new users, is the sheer difficulty of learning the “right way" to make a contribution. We want to change the way these users interact with the site, so that the correct process and procedure for each type of contribution is baked right into the workflow.

Making our Communications Count

blogs, @drupal, Drupal.org, webcasts, Planet, Groups, newsletters, issuesThe last key deliverable that is being finalized as part of our content strategy is our communications plan. We have 50+ channels that are used by Drupal Association, working groups, social media volunteers, and maintainers to communicate with the community—everything from Twitter to newsletters to the Drupal.org homepage. We do not want to flood you with too much information, but we would like to be able to give you the information you want to see when you want to see it.

Right now, Drupal Association staff and the Drupal.org Content Working Group are mapping our messages to our audiences, our message to our channels and our channels to our audiences. It will be easier than ever to subscribe to the information you want—both email and on the site itself—in the coming year.

Next Steps

We will be wrapping up our content strategy work as March comes to a close.

We will publish more findings along the way. Stay tuned for new content types on Drupal.org—including news, posts, topic-based taxonomy term pages, and better ways to access and help write documentation.

It’s time for another community spotlight, and this month, we’re highlighting a community member who has made huge contributions to the success of the Drupal project and of DrupalCon — and not only through code.

Paul Johnson at DrupalCon AmsterdamPaul Johnson (pdjohnson) of Manchester is currently the Drupal Director of CTI Digital, and is the social media lead for most DrupalCons. He also maintains the @Drupal Twitter account. Paul has grown the DrupalCon social media program from a small following on twitter to a set of huge, engaged channels. (Image credit to Frank Crijns on Flickr. Thanks, Frank!)

The Drupal Association sat down with Paul in late January to talk about some of his accomplishments and passions.

DA: How did you get involved with Drupal and volunteering with DrupalCon?

Paul: I got involved in 2005 or 2006 by accident when I found it on Google, though I don’t really remember the exact moment. The company I worked for at the time wanted to move from their own homegrown CMS to something else, so I was looking for other solutions. While doing research I came across Drupal, and before I knew it I’d gone to DrupalCon Barcelona [in 2007].

Not long after that, I got really in to twitter. I was going to DrupalCon London in 2011 and I was fiercely excited about going, and I was expressing it on Twitter. Out of the blue, Isabel Schulz -- a nice woman who worked for the Drupal Association at the time -- reached out to me. She said, “it sounds like you want to get more involved.” It was like lighting a touch paper. Before I knew it they’d given me the username and password to the DrupalCon account and said “right, get on with it."

DA: That’s a big responsibility!

Paul: At that time social media wasn’t so prevalent, and I don’t think anyone in the Drupal community realised how it could make a big contribution to the success of the conference— how it could reach a wider audience and get help in executing the conference.

I had no rules, and I made mistakes… I was really quite daunted by the prospect. Looking back, I might have destroyed my reputation with Drupal but thankfully I didn’t! I grew and learned, and then in Portland the social media aspect started to grow more quickly. I began writing formal processes to help myself, but it became apparent that as DrupalCon was growing, the success of the social media was perhaps leading towards other people getting involved.

I suppose I’m an unusual person — I find it difficult to find my place in the Drupal community. There are a lot of people out there who are better developers than I am, and I have this thing in my head that held me back from getting involved. I suppose it was quite a long time before I realised I had something valuable to contribute to the community. There has been this idea that contributing modules or contributing to core is cool, but there are lots of us who fall outside that immediate group of people, and who have-- until recently-- felt orphaned from contribution.

I’ve always thought about when the Association reached out to me. It was a small bit of recognition, but it felt very empowering. It had a big influence on me, and because of it, I’ve always tried to shout for these people who have enthusiasm, and try to ignite it.

DA: Do you have any good examples of that?

Paul: Sure. DrupalCon Portland took place at the same time as that awful Oklahoma tornado. Before it happened, I had always wanted to use social media to watch out for these kinds of things, because… with a very large audience, we can do things and help people very quickly by using the broadcast mechanism.

When the tornado hit, I saw guys in our coder lounge hacking together a solution to help people on the ground, and I used social media to draw attention to it. It snowballed, and before we knew it, FEMA was involved, and that sends shivers down my spine. I love it when social media translates from something that’s just a conversation on the internet to something with a positive, real-world impact.

DA: Switching tracks a little bit, can you tell us about some of the challenges you’ve faced when working on the DrupalCon social media?

Paul: I’ve grown up with the Drupal Association and the project, but in many respects, the biggest attraction is also one of the biggest challenges. The diversity of the Drupal community is… well, in being responsible for representing the Drupal Association and the project and the community, you have to be quite careful. You’re an ambassador, and you have to have to have the highest level of conduct. You can’t always speak your mind.

Sometimes I’ve gotten upset. It’s a big part of my life, Drupal, and people will say things to the official accounts that are upsetting, and you have to rise above that. And sometimes, people will say things from within or without the community that can be quite cutting, and I suppose that’s one of the hardest things. But, ultimately you can draw many positives from that because it becomes a question of, how do you work towards enhancing the minds of people who think like that.

Another challenge was that, in the early days, nobody knew it was me behind the accounts. It does take a reasonable amount of my time — a half an hour or more a day every day, oftentimes more. I didn’t mind [not being known] necessarily, but it’s really nice to get recognition — and, if anyone writes anything valuable I try to give them credit on social media, to encourage and celebrate people who make the effort, and put them on a pedestal so that it spurs others to do the same.

Along those lines, I so often hear, “I don’t go to local meet-ups,” or "I’m not good enough," or "people will think I’m not clever enough or that my contribution isn’t sufficient.” I think it’s really important that people appreciate that, no matter where you are in your Drupal journey, you know more than the person who just started. You don’t have to be chx or morten or webchick-- they all started at nothing, too, but they started a long time ago.

DA: What’s your favorite thing about the Drupal community?

Paul: When our community gets behind an idea, stuff really happens, and it happens really fast. Whether that’s code, or whether it would be to crowd source some funding for a blind man who lives in Italy and wants to go to DrupalCon Portland, it is just magnificent how fast things can happen if the will of the community is drawn.

And, you know, the Drupal community gives me the opportunity to meet or converse with people I would never imagine having the chance to do so with otherwise. It makes my life so much richer. It’s not about the code, Drupal is providing me with the most unimaginable opportunities. It has allowed me -- in my career and my personal life — to take on challenges that would never have been available to me before.

Drupal has allowed me to be brave and to take a few risks, like interviewing Dries at the end of his keynote. I like to hide behind social media.. but then I’m projecting it onto a stage. And another thing about the community is, rarely do you meet someone who’s not nice.

DA: What’s your favorite thing about volunteering?

Paul: The thing that I enjoy the very most of volunteering is making a difference. There have been a few things where, I don’t know, I’ve seen a small smoldering fire and I’ve been able to ignite it into a bigger thing.

I was given the keys to DrupalCon, and then in the last few years I’ve taken ownership of the Drupal twitter account. Previously, it had become an abandoned channel, but under my stewardship it has gone from 30k followers to over 55k. And, you know, there are lots of people in media who are watching Drupal and who might be loosely interested. The Drupal twitter has so much opportunity to reach a wider audience with big achievements. So I love to use social media to show that Drupal is more than just America, more than just Europe — there’s a lot going on in India and in Africa and elsewhere.

I welcome anyone to approach me with news of things that they are doing in their local community that we can celebrate on official channels. I love to help grow something that’s a great idea into something that’s really big, because I think we’ve succeeded in growing the community in the USA and Australia and Europe. For me, the next big thing is to support the community in those regions that are about to flourish. How can we help them to make things happen more quickly?

DA: Who are you when you aren’t online?

Paul: I do seek solitude, and I really have a strong appreciation of wilderness. I’m a dad, and I love kids, and I suppose most of my time is spent cycling with my family. We go to The Lake District quite often in the UK, which is a beautiful and mountainous area.

I am passionately into road cycling on my bike, and mountaineering too. I like challenging myself — in everything I do, I always like to push myself. I’m always trying to climb higher or go faster. I’m no happier than when I’m in a mountaintop in the snow, even — especially — if it’s in a blizzard. I love being in a hostile environment where perhaps other people wouldn’t be able to cope. I love to explore places and trek the untrodden path. So even if I go back to the same place, I’ll take a different road.

DA: Do you have any final thoughts to share with us today?

Paul: With Drupal 8 on the way, I started a twitter account called @drupal8iscoming. It’s starting to grow and grow and grow now: it celebrates all things Drupal 8 on the internet — you know, articles, tutorials, events, and also how to help to get the word out to organisations about Drupal. Please check it out!

It’s a great time to be part of the Drupal Association. We’ve done some amazing work in the last few years, and we’re in a great position to work with the community to continue to improve and grow fully into our mission. As a Drupal Association At-Large Director, you’d be in the center of the action. The At-large Director position is specifically designed to ensure community representation on the Drupal Association board and we strongly encourage anyone with an interest to nominate themselves today.

Nominate Yourself Today

The Board of Directors of the Drupal Association are responsible for financial oversight and setting the strategic direction of the Drupal Association. New board members will contribute to the strategic direction of the Drupal Association. Board members are advised of, but not responsible for matters related to the day to day operations of the Drupal Association, including program execution, staffing, etc. You can learn more about what’s expected of a board member in this post and presentation.

Directors are expected to contribute around five hours per month and attend three in-person meetings per year (financial assistance is available if required). All board members agree to meet the minimum requirements documented in the board member agreement.

Today we are opening the self-nomination form that allows you to throw your hat in the ring. We're looking to elect one candidate this year to serve a two-year term.

Log in first and...

To nominate yourself, you should be prepared to answer a few questions:

  • About Me: Tell us about yourself! Your background, how you got into Drupal, etc.
  • Motivation: Why are you applying for a board position? What initiatives do you hope to help drive, or what perspectives are you going to try and represent?
  • Experience: What Drupal community contributions have you taken part in (code, camps, etc.)? Do you have experience in financial oversight, developing business strategies, or organization governance?
  • Availability: I am able to travel to three in-person board meetings per year (either self-funded, or with financial sponsorship)
  • IRC Handle
  • Twitter Handle

We will also need to know that you are available for the next step in the process, meet the candidate sessions. We are hosting 2 sessions: 

Session One

  • Tuesday, 24 February 2015 at:
  • 8 AM PST in the US and Canada
  • 11 AM EST in the US and Canada
  • 1 PM in Sao Paulo Brasil
  • 4 PM in London
  • 12 AM Wednesday, 25 February in Beijing
  • 3 AM Wednesday, 25 February Sydney Australia

Session Two

  • Wednesday 25 February 2015 at:
  • 4 PM PST in the US and Canada
  • 7 PM EST in the US and Canada
  • 9 PM in Sao Paulo Brasil
  • 1 AM Thursday, 26 February in London
  • 8 AM Thursday, 26 February in Beijing
  • 10 AM Thursday, 26 February in Sydney Australia

Session Three

  • Thursday 26 February 2015 at:
  • 12:30 PM PST in the US and Canada
  • 3:30 PM EST in the US and Canada
  • 5:30 PM in Sao Paulo Brasil
  • 8:30 AM Friday, 27 February in London
  • 4:30 AM Friday, 27 February in Beijing
  • 7:30 AM Friday, 27 February in Sydney Australia

The nomination form will be open February 1, 2015 through February 20, 2015 at midnight UTC. For a thorough review of the process, please see our announcement blog post.

If you have any questions, please contact Holly Ross, Drupal Association Executive Director.

Flickr photo: Kodak Views

Front page news: 

I was hired by the Drupal Association in October 2014 to develop a new revenue stream from advertising on Drupal.org. For some time we’ve been trying to diversify revenue streams away from DrupalCon, both to make the Association more sustainable and to ensure that DrupalCons can serve community needs, not just our funding needs. We’ve introduced the Drupal Jobs program already and now, after conversations with the community, we want to put more work into Drupal.org advertising initiatives.

This new revenue stream will help fund various Drupal.org initiatives and improvements including better account creation and login, organization and user profile improvements, a responsive redesign of Drupal.org, issue workflow and Git improvements, making Drupal.org search usable, improving tools to find and select projects, and the Groups migration to Drupal 7.

We spent time interviewing members of the Drupal Association board, representatives of the Drupal Community, Working Groups, Supporting Partners, and Drupal Businesses, both large and small to help develop our strategy and guidelines. Our biggest takeaways are:

  • Advertising should not only appeal to advertisers, but also be helpful to our users and/or our mission.
  • When possible, only monetize users who are logged out and not contributing to the Project. If you’re on Drupal.org to do work and contribute, we don’t want you to see ads.
  • Don’t clutter the site, interfere with navigation or disrupt visitors, especially contributors.
  • Do not put ads on pages where users are coming to work, like the issue queue.
  • Advertising products should be inclusive, with low cost options and tiered pricing. We want to make sure that small businesses without huge marketing budgets have the opportunity to get in front of the Drupal Community.
  • Create high impact opportunities for Partners that already support the Community.
  • Address the industry-wide shift to Programmatic Advertising, which is the automated buying and selling of digital advertising.

There are already advertising banners on Drupal.org, however we need to expand their reach to hit our goals. We’re trying to address challenges for our current advertisers, including a relatively low amount of views on pages with ads, which makes it difficult for them to reach their goals.

We’re also facing industry-wide challenges in Digital Advertising. Advertisers are looking for larger, more intrusive ads that get the users’ attention, or at the very least use standard Interactive Advertising Bureau (IAB) ad sizes, which are larger than the ads we offer on Drupal.org.

We came up with a new line of products that we feel will help us reach our goals, but not disrupt the Drupal.org experience, or the Drupal Association Engineering Team roadmap. We want our Engineering Team to fix search on Drupal.org, not spend time developing and supporting major advertising platforms.

2015 Advertising Initiatives:

  • The ongoing development of curated content with banner ads including resource guides, content by industry and in the future, blog posts.
  • Continued display of banner ads on high profile pages like the Homepage, Marketplace and Case Studies Section.
  • Sponsored listings from Supporting Technology Partners (similar to Hosting Listings).
  • Opt-in email subscriptions with special offers from our Supporters.
  • Audience Extension: a secure, anonymous, non-interruptive way to advertise to Drupal.org visitors. It allows advertisers to programmatically reach the Drupal.org audience while on other websites through Ad Networks and Exchanges.

I wanted to spend most of my time explaining Audience Extension, since its unlike anything we’ve done in the past, and it may prompt questions. This product makes sense because it addresses all of the challenges we’re facing:

  • It’s affordable for small businesses; they can spend as little as $200 on a campaign
  • We don’t need to flood the site with ads and disrupt the user experience.
  • It’s relatively easy to implement - we won’t interrupt the engineering team or their efforts to improve Drupal.org.
  • We will only target anonymous (logged out) users.
  • We will support “Do Not Track” browser requests.
  • This is an industry-wide standard that we’re adopting.
  • Anonymous users will have the option to opt-out.
  • This improves the ad experience on other sites with more relevant, useful ads that also support the community.

How does Audience Extension Work?

We’re partnering with Perfect Audience, a company that specializes in retargeting, and offers a unique audience extension solution called Partner Connect.  We add a Perfect Audience JavaScript tag to the Drupal.org source code. This tag will be loaded on the page to logged out users. The tag places a Perfect Audience cookie in the visitor's browser that indicates that they recently visited Drupal.org. Once that cookie is in place, an advertiser looking to reach out to the Drupal.org community can advertise to those visitors on Facebook, Google's ad network, and many other sites that participate in major online ad networks. Advertisers create and manage these campaigns through their Perfect Audience accounts. They pay for the ads through Perfect Audience and we split the revenue with Perfect Audience and the ad networks that serve the ads.

  • The program is anonymous. No personally identifiable information (such as email address, name or date of birth) is gathered or stored.
  • No data is sold or exchanged, this merely gives advertisers the opportunity to buy a banner ad impression within the Perfect Audience platform.
  • It's easy to opt-out. You can just click over to the Perfect Audience privacy page and click two buttons to opt out of the tracking. Here's the link.
  • Drupal.org will support “Do Not Track” browser requests and only users who have not logged in (anonymous) will be included in the program.
  • It does not conflict with EU privacy rulings. Advertiser campaigns for Partner Connect can only be geotargeted to the United States and Canada right now.
  • Only high quality, relevant advertisers who have been vetted by an actual human will be able to participate in this program. Some good examples of Perfect Audience advertisers would be companies like New Relic and Heroku.
  • Perfect Audience is actually run by a Drupaler! The first business started by founder Brad Flora back in 2008 was built on Drupal. He spent countless hours in the IRC channel talking Drupal and posting in the forums. He understands how important it is to keep sensitive pages on Drupal.org an ad-free experience and he’s very excited to be able to help make that happen.
  • This program has the potential to generate significant revenue for the Drupal Association and Project over time as more advertisers come on board.

It’s important that we fund Drupal.org improvements, and that we do so in a responsible way that respects the community. We anticipate rolling out these new products throughout the year, starting with Audience Extension on February 5th.  Thanks for taking the time to read about our initiatives, and please tell us your thoughts!

Predictions for 2015

18 January 2015, 9:33 pm

Now the new year has started, it's time for our community to think about the future. It has become a tradition for for years now to predict what the year ahead will bring for us -- so share your thoughts!

It's time to reflect on our previous predictions and start dreaming away for the year ahead. What will the year ahead bring for our community and our product, and how can we make this reality by working together? Share your thoughts and your predictions for 2015 as a comment, and let's look back in a year's time to see how we scored on making those dreams a reality.

Previous predictions: 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014.

Happy birthday to Drupal! On this day in 2001, Drupal 1.0 was released.

This milestone is the perfect time to talk about some of the findings of our recent community survey. The survey findings offer a window into what community members are thinking as the project matures and evolves. It also gives us at the Drupal Association a way to better understand what we're doing right and what we could be doing better. There aren't many surprises (and that's a good thing), but all of the findings are educational. Here are three results we thought were particularly interesting and insightful.

Drupal 8 Will Be Broadly Adopted

In the survey, about 80% of respondents said they either plan to start using Drupal 8 as soon as it is released, or plan to adopt it at some point after release. Another 8% said they did not have specific plans to adopt, but do plan to evaluate Drupal 8.

 


drupal8adoption

 

 

Drupal.org Remains an Important and Heavily-Used Tool

The overwhelming majority of respondents said they use Drupal.org more than once per week. Most also say they are satisfied or somewhat satisfied with the site. While that result is encouraging, it does not change the important mission to improve the experience of the site and make it a better tool for everyone from first time visitors to those who spend the majority of their working time on the site.

 

 


dosatisfaction

 

 

We Need to Create Broader Awareness of Drupal Association Programs

Community members who took the survey have great awareness of DrupalCons. Awareness of the work we are doing on Drupal.org seems to be steadily growing. But awareness is relatively low for Community Grants and our Supporter Programs that provide a way for organizations to give back to the Project. That awareness is clearly something we need to improve to promote transparency.

 

 


awareness

 

 

If you would like to read the full results, you can access them here (2.8M PDF). Thanks for reading, and thanks for being a part of this amazing community.

 

On October 29, the Drupal Security Team issued a Public Service Announcement (PSA) as a follow-up to Security Advisory SA-CORE-2014-005, which disclosed a serious SQL Injection vulnerability in Drupal 7. Our goals with the PSA were to:

  1. Provide an update on the time window between disclosure and first-known exploits
  2. Provide guidance for users who patched or upgraded outside that window
  3. Reiterate the severity of the vulnerability and the importance of upgrading or patching

(Speaking of which, if you have not remediated yet, please stop reading and do so.)

While we feel those goals were accomplished, the PSA also resulted in a large volume of press coverage – in fact much more coverage than the original disclosure of the vulnerability on October 15th. Not surprisingly, the general tone of the press coverage was quite negative. Unfortunately, some of the coverage was also inaccurate which we’d like to address here as well as provide additional context regarding our security processes.

While we don’t know the total number of Drupal sites affected, the number is not near 12 million as stated in several publications. Unless disabled, individual Drupal sites report their existence back to Drupal.org and this system reports around 1 million total Drupal sites. While this is not an exact measure of live Drupal sites we can infer that the affected number of specifically vulnerable Drupal 7 sites is more likely to be under 1 million.

SA-CORE-2014-005 was certainly a severe issue, if not the most severe issue in Drupal’s history; but it’s important to recognize all software has bugs and security issues that require a remediation process. Finding, fixing and announcing security patches is evidence of a healthy security process and Drupal is one of the few content management systems with a dedicated security team that covers both Drupal core and contributed code.

The above said, there are lessons from both the original disclosure and the follow-up PSA that might result in some changes to the Drupal Security Team policy and process, however we want to reinforce that we are deeply committed to keeping Drupal secure. We encourage you to read this whitepaper that explains our processes, policies and contains a good overview of Drupal security.

If you ever have questions, please use the public discussion area for general topics at https://groups.drupal.org/security or contact us (security@drupal.org). Or better yet, get involved. You can find more information on the Drupal Security Team page.

-Drupal Security Team

Drupal 7.34 and 6.34 released

19 November 2014, 6:39 pm

Drupal 7.34 and Drupal 6.34, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.34 and Drupal 6.34 release notes for further information.

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.34 is a security release only. For more details, see the 7.34 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.34 is a security release only. For more details, see the 6.34 release notes. A complete list of all bug fixes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.34 and 6.34 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.34 or Drupal 6.34.

Known issues

None.

Front page news: 
Drupal version: 

Drupal 7.33 released

7 November 2014, 3:37 pm

Update: Drupal 7.34 is now available.

Drupal 7.33, a maintenance release with numerous bug fixes (no security fixes) is now available for download. See the Drupal 7.33 release notes for a full listing.

Upgrading your existing Drupal 7 sites is recommended. There are no major new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

There are no security fixes in this release of Drupal core.

Bug reports

Drupal 7.x is being maintained, so given enough bug fixes (not just bug reports), more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.33 contains bug fixes and small API/feature improvements only. The full list of changes between the 7.32 and 7.33 releases can be found by reading the 7.33 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Update notes

See the 7.33 release notes for details on important changes in this release.

Known issues

See the 7.33 release notes for a list of known issues affecting this release.

Front page news: 
Drupal version: 

Drupal.org is an amazing installation of Drupal. At nearly 13 years old, it is one of the largest, continuously operating examples of Drupal. It is difficult to fathom, but Drupal.org has been upgraded in place from version to version for this entire timespan. I can think of no other site that has gone this long without a significant content and structure migration.

Over the years, Drupal.org has grown from a single server owned by a contributor to multiple racks at the OSL data center, plus cloud resources and content distribution networks spread across the globe. Drupal.org is more than a single site. There are over 20 services and subsites that make up the ecosystem that powers the Drupal community. Each month, over 20 TB of data passes through the Drupal.org infrastructure.

With such a huge impact, it is important that we have a strong plan for the direction of Drupal.org. With that, we would like to introduce you to the Drupal.org Roadmap.

Drupal.org Roadmap

Read on to find out how we set this strategic direction.

History

Volunteers built up these systems focusing on their passions with community initiatives. Many times these volunteers gave up days of their life - unpaid - to make sure that people could continue to build websites with Drupal and to build Drupal and its contributed projects.

While the result is impressive, there are many areas of Drupal.org that received little or no attention in this model of development. If a developer burned out, or there was no one in the community with a passion for the area of needed improvements, that area remained unmaintained.

For several years, the Drupal Association has funded the infrastructure that runs Drupal.org. The Association pays for the hosting facilities and the hardware to keep Drupal.org running.

The evolving role of the Drupal Association

In 2013, the Drupal Association board made the decision to begin building up an engineering team. This team would support both the infrastructure and software development activities behind Drupal.org. Our goal is to accelerate the development of the new features and to help build a cohesive roadmap so that Drupal.org would help unite a global community to build the best of the Web with Drupal. (Hint: that is the mission of the Drupal Association.)

Hired in March of 2014, the Drupal Association CTO was tasked with building a team and gathering feedback from Working Groups and the Board of Directors to set a strategic direction for Drupal.org.

Prioritizing the work

There are three primary working groups that guide the development of Drupal.org: Drupal.org Content Working Group (DCWG), Drupal.org Software Working Group (DSWG) and Drupal.org Infrastructure Working Group (DIWG).

New development of features for the Drupal.org community of sites and services was determined through weeks of careful deliberation and research:

  • Previous years of feature ideation
  • Working group feature ideation
  • User research project
  • Working group prioritization
  • Board of Directors input and feedback
  • Staff ideation on maintenance and performance improvements

One of the key influences in our prioritization process was the user research that was conducted during and after DrupalCon Austin in June of 2014. We interviewed over 30 individuals that represented a wide range of Drupal.org users from those that were just starting with Drupal, to longtime members of the community, and even those that had once used Drupal and had transitioned their careers to different technologies.

This gave us four key areas in which to focus:

Sustaining support and maintenance

These efforts are the ongoing work that keeps the servers up and running and performing well. The Drupal.org Infrastructure issue queue is the primary place for this work, but there are several other related queues where staff and volunteers from the infrastructure team are focusing their work. Work that staff is tackling will be assigned to a staff member and tagged with d.o support.

  • Support for users: Drupal.org issue queues and email support
  • Performance: uptime, page response, ongoing testbot deployments and maintenance
  • Improving automated tests to make development and deployment reliable
  • Maximize hardware and migrate to cloud services where appropriate

Fund Drupal.org and future tools

While the majority of funds supporting Drupal.org come from our partner programs (Supporting Partner, Technology Partner, Hosting Partner), we are looking for ways to diversify where we raise funds.

Board and Working Group Priorities: Drupal.org Staff Initiatives

These initiatives represent the work that Drupal Association technology and engineering staff will be focused on in the near term through 2015. By being focused on these initiatives, we will get the related features launched on Drupal.org faster. We will still need help to vet and test these features, so follow the issue tags you are interested in and get involved in the related issues.

  • Better account creation and login
  • Organization and user profile improvements
  • Responsive Redesign of Drupal.org
  • Issue workflow and Git improvements
  • Make Drupal.org Search Usable
  • Improved tools to find and select projects
  • Groups migration to Drupal 7

The Drupal.org Roadmap provides much more detail about these key initiatives.

Community Initiatives

There is always more work to do on Drupal.org. We need committed and active volunteers to help with key initiatives that showed up in both our user research and the prioritization from the working groups. These are projects that we can support the efforts of contributors that have the time and skills to push these initiatives forward. Three examples with strong community leadership include:

  • Support localize.drupal.org
  • Next generation testbots (DrupalCI)
  • Two-factor authentication

You can help

In addition to these initiatives, we would love to support a community member that would be willing to step up and lead an initiative to organize our Q&A and support on Drupal.org. There is a huge need for people to be able to find answers to their Drupal questions. Stack Overflow fills part of this role, but there are many more opportunities on Drupal.org itself.

We will also need a community driven effort to help us establish project ratings and reviews once these tools are in place. It will take a group effort to make these affective quickly.

All of our initiatives need community involvement. Whether it is commenting on issues posted to these projects or joining in at sprints to move these initiatives forward, we can use your time and commitment.

Thank you

This planning and work would not have been possible without the financial support from our partners, the direction and leadership of the board, the time commitment of our Working Group members, and an incredibly dedicated Drupal Association staff.

Cheers!

Description

This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Simply updating to Drupal 7.32 will not remove backdoors.

If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.

Data and damage control

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

Take a look at our help documentation, ”Your Drupal site got hacked, now what”

Recovery

Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.

Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.

The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014:

  1. Take the website offline by replacing it with a static HTML page
  2. Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  3. Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  4. Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  5. Update or patch the restored Drupal core code
  6. Put the restored and patched/updated website back online
  7. Manually redo any desired changes made to the website since the date of the restored backup
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.

While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.

For more information, please see our FAQ on SA-CORE-2014-005.

Written by

Coordinated by

Contact and More Information

We've prepared a FAQ on this release. Read more at FAQ on SA-CORE-2014-005.

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 

UPDATE:
Terms of Service are now finalized and located at https://www.drupal.org/terms.
Privacy Policy is now finalized and located at https://www.drupal.org/privacy


Thanks to the hard work of staff and the Drupal.org Content Working Group, we have completed another round of updates to our draft privacy policy and terms of service. We were able to respond to much of the feedback provided in our earlier announcement.

The biggest issues pointed out by the community had to do with the tone of the language in the documents. Many pointed out that it did not match the values of our community. We took a closer look at organizations such as the Wikimedia Foundation and Mozilla, incorporating some of the approaches they took to make our terms a bit more human. We trimmed and shortened what we could. We clarified where things were ambiguous. The end result is much more in line with our community values.

Some examples of changes include the following:

  • When possible, we changed the tone of both documents to make them more friendly.
  • We removed capital letters and used other means to make specific parts of the document noticeable.
  • We deleted a couple of references to collecting data that we do not actually collect.
  • We clarified that we won’t block accounts “for any and no reason”, but only in cases of Terms of Service, Code of Conduct and Git access policy violations.
  • We clarified active notification of users about material changes to policy. We will send an email at least 72 hours prior to changes going into effect. This will give users time to delete their accounts if they don’t want to accept new policies.
  • We added contact info and updated all phone numbers, addresses etc. to be formatted according to international standards.
  • We clarified that you don’t need to create an account to access the Website, just some parts of it.
  • We clarified how to notify us in case of unauthorized access to user account.
  • We clarified how long do we store data after it has been removed from user profile.

We did leave some things from the previous draft without major changes, such as bullet points under section C, for example. And we did it for a reason. One of our goals is to make Drupal.org a place where everyone feels comfortable. Additionally, we have to ensure that Drupal.org is protected if a legal issue does arise. Those bullet points are there not because we want to be able to police or censor the activity on the site. This language exists because it protects Drupal.org if one user takes issue with content from another user. We will still use the process outlined in the Drupal Code of Conduct to resolve any issues whenever we can.

With that in mind, please take a look at the latest drafts:

Terms of Service
Privacy Policy

We will be putting these documents into place on Wednesday, 5 November, 2014. All comments added to this thread will be included in our planning for the next revision. We hope to review the Terms of Service and Privacy Policy quarterly and update them with community feedback.

Thank you for all your help in building these documents.

Drupal 7.32 released

15 October 2014, 12:47 pm

Update: Drupal 7.33 is now available.

Drupal 7.32, a maintenance release which contain fixes for security vulnerabilities, is now available for download. See the Drupal 7.32 release notes for further information.

Upgrading your existing Drupal 7 is strongly recommended. There are no new features or non-security-related bug fixes in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.32 is a security release only. For more details, see the 7.32 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.32 was released in response to the discovery of critical security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to Drupal 7.32.

Known issues

None.

Front page news: 
Drupal version: 

Drupal 8.0.0 beta 1 released

1 October 2014, 6:30 am
Update: The latest Drupal 8 beta release is available with important security fixes.

Drupal 8.0.0-beta1 has just been released for testing and feedback! This key milestone is the work of over 2,300 people who have contributed more than 11,500 committed patches to 15 alpha releases, and especially the 234 contributors who fixed 177 "beta blocker" issues. To read about the new features in Drupal 8, see Drupal.org's Drupal 8 landing page.

Drupal 8 beta 1 for testers

Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

Start by downloading Drupal 8.0.0-beta 1 and installing it! Drupal 8 definitely still has bugs, and we need your help to discover them. Let us know what bugs you find in the Drupal core issue queue. (Please search the known issues before filing.)

Drupal 8 beta 1 for module and core developers

The main differences between the previous Drupal 8 alphas and the new beta are:

  • The fundamental APIs in Drupal 8 (like the entity, configuration, and menu APIs) are now stable enough so that contributed module and theme authors can start (or resume) their #D8CX pledges and port their projects to Drupal 8.
  • We have locked down Drupal 8's data model enough that developers should generally not need to perform data migrations between beta releases of Drupal 8. We will start providing a beta-to-beta upgrade path in a later beta release.
  • Limited API and data model changes will still happen, though core maintainers will try to isolate these changes to only non-fundamental APIs or critical bug fixes.

We need your help to fix critical bugs by reviewing patches and creating patches.

If you're new to core development, check out Core contribution mentoring, a twice-weekly IRC meeting where you can get one-on-one help getting set up and finding a Drupal 8 task.

Drupal 8 beta 1 for designers, translators, and documentation writers

Drupal 8's user interface, interface text, and markup are not finalized until the first release candidate, so it's too early to focus on user-facing documentation, translations, or themes (though by all means, adventurous contributors should start now to provide feedback while we can still fix things). Note that localize.drupal.org does not yet support the full Drupal 8 API and does not have all translatable strings.

When does 8.0.0 get released?

Beta 1 will be followed by a series of additional beta releases with bug fixes, performance improvements, and improved stability.

The release version of Drupal 8.0.0 will be ready after there are no more critical issues (as of today, there are 97 remaining) and we've had at least one release candidate (RC) without adding any more critical issues to the list.

When will that be? "When it's ready." The more people help, the faster we can find and fix bugs, and the faster 8.0.0 gets released. The faster 8.0.0 gets released, the faster we can start adding new features for Drupal 8.1.0. So help out where you can, and let's deliver the best release of Drupal ever! :)

Thank you!

A massive thank-you to everyone who helped get Drupal 8 beta 1 done, especially the contributors who have focused on beta-blocking issues (pictured below).

Tag cloud of contributors to Drupal 8 beta blocker issues

Front page news: 
Drupal version: 

Drupal Security Team update.

18 September 2014, 6:07 pm

Joint Security release with WordPress

In big news, we had our first joint release with WordPress. We collaborated together with the WordPress team on a PHP security issue discovered by a security researcher. We’re thrilled that we had an opportunity to work together with others in the open source CMS community. We shared a few tips and tricks and it was great working with the WordPress team.

Keeping Drupal Secure

In keeping with our mission to showcase security best practices at Drupal’s online home, we’ve upgraded https://security.drupal.org to Drupal 7. This ensures we’re on a supported platform. We also took the opportunity to add some new features that help us enhance our team’s efficiency by automating a number of routine tasks.

As part of our dedication to keeping Drupal users safe, we’ve written and announced the Long Term support (LTS) plan for Drupal 6 (https://www.drupal.org/d6-lts-support). This is an important step as we look forward to the release of Drupal 8. Soon we will be introducing two-factor authentication to Drupal.org, thanks to hard work from security team members Ben Jeavons, Greg Knaddison , Neil Drumm, and Michael Hess. (https://groups.drupal.org/node/439868 and https://drupal.org/node/2239973)

And here’s one last, fun note: Security.Drupal.org issues now show up on the drupal.org dashboard if you add the widget. You can get it clicking on dashboard after logging in and adding the widget.


Securing Drupal E-Commerce

Some Drupal security team members were recently involved in putting together a compliance White paper for keeping track of PCI compliance. Anyone who runs a Drupal site and takes credit cards should read the whitepaper. Here’s a little more information:

Version 3.0 of the PCI compliance standard becomes mandatory on January 1st, 2015 and will be a complete game changer for many Drupal eCommerce sites. This includes triple the number of security controls if your website touches credit card information and more. The community supported Drupal PCI Compliance White Paper (http://drupalpcicompliance.org/) will give you a high level overview of what PCI compliance is, why you need to comply, and (most importantly) how to get started. This paper was written and reviewed by several members of the Drupal security team, including Rick Manelius, Greg Knaddison, Ned McClain, Michael Hess, and Peter Wolanin.

Simplifying Security

We’ve redesigned our Security Advisory system to make evaluating and analyzing security threats easier and more intuitive. This came about after several core contributors informed us that they wanted a better way to address security threats. We sent out a survey through Twitter to learn more about how people write and read the Security Advisories. Based on the responses we put together a new Security Advisory system that takes much of the guesswork out of the process of evaluating threats. We’ve added and reordered elements on the Security Advisory’s criticality scale and added explanations to help people understand where a security problem is on the spectrum of potential threats.

Our Growing Team

We’ve brought a number of new members onto the security team. Please help us give a very warm welcome to our newest security team members:

Alex Pott (alexpott) - IRC nick: alexpott, Organization: Chapter Three
Cash Williams (cashwilliams) - IRC nick: CashWilliams, Organization: Acquia
Dan Smith (galooph) - IRC nick: galooph, Organization: Code Enigma
David Snopek (dsnopek) - IRC nick: dsnopek, Organization: MVPcreator
Rick Manelius (rickmanelius) - IRC nick: rickmanelius, Organization: NewMedia!

We’re always looking for more qualified people who place a high priority on security. If you’d like to join the security team: https://security.drupal.org/join

Drupal version: 

This week, we added a feature to projects on Drupal.org to help highlight the contributions made by supporting organizations. Maintainers of distributions, modules, and themes can give credit to organizations that have materially contributed to projects on Drupal.org using the new “Supporting Organizations” field.

Supporting organizations field

How do you use this field? When an organization funds the development of a project or when a company takes on maintainership of a key module in the community, the maintainers of that project can add a reference to one or more of them on the project node. Maintainers may chose to give this credit to any organization that contributes significant code or support to a project.

We noticed that many projects would manually follow this pattern in the project description, but wanted to take it a step further. Not only will this provide a link to the organization, it will also show up on the organization’s marketplace page.

Projects supported field on organization display

This is just the first step, we are also looking for community feedback and help in providing credit to companies, organizations and customers that contribute to the development of Drupal. Implementing this step will be a key way to show how organizations are giving code and support to Drupal Core. Look for it in the coming months.

Dries has written an excellent post on how we might give credit to organizations and another on the value of hiring a core contributor to help push Drupal forward that were a basis for much of this work.

If you are a project maintainer, take a moment to give some credit to the organizations that have helped build the Drupal ecosystem.

Front page news: 

UPDATE:
Terms of Service are now finalized and located at https://www.drupal.org/terms.
Privacy Policy is now finalized and located at https://www.drupal.org/privacy


Almost half a year ago, with the help of the Drupal.org Content Working Group and lawyers, the Drupal Association started working on a Drupal.org Terms of Service (ToS) and Privacy Policy. After a number of drafts and rewrites, we are now ready to introduce both documents to Drupal.org users.

Why do we need a ToS?

Drupal.org has grown organically for many years. Currently the site has thousands of active users that generate lots of content every day. Our current Terms of Service are limited to a short line on the account creation form:

“Please note: All user accounts are for individuals. Accounts created for more than one user or those using anonymous mail services will be blocked when discovered.”

This line is an insufficient ToS for a website of our size. In fact, Drupal.org is probably the only website of this size which operates without a published Terms of Service. This situation is uncomfortable, and even dangerous, for both Drupal community and the Drupal Association, which is legally responsible for Drupal.org and its contents.

In the absence of a ToS, a lot of rules—“do’s and don’ts”—regarding the website are just “common knowledge” of users who have a long memory and accounts created in the early days of Drupal.org. This might result in new users making mistakes and misbehaving only because they do not know what the unwritten rules are. Website moderators often lack guidance on how to react in specific situations, because those policies are not written anywhere. Some policies, such as organization accounts policy or account deletion policy still need to be defined. Lastly, absence of clearly defined Terms of Service and Privacy Policy could lead to legal disputes regarding the site.

What’s next?

The new Drupal.org Terms of Service and Privacy Policy are published now for the community review. We'll continue refining them based on community feedback and announce the 'official' implementation day additionally. On that day all existing users will have to accept these ToS and Privacy Policy to continue using the website. All new users starting on that day will have to accept the ToS and Privacy Policy upon account creation.

Click to review Drupal.org Terms of Service

Click to review Drupal.org Privacy Policy

In the future, we will make sure to keep ToS and Privacy Policy up-to-date and update them every time policies or functionality of the website changes. We will proactively notify users of all modifications to both documents.

Thanks

We’d like to say thanks to the Drupal.org Content Working Group members and community members who already reviewed proposed documents and provided us with their valuable feedback.


UPDATE: Edits to the original drafts were made on 21st of August, 2014, based on feedback in comments to this post.

UPDATE #2 (03.09.2014): We are postponing ToS/PP official launch and will come back with an updated draft shortly.

Drupal 7.31 and 6.33 released

6 August 2014, 5:35 pm

Update: Drupal 7.32 and Drupal 6.34 are now available.

Drupal 7.31 and Drupal 6.33, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.31 and Drupal 6.33 release notes for further information.

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.31 is a security release only. For more details, see the 7.31 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.33 is a security release only. For more details, see the 6.33 release notes. A complete list of all bug fixes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.31 and 6.33 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.31 or Drupal 6.33.

Update notes

See the 7.31 and 6.33 release notes for details on important changes in this release.

Known issues

None.

Front page news: 
Drupal version: 

Drupal 7.30 released

24 July 2014, 10:12 pm

Update: Drupal 7.31 is now available.

Drupal 7.30, a maintenance release with several bug fixes (no security fixes), including a fix for regressions introduced in Drupal 7.29, is now available for download. See the Drupal 7.30 release notes for a full listing.

Upgrading your existing Drupal 7 sites is recommended. There are no new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

There are no security fixes in this release of Drupal core.

Bug reports

Drupal 7.x is being maintained, so given enough bug fixes (not just bug reports), more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.30 is a bug fix only release. The full list of changes between the 7.29 and 7.30 releases can be found by reading the 7.30 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Update notes

See the 7.30 release notes for details on important changes in this release.

Known issues

None.

Front page news: 
Drupal version: 

Drupal 7.29 and 6.32 released

16 July 2014, 8:37 pm

Update: Drupal 7.30 and Drupal 6.33 are now available.

Drupal 7.29 and Drupal 6.32, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.29 and Drupal 6.32 release notes for further information.

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.29 is a security release only. For more details, see the 7.29 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.32 is a security release only. For more details, see the 6.32 release notes. A complete list of all bug fixes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.29 and 6.32 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.29 or Drupal 6.32.

Known issues

(Drupal 7 only) This release introduced a serious regression, the biggest effect of which is to cause files or images attached to taxonomy terms to be deleted when the taxonomy term is edited and resaved. See the release notes for more details. The solution is to upgrade to Drupal 7.30 or higher.

Front page news: 
Drupal version: