News feed

Drupal.org Maintenance: Dec 15th 17:00 PST (01:00 UTC, 1 day after)

Drupal.org - 2014, December 14 - 21:00

Drupal.org will be affected by maintenance Monday, December 15th 17:00 PST, 01:00 UTC (1 day after).

New database servers are being deployed for Drupal.org. This hardware refresh should greatly improve database query performance on Drupal.org. The deployment should require less than 15 minutes of downtime on Drupal.org if no major issues are encountered.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Categories: News

Follow up on Drupal SA-2014-005, SQL Injection

Drupal.org - 2014, December 5 - 00:50

On October 29, the Drupal Security Team issued a Public Service Announcement (PSA) as a follow-up to Security Advisory SA-CORE-2014-005, which disclosed a serious SQL Injection vulnerability in Drupal 7. Our goals with the PSA were to:

  1. Provide an update on the time window between disclosure and first-known exploits
  2. Provide guidance for users who patched or upgraded outside that window
  3. Reiterate the severity of the vulnerability and the importance of upgrading or patching

(Speaking of which, if you have not remediated yet, please stop reading and do so.)

While we feel those goals were accomplished, the PSA also resulted in a large volume of press coverage – in fact much more coverage than the original disclosure of the vulnerability on October 15th. Not surprisingly, the general tone of the press coverage was quite negative. Unfortunately, some of the coverage was also inaccurate which we’d like to address here as well as provide additional context regarding our security processes.

While we don’t know the total number of Drupal sites affected, the number is not near 12 million as stated in several publications. Unless disabled, individual Drupal sites report their existence back to Drupal.org and this system reports around 1 million total Drupal sites. While this is not an exact measure of live Drupal sites we can infer that the affected number of specifically vulnerable Drupal 7 sites is more likely to be under 1 million.

SA-CORE-2014-005 was certainly a severe issue, if not the most severe issue in Drupal’s history; but it’s important to recognize all software has bugs and security issues that require a remediation process. Finding, fixing and announcing security patches is evidence of a healthy security process and Drupal is one of the few content management systems with a dedicated security team that covers both Drupal core and contributed code.

The above said, there are lessons from both the original disclosure and the follow-up PSA that might result in some changes to the Drupal Security Team policy and process, however we want to reinforce that we are deeply committed to keeping Drupal secure. We encourage you to read this whitepaper that explains our processes, policies and contains a good overview of Drupal security.

If you ever have questions, please use the public discussion area for general topics at https://groups.drupal.org/security or contact us (security@drupal.org). Or better yet, get involved. You can find more information on the Drupal Security Team page.

-Drupal Security Team

Categories: News

Call for Volunteers: Licensing Working Group

Drupal.org - 2014, December 4 - 20:30

There are a growing number of licensing-related issues on Drupal.org that are unresolved. Additionally, volunteers who have been tackling licensing issues believe that the policies are often applied inconsistently. The result is that contributors are often left in a difficult situation, unsure if they should contribute their code or not, and the Drupal project is left at risk when non-compliant code is uploaded to Drupal.org.

To solve this problem, several of the key volunteers met in July and determined that a Licesning Working Group, modeled after other Drupal and Drupal.org governance bodies and supported by training from the Drupal Association law firm, could provide more consistent oversight. At the 21 November meeting, the Drupal Association Board of Directors approved the draft charter written by those volunteers.

Now it's your turn! We're looking for 4-5 individuals to serve on the Working Group. You'll receive lots of support from the Drupal Association when you need it, and you'll be making a direct impact on the happiness of our contributors and the safety of the Drupal project. Just fill out the form below and we'll get back to you. We expect to approve a slate of candidates during the 21 January board meeting. Questions? Email the Drupal Association Executive Director, Holly Ross, at holly@association.drupal.org.

Nominate Yourself!

Front page news: Drupal News
Categories: News

Drupal 7.34 and 6.34 released

Drupal.org - 2014, November 19 - 20:39

Drupal 7.34 and Drupal 6.34, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.34 and Drupal 6.34 release notes for further information.

Download Drupal 7.34
Download Drupal 6.34

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.34 is a security release only. For more details, see the 7.34 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.34 is a security release only. For more details, see the 6.34 release notes. A complete list of all bug fixes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.34 and 6.34 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.34 or Drupal 6.34.

Known issues

None.

Front page news: Planet DrupalDrupal version: Drupal 6.xDrupal 7.x
Categories: News

Unplanned Outage (China Region): Thu Nov 13, 2014 - Wed Nov 19, 2014

Drupal.org - 2014, November 19 - 20:01

On Thursday, November 13th, 2014, Chinese censorship authorities DNS poisoned Drupal.org's Content Distribution Network, EdgeCast. The Drupal Association and EdgeCast have been working together to fix connection issues to Drupal.org, and believe the issues have been resolved.

  • On Thursday (2014-11-13) we were notified of Drupal.org being blocked in China.
  • On Friday (2014-11-14) EdgeCast acknowledged network issues in China.
  • On Monday (2014-11-17) Drupal Association staff began implementing changes to DNS, in coordination with EdgeCast, to resolve the connection issues in China.
  • Yesterday (2014-11-18 16:00 UTC) DNS entries for Drupal.org sites were updated and pushed out.
  • Today (2014-11-19) the DNS updates appear to have resolved the issue.

Related Issue: https://www.drupal.org/node/2375023
More Information: https://en.greatfire.org/blog/2014/nov/china-just-blocked-thousands-webs...

Categories: News

Drupal 7.33 released

Drupal.org - 2014, November 7 - 17:37

Update: Drupal 7.34 is now available.

Drupal 7.33, a maintenance release with numerous bug fixes (no security fixes) is now available for download. See the Drupal 7.33 release notes for a full listing.

Download Drupal 7.33

Upgrading your existing Drupal 7 sites is recommended. There are no major new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

There are no security fixes in this release of Drupal core.

Bug reports

Drupal 7.x is being maintained, so given enough bug fixes (not just bug reports), more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.33 contains bug fixes and small API/feature improvements only. The full list of changes between the 7.32 and 7.33 releases can be found by reading the 7.33 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Update notes

See the 7.33 release notes for details on important changes in this release.

Known issues

See the 7.33 release notes for a list of known issues affecting this release.

Front page news: Planet DrupalDrupal version: Drupal 7.x
Categories: News

Strategic Initiatives for Drupal.org in 2015

Drupal.org - 2014, November 4 - 01:27

Drupal.org is an amazing installation of Drupal. At nearly 13 years old, it is one of the largest, continuously operating examples of Drupal. It is difficult to fathom, but Drupal.org has been upgraded in place from version to version for this entire timespan. I can think of no other site that has gone this long without a significant content and structure migration.

Over the years, Drupal.org has grown from a single server owned by a contributor to multiple racks at the OSL data center, plus cloud resources and content distribution networks spread across the globe. Drupal.org is more than a single site. There are over 20 services and subsites that make up the ecosystem that powers the Drupal community. Each month, over 20 TB of data passes through the Drupal.org infrastructure.

With such a huge impact, it is important that we have a strong plan for the direction of Drupal.org. With that, we would like to introduce you to the Drupal.org Roadmap.

Drupal.org Roadmap

Read on to find out how we set this strategic direction.

History

Volunteers built up these systems focusing on their passions with community initiatives. Many times these volunteers gave up days of their life - unpaid - to make sure that people could continue to build websites with Drupal and to build Drupal and its contributed projects.

While the result is impressive, there are many areas of Drupal.org that received little or no attention in this model of development. If a developer burned out, or there was no one in the community with a passion for the area of needed improvements, that area remained unmaintained.

For several years, the Drupal Association has funded the infrastructure that runs Drupal.org. The Association pays for the hosting facilities and the hardware to keep Drupal.org running.

The evolving role of the Drupal Association

In 2013, the Drupal Association board made the decision to begin building up an engineering team. This team would support both the infrastructure and software development activities behind Drupal.org. Our goal is to accelerate the development of the new features and to help build a cohesive roadmap so that Drupal.org would help unite a global community to build the best of the Web with Drupal. (Hint: that is the mission of the Drupal Association.)

Hired in March of 2014, the Drupal Association CTO was tasked with building a team and gathering feedback from Working Groups and the Board of Directors to set a strategic direction for Drupal.org.

Prioritizing the work

There are three primary working groups that guide the development of Drupal.org: Drupal.org Content Working Group (DCWG), Drupal.org Software Working Group (DSWG) and Drupal.org Infrastructure Working Group (DIWG).

New development of features for the Drupal.org community of sites and services was determined through weeks of careful deliberation and research:

  • Previous years of feature ideation
  • Working group feature ideation
  • User research project
  • Working group prioritization
  • Board of Directors input and feedback
  • Staff ideation on maintenance and performance improvements

One of the key influences in our prioritization process was the user research that was conducted during and after DrupalCon Austin in June of 2014. We interviewed over 30 individuals that represented a wide range of Drupal.org users from those that were just starting with Drupal, to longtime members of the community, and even those that had once used Drupal and had transitioned their careers to different technologies.

This gave us four key areas in which to focus:

Sustaining support and maintenance

These efforts are the ongoing work that keeps the servers up and running and performing well. The Drupal.org Infrastructure issue queue is the primary place for this work, but there are several other related queues where staff and volunteers from the infrastructure team are focusing their work. Work that staff is tackling will be assigned to a staff member and tagged with d.o support.

  • Support for users: Drupal.org issue queues and email support
  • Performance: uptime, page response, ongoing testbot deployments and maintenance
  • Improving automated tests to make development and deployment reliable
  • Maximize hardware and migrate to cloud services where appropriate
Fund Drupal.org and future tools

While the majority of funds supporting Drupal.org come from our partner programs (Supporting Partner, Technology Partner, Hosting Partner), we are looking for ways to diversify where we raise funds.

Board and Working Group Priorities: Drupal.org Staff Initiatives

These initiatives represent the work that Drupal Association technology and engineering staff will be focused on in the near term through 2015. By being focused on these initiatives, we will get the related features launched on Drupal.org faster. We will still need help to vet and test these features, so follow the issue tags you are interested in and get involved in the related issues.

  • Better account creation and login
  • Organization and user profile improvements
  • Responsive Redesign of Drupal.org
  • Issue workflow and Git improvements
  • Make Drupal.org Search Usable
  • Improved tools to find and select projects
  • Groups migration to Drupal 7

The Drupal.org Roadmap provides much more detail about these key initiatives.

Community Initiatives

There is always more work to do on Drupal.org. We need committed and active volunteers to help with key initiatives that showed up in both our user research and the prioritization from the working groups. These are projects that we can support the efforts of contributors that have the time and skills to push these initiatives forward. Three examples with strong community leadership include:

  • Support localize.drupal.org
  • Next generation testbots (DrupalCI)
  • Two-factor authentication
You can help

In addition to these initiatives, we would love to support a community member that would be willing to step up and lead an initiative to organize our Q&A and support on Drupal.org. There is a huge need for people to be able to find answers to their Drupal questions. Stack Overflow fills part of this role, but there are many more opportunities on Drupal.org itself.

We will also need a community driven effort to help us establish project ratings and reviews once these tools are in place. It will take a group effort to make these affective quickly.

All of our initiatives need community involvement. Whether it is commenting on issues posted to these projects or joining in at sprints to move these initiatives forward, we can use your time and commitment.

Thank you

This planning and work would not have been possible without the financial support from our partners, the direction and leadership of the board, the time commitment of our Working Group members, and an incredibly dedicated Drupal Association staff.

Cheers!

Categories: News

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

Drupal.org - 2014, October 29 - 16:39
Description

This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Simply updating to Drupal 7.32 will not remove backdoors.

If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.

Data and damage control

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

Take a look at our help documentation, ”Your Drupal site got hacked, now what”

Recovery

Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.

Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.

The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014:

  1. Take the website offline by replacing it with a static HTML page
  2. Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  3. Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  4. Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  5. Update or patch the restored Drupal core code
  6. Put the restored and patched/updated website back online
  7. Manually redo any desired changes made to the website since the date of the restored backup
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.

While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.

For more information, please see our FAQ on SA-CORE-2014-005.

Written by Coordinated by Contact and More Information

We've prepared a FAQ on this release. Read more at FAQ on SA-CORE-2014-005.

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: News

Next Steps for the Drupal.org Terms of Service and Privacy Policy

Drupal.org - 2014, October 29 - 15:11

UPDATE:
Terms of Service are now finalized and located at https://www.drupal.org/terms.
Privacy Policy is now finalized and located at https://www.drupal.org/privacy

Thanks to the hard work of staff and the Drupal.org Content Working Group, we have completed another round of updates to our draft privacy policy and terms of service. We were able to respond to much of the feedback provided in our earlier announcement.

The biggest issues pointed out by the community had to do with the tone of the language in the documents. Many pointed out that it did not match the values of our community. We took a closer look at organizations such as the Wikimedia Foundation and Mozilla, incorporating some of the approaches they took to make our terms a bit more human. We trimmed and shortened what we could. We clarified where things were ambiguous. The end result is much more in line with our community values.

Some examples of changes include the following:

  • When possible, we changed the tone of both documents to make them more friendly.
  • We removed capital letters and used other means to make specific parts of the document noticeable.
  • We deleted a couple of references to collecting data that we do not actually collect.
  • We clarified that we won’t block accounts “for any and no reason”, but only in cases of Terms of Service, Code of Conduct and Git access policy violations.
  • We clarified active notification of users about material changes to policy. We will send an email at least 72 hours prior to changes going into effect. This will give users time to delete their accounts if they don’t want to accept new policies.
  • We added contact info and updated all phone numbers, addresses etc. to be formatted according to international standards.
  • We clarified that you don’t need to create an account to access the Website, just some parts of it.
  • We clarified how to notify us in case of unauthorized access to user account.
  • We clarified how long do we store data after it has been removed from user profile.

We did leave some things from the previous draft without major changes, such as bullet points under section C, for example. And we did it for a reason. One of our goals is to make Drupal.org a place where everyone feels comfortable. Additionally, we have to ensure that Drupal.org is protected if a legal issue does arise. Those bullet points are there not because we want to be able to police or censor the activity on the site. This language exists because it protects Drupal.org if one user takes issue with content from another user. We will still use the process outlined in the Drupal Code of Conduct to resolve any issues whenever we can.

With that in mind, please take a look at the latest drafts:

Terms of Service
Privacy Policy

We will be putting these documents into place on Wednesday, 5 November, 2014. All comments added to this thread will be included in our planning for the next revision. We hope to review the Terms of Service and Privacy Policy quarterly and update them with community feedback.

Thank you for all your help in building these documents.

Categories: News

Drupal.org Maintenance: Oct 23rd 14:00 PDT (21:00 UTC)

Drupal.org - 2014, October 22 - 18:58

Drupal.org will be affected by maintenance Thursday, October 23rd 14:00 PDT, 21:00 UTC.

An increase of the MySQL innodb_buffer_pool_size will cause a short downtime for Drupal.org while MySQL is restarted. We plan on a 30 minute window of potential instability, though the actual outage should be 5 minutes or less.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Categories: News

Drupal 7.32 released

Drupal.org - 2014, October 15 - 14:47

Update: Drupal 7.33 is now available.

Drupal 7.32, a maintenance release which contain fixes for security vulnerabilities, is now available for download. See the Drupal 7.32 release notes for further information.

Download Drupal 7.32

Upgrading your existing Drupal 7 is strongly recommended. There are no new features or non-security-related bug fixes in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.32 is a security release only. For more details, see the 7.32 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.32 was released in response to the discovery of critical security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to Drupal 7.32.

Known issues

None.

Front page news: Planet DrupalDrupal version: Drupal 7.x
Categories: News

Drupal 8.0.0 beta 1 released

Drupal.org - 2014, October 1 - 08:30
Update: The latest Drupal 8 beta release is available with important security fixes.

Drupal 8.0.0-beta1 has just been released for testing and feedback! This key milestone is the work of over 2,300 people who have contributed more than 11,500 committed patches to 15 alpha releases, and especially the 234 contributors who fixed 177 "beta blocker" issues. To read about the new features in Drupal 8, see Drupal.org's Drupal 8 landing page.

Drupal 8 beta 1 for testers

Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

Start by downloading Drupal 8.0.0-beta 1 and installing it! Drupal 8 definitely still has bugs, and we need your help to discover them. Let us know what bugs you find in the Drupal core issue queue. (Please search the known issues before filing.)

Drupal 8 beta 1 for module and core developers

The main differences between the previous Drupal 8 alphas and the new beta are:

  • The fundamental APIs in Drupal 8 (like the entity, configuration, and menu APIs) are now stable enough so that contributed module and theme authors can start (or resume) their #D8CX pledges and port their projects to Drupal 8.
  • We have locked down Drupal 8's data model enough that developers should generally not need to perform data migrations between beta releases of Drupal 8. We will start providing a beta-to-beta upgrade path in a later beta release.
  • Limited API and data model changes will still happen, though core maintainers will try to isolate these changes to only non-fundamental APIs or critical bug fixes.

We need your help to fix critical bugs by reviewing patches and creating patches.

If you're new to core development, check out Core contribution mentoring, a twice-weekly IRC meeting where you can get one-on-one help getting set up and finding a Drupal 8 task.

Drupal 8 beta 1 for designers, translators, and documentation writers

Drupal 8's user interface, interface text, and markup are not finalized until the first release candidate, so it's too early to focus on user-facing documentation, translations, or themes (though by all means, adventurous contributors should start now to provide feedback while we can still fix things). Note that localize.drupal.org does not yet support the full Drupal 8 API and does not have all translatable strings.

When does 8.0.0 get released?

Beta 1 will be followed by a series of additional beta releases with bug fixes, performance improvements, and improved stability.

The release version of Drupal 8.0.0 will be ready after there are no more critical issues (as of today, there are 97 remaining) and we've had at least one release candidate (RC) without adding any more critical issues to the list.

When will that be? "When it's ready." The more people help, the faster we can find and fix bugs, and the faster 8.0.0 gets released. The faster 8.0.0 gets released, the faster we can start adding new features for Drupal 8.1.0. So help out where you can, and let's deliver the best release of Drupal ever! :)

Thank you!

A massive thank-you to everyone who helped get Drupal 8 beta 1 done, especially the contributors who have focused on beta-blocking issues (pictured below).

Front page news: Planet DrupalDrupal version: Drupal 8.x
Categories: News

Drupal.org Maintenance: Sep 23rd 14:00 PDT (21:00 UTC)

Drupal.org - 2014, September 22 - 22:50

Drupal.org will be affected by maintenance Tuesday, September 23rd 14:00 PDT, 21:00 UTC.

Switching version control systems for Drupal.org deployment will cause a short downtime as docroot files are migrated. We plan on a 30 minute window of potential instability.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Categories: News

Drupal Security Team update.

Drupal.org - 2014, September 18 - 20:07
Joint Security release with WordPress

In big news, we had our first joint release with WordPress. We collaborated together with the WordPress team on a PHP security issue discovered by a security researcher. We’re thrilled that we had an opportunity to work together with others in the open source CMS community. We shared a few tips and tricks and it was great working with the WordPress team.

Keeping Drupal Secure

In keeping with our mission to showcase security best practices at Drupal’s online home, we’ve upgraded https://security.drupal.org to Drupal 7. This ensures we’re on a supported platform. We also took the opportunity to add some new features that help us enhance our team’s efficiency by automating a number of routine tasks.

As part of our dedication to keeping Drupal users safe, we’ve written and announced the Long Term support (LTS) plan for Drupal 6 (https://www.drupal.org/d6-lts-support). This is an important step as we look forward to the release of Drupal 8. Soon we will be introducing two-factor authentication to Drupal.org, thanks to hard work from security team members Ben Jeavons, Greg Knaddison , Neil Drumm, and Michael Hess. (https://groups.drupal.org/node/439868 and https://drupal.org/node/2239973)

And here’s one last, fun note: Security.Drupal.org issues now show up on the drupal.org dashboard if you add the widget. You can get it clicking on dashboard after logging in and adding the widget.


Securing Drupal E-Commerce

Some Drupal security team members were recently involved in putting together a compliance White paper for keeping track of PCI compliance. Anyone who runs a Drupal site and takes credit cards should read the whitepaper. Here’s a little more information:

Version 3.0 of the PCI compliance standard becomes mandatory on January 1st, 2015 and will be a complete game changer for many Drupal eCommerce sites. This includes triple the number of security controls if your website touches credit card information and more. The community supported Drupal PCI Compliance White Paper (http://drupalpcicompliance.org/) will give you a high level overview of what PCI compliance is, why you need to comply, and (most importantly) how to get started. This paper was written and reviewed by several members of the Drupal security team, including Rick Manelius, Greg Knaddison, Ned McClain, Michael Hess, and Peter Wolanin.

Simplifying Security

We’ve redesigned our Security Advisory system to make evaluating and analyzing security threats easier and more intuitive. This came about after several core contributors informed us that they wanted a better way to address security threats. We sent out a survey through Twitter to learn more about how people write and read the Security Advisories. Based on the responses we put together a new Security Advisory system that takes much of the guesswork out of the process of evaluating threats. We’ve added and reordered elements on the Security Advisory’s criticality scale and added explanations to help people understand where a security problem is on the spectrum of potential threats.

Our Growing Team

We’ve brought a number of new members onto the security team. Please help us give a very warm welcome to our newest security team members:

Alex Pott (alexpott) - IRC nick: alexpott, Organization: Chapter Three
Cash Williams (cashwilliams) - IRC nick: CashWilliams, Organization: Acquia
Dan Smith (galooph) - IRC nick: galooph, Organization: Code Enigma
David Snopek (dsnopek) - IRC nick: dsnopek, Organization: MVPcreator
Rick Manelius (rickmanelius) - IRC nick: rickmanelius, Organization: NewMedia!

We’re always looking for more qualified people who place a high priority on security. If you’d like to join the security team: https://security.drupal.org/join

Drupal version: Drupal 7.x
Categories: News

Drupal.org Maintenance: Sep 16th 16:00 PDT (23:00 UTC)

Drupal.org - 2014, September 16 - 00:34

Drupal.org will be affected by maintenance Tuesday, September 16th 16:00 PDT, 23:00 UTC.

A regular module update will alter some larger tables, which will block other queries. We plan on up to 30 minutes of downtime while these updates run.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Front page news: Drupal News
Categories: News