TL;DR: Both the community and Dries Buytaert, Project Lead, see a need to evolve Drupal community governance. The Drupal Association can help in a support role. We will start by hosting mediated community discussions so everyone around the world can participate, be heard and understood, and share their ideas. Creating a new governance model will take many months and will require an agile approach as we all feel our way through the proper steps. The Drupal Association will continue to find ways to support this process as we all move through it together.
Over the last several weeks, the Drupal Association has been in listening mode — and we still are. We’re hearing community members say they need clarity and understanding, and that our community governance needs to change. As we process what we’re hearing, we want to find the best way to help the community address the issues being raised, within the boundaries of the Drupal Association charter.
The Drupal Association’s mission is to unite the global community to help build and promote the software. We do that in two very specific ways: DrupalCon and Drupal.org. We’re determining how best to meet the community’s needs as it relates to these two key community homes. In the near future, I will publish blogs with ideas on how we might address the various needs we are hearing.Evolving Community Governance
There is one need that we hear loud and clear that we can address today: The community needs support to evolve community governance structures and processes. Both the community at large, and Dries Buytaert, Project Lead, have expressed this need, and we are glad to see this alignment.
It’s important to note that the Drupal Association has a very limited role in community governance. Our only role in governance stems directly from our charter to manage DrupalCon and Drupal.org.
It’s not within our charter to oversee community governance or drive its evolution. The last thing the Drupal Association wants is to step outside of our charter or accidentally take away the community’s agency in self-organizing to create the new community governance model. However, we do want to facilitate forward movement. And so, we can take a support role.
We hear that many in the community want to come together to talk. We can support this by providing a meeting place (both in person and online), and a mediator for community discussions.
We have asked Whitney Hess, a coach who has worked with the Drupal community before, to facilitate and mediate community discussions, where people can come together to talk about current community issues and explore ideas for improved governance. These discussions will start at DrupalCon Baltimore and continue in a series of online meetings, scheduled at different times so members around the world can participate. [see more details below]
To provide transparency for those who cannot attend the discussion sessions, we will post meeting minutes and summaries from each community discussion here: https://drupal.org/community/discussions.
As facilitator of these community discussions, Whitney Hess will provide a summary to give us a broad perspective on the “voice of the community.” We hope these conversations will ground the community as it begins architecting its new governance model.
Once we have had these discussions we can decide together on the appropriate next steps, and how the Association can help the community continue to move forward, together.Join Community Discussions
We hope you'll join the conversation as these discussions begin. Again, our overarching aim is to support the community so it can be healthy and continue to thrive. We believe that open conversation is essential to the wellbeing of any community and we look forward to hosting Community Discussions mediated by Whitney Hess. Please join fellow community members to talk through recent community issues and to be part of co-creating Drupal’s new governance model.
Here are the discussions you can join. Please note the ground rules below:At DrupalCon Baltimore
Location: Pratt Street Show Office
Tuesday, 12-1pm, max 45 participants
Tuesday, 2:15-3:15pm, max 15
Tuesday, 5-6pm, max 15
Wednesday, 2:15-3:15pm, max 15
Wednesday, 3:45-4:45pm, max 15
Thursday, 10:45-11:45am, max 15
Thursday, 1-2pm, max 45
Sign Up Here: https://events.drupal.org/virtual/community-discussions
Tuesday, May 9: 4pm EDT / 1pm PDT / 9pm BST / 10pm CEST / 6am +1 AEST
Wednesday, May 10: 8am EDT / 1pm BST / 2pm CEST / 5:30pm IST / 10pm AEST
Thursday, May 11: 9:30am EDT / 2:30pm BST / 3:30pm CEST / 7pm IST / 11:30pm AEST
Friday, May 12: 2pm EDT / 11am PDT / 7pm BST / 8pm CEST / 11:30pm IST
Tuesday, May 16: 8pm EDT / 5pm PDT / 10am AEST
Wednesday, May 17: 12pm EDT / 9am PDT / 5pm BST / 6pm CEST / 9:30pm IST
Thursday, May 18: 3pm EDT / 12pm PDT / 8pm BST / 9pm CEST
Key Principles of Nonviolent Communication
Responsibility for Our Feelings: We aim to move away from blame, shame, judgment, and criticism by connecting our feelings to our own needs. This recognition empowers us to take action to meet our needs instead of waiting for others to change.
Responsibility for Our Actions: We aim to recognize our choice in each moment, and take action based on seeing how it would meet our needs to do so; we aim to move away from taking action based on fear, guilt, shame, the desire for reward, or any “should” or “have to.”
Prioritizing Connection: We aim to focus on connection instead of immediate solutions, and to trust that connecting with our own and others’ needs is more likely to lead to creating solutions that meet everyone’s needs.
Equal Care for Everyone’s Needs: We aim to make requests and not demands; when hearing disagreement with our request, or when disagreeing with another’s request, we aim to work towards solutions that meet everyone’s needs, not just our own, and not just the other person’s.
Self-Expression: When expressing ourselves, we aim to speak from the heart, expressing our feelings and needs, and making specific, doable requests rather than demands.
Empathic Hearing: When we hear others, we aim to hear the feelings and needs behind the expressions, even when they express judgments or demands.
Protective Use of Force: We aim to use force only to protect, not to punish others or get our way without the other’s agreement, and only in situations where the principles above were not sufficient to meet immediate needs for safety. We aim to return to dialogue as soon as safety is re-established
How These Ground Rules Work
Ground rules will be stated at the beginning of each session.
If you are not in agreement with the ground rules, please do not participate in the session.
- If a participant is repeatedly disruptive of respectful, productive discussion, they will be asked to leave; if they do not leave, the session will be terminated immediately.
- Advisory ID: DRUPAL-SA-CORE-2017-002
- Project: Drupal core
- Version: 8.x
- Date: 2017-April-19
- CVEID: CVE-2017-6919
- Security risk: 17/25 ( Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default
- Vulnerability: Access bypass
This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:
- The site has the RESTful Web Services (rest) module enabled.
- The site allows PATCH requests.
- An attacker can get or register a user account on the site.
While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
- Drupal 8 prior to 8.2.8 and 8.3.1.
- Drupal 7.x is not affected.
- If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
- If the site is running Drupal 8.3.0, upgrade to 8.3.1.
Also see the Drupal core project page.Reported by
- Alex Pott of the Drupal Security Team
- xjm of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
- Wim Leers
- Sascha Grossenbacher
- Daniel Wehner
- Tobias Stöckler
- Nathaniel Catchpole of the Drupal Security Team
- The Drupal Security team
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
The Drupal Association team is gearing up for DrupalCon Baltimore. We're excited to see you there and we'll presenting a panel giving an update on our work since Dublin, and our plans for the coming months.Drupal.org updates Project application revamp
As we announced in mid-March, new contributors on Drupal.org can now create full projects and releases! Contributors no longer have to wait in the project application queue for a manual review before they are able to contribute projects.
This is a very significant change in the Drupal contribution landscape, and it's something we approached carefully and will continue to monitor over the coming months. Drupal has always had a reputation for a high quality code, and we want to make sure that reputation is preserved with good security signals, project quality signals, and continued incentives for peer code review.
That said, we're very excited to see how this change opens up Drupal to a wider audience of contributors.
Please note that the removal of project applications to create full projects and releases means a change in the security advisory policy (see below for details).Security Advisory Opt-in and new Security Signals for Projects Are you responsible for the security of your clients' Drupal sites?
Please note that Drupal's security advisory coverage policy has changed. Security advisory coverage for contributed projects is now only available for projects that have both opted in to receive coverage and made a stable release. You can see which projects have opted in by checking their project pages. If you have questions, please contact email@example.com.
Because users may now create full projects and releases without opting in to security advisory coverage, it's critically important that we provide good security signals to users evaluating projects on Drupal.org. This is why we've added a security coverage warning to projects that aren't opted in to coverage.
- Opened up the opt-in process, allowing any maintainer of a project (not just the node author) to opt in to receive security advisory coverage
- Added a confirmation step when a user goes to make a stable release - this encourages users to be sure the project is ready for a release, and to opt-in to coverage if they haven't already
- Blocked security advisory opt-in if a project has an open, public security issue
- Started displaying info about public security issues on project pages that haven't opted into advisory coverage
- Added a filter to project browsing pages to make it easier to find projects with supported stable releases
The 2017 elections for the community-at-large seat on the board were held successfully in March. Drupal Association community board elections are conducted with the Instant Runoff Voting system. This voting methodology requires that voters rank their preferred candidates on their ballot, and we've heard that this system has been somewhat unwieldy in the past.
Each year we try to improve the voter experience and so this year we deployed a new drag-and-drop ballot.
Finally, we want to congratulate our newest board member Ryan Szrama!Better international datetime support throughout Drupal.org
Drupal.org has grown organically over the course of more than a decade, and as features have been built out they were not always consistent in their display of datetime information. While it sometimes makes sense to have a few different formats for displaying date and time, many of the formats in use were simply arbitrary historical decisions.
As a quality of life improvement, especially for users outside of the USA, we've standardized the datetime format used on Drupal.org. That format is: DD MMM YYYY - hh:mm (UTC±h). For example: 11 Aug 2016 - 16:42 (UTC+8)DrupalCI CSS Lint check style results
When we implemented coding standards testing in DrupalCI in February we were not able to add CSS Lint testing until the CSSLint configuration file in core was fixed. That issue was fixed in late February and so we added CSSLint to support coding standards testing for CSS at the beginning of March.Cleaning up coding standards results
The addition of coding standards results to DrupalCI means that Drupal.org is now storing even more test data about the code we test on Drupal.org. Our initial implementation of coding standards testing did not include clean up of older results, and so to preserve database space and testing resources, we implemented some clean-up routines in March. In particular we are now:
- Cleaning up all results for closed issues
- For custom one-off tests, keeping results for 30 days to match what is shown on project’s automated testing tab
- For tests triggered on a schedule or commit, keeping the most recent per-environment per-branch, and keeping anything less than 24h old
We experienced some minor Git outages in March, due to malicious authentication attempts. To mitigate these issues in the future, we've implemented fail2ban rules to protect Git authentication. This should improve the stability and uptime of Git services for all developers on Drupal.org.
We want to thank Drupal.org infrastructure volunteer mlhess for his assistance with this.Community Initiatives Contrib Documentation Migration
New tools for Documentation have been available on Drupal.org for more than half a year. While most of the core documentation has been migrated to the new system, we are still encouraging Contrib maintainers to migrate their docs.
To make it easier for contrib project maintainers to migrate their documentation to the new documentation tools, we've made two improvements:
- Maintainers may now attach Documentation guides directly to their project pages.
- The Documentation Guides that a user maintains are now listed on their user profile.
As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:
- CivicActions - *NEW* Supporting Partner
- HS2 Solutions - *NEW* Supporting Partner
- Cheeky Monkey Media - Renewing Supporting Partner
- Cybage Software - Renewing Supporting Partner
- Digital Circus - Renewing Supporting Partner
- Message Agency - Renewing Supporting Partner
- QED42 - Renewing Supporting Partner
- Srijan Technologies - Renewing Supporting Partner
- Evolving Web - Renewing Supporting Partner
- Brightcove - *NEW* Technology Supporter Partner
- SiteGround - Renewing Hosting Supporter Partner
- Smartling - *NEW* Technology Supporter Partner
- Sevaa Group - *NEW* Technology Supporter Partner
If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.
- Advisory ID: DRUPAL-PSA-2017-001
- Project: Drupal core
- Version: 8.x
- Date: 2017-Apr-17
There will be a security release of Drupal 8.3.x and 8.2.x on April 19th 2017 between
17:00 - 18:00 UTC that will fix a critical vulnerability. While we don't normally provide security releases for unsupported minor releases, given the potential severity, the 8.2.x release includes the fix for sites which have not had a chance to update to 8.3.0. The Drupal Security Team urges you to reserve time for core updates at that time because exploits are expected to be developed within hours or days. Security release announcements will appear at the standard announcement locations.
This vulnerability does not affect all Drupal 8 sites; it only affects sites with certain configurations. It requires authenticated user access to exploit. The security release announcement made on April 19th 2017, will make it clear which configurations are affected. If this vulnerability affects your site, you will need to update. Please set aside time on Wednesday to look into this update.
Neither the Security Team, nor Security Team members, nor any Drupal-related company are able to release any more information about this vulnerability until the announcement is made in accordance with our security policies and responsible disclosure best practices.
We provide pre-release warnings when we believe the security risk is high and the steps to exploit are scriptableDrupal 7 core is not affected by this issue. Contact and More Information
The Drupal security team can be reached at security at Drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity.