On April 15th, a change to a Drupal.org website permission inadvertently allowed a small segment of users to view a report listing the email addresses of recently logged in users. No passwords were involved. The problem was mitigated within 13 hours of being introduced and within 3 hours of being reported. The problem was completely resolved within 24 hours of introduction. The number of affected email addresses is relatively small – fewer than 500. Those users are being contacted directly if their email was affected. Users with maintainer access or the community role and above were not affected by this incident.
The users with permission to see this report were limited to community members that have shown frequent contribution to Drupal.org. The possible exposure time was also limited to between April 15, 2015 20:53 UTC to April 16, 2015 9:00 UTC. There were approximately 44 IP addresses that accessed the information during that time. These users are mostly administrators of Drupal.org and the community members who first reported the incident.
Even though the exposure of email addresses was limited as described above, we recommend that all users be cautious of any email that asks for personal information.
We want to thank the community members who moved quickly to alert the Drupal Security and Drupal.org infrastructure teams about the problem.
Front page news: Drupal News
Drupal version: Drupal 7.x
The first initiative on the Drupal.org 2015 roadmap is ‘Better account creation and login’. One of the listed goals for that initiative is “Build a user engagement path which will guide users from fresh empty accounts to active contributors, identifying and preventing spammers from moving further.” This is something Drupal Association team has been focusing on in the last few weeks.
The first change we rolled out a few days ago was a ‘new’ indicator on comments from users whose Drupal.org accounts are fewer than 90 days old. The indicator is displayed on their profile page as well. We hope this will help make conversations in the issue queues and forum comments more welcoming, as people will be able to easily see that someone is new, and probably doesn’t know yet a lot about the way community works.
Today we are taking another step towards making Drupal.org a more welcoming environment for new users. But first, a bit of background.
New users and spam
It is not a surprise for anyone that a big number of user accounts registering on the site are spam accounts. To fight that and prevent spam content from appearing on Drupal.org, we have a number of different tools in place. Of course, we don’t want these tools to affect all active, honest users of the site, and make their daily experience more difficult. To separate users we are sure about from those we aren’t sure about yet, we have a special ‘confirmed’ user role.
All new users start without such a role. Their content submissions are checked by Honeypot and Mollom, their profiles are not visible to anonymous visitors of the site, and the types of content they may create are limited. Once a user receives a ‘confirmed’ role, his or her submissions will not be checked by spam fighting tools anymore; their profile page will be visible to everyone, and they will be able to create more different types of content on the site.
This system works pretty well, and our main goal is to ensure that valid new users get the ‘confirmed’ role as quickly as possible, to improve their experience and enable them to fully participate on the site.
The best way to identify someone as not a spammer is to have another human look at the content they post and confirm they are not a spammer. Previously, we had a very limited number of people who could do that: about 50. Because of that, it usually took quite some time for a new user to get the role. This was especially noticeable during sprints.
Today we’d like to open the process of granting the ‘confirmed’ role to the thousands of active users on the site.
‘Community’ user role
Today, we are introducing a new ‘Community’ role on the site. It will be granted automatically to users who have been around for some time and have reached a certain level of participation on Drupal.org. Users who have this role will be able to ‘confirm’ new users on the site. They will see a small button on the comments and user profile of any user who has not yet been confirmed. If you are one of the users with the ‘Community’ role, look out for this new Confirm button, and when you see one next to a user, take another look at what the person posted. If their content looks valid, just click ‘confirm’. By doing so, you will empower new users to fully participate on Drupal.org and improve their daily experience on the site.
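To show how the two-tier scheme described above (unconfirmed accounts limited until a trusted ‘Community’ user confirms them) fits together in Drupal 7, here is an added example in the form of a small custom module. It is not Drupal.org’s own code; the module name `dorg_trust`, the role machine names, the permission name ‘confirm users’ and the list of content types allowed for unconfirmed accounts are all assumptions. Profile visibility and the Honeypot/Mollom bypass are not shown; in practice those are handled by granting the ‘confirmed’ role the relevant bypass permissions in the spam modules’ own settings.

```php
<?php
/**
 * Hypothetical Drupal 7 module "dorg_trust" (example only, not Drupal.org code).
 * Models the trust scheme: an account without the 'confirmed' role is limited,
 * and only users holding the 'confirm users' permission (given to the
 * 'community' role in the permissions UI) may lift that limit.
 */

define('DORG_TRUST_CONFIRMED_ROLE', 'confirmed'); // assumed role machine name
define('DORG_TRUST_COMMUNITY_ROLE', 'community'); // assumed role machine name

/**
 * Implements hook_permission().
 * The confirm action is gated by Drupal's normal permission system, so it
 * can be granted to exactly one role (the 'community' role) and audited.
 */
function dorg_trust_permission() {
  return array(
    'confirm users' => array(
      'title' => t('Confirm new users as non-spammers'),
      'restrict access' => TRUE, // flagged in the UI as security-sensitive
    ),
  );
}

/**
 * Returns TRUE if the account carries the 'confirmed' role.
 * $account->roles is keyed by role id with the role name as value.
 */
function dorg_trust_is_confirmed($account) {
  return in_array(DORG_TRUST_CONFIRMED_ROLE, $account->roles, TRUE);
}

/**
 * Grants the 'confirmed' role to $target on behalf of $confirmer.
 * The permission is re-checked here so a UI bug in the button cannot
 * become a privilege escalation; every confirmation is logged.
 */
function dorg_trust_confirm_user($target, $confirmer) {
  if (!user_access('confirm users', $confirmer)) {
    return FALSE;
  }
  if (dorg_trust_is_confirmed($target)) {
    return TRUE; // idempotent: nothing to do
  }
  $rid = array_search(DORG_TRUST_CONFIRMED_ROLE, user_roles(), TRUE);
  if ($rid === FALSE) {
    return FALSE; // role not configured on this site
  }
  $roles = $target->roles + array($rid => DORG_TRUST_CONFIRMED_ROLE);
  user_save($target, array('roles' => $roles));
  // Audit trail: who confirmed whom, so a mistaken confirmation can be traced.
  watchdog('dorg_trust', 'User %confirmer confirmed user %target.',
    array('%confirmer' => $confirmer->name, '%target' => $target->name),
    WATCHDOG_NOTICE);
  return TRUE;
}

/**
 * Implements hook_node_access().
 * Unconfirmed accounts may only create a restricted set of content types.
 * For $op === 'create', $node is the content type machine name.
 */
function dorg_trust_node_access($node, $op, $account) {
  $allowed_for_unconfirmed = array('forum'); // assumption for the example
  if ($op === 'create' && !dorg_trust_is_confirmed($account)) {
    $type = is_string($node) ? $node : $node->type;
    if (!in_array($type, $allowed_for_unconfirmed, TRUE)) {
      return NODE_ACCESS_DENY;
    }
  }
  return NODE_ACCESS_IGNORE; // defer to other modules and node permissions
}
```

The design point worth noting is that the confirm button itself carries no authority: the server-side `user_access('confirm users', $confirmer)` check in `dorg_trust_confirm_user()` is what decides, and the `watchdog()` entry gives the infrastructure team a record to review if a spammer is ever confirmed by mistake.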
We expect to have at least 10,000 active users with the ‘Community’ role. With so many people able to grant the ‘confirmed’ role, new users should be confirmed faster than ever before.
If you aren’t sure if you have the ‘community’ role or not, don’t worry. We will send an email notification to every user whose account receives the new role. The email will have all the information about the role and how to use it.
Thanks for helping us make Drupal.org a better place!
One of the Drupal Association's primary missions is to grow the adoption of Drupal. We are about to launch a new program on April 15th called Try Drupal. The program will make it easy and fast for evaluators to try Drupal and have a simple, great experience while on Drupal.org.
We’ve created Try Drupal with our Premium Hosting Supporters to make it easier for CMS evaluators and Drupal.org newcomers to test and work with a Drupal demo site. The Program will showcase a selection of Hosting Companies where a new user can quickly (in less than 20 minutes) sign up and have a Drupal demo site up and running for them to use for free.
This is part of the Drupal Association’s initiative to develop a new revenue stream through advertising programs on Drupal.org. This revenue will help fund various site initiatives by the Association to improve Drupal.org performance, and make it easier to use and more secure. After interviewing many members of the community, we determined that new advertising products should be useful to Drupal.org visitors, support our mission to grow the adoption of Drupal, and should not interfere with visitors contributing to the project.
To ensure a positive Drupal experience, partners need to adhere to the following guidelines:
- Users are directed to a self-serve sign up platform
- Users can create a free account for the demo site that accommodates a trial installation of Drupal 7 or 8
- Users can create a website in 20 minutes or less
- The demo site should be available to the user for a minimum of one day upon sign up
- The partner cannot include a paywall or require a credit card upon sign up
The Try Drupal program will be featured on the homepage of Drupal.org. It will launch with a larger iterative change to the homepage, with an emphasis on helping users move from newcomer, to learner, to skilled Drupal community members.
It’s important that we fund Drupal.org improvements, and that we do so in a responsible way that respects the community. We anticipate rolling out more key advertising programs throughout 2015; stay tuned for more updates. Thanks for taking the time to read about our initiatives, and please tell us your thoughts!