Drupal news

S'abonner à flux Drupal news
Come for the software, stay for the community Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.
Mis à jour : il y a 55 min 39 sec

A new look for Drupal.org

mer, 09/21/2016 - 22:09

As you can see we've put a fresh coat of paint on Drupal.org - but the changes run below the surface. This latest iteration of the front page brings the key concepts of our design system to the forefront: Clean, Modern, Technical.

This change also brings new editorial tools for Drupal.org content editors. The new home page provides us more flexibility with content and presentation, and so you'll see more frequent updates, more information about DrupalCon, and more editorial flexibility on the home page than you've seen in the past. These tools are also helping us to build cleaner, modern landing pages - like you've just seen with our Fall Membership Campaign.

We've previewed this work with several key members of the community and the board, and we want to say thank you to everyone who's given us their feedback on this first step for our new home page. We also want to give an extra special thank you to dyannenova for her contributions to this effort.

This is just the beginning - very soon we'll have a new visual look for the case studies that are featured on the home page, and then shortly after that we'll begin promoting solutions to Drupal evaluators in specific industries, like Higher Education, Media & Publishing, and Government.

If Drupal.org is the home of the community, than the front page is our front door. We want to welcome new users and evaluators of Drupal, highlight the project's strengths, and promote news and happenings from throughout the ecosystem.

We hope you like the changes, and we think you'll like the upcoming iterations even more. We'd love to hear your feedback!

Drupal 8.1.10 released

mer, 09/21/2016 - 19:33

Drupal 8.1.10, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

See the Drupal 8.1.10 release notes for further information.

Download Drupal 8.1.10

Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. For more information about the Drupal 8.x release series, consult the Drupal 8 overview.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 8 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.

Bug reports

This is the final security release for the 8.1.x series. Future maintenance releases will be made available in the 8.2.x series, according to our monthly release cycle.

Change log

Drupal 8.1.10 is a security release only. For more details, see the 8.1.10 release notes. A complete list of all changes in the upcoming 8.2.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 8.1.10 was released in response to the discovery of security vulnerabilities. Details can be found in the official security advisories:

To fix the security problem, please upgrade to Drupal 8.1.10. (Sites testing the 8.2.x release should update to 8.2.0-rc2.)

Update notes

See the 8.1.10 release notes for details on important changes in this release.

This is the final security release of the 8.1.x series. Sites should prepare to update to 8.2.0 following this release.

Known issues

See the 8.1.10 release notes for known issues.

Can Drupal outdo native applications?

mer, 09/14/2016 - 10:00

Republished from buytaert.net

I've made no secret of my interest in the open web, so it won't come as a surprise that I'd love to see more web applications and fewer native applications. Nonetheless, many argue that "the future of the internet isn't the web" and that it's only a matter of time before walled gardens like Facebook and Google — and the native applications which serve as their gatekeepers — overwhelm the web as we know it today: a public, inclusive, and decentralized common good.

I'm not convinced. Native applications seem to be winning because they offer a better user experience. So the question is: can open web applications, like those powered by Drupal, ever match up to the user experience exemplified by native applications? In this blog post, I want to describe inversion of control, a technique now common in web applications and that could benefit Drupal's own user experience.

Native applications versus web applications

Using a native application — for the first time — is usually a high-friction, low-performance experience because you need to download, install, and open the application (Android's streamed apps notwithstanding). Once installed, native applications offer unique access to smartphone capabilities such as hardware APIs (e.g. microphone, GPS, fingerprint sensors, camera), events such as push notifications, and gestures such as swipes and pinch-and-zoom. Unfortunately, most of these don't have corresponding APIs for web applications.

A web application, on the other hand, is a low-friction experience upon opening it for the first time. While native applications can require a large amount of time to download initially, web applications usually don't have to be installed and launched. Nevertheless, web applications do incur the constraint of low performance when there is significant code weight or dozens of assets that have to be downloaded from the server. As such, one of the unique challenges facing web applications today is how to emulate a native user experience without the drawbacks that come with a closed, opaque, and proprietary ecosystem.

Inversion of control

In the spirit of open source, the Drupal Association invited experts from the wider front-end community to speak at DrupalCon New Orleans, including from Ember and Angular. Ed Faulkner, a member of the Ember core team and contributor to the API-first initiative, delivered a fascinating presentation about how Drupal and Ember working in tandem can enrich the user experience.

One of Ember's primary objectives is to demonstrate how web applications can be indistinguishable from native applications. And one of the key ideas of JavaScript frameworks like Ember is inversion of control, in which the client side essentially "takes over" from the server side by driving requirements and initiating actions. In the traditional page delivery model, the server is in charge, and the end user has to wait for the next page to be delivered and rendered through a page refresh. With inversion of control, the client is in charge, which enables fluid transitions from one place in the web application to another, just like native applications.

Before the advent of JavaScript and AJAX, distinct states in web applications could be defined only on the server side as individual pages and requested and transmitted via a round trip to the server, i.e. a full page refresh. Today, the client can retrieve application states asynchronously rather than depending on the server for a completely new page load. This improves perceived performance. I discuss the history of this trend in more detail in this blog post.

Through inversion of control, JavaScript frameworks like Ember provide much more than seamless interactions and perceived performance enhancements; they also offer client-side storage and offline functionality when the client has no access to the server. As a result, inversion of control opens a door to other features requiring the empowerment of the client beyond just client-driven interactions. In fact, because the JavaScript code is run on a client such as a smartphone rather than on the server, it would be well-positioned to access other hardware APIs, like near-field communication, as web APIs become available.

Inversion of control in end user experiences

When a user clicks a teaser image on the homepage of an Ember-enhanced Drupal.com, the page seamlessly transitions into the full content page for that teaser, with the teaser image as a reference point, even though the URL changes.

In response to our recent evaluation of JavaScript frameworks and their compatibility with Drupal, Ed applied the inversion of control principle to Drupal.com using Ember. Ed's goal was to enhance Drupal.com's end user experience with Ember to make it more application-like, while also preserving Drupal's editorial and rendering capabilities as much as possible.

Ed's changes are not in production on Drupal.com, but in his demo, clicking a teaser image causes it to "explode" to become the hero image of the destination page. Pairing Ember with Drupal in this way allows a user to visually and mentally transition from a piece of teaser content to its corresponding page via an animated transition between pages — all without a page refresh. The animation is very impressive and the animated GIF above doesn't do it full justice. While this transition across pages is similar to behavior found in native mobile applications, it's not currently possible out of the box in Drupal without extensive client-side control.

Rather than the progressively decoupled approach, which embeds JavaScript-driven components into a Drupal-rendered page, Ed's implementation inverts control by allowing Ember to render what is emitted by Drupal. Ember maintains control over how URLs are loaded in the browser by controlling URLs under its responsibility; take a look at Ed's DrupalCon presentation to better understand how Drupal and Ember interact in this model.

These impressive interactions are possible using the Ember plugin Liquid Fire. Fewer than 20 lines of code were needed to build the animations in Ed's demo, much like how SDKs for native mobile applications provide easy-to-implement animations out of the box. Of course, Ember isn't the only tool capable of this kind of functionality. The RefreshLess module for Drupal by Wim Leers (Acquia) also uses client-side control to enable navigating across pages with minimal server requests. Unfortunately, RefreshLess can't tap into Liquid Fire or other Ember plugins.

Inversion of control in editorial experiences

In CardStack Editor, an editorial interface with transitions and animations is superimposed onto the content page in a manner similar to outside-in, and the editor benefits from an in-context, in-preview experience that updates in real time.

We can apply this principle of inversion of control not only to the end user experience but also to editorial experiences. The last demos in Ed's presentation depict CardStack Editor, a fully decoupled Ember application that uses inversion of control to overlay an administrative interface to edit Drupal content, much like in-place editing.

CardStack Editor communicates with Drupal's web services in order to retrieve and manipulate content to be edited, and in this example Drupal serves solely as a central content repository. This is why the API-first initiative is so important; it enables developers to use JavaScript frameworks to build application-like experiences on top of and backed by Drupal. And with the help of SDKs like Waterwheel.js (a native JavaScript library for interacting with Drupal's REST API), Drupal can become a preferred choice for JavaScript developers.

Inversion of control as the rule or exception?

Those of you following the outside-in work might have noticed some striking similarities between outside-in and the work Ed has been doing: both use inversion of control. The primary purpose of our outside-in interfaces is to provide for an in-context editing experience in which state changes take effect live before your eyes; hence the need for inversion of control.

Thinking about the future, we have to answer the following question: does Drupal want inversion of control to be the rule or the exception? We don't have to answer that question today or tomorrow, but at some point we should.

If the answer to that question is "the rule", we should consider embracing a JavaScript framework like Ember. The constellation of tools we have in jQuery, Backbone, and the Drupal AJAX framework makes using inversion of control much harder to implement than it could be. With a JavaScript framework like Ember as a standard, implementation could accelerate by becoming considerably easier. That said, there are many other factors to consider, including the costs of developing and hosting two codebases in different languages.

In the longer term, client-side frameworks like Ember will allow us to build web applications which compete with and even exceed native applications with regard to perceived performance, built-in interactions, and a better developer experience. But these frameworks will also enrich interactions between web applications and device hardware, potentially allowing them to react to pinch-and-zoom, issue native push notifications, and even interact with lower-level devices.

In the meantime, I maintain my recommendation of (1) progressive decoupling as a means to begin exploring inversion of control and (2) a continued focus on the API-first initiative to enable application-like experiences to be developed on Drupal.

Conclusion

I'm hopeful Drupal can exemplify how the open web will ultimately succeed over native applications and walled gardens. Through the API-first initiative, Drupal will provide the underpinnings for web and native applications. But is it enough?

Inversion of control is an important principle that we can apply to Drupal to improve how we power our user interactions and build robust experiences for end users and editors that rival native applications. Doing so will enable us to enhance our user experience long into the future in ways that we may not even be able to think of now. I encourage the community to experiment with these ideas around inversion of control and consider how we can apply them to Drupal.

Special thanks to Preston So for contributions to this blog post and to Angie ByronWim LeersKevin O'LearyMatt Grill, and Ted Bowman for their feedback during its writing.

What's new on Drupal.org? - August 2016

mar, 09/13/2016 - 17:44

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

Our latest update about Drupal.org comes as the Drupal Association has moved out of our central office in Portland, OR, and gone to an all-distributed team. A move of that sort always creates some upheaval but amidst the move we've continued to push forward on several initiatives to improve Drupal.org.

At the same time we've been pushing forward towards DrupalCon Dublin at the end of September- and we hope to see you there!

Drupal.org updates A new home page, coming soon

As we recently previewed on the Drupal.org blog, some changes are coming to the home page. We're building some new editorial tools to allow for more flexibility with the home page content, and to enable an increased focus on the adoption journey for visitors to Drupal.org. You'll see styles reminiscent of the Drupal 8 release announcement pages, and a continued modernization of theme.

The launch of the new home page is coming soon, but as a precursor we've been making some small improvements. The new user menu which we launched in July has been updated for better keyboard accessibility, and to show a user picture as an indicator that a user has logged in. We've also moved the search feature into an icon in the top navigation. This gives us more flexibility with the header, which can be customized per-page type or per-section with the overall site search box still being present. For example, the header in the new documentation section features search box specific to this particular section, so while you are there you can search for other documentation without having to go through the full-site search and then filtering down. Lastly, we've merged the 'Get Started' and 'Download & Extend' pages. 90% of the content on these pages was duplicated with each other - and the new page presents a cleaner experience with the essential details needed for getting started with Drupal.

The new front page is beginning editorial review, with the help of DA staff, a marketing task-force from the Drupal Association board, and a few key community members.

We've also just launched our fall membership campaign, and we've used this opportunity to beta test some of these new editorial tools to build the campaign landing page. Your support makes our work possible. Thank you!

Documentation

There's some news to report on the documentation front as well. Firstly, as mentioned above, we've updated the header of the documentation section to default to a documentation-specific search box. While not so important for other areas of the site,, we want to preserve and improve the highly-visible, in context search for Documentation.

We've also made some updates to the new system for Documentation maintainers. Authors of new documentation guides will now automatically become maintainers of those guides and automatically 'follow' the guide content so that they will receive notifications of activity in that guide. Any user following a guide can modify notifications settings at any time from their user profile. Within the notification settings a user can select their prefered method of receiving updates - via email or via their tracker page.

Tvn has continued to spearhed the migration of documentation from the old book pages, to our new documentation system.

We have completed the migration of the majority of the 'general' documentation. While that is done, there is still a lot of work to do to make the documentation content better using the new tools that are now available.

We need community volunteers to take on small sub-sets of documentation to clean them up post-migration and to maintain going forward.

If you don't want to commit to maintaining a guide, you can still help out by doing some of the pending tasks for any of the documentation pages.

Lastly, if any Drupal developers are interested in contributing code to the new documentation system to clean up a few minor bugs and features, please contact tvn. And if you are going to be at DrupalCon Dublin, consider joining us at the sprints!

Quality of Life Improvements

We also took the time in August to make a few quality of life improvements, both for our end users, and for our own team. Firstly, we've made it easier than ever to download a copy of your invoice for DrupalCon. Any user can now log into events.Drupal.org and any time, go to "My Account" -> "Orders" and download a pdf of their invoice for any past event. If your company is sending you to DrupalCon, this makes the process easier than ever. (And if they're not, here are some tools to convince your boss!)

Behind the scenes, we've made some additional improvements to our sophisticated spam prevention system, which focuses on preventing bad actors from even registering on Drupal.org in the first place. For those few bad actors that do get through, the system is also tuned to allow us to prevent those users from making multiple account registrations, as one of the primary methods for targeting Drupal.org in the past has been to make a large number of 'sleeper' account registrations that can be later updated with spam links. Unfortunately, on rare occasions this tool can make it difficult for legitimate users to register an account, so we've updated the system with a whitelisting system that allows legitimate to register, without opening the floodgates to the bad actors.

Infrastructure Virtualization and better Drupal.org dev sites

On the infrastructural side we've been focused on improving the maintainability, stability, and portability of our infrastructure with our smaller engineering team. In particular we've been focusing on virtualizing all the components of our infrastructure.

In August in particular we completed the virtualization of pre-production services. We've optimized the snapshotting and whitelisting process that allows us to create staging and development environments to make that process more efficient and easier to manage. We've also replaced our drupal.org dev site architecture with a new architecture that is no longer vulnerable to docker-fs faults which have multiple times resulted in data loss on our development environments. Drupal.org contributors who've been affected by dev site fragility should find dev sites to be much more robust moving forward.

Community Initiative Updates

Finally, here are some updates on our active community initiatives. Community initiatives are a collaboration; with dedicated community volunteers building improvements to Drupal.org with the architectural guidance and oversight of the Drupal Association engineering team.

Drupal 8 User Guide

The Drupal.org user guide is an effort lead by jhodgdon and a number of other contributors to create a highly produced, tightly editorially controlled guide to using Drupal 8. This user guide has been written to the standard of an industry publication, and uses a custom editorial workflow with git + asciidoc. Jhodgdon has been building out functionality to publish the user guide to a Documentation guide on Drupal.org.

Security

A few interrelated initiatives are in progress to improve how information about project security is displayed on Drupal.org. Mlhess has been working on a new security advisory content type for Drupal.org, which will allow security advisory content to be more easily related to project releases, among other things.

With the input and collaboration of quite a few community members, including the security working group, we've also deployed an update to project pages.

This update adds a shield icon next to stable releases. This shield icon indicates which releases are covered by the security advisory policy. This small change is also part of the groundwork for a project application revamp.

Community initiatives are not work that the Drupal Association can tackle on our own. Our mandate requires us to remain focused. That said, whenever the community has arrived at a strong plan and individual volunteers are ready to contribute code, the engineering team can provide architectural advice, code review, and deployment support.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects.

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra