Yesterday, the City of Boston launched its new website, Boston.gov, on Drupal. Not only is Boston a city well-known around the world, it has also become my home over the past 9 years. That makes it extra exciting to see the city of Boston use Drupal.
As a company headquartered in Boston, I'm also extremely proud to have Acquia involved with Boston.gov. The site is hosted on Acquia Cloud, and Acquia led a lot of the architecture, development, and coordination. I remember pitching the project in the basement of Boston's City Hall, so seeing the site launched less than a year later is quite exciting.
The project was a big undertaking, as the old website was 10 years old and running on Tridion. The city's digital team, Acquia, IDEO, Genuine Interactive, and others all worked together to reimagine how a government can serve its citizens better digitally. It was an ambitious project as the whole website was redesigned from scratch in 11 months; from creating a new identity, to interviewing citizens, to building, testing and launching the new site.
Along the way, the project relied heavily on feedback from a wide variety of residents. The openness and transparency of the whole process was refreshing. Even today, the city made its roadmap public at http://roadmap.boston.gov and is actively encouraging citizens to submit suggestions. This open process is one of the many reasons why I think Drupal is such a good fit for Boston.gov.
More than 20,000 web pages and one million words were rewritten in a more human tone to make the site easier to understand and navigate. For example, rather than organize information primarily by department (as is often the case with government websites), the new site is designed around how residents think about an issue, such as moving, starting a business or owning a car. Content is authored, maintained, and updated by more than 20 content authors across 120 city departments and initiatives.
The new Boston.gov is absolutely beautiful, welcoming and usable. And, like any great technology endeavor, it will never stop improving. The City of Boston has only just begun its journey with Boston.gov—I’m excited see how it grows and evolves in the years to come. Go Boston!
Last night, there was a launch party to celebrate the launch of Boston.gov. It was an honor to give some remarks about this project alongside Boston mayor, Marty Walsh (pictured above), as well as Lauren Lockwood (Chief Digital Officer of the City of Boston) and Jascha Franklin-Hodge (Chief Information Officer of the City of Boston).
Drupal 8.1.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.
See the Drupal 8.1.7 release notes for further information.Download Drupal 8.1.7
Upgrading your existing Drupal 8 sites is strongly recommended. There are no new features nor non-security-related bug fixes in this release. For more information about the Drupal 8.1.x release series, consult the Drupal 8 overview.Security information
We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.
Drupal 8 includes the built-in Update Manager module, which informs you about important updates to your modules and themes.Bug reports
Drupal 8.1.x is actively maintained, so more maintenance releases will be made available, according to our monthly release cycle.Change log
Drupal 8.1.7 was released in response to the discovery of security vulnerabilities. Details can be found in the official security advisories:
To fix the security problem, please upgrade to Drupal 8.1.7.Update notes
See the 8.1.7 release notes for details on important changes in this release.Known issues
See the 8.1.7 release notes for known issues.
- Advisory ID: DRUPAL-SA-2016-002
- Project: Drupal core
- Version: 8.x
- Date: 2016-July-18
- Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Proof/TD:Default
- Vulnerability: Injection
Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.
- Drupal core 8.x versions prior to 8.1.7
Install the latest version:
- If you use Drupal 8.x, upgrade to Drupal core 8.1.7
- If you use Drupal 7.x, Drupal core is not affected. However you should consider using the mitigation steps at https://httpoxy.org/ since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess:
<IfModule mod_headers.c> RequestHeader unset Proxy </IfModule>
We also suggest mitigating it as described here: https://httpoxy.org/
Also see the Drupal core project page.What if I am running Drupal core 8.0.x?
Drupal core 8.0.x is no longer supported. Update to 8.1.7 to get the latest security and bug fixes.Why is this being released Monday rather than Wednesday?
The Drupal Security Team usually releases Security Advisories on Wednesdays. However, this vulnerability affects more than Drupal, and the authors of Guzzle and reporters of the issue coordinated to make it public Monday. Therefore, we are issuing a core release to update to the secure version of Guzzle today.Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurityFront page news: Planet DrupalDrupal version: Drupal 8.x
- Advisory ID: DRUPAL-PSA-2016-002
- Project: Drupal
- Version: 8.x
- Date: 2016-July-17
- Security risk: TBD
- Vulnerability: TBD
We will be doing a Drupal 8 core patch release on Monday, July 18th. This will occur between 14:15 UTC and 19:00 UTC.
There will not be a Drupal 7 release during this window.Why is this release being issued?
The Drupal security team has learned that a third-party Drupal 8 dependency will be making a security release on Monday, July 18th and in accordance we will be making a Drupal 8 release soon after. We will not disclose details of the third-party update in advance of that release and cannot respond to requests for further information. This security release is for the dependency only and does not affect Drupal 7 sites. Other mitigating factors will be included with our published SA.What about the regularly scheduled release window on Wednesday, July 20?
We are moving the regularly scheduled window two days earlier to provide the third-party dependency update, so this replaces that window.
There will not be another core release on Wednesday, July 20th.Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurityDrupal version: Drupal 8.x
Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.
In June the Drupal Association had our annual staff retreat, where the remote team members joined the Portland, OR team for a three day retreat. This year's retreat was particularly important as we found our feet as a smaller, leaner team, and focused on our organizational roadmap for the next twelve months.
For the engineering team in particular, our focus will be on maintaining the critical systems that make project successful: issue queues, updates, testing, packaging, etc, while at the same time finding new ways to support and enable Drupal's evolution.
These were some heady days, but even as we worked through the best ways to continue serving the Drupal community on a strategic level in June, we also found the time to keep making Drupal.org a better home.Drupal.org updates Documentation Migration
A long running initiative this year has been the creation of a new Documentation system for Drupal.org, a topic we've touched on in many prior updates as it has begun to come online. We are very happy to say that we are moving to the next stage of the documentation project: moving from development to migration.
In June tvn recruited several volunteers to join our documentation migration team, and to become some of the first maintainers for the new Documentation Guides. General documentation, such as Understanding Drupal, Structure Guide, etc. will be migrated first. Documentation for contributed projects will follow in the coming weeks.
Maintainers of contributed projects, who currently have their documentation on Drupal.org, will be added as maintainers to respective documentation guides and are encouraged to clean/tidy up their documentation post-migration.
if you are interested in helping, or sign up as a maintainer for some of the new documentation guides.Composer Repositories are now in Beta
Drupal.org's Composer repositories allow developers building sites with Drupal to use the Composer command line tool for dependency management. In June we collected feedback from a variety of users, as well as the community volunteers who assisted us with the Composer Community Initiative.
We spent the month iterating quickly on the alpha implementation: fixing bugs and rebuilding the meta data to ensure that users get consistent and expected results. Because of those fixes, and after gathering yet more feedback from the community, we were able to move the Drupal.org Composer repositories to beta.
We encourage you to begin transitioning your composer based workflows to use Drupal.org's composer facade. Package names are stable, and downtimes will be planned and announced. For more information on how to use Drupal.org's Composer repositories, read our documentation.Better issue credit tools for maintainers
The Drupal.org issue credit system is a unique innovation of our community. By allowing users to attribute their contributions as volunteers, to their employers, or to client customers, we have an insight into the contribution ecosystem for Drupal that is unparalleled among open source projects. We've also already seen the impact of incentivizing organizations to give back to Drupal, by using the credit system as the basis for organization rankings in the marketplace.
In June we added two new tools for maintainers to improve how they grant credit to users. Firstly, maintainers can now deselect the automatic credit attribution for users who have submitted patches. This change was important to prevent gaming the credit system. Secondly, we've given the maintainers the ability to credit users who have not commented in the issue. Whether that help was provided in IRC, Slack, on a video call, or in a sprint room, maintainers can now ensure that those users who helped resolve an issue receive credit for their contributions. Any user who is credited this way can edit their credit attribution if they want to extend that attribution to a supporting organization or customer.Friendly path aliases for release nodes
We also made a relatively small change that will have a big impact. Path auto is now enabled for project releases, so you for any project a specific release can now be found at:
And you can also find a list of all the releases for a project at:
Take, for example, the Token module:
You can find the complete index of releases for this project at: https://www.drupal.org/project/token/releases and individual releases now have friendly urls, like this one: https://www.drupal.org/project/token/releases/8.x-1.0-alpha2Spam Fighting Improvements
Fighting spam on Drupal.org is a never ending battle, but in June we deployed a refinement to our spam fighting tools that helps us to find patterns in registration behavior and prevent spam registrations before they've even started. After flipping on our latest iteration of this spam fighting tool we saw an immediate and dramatic drop-off in suspicious account registrations. With the additional data we've been able to collect we already see ways to improve this even further, so we hope to continue make Drupal.org a cleaner home for the community.Highlighting Supporting Technologies
Drupal is many things to many different people, but one central function of Drupal is to be the hub of interconnected and complementary technologies. Several of the companies that build these technologies have chosen to support the Drupal project by becoming supporters. To better highlight some of these supporting technologies that work well with Drupal, we've added a supporting technologies listing to the marketplace.Sustaining support and maintenance DrupalCon
DrupalCon Dublin is coming up soon, from September 26 - 30th. This year we smashed all our previous records for session submissions, and the caliber of speakers and topics is higher than ever before.
In June we opened registration for the event. We encourage you to buy your tickets now! Early bird registration will end soon.Infrastructure
Infrastructure is the bedrock of Drupal.org - and we're continuing to tune the infrastructure for efficiency, economy, and performance. Alongside the launch of registration for DrupalCon Dublin, we implemented APDQC to improve the performance of the Events website under heavy load.
We've also been upgrading our configuration management from Puppet 3 to Puppet 4, and continuing to standardize our configuration across all of our environments to make our infrastructure durable, consistent, and portable.
As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects.
If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.