Software

Acquia: PHP is getting Faster

Drupal Planet - Mon, 2014-11-03 18:05

Competition is helping to drive big performance gains in PHP. Alternative ways of running PHP are becoming viable and with them is coming accelerated speed.

Categories: Software

OhTheHugeManatee: Drupalgeddon: Best Practices Aren't Good Enough Anymore

Drupal Planet - Mon, 2014-11-03 17:30

Last week’s Public Service Announcement from the Drupal security team caused a lot of attention. And rightfully so – it told us that the vast majority of Drupal 7 sites around the world are considered compromised. A mere 7 hours after critical security patch SA-CORE-2014-005 was released, robots were spotted in the wild, bulk-hacking Drupal 7 sites with this vulnerability. This is something that’s never happened to the Drupal community before, and it is extremely serious. In some way it’s our own version of Heartbleed and other highly-publicized critical vulnerabilities in open source software.

This issue should not reflect badly on the Drupal community, or the Drupal product at all. Vulnerabilities happen to every software project – particularly the large and complex ones like Drupal! In this case it was the result of a choice in the database abstraction layer to use emulated prepared statements. There’s a great dissection of the whole vulnerability at ircmaxell, but the point here is that it was an intentional decision. We were aware of a theoretical security risk, just as we are in making lots of decisions. But theoretical risks don’t mean much compared with real, measurable losses from the available alternatives. As I said before, this can happen to any software project, and Drupal is a relatively responsible, well written one. What’s interesting now, is the response.

First of all, I am amazed to read responses from many Drupal users who are panicked at having to run a diff of their sites, because they don’t have appropriate tools in place. If you are developing without a VCS and automated backups, you are doing more harm than good. Just stop. Take a week to learn the basic requirements of a development environment, and start employing them. End of story.

I’m not concerned for those people – their sites were disasters waiting for an excuse anyway. What’s frightening about this particular situation is that even if you are working with backups and a VCS, even if you patch critical security vulnerabilities on an aggressive schedule, it still wasn’t good enough.

All of my Drupal 7 sites are affected by this PSA. I work for a large, well-respected agency, with access to leading-edge workflows and tools. We follow best practices. All of my sites are secured well beyond PCI requirements. But PCI requirements say that critical security patches have to be applied within 30 days of release. Our best practices include patch review from the tech lead, and validating patches on test environments before pushing them live. With only 7 hours between patch release and exploits in the wild, there isn’t time for any of that.

I’ve heard people complain that it’s too difficult to update Drupal. “drush up —security-only” seems pretty simple to me, or at least simple enough that further simplification won’t address the real problem. That’s because the real problem isn’t that it’s difficult to apply updates – it’s that a human be ing has to initiate them. I live in the Central European timezone, GMT+6. The patch was released at 10PM for me, and bots were exploiting it by 5AM the following morning. I went to work that day and initiated the patching process, so that my patches could be “responsibly” deployed to live with 24-48 hours of client validation time on my dev and staging environments. Despite being relatively on top of patches and responding relatively quickly, the fact that I’m human, and my clients are human, meant we never stood a chance of patching this issue fast enough. Even if we skipped validation, and even if the update process was just one button (rather than two commands), we would still have failed to update in time. I find myself reminded of the Battlestar Galactica pilot, where the Cylon robots are chasing the humans. After each hyperspace jump, the humans have 33 minutes to complete the calculations for another jump before the machines catch up with them. After 130 hours and 237 jumps, it becomes apparent that the humans’ need for sleep is a critical vulnerability.

The only solution is automated patching. It’s hard to figure out a workflow that allows it; indeed you’re forced into post-hoc testing, which means engineering an easy rollback solution. The truth is that 99% of security patches will not affect any of the functionality you’ve customized or upon which you rely, so hopefully this will be an edge case. But it’s a problem that actually has to be addressed. Here’s how I’m adapting my own projects over the coming weeks:

Every wednesday, every hour, my Jenkins instance runs a script which checks modules and core for each project for security updates. When an update is available, it automatically creates a branch off of Stable (my staging branch), applies the updates, and pushes the result up to the server. My git scripts already create a new subdirectory environment for every pushed branch. Once the environment is ready, Jenkins runs all available behat tests against the new branch. If all tests pass, the branch is automatically merged back into Master, Stage, and Live, and pushed. This push operation triggers a normal Jenkins deployment, which takes a backup anyway. An email is generated to the project administrator advising them which security updates were automatically applied, and linking to the relevant changefiles.

I’m excited about implementing this new layer of automation, because it builds on the best practice workflows I already like (test driven development, git flow VCS organization, automated deployment and backups…) to produce a tangible time savings and security improvement for my sites. At the same time, I can’t say that this is something I recommend for EVERYONE, precisely because it requires such a high level of environment maintenance. When you’re a one-person development shop, it’s hard to afford the time to set up the perfect development environment. It’s hard to convince those bottom-of-the-food-chain clients to pay for things like automated testing and deployment. And certainly once you have those things set up, you don’t get paid for maintaining them!

I’m going to be keeping my eyes open for better solutions that can be applied by the “developer on the street.” Something relatively easy, but which allows the same kind of automated, fast response time for security patches. I’m interested in any ideas you want to post in the comments!

Categories: Software

Phase2: Learn The Hard Things About Project Management At BADCamp!

Drupal Planet - Mon, 2014-11-03 16:53

I’ll be giving a talk at BadCamp called “Mistakes I have Made: Collected Project Management Failures.” It’ll be funny, and true, and probably reference a few different stories from the past. However, when I look at what the real truth is to a talk about project management mistakes, I go to the source. What are the hardest things about project management?

If you google this, you’re likely to get the answer of ‘everything’.

For me, when I look at this, I separate this out into five different areas of hard:

  1. Team
  2. Clients
  3. Services
  4. Alignment / Mission  
  5. General Sucking: Hard decisions

1. Team

Around the area of team, I think this is one of the biggest things that you’re hired to watch over as a project manager. It’s your job to make sure that you’re engaging the team to make sure that the problems get solved, that you’re building what you set out to build. It’s so common in my own work that when I feel like there is friction or struggle, I have to lean back and ask myself if I’ve actually worked on really engaging the team – or if I’ve just charged ahead full bore.  (Mistake #543)

Do I have the right team?

I have definitely been on projects or working with teams that just didn’t have the right fit. There had never been a conversation about if the people working on that particular ‘thing’ were right for it. (Mistake #324) Or they were being used in ways that didn’t suit them personally, they were being asked to use their weakest skills in a really strong way, and it was burning them out. (Mistake #221)

Did I give everyone enough time?

This is where people will use Agile to its best advantage. Agile, when you’re actually tracking story points and estimating, will give you enough space to be able to understand if you’ve crammed too much in. (Mistake #112) Did we ask too much in that space from people? (Mistake #14) Are we working under a really silly timeline (Mistake #87) and did we not find out until too late? (Mistake #98.) Even more to the point, once we know the problem, are we not willing to correct it? (Mistake #465)

2. Clients

Do we have the right clients? Are we, the people building things for them, the right people to do it? Do we understand their mission? Did we do enough to make sure they understood when, how, and where we were going to build? Do they understand what we’re not doing? Are they ok with their role here? Do they understand ‘scarcity’ in action? Does that shock them?

The list goes on, but in order to be the best technology partner, and you’re helping to lead everything to the finish line, everyone has to agree.

3. Services

This is the day-to-day stuff and where new project managers that are client facing get tripped up. Answering for the developers when you shouldn’t. “That should be easy.” Making estimates with having no idea what you’re doing. Estimating things in general. Making the expectations that you’re going to be available all the time. Or not setting the expectations at all.

Services isn’t the hardest-hardest part of this, but it generally adds to it.

4. Alignment / Mission

There’s a statement running around the internet right now that working on things that aren’t aligned with your values is just stressful. Working on things that are is called passion. You’ll notice when it’s just not working, because you can’t get rid of that pit in your stomach, that sinking feeling. Not listening to it is a big mistake.

5. General Sucking: Hard decisions

Part of your job is being the person that says no, that continually tries to find a way to make the project a success. You’ll sometimes be in the place where everything, all of these 4 things above are collapsing around you. And it sucks. And it happens to a lot of us that do this, because you are the one that’s pulling the threads together.

It gets better.

You are not always going to have these weeks. I refer to them as ‘hell weeks’. Please keep your hands and arms inside the hell week until it comes to a full and complete stop. In these weeks, it’s even more important for you to pay attention to you. Get some sleep. If you can’t get some sleep, talk to your team about how you are feeling, and figure out how to articulate what the problem is so that everyone can solve it together. (Also, ask yourself how you’re working with your team!)

Internalize the idea that you are no good to us dead, and take care of what you can. Projects end, one way or another, and you’ll get through it – one email, one day at a time. These things are hard, projects are hard, building things is hard – but hard things are worth doing.

Hope to see you at BADCamp for my session “Mistakes I have Made: Collected Project Management Failures.” Check out all of the Phase2 thought leaders at BADCamp!

Categories: Software

Singlebrook Technology: Super Simple Drupal Layout with Region View Modes

Drupal Planet - Mon, 2014-11-03 15:28

by Jeff Amaral

Combining Drupal core’s view modes and theme regions with a small home-grown module created a new way to lay out node pages.

The resulting module, Region View Modes, places copies of nodes, rendered through specific view modes, into theme regions. Yes, those are the same regions into which you would normally place blocks. There’s no new layout system here. You use the one you already have: your theme.

Once enabled, using the module is pretty easy:

  • Visit the Manage Display page for any content type (e.g. Article)
  • Expand the Custom Display Settings section
  • Check the view mode for one or more theme:region combinations. For example, Bartik theme: Sidebar first region
  • Click Save at the bottom of the page
  • You’ll now see the activated view mode(s) near the top of the page. Click on one.
  • Reorder, hide, or change the settings for any fields
  • View a node of that content type

Here’s a demo:

That’s all you need to know to use the module, but if you’re curious about how it works, read on!...

Categories: Software

Drupal.org Featured Case Studies: Greenpeace Greenwire global community

Drupal Planet - Mon, 2014-11-03 15:21
Greenpeace Greenwire global Drupal community Completed Drupal site or project URL: https://greenwire.greenpeace.org/An international community for a greener future

Nalini lives in a small city in India. To save money, all school books and student papers are copied or printed at the local print shop. Nalini is immensely annoyed with her classmates when they choose to print on a single side of paper. If everyone used both sides, she reasons, it would reduce their paper use by half. Nalini sends a message to Greenpeace International through Facebook: "I have an idea for a campaign you should run!"

Greenpeace International is an worldwide independent nonprofit organisation that aims to protect the environment and promote world peace. Originally founded in 1971, the organisation is now active in 44 countries and has 2.8 million supporters. With nearly 2 million Facebook likes and millions of site visitors worldwide, Greenpeace International receives suggestions like Nalini’s thousands of times per year, and because they simply can’t take on every new campaign idea, they wanted to find a way to empower its supporters to run their own campaigns, in their own communities.

In addition, Greenpeace International already had an active volunteer base of 20,000 volunteers, organised in about 400 local groups - each local group, or national volunteer network, had it’s own management and communication tools - a true global volunteering ‘database’ was non-existent, with the data instead spread across lots of individual spreadsheets and google-docs, making it hard to track and measure.

Challenges like these spurred Greenpeace International to create Greenpeace Greenwire, its own online community for employees and volunteers. It’s a meeting place where people can connect with other volunteers, activists and groups working on environmental campaigns in their country. When Greenpeace Greenwire rolls out to more offices, it will allow international connections too.

As well as helping activists find and participate in Greenpeace-led volunteer groups and events, Greenpeace Greenwire lets users create their own events and organize their own activities. Users can start groups, host events, run campaigns, share photos and videos, and write blogs.

Greenpeace Greenwire is a unique project in that it serves a worldwide community - so it needs to be able to scale up to hundreds of thousands of global users - but it also serves each element of that community’s specific set of needs. Flexibility is another key element of the project: allowing users to have different roles in different domains for national and regional offices, and also allowing for flexibility regarding which languages each user could choose. It was also crucial that each user feel comfortable providing their personal data in order to take full advantage of the Greenpeace Greenwire community, but on the other hand, the data must be kept secure and limited only to certain authorized users.

Greenpeace Greenwire - USA homepage

Key modules/theme/distribution used: Domain AccessOrganic groupsSearch APIUniversally Unique IDentifierContextEntity referenceMessageMessage SubscribeLanguage fieldMediaCDNEntity cacheSimpleTest FixtureUser RelationshipsViewsAutomated LogoutOrganizations involved: GoalGorillaTeam members: jaapjanbramtenhovejochemvnstefanotabarellironaldtebrakekevinmuller7gipsy
Categories: Software

Jonathan Brown: Drupal / Bitcoin BIP 70 / PKI certificates

Drupal Planet - Mon, 2014-11-03 15:00

Previously: Update on Drupal / Bitcoin Payment Protocol (BIP 70) integration

BIP 70 provides a mechanism so that a customer can be sure that they are sending a Bitcoin payment to the correct place. Before BIP 70, the customer would simply be presented with a Bitcoin address to send the amount to. This address could potentially be tampered with so the funds get sent to someone else. It is also not very user-friendly to be sending money to a random collection of letters and numbers.

Now public key infrastructure (PKI) is used to present the customer with cryptographic proof that they are making the correct payment. The payment information that the Bitcoin wallet receives is supplied with a certificate and is digitally signed. The wallet can then present a "human-readable, secure payment destination" to the customer, i.e. the name of the company or a verified email address.

This functionality is now implemented in Coin Tools.

To start using it you need to obtain a certificate. The easiest way to do this is to create a free account at StartSSL. Once they have verified that you own your email address they will put a certificate to this effect into your web browser.

You need to extract this certificate (and private key). Here is how to do it using Firefox, but other browsers are similar. First you need to view your certificates.

Then backup the certificate for your email address provided by StartCom Ltd.

Make sure you save the file with .p12 extension, i.e. jbrown@bluedroplet.com.p12 - P12 is an "archive file format for storing cryptographic objects like private keys and certificates." You will be prompted for a password to encrypt this file.

Next you need to extract your certificate and public key from this file like so:

openssl pkcs12 -in jbrown@bluedroplet.com.p12 -clcerts -nokeys -out publicCert.pem
openssl pkcs12 -in jbrown@bluedroplet.com.p12 -nocerts -out privateKey.pem

Each of these commands will require you to enter the password you encrypted the P12 file with. When extracting the private key you must provide a passphrase it should be encrypted with.

Next you need to add the certificate to your payment type (or create a new one). With the latest version of Coin Tools 8.x-1.x there are additional fields on the payment type form for this. Paste the contents of publicCert.pem into the "Certificate" field.

And paste the contents of privateKey.pem into the "Private key" field. Select "Private key is encrypted" and enter the passphrase you encrypted it with.

When making a payment, the customer's wallet will now display the certificate's Common Name. In this case it is a verified email address.

Categories: Software

a-fro.com: Ansible and Drupal Development - Part 2

Drupal Planet - Mon, 2014-11-03 13:00
Ansible and Drupal Development - Part 2

In part 1 of this tutorial, we covered how to configure and use Ansible for local Drupal development. If you didn't have a chance to read that article, you can download my fork of Jeff Geerling's Drupal Dev VM to see the final, working version from part 1. In this article, we'll be switching things up quite a bit as we take a closer look at the 2nd three requirements, namely:

Mon, 11/03/2014 - 07:00 aaron
Categories: Software

Drupal Aid: How to quickly add SSL to your Drupal Site

Drupal Planet - Mon, 2014-11-03 12:09

Something that new Drupalers struggle with is getting their site secured with SSL, the little lock in the browser or https://. Their first reaction is, “There has to be a module for that” and there are a few modules for getting your site HTTPS friendly, but there is a much easier solution. Read on to find out how to do it simply through your .htaccess file.

Categories: Software

Blue Drop Shop: Update: Drupal Camp A/V Kit REBOOT!

Drupal Planet - Sun, 2014-11-02 22:56

In my initial test of a new session recording kit, some records were lost due to lack of audio. Also, the test setup used powered lav mics, which don't fly too well with multiple presenters. 

As a follow up, I tested the Zoom H2N digital voice recorder because it just so happens to have a line out jack. So the question was whether that line out would be compatible with the HD PVR for audio. I'm happy to report that it is!

This is fantastic news for many reasons: 

  • Co-presenters or panels: Standing several feet away from the unit for the test resulted in great sound quality
  • No microphone cords: Speakers are free to roam, if that is their style
  • Redundancy: If the voice recorder is powered and hooked up correctly, the PVR will spit out a finished MP4, but should that audio fail for any reason, there will be a backup record on an SD card

At $160, the recorder definitely costs more than the original lav mic tested at DrupalCamp Fox Valley. With the suggested accessories (A/C power, tripod, wired remote, case, 32 MB SD Card, audio cable) the audio component comes up to about $225. This brings the total kit cost to just approximately $425 per room, which should accept a full day of recording and accommodate most laptops.

I'll be attending BADCamp and plan to bring the full kit with me, if anyone wants to check it out. Hell, if I get the chance, I will try to test it in the wild. Next steps are testing dongles for various portable devices, as well as contacting the Drupal Association to see what is needed to make these available for camps.

Huzzah!

Tags:
Categories: Software

Open Source Training: 7 Things to Know about the Drupal Security Issue

Drupal Planet - Sun, 2014-11-02 11:24

autoupdate or dieBy now you've probably heard about the extremely serious Drupal security issue from mid-October.

The Drupal security team issued a new warning two weeks later that, if possible, escalated the severity of the issue.

Here's an overview of the issue and its impact.

Categories: Software

Modules Unraveled: Why doesn't Drupal offer an auto update feature like Wordpress?

Drupal Planet - Sat, 2014-11-01 19:30
Drupal Auto Update Feature?

Let me start out by stating that I don't know the technical implications of an autocomplete feature. Okay? I don't have the answer. I'm just looking for information. Best case, I can help get something started that will benefit the entire Drupal community in the future.

With that out of the way, I firmly believe that anything is possible with Drupal. And with the "Drupageddon" of late, an auto update feature would be greatly appreciated by many, I'm sure. (I certainly would have benefited from one.)

I was recently discussing the security update with some friends, and one of them asked "Does Drupal have an auto update?"

And I was like "...no."

Immediately, I thought about all of the updates I don't immediately apply to contrib projects because they change a configuration option, or otherwise modify the way I've set up the site.

So I thought "I don't really want an auto update because it might break things.

That said, why can't Drupal automatically update security fixes - at least in core - automatically? If it did, Drupageddon could have never been a widespread issue.

It's easy to think, "Well, it's fixed now, so there's nothing to worry about."

But I think that's shortsighted.

The particular vulnerability that caused "Drupageddon" has been around since the inception of Drupal 7, which was officially released in 2011. So, for at least 3 years, every time we've fixed a security flaw, we've thought, "It's fixed now, so there's nothing to worry about." ... until the next issue was found, and this last one was a pretty gigantic one!

Wordpress introduced auto update in version 3.7 on October 24, 2013. They also included options in their configuration file that can be set to disable auto updates, as well as choose which types of updates should be performed automatically: none, major and minor or minor only.

You can read more about it on the Configuring Automatic Background Updates page:
http://codex.wordpress.org/Configuring_Automatic_Background_Updates

I'm just curious if this is something that can be added in a point release of D8 (like 8.5 or something).

Also, I've ready a few posts saying that auto updates would not fit their workflow. They use Drush, Git, etc. to manage their development workflow. And if that's you, I'd say that turning the auto update setting to off would mean that you can continue to work the way you currently do.

However, small business owners, churches, non-profits and the like that have volunteers (with little to no development background) managing their sites don't have the luxury of utilizing Git, Drush etc. In those scenarios, I think the case could be made that an autoupdate feature (as long as the updates are tested before release) could be a much more stable way of maintaining a site than having a volunteer FTP files to a server without really knowing what they are doing.

If you have thoughts, please add them below. I'd love to hear them!

Updates

  1. After doing some more research, I've found that some people tried to do this in D7, but postponed to D8. However, there hasn't been any movement since April 28, 2013. https://www.drupal.org/node/606592
  2. There's also a post explaining why auto updates would be a very bad idea from September 1, 2011. http://www.freelock.com/blog/john-locke/2011-09/why-auto-updates-are-very-bad-idea I'm not sure that I agree with everything he says though.
Tags: Drupal CoreSecurityAuto-Updateplanet-drupal
Categories: Software

Bryan Ruby: Drupal Security: Not Shocking but Responsible

Drupal Planet - Sat, 2014-11-01 17:24

Over the years, I've made it an unwritten policy not to sensationalize bug fixes and security vulnerabilities in content management systems. While there may be great interest in such stories, I believe such stories have a tendency to cause more harm than good. When sensationalized, such articles tend to cause customers to address security concerns with emotion instead of logic which is never a good thing. So, when the security vulnerability known as "Drupageddon" broke and Drupal developer Bevan Rudge posted "Your Drupal website has a backdoor", I knew this story was going to eventually reach mainstream media. In the meantime, I've been struggling on how best to write this article and what story need to be told.

For those that don't know, Drupageddon is the highly critical SQL injection vulnerability in Drupal 7 core and was fully disclosed by the Drupal Security Team in SA-CORE-2014-005.  Since the dawn of time when databases were introduced to websites, SQL injection vulnerabilities have been discovered and in the majority of cases when found are patched by their developers and system administrators. What makes Drupageddon particularly nasty is the vulnerability can be exploited by users not even logged into your site (in Drupal they're called anonymous users). Worse, if you didn't update your site quickly enough, your site may still be compromised even after applying the fix (in Drupal 7.32 or later versions).

It took two weeks, but the media have finally begun to use this Drupal event to sell their headlines. A recent BBC article claims that "up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software". While there is the potential for every single Drupal site on this earth to be compromised, I tend to believe Bevan Rudge's assessment that the real world numbers are more likely in the "hundreds of thousands". But the author of the article also found someone to state that this vulnerability and the need to audit your system for additional vulnerabilities is "shocking".

Having managed various software applications and websites for two decades, I find myself annoyed and angry that once again I'm patching and auditing my websites with extreme effort. We've all seen these type of security exploits in a wide range of software applications from a wide range of software developers. Ten years ago I discovered an ecommerce website that I managed hacked due to a SQL injection exploit. What upset me the most wasn't that the site was hacked but that the application's developers were aware of the problem for months but failed to publicly disclose the information to users. While the software industry has gotten better to disclose vulnerabilities and provide fixes for their software there is a lot of improvement than can still be made.

Perhaps what is shocking for those that don't know Drupal's open source community isn't the security exploit itself, but observing Drupal's willingness to fully disclose and take responsible steps to fix what is broken. It has been my experience that too many software vendors attempt to "soften the blow" in their disclosures to please the marketing arm of their company no matter how serious the exploit. Drupal on the other hand often takes the opposite approach. As a CMS critic I don't think I could write stronger words of warning in an article than what Drupal's community already does.

Drupal Security Team:  A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users. [October 15, 2014]

Bevan Rudge, Drupal.Geek.NZ: I estimate hundreds of thousands of Drupal websites now have backdoors; between ten and ninety percent of all Drupal websites. Automated Drupageddon exploits were in the wild within hours of the announcement. Updating or patching Drupal does not fix backdoors that attackers installed before updating or patching Drupal. Backdoors give attackers admin access and allow arbitrary PHP execution.

If your Drupal 7 (and 8) website is not updated or patched it is most likely compromised. If your website was not updated within a day of the announcement, it is probably compromised. Even if your website was updated within a day, it may be compromised. [October 22, 2014]

Drupal Security Team: While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. [October 29, 1014]

I'm not a software developer, but I understand the news cycle for covering content management systems very well. Although this is a two week story for the Drupal community, we can expect to see more articles from authors and experts claiming their shock and dismay that such vulnerabilities in the Drupal software can exist. My spin is simply this, the media is only aware of this story because Drupal takes ownership and responsibility to disclose and address security issues in its own software. I personally find news of the vulnerability a non-story. The real story out there are the companies and software developers pointing fingers at Drupal and are not so forthcoming with their own security vulnerabilities. Those are the stories that need to be told.

This article was originally posted on CMS Report.

Tags: 
Categories: Software

Károly Négyesi: MongoDB and Drupal 8: what and why?

Drupal Planet - Sat, 2014-11-01 16:22

Now that we have a fairly good idea how Drupal 8 and data looks let's discuss what can MongoDB provide and why would you want to run it. In Drupal 8, every kind of data can be stored independently. I fully expect that people will indeed mix storages. For example, D8 by default runs a config query on every page to find the blocks to be displayed for the current theme. Again, by default, config entities are stored as serialized PHP arrays so the only way a query like that can run is to load every single block entity from the database and iterate over them. This can get quite slow with hundreds of blocks -- don't forget that a block entity just stores the placement of a block and the same block can be placed several times. Also, after finding the blocks for the current theme, visibility rules (path, node types, roles) are applied again in PHP. If the configuration is stored in MongoDB then all this can become an indexed, practically instant query. Configuration storage, after all, is just storing and querying and retrieving arrays and MongoDB is really, really good at that. Because of this, I expect many sites to pick MongoDB for their configuration storage. I also expect that because of the simplicity of cross-entity type JOINs, many people will stick with SQL for their content storage. Although it must be noted that the choice can be made per entity type and as MongoDB stores complete entities it is able to index even those queries that the SQL storage can not.

There are some simpler storages which are also a good fit for MongoDB: sessions because of the write performance and logging because MongoDB has a capped collection (a circular buffer) feature so you will always have the latest N messages and never too much.

Categories: Software

Paul Booker: 5 commands that help with drupalgeddon

Drupal Planet - Sat, 2014-11-01 00:41

Showing files that have changed on the live server:

git status

Looking for code execution attempts via menu_router:

select * from menu_router where access_callback = 'file_put_contents'

Showing which files are on the live server and not in version control:

diff -r docroot repo | grep docroot | grep 'Only in docroot'

Finding PHP files in the files directory:

find . -path "*php"

Checking the amount of time between when a user logged into your site and their most recent page visit:

select (s.timestamp - u.login) / 60 / 60 / 24 AS days_since_login, u.uid from sessions s inner join users u on s.uid = u.uid;

Hotfix: (SA-CORE-2014-005)

curl https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch | patch -p1

Sorry , that was 6. Please add others in the comments.

If you need help regarding the recent drupal vulnerability feel free to contact me.

Tags:
Categories: Software

Stauffer: Drupal Internationalization

Drupal Planet - Sat, 2014-11-01 00:32
The need to translate sites to other languages continues to increase with each passing year. Businesses seeking expansion in new markets are incorporating additional languages to their sites as a way to further drive growth. Developers in the Drupal community recognized this shift and have taken action. The following questions arise when one begins the process of internationalizing a website: Do we have to override everything in the additional language(s)? Is there a way for citizens of other countries to have the whole configuration and administration of Drupal in their language? Is there any support for their language? If so, what does this translate? Only Content? GUI? Both? How can this best be achieved? Luckily, Drupal has the ability to expand its core benefits using modules. Modules are a very powerful tool that allows Drupal users and developers to add new functionality to their site. In the case of creating an international website, we know we must have two or more languages available on the site. In order to make this happen, one must use the appropriate list of modules in order to not only get the administration in the other language, but to also make the  content and the whole site in the desired language(s).   The Drupal modules for this are: Internalization, Pathauto, Token, Transliteration, Variable, Chaos Tools, Views, Internalization Views, Localization Update and Administration Language.  For more details on how to install a module see Installing Modules (Drupal 7). After installing each module, you should enable each one under Administer > Modules, or if you're familiar with command line, use drush. For more information on how to use drush see: Managing a site from the command line using Drush. The next step will be configuring each module to make our international site live. For more information regarding the steps to do on each module after installing them visit HowTo: Basic Internationalization setup. Tags: Drupal , internationalization , international , translate , multilingual website , website , Planet Drupal
Categories: Software

Drupal core announcements: What changes are allowed during the Drupal 8 beta phase?

Drupal Planet - Fri, 2014-10-31 22:00

Now that Drupal 8 is in beta, we are narrowing the changes we allow to Drupal 8 core to accelerate our progress toward Drupal 8's release. The Drupal 8 branch maintainers have established a policy on the allowed changes during the Drupal 8 beta to help contributors understand what changes are no longer allowed. All core contributors should review this policy and try to apply it in each issue.

Key updates for core contributors
  1. To take full advantage of the sprints at DrupalCon Amsterdam, we allowed one month after the initial beta release for many changes to go in. The deadline for those issues was October 27, so now all issues are subject to the beta policy.
  2. Many changes will now be postponed to a later release, especially many types of normal tasks that do not directly help make Drupal 8 releasable. See the policy issue for specifics.
  3. We will also be more rigorous about issue priority settings. For example, many issues that are currently major tasks will be reassessed and possibly downgraded to normal (and subsequently may be postponed).
Flowchart for evaluating issues

See the beta changes policy for details.

Flowchart of how to assess changes during the D8 beta

Next steps for core contributors

Read over the new policy, and take special note of how to evaluate issues. Help by posting on your issues with where they fall under the policy.

Categories: Software

Acquia: Acquia’s Response to the October 15 Drupal Security Alert

Drupal Planet - Fri, 2014-10-31 19:22

Acquia is committed to ensuring the security and performance of our customers’ sites.

Categories: Software

Appnovation Technologies: AJAXify Your Links

Drupal Planet - Fri, 2014-10-31 18:57

You can apply AJAX to any elements on the page by adding the use-ajax class to that element. Typically we apply this to link elements.

var switchTo5x = false;stLight.options({"publisher":"dr-75626d0b-d9b4-2fdb-6d29-1a20f61d683"});
Categories: Software

Chris Hall on Drupal 8: Drupageddon a chance to prove the calibre of Drupal community

Drupal Planet - Fri, 2014-10-31 16:39

I doubt that many people who read this will be unaware of the extremely severe security vulnerability that was discovered reported and patched a couple of weeks ago or the later realease and many related blog posts pointing out exactly how critical early updates and patching are

If this has ruined a little of your free time recently and/or entailed your agency really earning the costs of any maintenance contracts you offer consider how terrifying some of the press and implications are for owners of unsupported Drupal sites many of whom will be small charities and local organisations.

I would like to think that local Drupal groups etc. and the 'Drupal community' in general would step up and help out, if enough of us do that then we could generate some positive press. Yes we have a security team etc that is good, but how are we going to help out?

My local Drupal group will attempt to answer questions and find people to provide a little support (anybody else??), 

Appreciate that many people are not in the position to provide a lot of effort for free, even a small amount of advice could get people on the right track and Drupal groups are likely to know good freelancers that can afford to help a small company for considerably less than typical agency fees. 

All those hackthons, sprints, efforts to drive D8 forward, anybody brave enough to divert some of that effort towards auditing/fixing local sites?? I hope so.

BTW I have slight doubts about this site although I did fix by hand based on this commit (this is an old alpha). I will be trashing this server shortly and migrating to a new Beta 2 site and fresh server. 

 

Tags:
Categories: Software

Acquia: Acquia, Investors and Teaming Up to Build Greatness

Drupal Planet - Fri, 2014-10-31 16:30

In the summer of 2007, I received an email from Michael Skok of Northbridge Venture Partners, who I had known for 12 years at that time. I had recently exited Mercury Interactive after its acquisition by HP. He suggested that I meet with a entrepreneur around a project he was looking at. When I met with Jay Batson, and short thereafter with Dries Buytaert, I was intrigued. It was Michael's vision about the possibilities however that really grabbed my attention. The three asked me later that year to join the yet unnamed company as its founding CEO.

Categories: Software

Pages