The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org.

This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we've reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt. A user password can be changed at any time by taking the following steps.

1. Go to https://drupal.org/user/password
2. Enter your username or email address.
3. Check your email and follow the link to enter a new password.
   • It can take up to 15 minutes for the password reset email to arrive. If you do not receive the e-mail within 15 minutes, make sure to check your spam folder as well.

All Drupal.org passwords are both hashed and salted, although some older passwords on some subsites were not salted.

See below recommendations on additional measure that you can take to protect your personal information.

What happened?

Unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed. We are still investigating and will share more detail when it is appropriate. Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.

The suspicious files may have exposed profile information like username, email address, hashed password, and country. In addition to resetting your password on Drupal.org, we are also recommending a number of measures (below) for further protection of your information, including, among others, changing or resetting passwords on other sites where you may use similar passwords.

What are we doing about it?

We take security very seriously on Drupal.org. As attacks on high-profile sites (regardless of the software they are running) are common, we strive to continuously improve the security of all Drupal.org sites.

To that end, we have taken the following steps to secure the Drupal.org infrastructure:

• Staff at the OSU Open Source Lab (where Drupal.org is hosted) and the Drupal.org infrastructure teams rebuilt production, staging, and development webheads and GRSEC secure kernels were added to most servers
• We are scanning and have not found any additional malicious or dangerous files and we are making scanning a routine job in our process
• There are many subsites on Drupal.org including older sites for specific events. We created static archives of those sites.

We would also like to acknowledge that we are conducting an investigation into the incident, and we may not be able to immediately answer all of the questions you may have. However, we are committed to transparency and will report to the community once we have an investigation report.

If you find that any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately by sending an email to password@association.drupal.org. We regret this occurred and want to assure you we are working hard to improve security.

Thank you,
Holly Ross
Drupal Association Executive Director

FAQ

What happened?

The Drupal.org Security Team and Infrastructure Team has identified unauthorized access to user information on Drupal.org and groups.drupal.org, which occured via third-party software installed on the Drupal.org server infrastructure.

What information of mine was exposed?

The information includes username, email address, hashed passwords, and country for some users. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.

Was my credit card information exposed?

We do not store credit card information on our site and have uncovered no evidence that card numbers may have been intercepted. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.

Were projects or hosted drupal.org code altered?

We have no evidence to suggest that an unauthorized user modified Drupal core or any contributed projects or packages on Drupal.org. Software distributed on Drupal.org is open source and bundled from publicly accessible repositories with log histories and access controls.

Does this affect my own Drupal site?

This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. However, we recommend that you follow best practices and follow any security notices from Drupal.org or third party integrations to keep your site safe. Resources include the following sites:

• https://drupal.org/security
• https://drupal.org/writing-secure-code
• https://drupal.org/security/secure-configuration

How did the access happen?

Unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed. We are still investigating and will share more detail when it is appropriate.

What has been done to prevent this type of unauthorized access in the future?

There have been several infrastructure and application changes including:

• Open Source Lab, the group that hosts the servers for Drupal and infrastructure teams rebuilt production, staging, and development webheads
• GRSEC secure kernels were added to most servers
• An anti-virus scanner was run over file servers, and run routinely to detect malicious files being uploaded to the Drupal.org servers.
• We hardened our Apache web server configurations
• We made static archives of any site that has been end-of-lifed and will not be updated in the future
• Sites that were no longer going to receive feature or content updates were converted to static copies to minimize maintenance.
• We removed old passwords on sub-sites and non-production installations

Do you have any information about the identity of the person or group who did this?

At this point there is no information to share.

What is the security team doing to investigate the unauthorized access?

We have a forensics team made up of both Drupal Association staff and trusted community volunteers who are security experts investigating.

How is my Drupal.org password protected?

Passwords on Drupal.org are stored in a hashed format. Currently, passwords are both hashed and salted using multiple rounds of hashing (based on PHPass). Passwords on some subsites were not salted.

Who maintains the Drupal.org site?

The Drupal Association is responsible for maintaining the site, with the assistance of many trusted Drupal community volunteers.

How can I delete my profile rather than create a new password?

Please email password@association.drupal.org with the request.

What else can I do to protect myself?

First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords, even though all passwords on Drupal.org are salted and hashed. Some older passwords on some subsites were not salted. To make your password more secure:

• Do not use passwords that are simple words or phrases
• Never use the same password on multiple sites or services
• Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).

Second, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by e-mail. Also, beware of emails that threaten to close your account if you do not take the "immediate action" of providing personal information.

Although we do not store credit card information, as a precaution we recommend you closely monitor your financial accounts if you made a transaction on association.drupal.org or if you use a password with your fianancial institution that is similar to your Drupal.org password. If you see unauthorized activity (in the U.S.), we also suggest that you submit a complaint with the Federal Trade Commission ("FTC") by calling 1-877-ID-THEFT (1-877-438-4338).

Based on the results of the investigation into this incident, we may update the FAQs and may recommend additional measures for protecting your personal information.

Scott Reynen has done some fun things in the Drupal community. Some notable examples:

• Coordinated many meetups in Denver ensuring they happen, with interesting topics, and tasty pizza options
• Helped to organize several Drupalcamps in Colorado (which will be June 29th/30 in 2013)
• Presents on various topics at Drupalcamps
• Helps as one of the 3 site maintainers for groups.drupal.org
• Is an active Project Application queue reviewer heavily interested in new-contributor-onboarding and project quality
• Takes care of abandoned projects and ownership requests in the Webmasters queue
• And does a pretty darn good job as the maintainer for modules like @font-your-face.

How did you get involved with Drupal?

About 4 years ago, I took a job as a developer with Aten Design Group, where we do mostly Drupal projects. At the time, I was pretty skeptical of content management systems, after frustrating experiences with both WordPress and Joomla. But I quickly grew to appreciate Drupal’s modular architecture.

What do you do with Drupal these days?

Most of my Drupal time is spent building websites for clients. I’m fortunate to be able to work on projects I really care about, like the International Center for Transitional Justice, the National Center for Women & Information Technology, and the United Nations Development Programme. Apart from client work, I use Drupal as a platform to explore new ideas. With a wide variety of code and a huge active community, Drupal serves as a great incubator.

You’re involved with the Drupal community locally and internationally - can you describe some of the things you do and why you like them?

I co-maintain Drupal Groups (groups.drupal.org), deal with abandoned projects on Drupal.org, do some work on project review applications, help organize the local Denver Drupal meetup, actively mentor a few people, and contribute some modules. I think I like all of this because I feel like I’m actively building the future, either through directly improving the web, or by enabling other people to improve the web.

What got you started in the project application review process?

I didn’t go through the application review process to get my own Git (previously CVS) access, and didn’t realize the process existed for a long time. So I think some feeling of debt played a part in my getting involved. But I also believe the future of Drupal depends on people who aren’t yet involved, and the application process, if not handled well, can very easily be a point where we turn away this next generation of contributors.

What are some of your favorite moments from that process?

It’s always nice to get thanks from new contributors for my feedback, or to discover a cool new module before it even has a release. But I think my favorite moment was when klausi arrived. Before that, I felt like I had to stay actively involved or the whole process might fall apart. When klausi started doing a superhuman number of reviews, I could comfortably step away from the queue for a short (or even long) period of time and avoid both catastrophe and burnout.

Read a previous Community Spotlight about Klaus Purer (klausi).

Are there any cool projects you’ve learned about through that process?

Commerce Registration is, I think, a great example of why the review process is important to the wider community. After some quick minor bug fixes in the review process, that project was approved and is now part of the Conference Organizing Distribution, used in every DrupalCon site. And the maintainer has gone on to contribute several other modules, a few to Drupal Commons that will be part of the next version of the Drupal Groups site. A more frustrating project review could have easily meant the Drupal community losing all of this.

What changes do you hope will come in the project review process?

Mostly I think we just need more people with the right mindset. Right now, the “needs review” backlog is gradually disappearing, largely thanks to a lot of new reviewers. I think we just need to keep more of these reviewers involved and make sure they know, as jthorson recently wrote, “the role of reviewers in this process is that of a 'mentor', not 'traffic cop'”.

What is your favorite part about the Drupal community?

It’s rare to hear someone say “I don’t care” in the Drupal community. There’s plenty of work that goes off the rails on passionate debate over what color to paint the bike shed, and that can grow tedious. But our bike sheds are the best-painted on the web (12 coats!), because people really care. I like that.

Tell us a little about your background or things that interest you outside Drupal?

When I was young, I hit myself in the forehead with a boomerang. I wasn’t entirely unfamiliar with the concept, but I’d never had one actually come back. This one did, just as I was turning to see where it had landed. Stitches weren't great back then, so I still have a scar. I still have problems with tools doing what I say rather than what I expect.

Drupal 7.22, a maintenance release with numerous bug fixes (no security fixes) is now available for download. See the Drupal 7.22 release notes for a full listing.

Upgrading your existing Drupal 7 sites is recommended. There are no major new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Update: Drupal 7.22 is now available.

Drupal 7.21, a maintenance release which fixes incompatibilities introduced in the Drupal 7.20 security release, is now available for download. See the Drupal 7.21 release notes for further information.

Upgrading your existing Drupal 7 sites is strongly recommended, especially if you encountered problems with Drupal 7.20. There are no new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Update: Drupal 7.21 is now available.

Drupal 7.20, a maintenance release which contains fixes for security vulnerabilities, is now available for download. See the Drupal 7.20 release notes for further information.

Upgrading your existing Drupal 7 sites is strongly recommended. There are no new features or non-security-related bug fixes in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Update: Drupal 7.20 is now available.

Drupal 7.19 and Drupal 6.28, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.19 and Drupal 6.28 release notes for further information.

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Ever since node 4877 in 2003 we have a “prediction” post up on Drupal.org, where Drupal coders and users can share their vision on what will happen the year ahead with their beloved tool. Ever? Well, we skipped 2012, so we can not look back to the predictions you made last year on this site.

But that should not stop you from making some predictions for 2013. And you are welcome to do so in the comments below. Will parts of Drupal end up in another CMS or framework? Will "WSCCI first” be the slogan or will the consolidation in the CMS landscape and the trend to leave our small island make new bridges towards other PHP projects or even make a new Pangaea, beyond PHP and the web? Will Drupal be the answer in Jeopardy on the question “what is the best CMS?”. Time will tell.

Or you.. In the comments below

Update: Drupal 7.19 and Drupal 6.28 are now available.

Drupal 7.18 and Drupal 6.27, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.18 and Drupal 6.27 release notes for further information.

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

We will be having a very short downtime at 5PM PST (01:00 UTC) this Thursday December 13th. The outage should be no more than 2-3 minutes while we reboot a switch. Thank you.

On Nov 1 2012, we tested the Views UI (7.x-3.5) with intermediate-level Drupal users at the BADCamp UX/UI Summit to provide the community with a clear picture of the usability bottlenecks in the Views UI, which is now in development in Drupal 8. We have identified a number of major problems and a large number of small ones, each of which now has an issue in the Drupal Core issue queue, where we discuss solutions, provide code patches with screenshots of the changes, come to agreement and put these changes into Drupal 8.

The study planning, participant profile, findings, videos and more are explained below.

Contents

Overall findings
Study summary
Screeners and study guide
Findings from study
Next steps
Video recordings (YouTube)

Overall findings

Participants thought that Views was “powerful” but complained about the steep learning curve to understand the concept and using the Views UI when they were first introduced to it. They relied on extensive Googling, face to face explanations from colleagues and video tutorials to learn Views. When they were thrown into unknown territories, their frustrations with using the UI were palpable.

Study summary

• Number of participants: 8 (1 advanced user, 6 intermediate users, 1 beginner user)
• Session length: 45 minutes
• Study Focus: Using Views in Drupal 7
• Understand existing user’s views usage & experience [behavior focused]
• Uncover critical/major issues with existing users [UI focused]
• How users navigate and operate the advanced settings
• Gather data quickly so that actionable improvements can be incorporated into Drupal core before the feature freeze
• Compensation offered: Google Open Source t-shirt
• Recruitment method: Twitter (from BADCamp, @lisarex, @dcmistry), email to BADCamp UX Summit attendees. The email was quite successful.
• Date: November 1, 2012
• Type of study: Moderated usability study (in-person)
• The sessions moderated by Dharmesh Mistry (dcmistry) and Lisa Rex (lisarex). Our volunteer note takers were Olga Biasotti, Angie Byron, Neerav Mehta, Lewis Nyman, Bojhan Somers, and Brian Young. Other volunteer contributors to the usability study planning include Bohjan Somers, Becky Gessler and Garen Checkley. Special thanks to Jen Lampton for coordinating the UX/UI Summit and putting up with us!
• All the sessions were streamed live on Google+ and are available on YouTube (linked below)

Screeners and study guide

Potential participants filled in a screener survey to see if they matched our profile, and a followup screener was used to help us clarify, when the scope of the study was narrowed.

We wrote a Views usability study guide (like a script), with the input from the Views in Core team.

Participant profile

• Participants were targeted to be intermediate users who have done Drupal site building and have familiarity with Views (They have created basic Views and have dabbled with the advanced views). To keep the data focused, this is a report of findings of 6 intermediate users and 1 advanced user only. Data from the beginner participant will be added to future beginner level study data.
• All participants were screened to be fluent in English.
• Participants are comfortable with technology in their personal and professional lives.

Detailed findings

Positive comments

• The first screen of Views UI get’s the user’s foot in the door
• Participants rated their experience ratings higher as they got more exposure to views
• Participants like the ability to preview and create custom CSS
• Participants found theme template information useful

Critical, major and moderate usability issues

1. Critical Lack of guidance: The views UI wizard page helps participants get the foot in the door but provides little guidance when they land on the second page. This is because the terminology is unclear and the visual hierarchy is flat. The problem gets severe under “Advanced” section.

   Possible solutions:

   • Use the Views UI wizard anytime a new display type is created.
   • More visual hierarchy on labeling and/or positioning
   • Contrib module with guided tour of Views
   • tooltip on hover of difficult labels

   [needs exploration + design]

2. Major Too many items under configuration options for fields/ filters/contextual filters/ relationships: Participants feel “overwhelmed” when they see the long scrolling list of options. The problem gets worse because the participants do not necessarily see the “Search” option. The search option is visible only when you are on the top of the modal.

   

   Possible solutions:

   • Limit initial list to user created fields/filters.
   • Reduce visual clutter caused by descriptions.
   • Divide ‘filter’ (e.g. content, global) and criteria (e.g. Body, Comment count) into two columns, making the criteria more scannable
   • Search box has no visual weight and/or fixed positioning.

   #1832862: Users feel overwhelmed by handler listings

3. Major Using “Contextual Filter” is difficult: When a participant selects a field in contextual filter, they are presented with a lot of options in a flat structure making them unsure how to proceed. This is mostly because of lack of workflow. The expectation was to select a default argument first and then move into related steps based on the choice. A related issue is the help text was unclear “Also look for node and node author ID” The advanced tools like contextual filter, relationship, exposed form require more guidance because it is a harder thing to do.

   Possible solutions:

   • Progressively disclose the functionality instead of all at once
   • Revise the text to be less Boolean, more human
   • Provide short UI / help text in a standard help block on these section to explain what they are

   [needs exploration + design]

4. Major Several participants forgot to save/didn’t realise they need to save in order to see their changes to the view when they click “view page”. On smaller screens you can’t see the drupal_set_message() warning of unsaved changes.

   Possible solutions:

   • Provide an ‘Unsaved changes’ signal/notification within the main area of the Views UI, where they are looking [needs design]
   • Move save to button towards the bottom of the page (between preview, or at the end, or both)

   #1831894: Users miss "save" button and can't distinguish "editable" and "preview" areas

5. Major Participant had difficulty determining where the view showed up. If it’s a Page you can see the path. If it’s any other display type, you have no way of knowing where those displays appear on the site (P4).

   Possible solutions:

   • Show on the views listing the region where the block appears
   • Show in the views ui where the block appears (Attachment does this!)
   • Show when there’s an attachment in the Views listing (Block, Feed, Page appear in alphabetical order)

   #1834576: Improve details on the Views listing page

6. Major Disconnect in the workflow of adding a block, as you have to create the block display, then save, then go out to the Blocks UI.

   Possible solutions:

   • Add “place block in region’ to the Views wizard.
   • Add “place block in region”to the advanced views.

   #1836390: Add “place block in region’ to the Views wizard to help workflow and #1836394: Add “place block in region’ to the Blocks settings in Views UI

7. Moderate People often forget to add a path on a page, and if they hit save, they don’t see see the dsm() letting them know. If they haven’t saved, they still don’t realise the path is missing because the default / is very small and subtle. It’s also a very small target area for such a critical step in creating a page view. (P3)

   

   Possible solution:

   • Replace the / with text such as ‘path is undefined’

   #1831142: Path is never empty in option summary.

8. Moderate ‘View page’ link goes to the home if the path isn’t set, causing confusion because people think that is what they created when in fact its not.

   Possible solution:

   • ‘View page’ is not an active link until the view has been saved

   #1831696: View page link goes nowhere, if you have not saved

9. Moderate ‘All displays” is the default option, even when there’s only a single display. This is unnecessary and is one more decision a new user has to fret over.

   Possible solutions:

   • Hide “all display/This page” options e.g. filtering when there is only one.
   • Significantly decrease the visual importance of this functionality.

   #1836384: The views UI should display "All Displays" option only when there are more 1 displays.

10. Moderate Other related issue to “All displays”/ “Override this display”: In order to override a display you have to go to the drop down on the top left of the modal and to apply the display you have to go to the bottom right. As users are focused on the task at hand, they don’t realize that they have to change the filter and may accidentally apply to all displays. What makes the matter worse is that when it is changed to "Override this display", the label changes to "Apply (this display)" but the difference is so subtle that the user did not register the difference.
    #1836392: In the Views UI, the interaction pattern of “All displays”/ “Override this display” is confusing
11. Moderate Participant did not understand the Preview was updated automatically. They didn't use it, and just went straight to 'view page'.

    Possible solution:

    • Show when the last time the preview was updated

    #1836470: Participant did not understand the Preview was updated automatically

12. Moderate On Views listing, participants have trouble determining what’s active and what’s disabled.

    Possible solutions:

    • Split them into two tables, with disabled underneath
    • Have the inactive views on a separate page, which is a gallery of possible views.
    • Change them to a tabbed display, with Active being the default tab
    • Fix the accessibility of the listing:

    #1830822: Split the Views UI listing into two tables for enabled and disabled

13. Moderate The More section only contains the Administrative title. The “More” area is perceived as this magical area, where you might find something magical. Participants opened it and were disappointed to only find the administrative title.

    Possible solutions:

    • Move it out of this section until there’s more than one item, or label it with something less vague.:
    • Only show it upon clicking a checkbox using states, e.g. Add administrative title.

    #1831080: Remove the "More" area from the bottom of handler configuration

14. Moderate 'Theme: information' label is misleading.

    “Theme information name is misleading because we are talking about templates. I have been on this page so many times and it’s still complicated. How are you supposed to know that this has theme’s real output?” (P4)

    Another participant didn't know what Theme: information meant.

    Possible solution:

    • It should be relabeled to something like Theming: templates (P4)

    #1833834: Theme: information label is unclear

15. Moderate People often click the “Settings” link when they see “HTML list | Settings” which causes them to miss how to change the main formatter settings.

    Possible solutions:

    • Merge the two settings
    • Make settings a tab of HTML list.
16. Moderate When adding a field, “Create a label” is checked by default but we observed most people deselecting this. It’s only mostly useful for table display. (P4, P6, P7, P3). Needs more discussion to determine if this observation is accurate.

    Possible solution:

    • Deselect by default, collapse options. Limit # of items isn’t labeled so participant was unsure how to limit items on a block display. Assumed Pager label was specific to pages.

    #1831674: "Create a label" should be off by default, with an opt-in for style plugins

Less-actionable issues

• There are 3 places the user sees for titling the page. (P2) http://screencast.com/t/S3BL6wdcflj
• Medium: Help text is not helpful “also look for node and node author” (P4)
• Large: Participants arent’ clear on what contextual filters are or when to use them (P2, P4)
• Large: Participants arent’ clear on what relationships are or when to use them (P2, P4)
• Medium: Grouping on fields is not widely understood
• Grid display is not responsive because it is table based (P1)
• Format level doesn’t signal about display (HTML/settings) (P6 & P7)
• Preview contextual filter doesn’t have format settings (P6)
• Large: observed people applying changes to All displays when they meant to override

Next steps

We will discuss the issues and explore other alternatives in the Drupal core issue queue. Relevant issues are tagged BADCamp2012UX.

Video recordings (YouTube)

Participant 1
Participant 2
Participant 3
Participant 4
Participant 5
Participant 6
Participant 7
Participant 8 (new user)

The OSL's network provider is preparing to upgrade a core router. This is a large upgrade, but they have devised a plan to limit impact to us. All network outages should be short (5-10Min), but there will be a few of them. The first will be Saturday Nov. 10th at 10PM PST (0600 UTC). This will be a single outage to setup the new core. Following this, there will be scheduled move windows for individual sets of servers. This will impact us 4 times (we have a few servers). The first will have an "impact window" of Monday Nov. 12th 5PM PST (0100 UTC) and the window will stretch for an hour and a half. Each individual server port move should take less than 10Min, so this is certainly not a downtime window, but the network will be unstable during this period as servers are moved. We will have a similar window at 8PM PST (0400 UTC) on the same day.

The next outage window that will directly impact us will be Wed. Nov 14th from 8-11PM PST (0400-0700 UTC). Again, this shouldn't be considered a downtime, there will just be some network instability during this period. The last window is Friday Nov 16th from 8-9:30PM (0400-0530 UTC). This window includes two of our servers, but more importantly includes several important central services. This last window may have more impact than the proceeding ones. We plan to work with our provider to reduce impact.

This upgrade is quite exciting for us and we hope it goes smoothly. The following is a brief summary of the windows:

11/10 at 10PM PST (0600 UTC): Cut NERO connection to OSU 5k's; 5 minute outage
11/12 at 5-6:30pm PST (0100-0230 UTC): Move ports from old 10/100 card to OSL 2K switch
11/12 at 8-9:30pm PST (0400-0530 UTC): Move ports from line card #3 to new router
11/14 at 8-11pm PST (0400-0700 UTC): Move ports from line card #4 & #8 to new router
11/16 at 8-9:30pm PST (0400-0530 UTC): Move ports from line card #7 to new router
TBA: Cut NERO connection to OSU 7k's with port channels; 5 minute outage

Update: Drupal 7.18 is now available.

Drupal 7.17, a maintenance release with numerous bug fixes (no security fixes) is now available for download. See the Drupal 7.17 release notes for a full listing.

Upgrading your existing Drupal 7 sites is strongly recommended. There are no major new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

We will be taking Drupal.org down for up to 60 minutes starting Saturday, October 27, 20:00 PDT (Oct 28 0300 UTC). This outage is to deploy Apache Solr 6.x-3.x. Search results will be incomplete following the downtime as we catch up indexing. Please follow @drupal_infra on Twitter for updates.

Update: Drupal 7.17 is now available.

Drupal 7.16, a maintenance release which contains fixes for security vulnerabilities, is now available for download. See the Drupal 7.16 release notes for further information.

Upgrading your existing Drupal 7 sites is strongly recommended. There are no new features or non-security-related bug fixes in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

The Marketplace section on Drupal.org has been revamped through major changes. Most of it happened a couple of weeks ago, but some are as recent as this week. This post will give you quick overview of what has changed and what you need to know and do right now to keep your Marketplace listing up-to-date.

If you don't want to read all the details, jump to What is going on next, that is important for your listing.

So what changed?

The structure

When the work was begun the old services pages (part of the handbook) were removed and the new marketplace was titled “Marketplace preview.” That interim title is gone, the old handbooks are gone, and the Marketplace now has 3 sections:

• Drupal Services http://drupal.org/drupal-services
• Hosting http://drupal.org/hosting
• Training http://drupal.org/training

Hosting section stayed completely the same. As for the other two - there are some updates.

Drupal Services now has 2 listings: Featured providers and All providers, with Featured section being the landing page of the Marketplace.

Training section is also now a view of organization nodes similar to the Services section. The fields shown in this view are Title, Training url and Training description, so make sure to fill those if you want to be listed.

The Hosting, Training and Marketplace displays all pull from the same fundamental organization node type.

The rules

After much discussion and weighing of different perspectives and goals we now have new Marketplace guidelines in place, which describe what each section means, what you need to do to get listed, what is the process.

Items to note:

• Contributions back to the community is the first and main requirement to be listed in the Marketplace.
• Organization pages need to be updated at least once per year. If you haven't updated yours for more then 12 month, we will remind you via your company's issue and wait 2 weeks for you to update the node. If 2 weeks passed and node is still not updated, we will remove it from the listing.

What is going on next?

We keep working on marketplace improvements so changes above won't be the last. 2 important things happened just this week:

/drupalgive

Having a /drupalgive page and feed featured on Drupal Planet is now a strong recommendation for those companies wishing to be listed in the Featured section. For more information on /drupalgive initiative please see http://drupal.org/drupalgive.

Issue: #1783768: Proposal: make /drupalgive feed a requirement for getting featured

Locations

“Countries served” vocabulary has been renamed to “Locations”. From now on the purpose of that field is to display only countries where your company has physical offices. The field value was cleared for all companies, everyone is welcome to update their organization pages with the correct Locations.

Issue: #1765610: Change title of "Countries served" vocabulary to "Locations"

We also cleaned up Sectors and Services vocabularies, a lot of duplicate terms are gone, make sure to update those too.

Useful bits

Am I listed?

If you are listed in either Services or Training section you should see 1 or 2 of the following messages on the top of your organization page:

This organization is a Drupal services provider.
This organization is a Featured services provider.
This organization is a Training services provider.

The messages link to the sections of the Marketplace you are listed in.

What if there are no messages for me?

If there are no messages on the top of your organization page it means you are not listed in any section of the Marketplace.

To get listed you need to pass community review process outlined in the Marketplace guidelines.
First step is to request listing. To do so you need to edit your node and check one (or both) of the following:

Request listing in the Drupal services section.
Request listing in the Training section.

Once you save the node an issue will be created automatically in the Webmaster’s queue for each selected checkbox. The issue will indicate that you want to be listed, community members will review your node and comment on the issue. Reviews are performed by volunteers from our community, so please be patient as this process might take some time.

Where I can find an issue for my company?

If you are author of the organization node and you requested a listing - you will see one or both of the following messages on top of your organization page with the links to relevant issues:

Regarding Services listing communicate with webmasters using this issue.
Regarding Training listing communicate with webmasters using this issue.

Links to note:

• We are trying to collect most frequently asked questions and answers in the Marketplace FAQ.
• Issues related to Marketplace improvements have a tag drupal.org marketplace.
• If you have questions or suggestions you can open an issue or come on IRC #drupal-contribute or #drupal-infrastructure channels.

Thanks

Thanks goes to BarisW for his help with the latest improvements.

We are also very grateful to Drupal Association Volunteers and Supporting Partners, who have made all these improvements possible. The Supporting Partner Program crowd sources funds that pay for the development team’s time and Drupal.Org hosting costs. And volunteers are a key part of our team. They donate huge amounts of time and talent to help us make Drupal.org better.

UPDATE: Voting closed 7 Oct 2012.
See https://association.drupal.org/election2013-results

Vote now for community elected "At Large" Directors of the Drupal Association!

In 2011 the Drupal Association was restructured and a new board was appointed. Most of the board are selected by a nominating committee who aim to ensure people on the board bring a range of skills and experience to the table. However, to make sure the community is always well represented there are also two directors chosen directly by the Drupal community "At Large". These community elections are held to fill those two positions.

Voting is Open!

Voting is open until 23:59 UTC 7 Oct 2012 at https://association.drupal.org/vote2013

Who can vote?

You are eligible to vote if you have an account on drupal.org, logged in during the past 12 months, and created your account before 31 August 2012 when the election was announced.

How to vote?

• Login to association.drupal.org
• Go to vote2013.
• Check box and confirm you're eligible to vote.
• Rank the candidates in your order of preference.
  You do not need to rank all candidates.
  Why rank them? Watch this video.
• Save the form.

Meet the candidates

Floh Klare (SirFiChi)
I'm a Sitebuilder. I use Drupal for personal projects. I'm active in the german community and a leader of the German Drupal-Initiative e.V. I can use Drupal for free and want to give something back. I want others to know, that they can do the same.
Blog

Todd Tomlinson (toddtomlinson)
36 years in the IT industry, global experience, prior board positions, non-profits, professor/teacher, live/eat/sleep Drupal.

J. Matthew Saunders (MatthewS)
I bring 17 years from the technology world, 13 years in Opensource, 6 years of highly active participation in the Drupal community, 8 years of nonprofit management in a US based Technology focused nonprofit, two VP board positions in nonprofits including policy development, and two university qualifications - one a Masters - focused on organizational management for nonprofits. I'm passionate about Drupal and adore the Drupal Community.
Blog
Answers

Chris Ward (chrischinchilla)
I got into Drupal several years ago, initially as a developer but more recently as a project manager, evangelist and community builder. I'd be keen on driving several initiatives: Cleaner, more efficient and user friendly documentation. Creating better case studies for Drupal, the whys and the business benefits of using it. Better community building across the wider tech community, i.e. encouraging Drupal experts to talk at relevant more general conferences and events aside from just Drupal related events.
Blog

Valery Lourie (valthebald)
Teaching and course-organizing experience, as well as connection to non-English speaking developer communities in Israel and former Soviet Union (Russian is my mother tongue). I think both communities are "under-penetrated" by Drupal today.
Blog

Aimee Maree Forsstrom (amaree)
A Community perspective from a non rock-star roots level and experience managing Open Source Conferences and Meet-ups, Passion :D

 Narayan Newton (nnewton)
I got into Drupal while I was a student systems administrator at The Oregon State Open Source Lab, the hosting providers for Drupal.org. I hope to represent the Infrastructure Team. A major responsibility of the DA Board is infrastructure and currently there is no voice on the board for that largely volunteer team. I also hope to provide some sensible review of future technical projects funded and managed by the board.

David Stoline (dstol)
I want to be part of the DA Board because I want to help shape the future and growth of the community. Having worked with the DA in the past, through my organizational experience with CapitalCamp, I bring a different perspective that will help the overall governance of the DA.
Blog
Answers

Joseph Bachana (joebachana)
I have been working in technology consulting for my entire adult life. Over the years, I learned not only about how to implement Drupal successfully, but what it means to be committed to an open source project. I want to help and use both my expertise and creative thinking as well as what resources I can apply to help the Drupal project be even more successful in the coming years.
Blog
Answers

Pedro Cambra (pcambra)
I'm a Spanish Drupal Developer very involved with the community since 2008, I've helped to organize 6 different events in Spain since then, including the this year's Drupal Developer Days in Barcelona, my motivations are to represent the Spanish speaking community in the board and help to grow stronger binds between the Drupal Association and the local groups all around the globe, no matter what their current size is. My main objective: having a Drupalcon in South America sooner than later.
Blog
Answers
- Session 1
- Session 2
- Session 3
- Session 4

Jeremy Thorson (jthorson)
I'm an active Drupal hobbyist, and the guy who keeps the testbots running. What I bring to the board is i) passion, drive, and demonstrated initiative, ii) a balanced approach to conflicts and challenges, iii) relevant background and non-profit board experience, and iv) a wide breadth of perspectives, representing multiple roles in the community. See my blog post for specific details!
Blog
Answers
- Session 3
- Session 4

Simon Hobbs (sime)
I'm Simon Hobbs (sime). I'm a Drupal consultant and trainer from Melbourne, Australia. I am a former business owner of a Drupal services company and have been active in the Australian Drupal community. I believe in a stable, conservative Drupal Association with a realistic scope. My personal focus would be on training, how to continue and strengthen the DA's global training initiative.
Blog
Answers

Morten Birch Heide-Jørgensen (mortendk)
I run a small Drupal design & theme shop in Denmark: geek Röyale. We as a board need to shift focus back to the community, reevaluate how the organization operates, clearly define why the organization exists, and for whom it exists, and do better as leaders to support and grow Drupal worldwide.
Blog

Steven De Costa (starl3n)
I'll bring a strategic marketing framework to the Board - but don't confuse this with posters and tweets :) I want to help the DA define its position within a broader economic view of the IT services industry and leverage the flow of value to benefit the Drupal project. 1st up: I'll aim to bring new funds via Govt memberships and a grants funding initiative.
Blog
Answers
- Session 1
- Session 4

Bert Boerland (bertboerland)
Bert has been active as a user, handbook writer, tester and evangelist since the Drupal's early days op on drop.org and has a long standing track record in the Drupal community. He donated the Drupal.org domain to the community. This is ambitious, adding transparency, communicating the value of the DA when it comes to drupal.org, facilitating the diversity of local camps and making sure the DA is for everybody worldwide. I know however that I can help the DA here and am dedicated to do so.

Jeffrey A. 'jam' McGuire (horncologne)
If you're contributing to Drupal, we're on the same side - however and wherever it is that you contribute. I would bring multilingual-, multicultural-, non-US-centric perspective; experience from international community - and business worlds; as well as communication - and marketing skills to the board.
- Nomination statement
- Session 1 answers
- Session 2 answers
- Session 3 answers

Forest Mars (forestmars)
New York based hypermedia architect working with Drupal for over 5 years in business, media, and the non-profit sector. I'd like to see contact fine-tuned between the board and the community-at-large, a task that requires not only impeccable communication, but also a nuanced understanding of the complex mix of divergent goals and even tensions which make up the project and surrounding community. Such an understanding naturally gives rise to the desire to contribute exactly what's needed to bring our stated goals to fruition, reflected in attendance - if not yet participation - at our newly open and, incredibly exciting, DA board meetings.

Voting is Open!

Voting is open until 23:59UTC 7 Oct 2012 at https://association.drupal.org/vote2013

Related:

• Importance of DA Board Community Elections
• Update Election 2013
• 2013 Election Announcement
• Governance

The new Case studies section on Drupal.org has been built and launched. You may not have noticed, since the look of the homepage hasn’t changed, but the case studies have a new home with a new look. This has been a multi-layered effort involving the Drupal Association web team and several community volunteers.

Now we need some great new case study content. We’re looking to feature Drupal sites that have one or more of these qualities:

• Well-maintained
• Visually appealing custom theme
• Stand out for performance optimization, interaction, customization, accessiblity or third-party integration
• Positive and inspiring examples for business owners, site builders and developers to learn from

You can help by writing a case study on your own impressive project, or volunteer your time as a reviewer of case studies.

Why write a case study?

Here's a few reasons:

• Promote a great Drupal site; show the world what Drupal can do
• Recognize your team members for their hard work
• Recognize maintainers of the contributed modules that you’ve used
• Excellent case studies can be promoted to the Featured section and appear on the front page of Drupal.org!

To get started, go to http://drupal.org/case-studies. From here you can see the types of sites that have been promoted, check out the case study guidelines, and submit your own case study.

Help us maintain case studies

The Case studies section (as is most Drupal.org content) maintenance is handled by volunteers. You don’t need to be a programmer or have special knowledge to help out with case studies, just have good judgement and English language/grammar skills.

Regular tasks include:

• Write case studies for your own projects or for others
• Find Drupal sites that deserve to be featured on Drupal.org
• Review requests to be promoted to Featured, suggesting improvements as needed, e.g.
• copy improvements
• taxonomy terms
• screenshots
• review Community case studies for adherence to case study guidelines, as well as for spam posts and comments

Useful links:

Guidelines for writing a case study: http://drupal.org/node/1588136
Guidelines for case study promotion review: http://drupal.org/node/1617960
Requests for promotion to Featured section have a tag case study promotion, just open issue queue and start reviewing!

If you have questions or need some guidance - come to #drupal-marketing IRC channel on Freenode.

Case study sprint at DrupalCamp Brighton

If you happen to be at the DrupalCamp Brighton this weekend, join case study sprint on Sunday.

Update: Drupal 7.16 is now available.

Drupal 7.15, a maintenance release with numerous bug fixes (no security fixes) is now available for download. See the Drupal 7.15 release notes for a full listing.

Upgrading your existing Drupal 7 sites is strongly recommended. There are no major new features in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Hello from Jennifer, your outgoing Drupal Documentation Team leader! As I step down as leader of the Documentation team, I wanted to make one last quarterly status update post for the Documentation Team.

Leadership Change

People in the Drupal project are currently exploring Drupal community governance, and among the questions they'll be thinking about are the leadership and structure of the Documentation Team -- so expect an announcement sometime soon! In the meantime, I'm not going to be hosting Documentation Office Hours, but if someone else wants to schedule an Office Hours, go ahead and post an event to the Documentation groups.drupal.org page.

Milestones, Accomplishments, and Projects in progress

• Lots of content was updated on Drupal.org this quarter. Of particular note:
• The Accessibility team worked on updating documentation at a sprint in Montreal, including the Creating accessible themes section, and the best practices on accessibility for site builders page.
• The Multilingual team updated both in-code API documentation and on-line Community documentation for Drupal's multi-lingual system.
• The Mobile team organized and created a Mobile guide.
• I'm sure there are other notable updates that I didn't mention specifically -- 921 different contributors made more than 5000 revisions to documentation pages on Drupal.org this quarter -- thanks to everyone who made an edit or created new documentation!
• There's a new Community Documentation Moderator group! These dedicated individuals will be overseeing the Community Documentation, and doing tasks that the general Drupal community members do not have the permissions to do (deleting comments, making edits on locked pages, creating URL aliases and redirects, etc.). I'd like to especially thank Boris/batigolix for joining the Moderator group and dealing with so many Documentation project issues in the past few weeks -- I'm sure he'd appreciate some help though, so please join him! (Responsibilities and instructions for how to get started: http://drupal.org/node/1588928)
• The API documentation cleanup sprint from last quarter has continued into this quarter, and a lot of progress has been made! The goal is to bring the Drupal 7 and 8 core API documentation much more in line with our documentation standards. To join in, visit the issue page. There is also a related sprint for general PHP coding standards at http://drupal.org/node/1518116
• Work on the proposed Curated/Official Docs and Help system has picked up! We have an issue to track progress on building the system, and Google Summer of Code participant Gergely Tamás Kurucz (temaruk) is working on a major component this summer. WorldFallz has also just volunteered to work on the workflow piece of the project, so hopefully around the end of the summer, we'll be able to deploy the first phase of the system, and start writing "official/curated" documentation. But we will still need some programming help -- check the tracking issue for more details.
• The "Books about Drupal" section is being revised to have a new content type and a View, instead of being a set of flat HTML pages. Lowell/LoMo has been working on that, and we hope to get it finished and deployed on Drupal.org in the next few weeks. Issue: http://drupal.org/node/1487988
• Many members of the Drupal documentation team collaborated last quarter on proposing an update to the sidebar navigation for the Community Documentation. We reached consensus that we would like to have +/- expand/contract ability on the sidebar, so that people searching for documentation could more easily drill down into the book structure to find pages of interest. But we need some help: evaluating existing modules to see if they will work for us, and if not, building a module that will. If you'd like to help, the issue is: http://drupal.org/node/1508832
• The API module (the module behind http://api.drupal.org, the programmer API documentation reference site) has been ported to Drupal 7. I did the primary port, and several people contributed by testing it out and/or posting patches for bugs they found. api.drupal.org should be running Drupal 7 sometime soon! The next new features planned for the site are to get more contributed modules visible, make it work correctly with PHP namespaces (which are extensively being used in Drupal 8), and replace the hard-to-maintain Form API reference with an automatically-generated page (and in-code comments). If you'd like to help with these efforts, check the API module issue queue.

Next Steps

If you're interested in helping with Drupal documentation:

• New contributors: Check out the tasks in the New Contributor Tasks section, or read http://drupal.org/contribute/documentation to learn all about contributing to documentation. Or come to the weekly office hours (see Events section above) to ask questions and get started.
• Become a Community Documentation Moderator: http://drupal.org/node/1588928
• Drupal Documentation announcements, discussions, and events are always posted on http://groups.drupal.org/documentation-team and sometimes posted on Twitter (@drupaldocs). Why not join the group (you can sign up for email notifications), and follow us on Twitter?
• API documentation cleanup sprint (for programmer-documenters): http://drupal.org/node/1310084
• Work on API module features: http://drupal.org/project/issues/api
• Help evaluate modules or build a new one for better Community Documentation sidebar navigation: http://drupal.org/node/1508832
• Help build the Curated/Official Docs/Help system: http://drupal.org/node/1549580

Olá! Join Drupal project founder Dries Buytaert and core committer Angie Byron this December 6-8 in beautiful Brazil to bring a little Carnaval to Drupal. DrupalCon São Paulo will focus primarily on content for Drupal developers, but there will of course be plenty to offer for designers, themers, project managers, architects, engineers, and those involved with the business side of Drupal. The multi-lingual conference program will feature a sessions in English, Portuguese and Spanish, as well as plenty of opportunities for informal “Birds of a Feather” meetings and a coder lounge that will be open throughout the conference.

Small and intimate, we expect DrupalCon São Paulo to capture the feel of early DrupalCons. Our goal is to make it easier for attendees to meet the people that are deeply involved in the Drupal community and find out how to become involved themselves.

Sprinters wanted!

DrupalCon São Paulo immediately follows the Drupal 8 feature freeze deadline. There will be a hosted sprint focused on getting D8 features polished for core. Lead by Angie Byron and other key core contributors, this will be a dedicated day for crafting code, preparing APIs and tidying the documentation. There will be plenty for everyone to do, and it’s a great time to get involved to help make D8 the best version of Drupal yet. All hands on deck!>

Submit Your Session Proposal Now!

Share what you know and choose your lingo! We are actively soliciting session proposals in Portugese, Spanish, and/or English. Learn more and submit your session proposal today! Tracks that will be offered at DrupalCon São Paulo include:

• Coding + Development
• Backend + Webservices
• Frontend Theming, Design + User Experience
• Business + Strategy
• more to be announced!

Important Dates

Please note that all deadlines are 11:59PM BRT (UTC-3)

• Call for session proposals opens: June 28, 2012
• Call for session proposals closes: August 24, 2012

Other Cool Stuff

• Submit a Pre-Conference Training Session Proposal
• Apply for a Scholarship to DrupalCon
• Find out how you can become a DrupalCon Sponsor