Slashdot Mirror

No it is not!

There are migration scripts available but your mileage may vary especially if you wrote custom stuff. Third party modules may also be a concern.

https://www.drupal.org/docs/8/...

In case you weren't aware, Drupal has well-documented procedures for reporting and/or taking over abandoned projects:

https://www.drupal.org/node/25...

p.s. Many government agencies are required to justify their own funding, and rely on websites heavily for their mission; hence the value of knowing what is working and what is not working (i.e. analytics). Just for example: SAMHSA

I am a Drupal contributor for the past 15 years, so I know Drupal pretty well.

As I mentioned before Drupal 6 (core) has been patched to fully work with PHP 7.2. There is a concerted effort to do the same for Drupal 7.

Yesterday, I tried PHP 7.2 with 4 sites on two servers. One site is Drupal 6, the others are Drupal 7. They all worked without a single code change. One configuration statement had to be omitted, but that was it. The sites in question have the advantage of not being a victim of the open buffet binge syndrome.

There are known examples of modules that don't work (e.g. Rules). For sites that use 200+ modules (a very common thing), there is this thing called testing. If your workflow already has a test server, then test PHP 7.2 there and see if things work as expected. If not, then copy the live site to a test server and reproduce it there.

Regardless of Drupal's market share, it is just an example of a development community getting things working on newer PHP versions, and the process is sure not unique to Drupal at all. It can be done with a concerted group effort.

Drupal 6 was released Feb 2008, so more than a decade ago.

Drupal 6 was released Feb 2008, so more than a decade ago.

Of course, the Drupal installation guide doesn't mention containers or separate VMs.

https://www.drupal.org/docs/8/...

It's like a time capsule from 2008, dressed up to look like something from 2012. They are trying to disguise how far behind the times they are with a Richard Nixon mask.

yeah... there is just 2 in the last 4 years! I hope to hell you aren't a drupal server admin. https://www.drupal.org/securit...

Noice... TFA links back to the 2014 security advisory and completely misses a link to the current 2018 security advisory.

Noice... TFA links back to the 2014 security advisory and completely misses a link to the current 2018 security advisory.

https://www.drupal.org/sa-core...

Saves time clicking through the articles.

> No, I said pick your favorite.

You said "whatever measure you want" and then linked to one YOU picked.

Drupal's own metrics show it holding pretty steady, not on the decline. It's under active development and active use, so I don't see any obvious reason to say it's dead/dying.

Joomla I don't use, so I don't really care about it.

This same SJW death spiral is going on in the Drupal community right now. There's a bunch of self-appointed busybody BDSM police in the organization plus both a board and a committee charged with enforcing the Drupal Code of Conduct being filled with identity politics social justice baizuo types. I'll paste a recent Reddit post and a follow-up post that explains where I'm going with this:

Well, the fact that they adopted the TODO Group's "Open Code of Conduct" screams a lot about the "values" under their cranial hoods. Have a peek at the history of this document. My favorite part is this one:

Our open source community prioritizes marginalized people’s safety over privileged people’s comfort. We will not act on complaints regarding:

‘Reverse’ -isms, including ‘reverse racism,’ ‘reverse sexism,’ and ‘cisphobia’
Reasonable communication of boundaries, such as “leave me alone,” “go away,” or “I’m not discussing this with you”
Refusal to explain or debate social justice concepts
Communicating in a ‘tone’ you don’t find congenial
Criticizing racist, sexist, cissexist, or otherwise oppressive behavior or assumptions


Granted, that has since been removed from the text due to the sour taste it left in the mouths of many, but the choice of this particular Code of Conduct implicates the choosers as endorsing such one-sided beliefs. I'm not even REMOTELY surprised that this kind of anti-inclusive ousting has occurred; in fact, I'd say it was only a matter of time.

The OCOC is at http://todogroup.org/opencodeofconduct/ and https://www.drupal.org/dcoc says "Edited by webchick, danigrrl, kattekrab, tvn." The Community Working Group is charged with enforcement and https://www.drupal.org/governance/community-working-group says they are: George DeMet (Chair), Adam Hill, Michael Anello, Emma Karayiannis, Jordana Fung, Rachel Lawson.

This same SJW death spiral is going on in the Drupal community right now. There's a bunch of self-appointed busybody BDSM police in the organization plus both a board and a committee charged with enforcing the Drupal Code of Conduct being filled with identity politics social justice baizuo types. I'll paste a recent Reddit post and a follow-up post that explains where I'm going with this:

Well, the fact that they adopted the TODO Group's "Open Code of Conduct" screams a lot about the "values" under their cranial hoods. Have a peek at the history of this document. My favorite part is this one:

Our open source community prioritizes marginalized people’s safety over privileged people’s comfort. We will not act on complaints regarding:

‘Reverse’ -isms, including ‘reverse racism,’ ‘reverse sexism,’ and ‘cisphobia’
Reasonable communication of boundaries, such as “leave me alone,” “go away,” or “I’m not discussing this with you”
Refusal to explain or debate social justice concepts
Communicating in a ‘tone’ you don’t find congenial
Criticizing racist, sexist, cissexist, or otherwise oppressive behavior or assumptions


Granted, that has since been removed from the text due to the sour taste it left in the mouths of many, but the choice of this particular Code of Conduct implicates the choosers as endorsing such one-sided beliefs. I'm not even REMOTELY surprised that this kind of anti-inclusive ousting has occurred; in fact, I'd say it was only a matter of time.

The OCOC is at http://todogroup.org/opencodeofconduct/ and https://www.drupal.org/dcoc says "Edited by webchick, danigrrl, kattekrab, tvn." The Community Working Group is charged with enforcement and https://www.drupal.org/governance/community-working-group says they are: George DeMet (Chair), Adam Hill, Michael Anello, Emma Karayiannis, Jordana Fung, Rachel Lawson.

What a shock, all the Drupal Code of Conduct authors are women. Remember when GitHub was about to adopt the TODO Group's Open Code of Conduct that enforces a whole lot of identity politics bullshit? Well, while the most blatantly hateful anti-white anti-male anti-normie items have been cleaned out of it, Drupal's using the current version of the same godforsaken thing. We've seen this formula play out time and time again with SJW infections. Drupal is an SJW infested project with SJWs running everything. Is it any surprise that development is tertiary to micro-aggressive oppression olympics squabbling and Tumblr feminist grade virtue signalling competitions?

No. No it's not. "Social justice" is antithetical to actual work. It is a cancer. Drupal needs some serious anti-feminazi chemo.

While we're remembering "retarded" hurtful word shit, let's also revisit the time GitHub blew away a project for using the word "retard." The GitHub code of conduct drama shitstorm is eye-opening reading while we're looking back at things.

I believe in the iDubbbz position on hurtful words and slurs: either all of it is okay or none of it is.

If you want to see what yutes do, look at Joomla.

If you want to see what experienced people do, look at Drupal.

They both give you a similar site, but have drastically different APIs and development philosophies.

Joomla is shiny and overcomplex, but also has an incredibly arrogant userbase and development team. It's easy to use, and helps people who need to...compansate to feel...bigger.

Drupal is an industrial-strength workhorse. It's not for the faint of heart, but can be used to create massive, powerful and dependable sites.

If you are using Drupal, please read this PSA: https://www.drupal.org/psa-2016-004

Most sites needing extended mailing functionality probably use the SMTP contrib module, fortunately they too are not affected by this.

However, if you are one of the 11,000 (or so) sites reported to be using phpmailer module (and the associated library), you should make sure the library is updated. You can see if you're vulnerable by looking in the sites/all/libraries or sites/default/libraries folders to see if you're using the phpmailer 3rd party library.

If you are using Drupal, please read this PSA: https://www.drupal.org/psa-2016-004

Most sites needing extended mailing functionality probably use the SMTP contrib module, fortunately they too are not affected by this.

However, if you are one of the 11,000 (or so) sites reported to be using phpmailer module (and the associated library), you should make sure the library is updated. You can see if you're vulnerable by looking in the sites/all/libraries or sites/default/libraries folders to see if you're using the phpmailer 3rd party library.

To be fair, the cited (and likely incomplete) list from the summary is "compromise servers and devices running platforms like Drupal, WordPress, Magento, Jetspeed, Exarid, AirOS." The takeaway here is pretty much this: widespread deployment of shitty PHP and Java apps strikes again ... -PCP

This isn't a problem of the "widespread deployment of shitty PHP and Java apps". The vulnerability which this Trojan exploits is CVE-2014-3704 and was patched by Drupal Security Team on the 15th of October in 2014

The circumstances and agents which have led to this Trojan exploiting Linux systems and Drupal frameworks in the wild is, as with many such things, are multiple and varied. They include installations that are underresourced, shops with critical dependencies that cannot easily upgrade, web apps that at first and second glance do not have interfaces outside an intranet, etc. etc. and so on and so forth

The key is to stop pointing fingers and laying blame, unless the fingers point to the creators and distributors of the malware. The exploitation and abuse of computer infrastructure is part of territory. Blaming failures on the vulnerable is a sysadmin's version of victim-blaming and does little to mitigate the problem and much to generate community dysfunction.

Instead of finger pointing, spread the word, inform your unknowing and unwitting colleagues, train junior developers about how to remain secure for multiple computing environments with complex layers of computing infrastructure.

Our great-great-great-great grandchildren will thank you.

No, MVC is no magic bullet. I never said that. But MVC, or any other architecture that offers the same structure, is a basic requirement for writing readable, maintainable and proper code.

You want proof for Drupal not being secure? How about this: https://www.drupal.org/security. I'm sure you've seen it before.

per the TFA "affects Drupal 7.x installations prior to version 7.32." My Drupal site is at 7.43. 7.33 was released in November 7, 2014. This exploit is actually discussed On Drupal's Security advisories page, and they admit "Multiple exploits have been reported in the wild following the release of this security advisory" lol. Then there is a PSA about it too. Not surprised no one has paid on this yet; if you haven't updated your Drupal site in two years you probably don't really care that much about it haha.

per the TFA "affects Drupal 7.x installations prior to version 7.32." My Drupal site is at 7.43. 7.33 was released in November 7, 2014. This exploit is actually discussed On Drupal's Security advisories page, and they admit "Multiple exploits have been reported in the wild following the release of this security advisory" lol. Then there is a PSA about it too. Not surprised no one has paid on this yet; if you haven't updated your Drupal site in two years you probably don't really care that much about it haha.

Below are some quotes of the critical issues from the blog post and the Drupal Security Team’s analysis of the risks: https://groups.drupal.org/node...

Well, not to leave Drupal out too much, it did have https://www.drupal.org/SA-CORE....

Oh yeah, it's deeply embarrassing when your framework intended to stop SQL injection has a SQL injection hole in it. But it's not quite as embarrassing as being a constant source of infection to the rest of the interwebs because you're so supremely easy to exploit as WP. It also got fixed quite promptly...

Well, not to leave Drupal out too much, it did have https://www.drupal.org/SA-CORE....

https://www.drupal.org/project... is a module which pushes your saved content to receive the rich semantic data autotagged from the open calais web service. then you can install a faceted search module ( https://www.drupal.org/project... is an example of the module from Drupal 6 ).

https://www.drupal.org/project... is a module which pushes your saved content to receive the rich semantic data autotagged from the open calais web service. then you can install a faceted search module ( https://www.drupal.org/project... is an example of the module from Drupal 6 ).

Yup, Javascript's == operator is just as fucked up.

* http://strilanc.com/visualizat...

> PHP developers would be wise to read that to see what warts PHP shares with some other popular languages.

You and I wish that but sadly that will never happen based on their past apologists. Too much ego and stupidity at stake such as having a broken ternary operator ?: as opposed to C. (WTF!?) And then you get stupid bugs like this memory leak ... *sigh*

This post sums up the problem with the design of PHP:

http://www.reddit.com/r/lolphp...

The only way to "fix" PHP is to throw it in garbage can where it belongs and start over.

Teach users what entropy is? That is unpossible (as Ralph Wiggins would say).

I have a friend who is clearly quite intelligent, but can't remember how to do cut and paste -- though I bet he knows more people by name than anyone I have ever known. Even a poor quality password meter probably helps password quality more than any single attempt to teach how to make good passwords. After all we have been trying to teach this as an industry for decades without much success.

The problem is that ad-hoc password strength measurement is usually pretty bad because writing a good meter is hard, although again something is usually better than nothing. Best practice would suggest reusing code from someone else, perhaps just as Dropbox did according to the article -- apparently zxcvbn. I am not claiming zxcvbn is actually good, just that the researchers referred to Dropbox favorably in this regard.

I helped cleanup & docs on a GPL project called Integral Community Exchange System (ICES) just approved as full drupal.org project module suite https://www.drupal.org/project... . It is already used by Ecoxarxes (econetworks) around Spain specifically Catalonia to provide timebanking/time credit and needs/offers listings. It feature-replaces closed source CES software used in places like South Africa and Australia.

I think that getting basic needs connected and covered for people and enhancing trust among a web of people, without need for deflated (or low velocity /liquidity fiat currencies like Euro in depressed Spain or Greece), with either timebanking or basic services listed, already helping a lot of people. Exchanges: https://www.integralces.net/ce... developer docs https://docs.integralces.net/ Thanks for considering something practical. No fancy blockchains, but an OAuth / OpenTransaction implementation to exchange crossovers is working in dev. If anyone would like to plugin or translate please check it out...

> just because a language doesn't function the way you are used to, does not mean that it is broken...

*whoosh*

PHP has a *ton* of hate because it does *dumb* things that only an amateur would do.

1. Copying the ternary operator ? : from C, then _reversing_ the order of precedence is idiotic. We have _standard_ _logical_ operations and consistent left-to-right parsing for a reason -- not let's-invent-whatever-shit-we-feel-like because we're too dumb to understand consistency.

And then you have dumb bugs like this memory leak.

2. Only a fanboy makes excuses for why they are too blind to see the many ways it is broken. PHP was designed and developed by a complete fucktard:

echo true . "\n";
echo false . "\n"; // wat
echo TRUE . "\n";
echo FALSE . "\n"; // wat
 
// Note: The online manual is completely useless:
// http://php.net/manual-lookup.php?pattern=true
// http://php.net/manual-lookup.php?pattern=false
// http://php.net/manual-lookup.php?pattern=TRUE
// http://php.net/manual-lookup.php?pattern=FALSE
 
if( 1 == "1" ) echo "ok!\n";
if( 0 == "0" ) echo "ok!\n";
if( "0" ) echo "nope\n";
if( "00" ) echo "wat\n";
if( "-0" ) echo "wat\n";
if( "0.0" ) echo "wat\n";
if( 0 == "" ) echo "wat\n";
if( 0 == " " ) echo "wat\n";
if( 0 == " wat" ) echo "wat\n";
if( 0 == "\t" ) echo "wat\n";
if( 0 == "\r" ) echo "wat\n";
if( 0 == "\n" ) echo "wat\n";

In what bizarro universe would this stupid shit make _any_ sense??

Gee, maybe if '==' is SO fundamentally broken, then you

a) actually _remove_ it from the language, OR gee, here's a idea ...
b) upgrade it to one that actually _works_.

Nah, let's just half-ass because we don't know what the fuck we're doing with types!

> OMG Look how crappy c++ is!

So because everybody else jumps off the bridge you do to ?

Make excusing for why a language sucks because (insert other) language X sucks too just make you look like a tool. Take responsibility for a fucked up design? LOL. The language might actually improve then. Nah, can't have that !

For the record, you won't get any arguments from me that C++ is a complete cluster-fuck of over-engineering. I've worked on a C++ compiler.

The C++ committee has their heads so far up their asses that they refuse to address *practical* matters:

- Standardized Name Mangling
- or at least a standardized API for Name Mangling
- Standardized pragma's
- Forced inlining
- Forced never inlining
- Standardized error messages or at least error codes
- Extend the grammar so that function prototypes (declarations) can be copy-pasted for function definitions
- etc.

Round robin DNS and nginx as load balancers. Then we auto scale cloud servers on the back end to handle the PHP load. Scalable MySQL: http://www.rackspace.com/cloud... File System: https://www.drupal.org/project... Cloud files is really the key here, otherwise you have to use an NFS of some other kind...which kind be a nightmare otherwise.

That's nonsense. Go look at what eventually happened to HB Gary Federal and how all that started, (by using a custom CMS).

Your best bet is to pay close attention to security releases, and be thankful the for the Drupal Security Team which is on top of these issues. For more clarity, read these:

https://www.previousnext.com.au/blog/drupal-732-critical-update-our-response

https://www.acquia.com/blog/learning-hackers-week-after-drupal-sql-injection-announcement

Seriously, compared to the Drupal Security Team which I know about, what other CMS' have such thorough teams and processes? Use Drupal and the same folks that look after the websites for the US Congress, the White House, and many other government websites become your Security Team, for free. Just learn to do your part properly.

... roll-your-own implementations are likely to be broken too.

As far as I can tell, this module uses custom placeholders in queries, and then replaces those with the user supplied values, building a string that can be passed to the DB as SQL without database placeholders. IE. it's not building something like:

        $db->prepare("SELECT name FROM table WHERE something IN (?,?,?)")
        $db->execute( @parameters );

It's building something like:

        $db->prepare("SELECT name FROM table WHERE something IN ($param[0], $param[1], $param[2])")

That's always more risky. DB placeholders are not a silver bullet, but they're damn close. /disclaimer, I didn't thoroughly audit the code, so maybe it is somehow using db placeholders, but the method in question doesn't look like it is.
See line 739 here: http://cgit.drupalcode.org/dru...
Patch for users that don't want to do a full upgrade and are on 7.0 - 7.31: https://www.drupal.org/files/i...

If you are using a well know framework for your site there might already be support for comment spam management. It's not always free as some of them are basically interfaces for a paid service but it may still be worth a look. They would block comment spam in general instead of focusing on comments from a specific set of nodes.

https://www.drupal.org/node/20...
http://wordpress.org/plugins/s...

Ah, the good old days. I started with PHP 1.9s - one step past shell scripting. :) Things have come a long way. Nowadays of course I don't do it for my real job, just some side stuff I do to keep my hand in. One of those is manhandling Drupal - not a fun thing for newbies, but having tried WordPress (the other biggie), I would say Drupal is much more robust, more adaptable to real enterprise applications, more secure, and has a more involved community.

Which reminds me - I'm going to my first Drupal Con June 2-6 in Austin! Shameless plug: my employer Bright Plaza, Inc. is going public at the conference with its Drupal module for Picture Passwords for the Web! We are going to have a cool special offer for websites that install the module and sign up.

Ah, the good old days. I started with PHP 1.9s - one step past shell scripting. :) Things have come a long way. Nowadays of course I don't do it for my real job, just some side stuff I do to keep my hand in. One of those is manhandling Drupal - not a fun thing for newbies, but having tried WordPress (the other biggie), I would say Drupal is much more robust, more adaptable to real enterprise applications, more secure, and has a more involved community.

Which reminds me - I'm going to my first Drupal Con June 2-6 in Austin! Shameless plug: my employer Bright Plaza, Inc. is going public at the conference with its Drupal module for Picture Passwords for the Web! We are going to have a cool special offer for websites that install the module and sign up.

Secure?? you have got to be fucking joking. https://drupal.org/security that is not the record of a product with good security practises. The vulnerabilities in the core alone are bad enough, but add in all the vulnerabilities from common modules and you have a pigs breakfast.

CiviCRM is extremely good at what it does, and works with Drupal, as well as Joomla.

I like Drupal a lot. Drupal is like LEGO bricks you can build anything out of, and if you install CiviCRM on top of Drupal, that's like building the Millennium Falcon Star Wars Edition LEGO along with a spaceport for it. If that interests you, then also add OpenAtrium to your short list of things to check out too. In fact you can combine them if you want and they'll give you complimentary functions, however you might also find OpenAtrium is good enough for your CRM needs. Or you might swap out CiviCRM from your OpenAtrium platform as described, and use RedHen CRM instead.

Whatever direction you choose for CRM, I hope you'll give OpenAtrium consideration towards your requirements, (that is what the White House uses for its workgroup collaboration too). It's a good Space Dock Platform to hold your calendaring, notifications, public/private docs, etc.

http://openatrium.com/
http://redhencrm.com/
http://www.whitehouse.gov/blog...

Pro-Tip: In a lot of places where I have introduced OpenAtrium, when I get around to installing the sheetnode module, and everyone gets collaborative spreadsheets, I often hit a home run. The spreadsheet usefulness and ajax is extremely good.

https://drupal.org/project/she...

The artist, Kimiko Ishizaka, is easily at-or-above par with Juilliard students. The producer, Anne-Marie Sylvestre, is A-OK at what she does. The studio and staff are top-notch. The instrument will be kick-ass. Etc.

And, there's a track record for this project -- the Goldberg Variations recordings they've already done are fine.

Maybe you have an axe to grind with Drupal geeks? ;-)

Drupal.org is built on Drupal 7 and therefore stores passwords salted and hashed with SHA-512. See user_hash_password() in the Drupal API docs.

Clinton was using IBM/Lotus Notes and it was working well. G.W. Bush switched to Microsoft Exchange, arguably so emails would get lost.

http://arstechnica.com/tech-policy/2008/04/bush-lost-e-mails/

Obama's office is now using free open-source Drupal-based groupware, called OpenAtrium.

http://developmentseed.org/blog/2011/feb/14/white-house-using-open-atrium/

https://drupal.org/user/2356044

Exchange and Lotus Notes were used for email. Drupal is a content management system, which can be used for discussions, but it doesn't replace email. What Obama uses now, I don't know, but it certainly isn't Drupal for email. It probably is still Exchange with a proper backup system.

Clinton was using IBM/Lotus Notes and it was working well. G.W. Bush switched to Microsoft Exchange, arguably so emails would get lost.

http://arstechnica.com/tech-policy/2008/04/bush-lost-e-mails/

Obama's office is now using free open-source Drupal-based groupware, called OpenAtrium.

http://developmentseed.org/blog/2011/feb/14/white-house-using-open-atrium/

https://drupal.org/user/2356044

Check out the lastest 8.x version by going to http://simplytest.me/project/drupal and choosing 8.x. The site will install 8.x-dev for you and you can play with it.

Some things to look at:

- In place editing
- CKeditor in core
- Responsive out of the box (check the new admin menu)
- Views in core

There's a heap of scary awesome changes going on in the backend though

- replacing lots of sub systems with Symfony components
- RESTFUL services by checking a checkbox.
- TWIG as a templating engine
- Configuration management initiative
- HTML5 and mobile
- Far better multilingual support than previous versions.

check out http://groups.drupal.org/drupal-initiatives for more info.

Other additions in Drupal 8 include the Backbone.js and Underscore.js JavaScript frameworks in core.
Further information on the changes in Drupal 8 can be found here: http://api.drupal.org/api/drupal/core!CHANGELOG.txt/8

The security setting for Java defaults to High anyway. You would have to either A) change your security settings specifically lower or B) specifically allow an untrusted applet to run for this to (sometimes) work. I'm starting to get tired of the anti-Java FUD, there are a vulnerabilities found all the time in other languages/frameworks, how come all we seem to hear about is lame Java applet sandboxing issues?

Didn't realize I wasn't logged in when I made that post

The security setting for Java defaults to High anyway. You would have to either A) change your security settings specifically lower or B) specifically allow an untrusted applet to run for this to (sometimes) work. I'm starting to get tired of the anti-Java FUD, there are a vulnerabilities found all the time in other languages/frameworks, how come all we seem to hear about is lame Java applet sandboxing issues?

Google block registration hotmail yahoo turns up this request and this request. I guess blocking major webmail providers does two things: 1. it forces users to use paid providers that serve as less-disposable identifiers, which discourages people from registering on a forum or wiki just to post spam, and 2. it warns users against trying to register using an e-mail provider known to incorrectly classify confirmation e-mails sent from a given domain as spam. I just use my catch-all *@pineight.com for these things, which forwards to my address somewhere else, but because I pay Gandi every year for pineight.com, it's not quite as disposable as a big-three webmail account.

forum_access offers a decent performance improvement for mid-large sized forums, it uses the ACL module which helps to reduce number of joins with the node_access table, which is where a lot of performance issues come from. Nanawrimo is a good example of a decently optimized Drupal forum site, they get about 100k nodes/year, not to mention groups.drupal.org or drupal.org, which average about the same.

The truth is that any site with > 10k authenticated users a month and 100k+ user generated posts is going to need performance tuning.

forum_access offers a decent performance improvement for mid-large sized forums, it uses the ACL module which helps to reduce number of joins with the node_access table, which is where a lot of performance issues come from. Nanawrimo is a good example of a decently optimized Drupal forum site, they get about 100k nodes/year, not to mention groups.drupal.org or drupal.org, which average about the same.

The truth is that any site with > 10k authenticated users a month and 100k+ user generated posts is going to need performance tuning.