Mediacurrent: Risks of Staying On Drupal 7 After Its End of Life

1 day 12 hours ago

Drupal 7's end of life is scheduled for November 28, 2022. Up until then, the Drupal Security Team will continue to provide patches to Drupal 7 core and contributed projects should any security threats arise. After that point, however, the Drupal Security team will no longer support Drupal 7.

Is it Safe to Stay on Drupal 7?

If your organization is currently running Drupal 7, you’re faced with a decision on whether to upgrade to Drupal 9 or not.

Crafting a business case can help with your decision because it contains projections for initial costs and ongoing costs for making the upgrade investment vs. maintaining the status quo, as well as projections for revenue and savings. The business case exercise can further forecast the break-even point for your upgrade investment. However, in the case of future security threats, we can’t be confident of what the future ongoing costs will be, because we can’t predict when such security threats will arise, nor will we know the severity of them. 

What we can do, however, is make organizations that use Drupal aware of the risks of not upgrading. There are three general areas of risk: security, integrations, and functionality.

Security Risks

After Drupal 7 reaches the end of life, whenever security issues are identified in core or contributed modules, there won't be very much support to fix them. Site maintainers could find themselves in the position of having to spend a lot of time searching for security holes and fixing them. This risk gets compounded if there are a lot of contributed modules in your Drupal configuration. 

There will be a few agencies that will offer the service of maintaining your Drupal 7 platform post end-of-life. This will help greatly to secure your site if you’re willing to invest in hiring such an agency. One of their main tasks is to backport fixes for core and contrib issues. These fixes will of course not be included in the D7 upgrade path because there won’t be an upgrade path at all. As a point of reference, after Drupal 6 had reached its end of life, there weren't a disproportionate amount of security fixes needed for its core nor contributed modules. Still, the risk is not zero. Every aspect of a Drupal application must be considered to ensure there are no security gaps.

Another aspect of taking this path is that much of the time maintaining a site like this is spent managing and mitigating security risks rather than making improvements or implementing new features. For a good many developers, this is not rewarding work. 

In the history of previous Drupal security fixes, some have been pretty small -- one-line changes that take an hour to review and fix -- while others have taken days or even weeks of development time to analyze and produce a solution for. 

An advantage of choosing to upgrade a Drupal 7 site to Drupal 9 is that you gain all of the advantages of security improvements that were included in Drupal 8 and each subsequent feature upgrade. In this blog post, Peter Wolanin of Acquia details some significant security improvements included in the initial Drupal 8 release. Drupal 9 has additional advantages such as support for PHP 8.0.

Integration Risks

Certainly, security risks will come along, but another risk area in maintaining the status quo is that key integrations will eventually start to fail. For example, your Drupal environment may be integrated with another platform, and a key API on that platform is getting deprecated. Because the Drupal module that connects to it is no longer being actively maintained, you (or an agency you hire) will have to update the module or write a new custom module to keep integration working.

Functionality Risks

As the Drupal community continues to diminish the amount of activity on Drupal 7 core and contributed modules, especially after end-of-life, you basically lose those “free” updates. This is especially so with bug fixes. This forces you to either live with them or to fix them, or again, hire an agency to do it. If you do hire someone, that person won’t be as familiar with the project as one of the maintainers would be, so you’d have to factor in that additional investment. Indeed, some of these risks can be so critical that you end up rewriting large chunks of code to deal with them.

Not only do you miss out on the security improvements of Drupal 8/9 discussed above, not upgrading means you're missing out on many other improvements. Drupal 8 and 9 are built around a modern PHP stack including features such as Composer compatibility, Symfony components, modern OOP coding techniques, and more. While Drupal 7 has served our community well, it is not built upon the latest PHP libraries and development workflows that developers expect. This allows Drupal 8/9+ site owners the advantage of further enhancing their security posture by adding the Guardr security distro or module. While Drupal 8 and 9 have good security features, Guardr adds additional community vetted modules and settings which meet industry security requirements.

Talk To Us

As already mentioned, there are too many future unknowns to create a blanket business case for an upgrade investment. However, we can craft a business case specific to you based on the complexity of your existing Drupal 7 solution. We will factor in the number of modules you’re using, their complexity, the nature of your integrations with external systems, and more. We at Mediacurrent have performed this type of analysis for some of our clients to help them with their technology investment decisions and can do the same for you. Please contact us to learn more!

Talking Drupal: Talking Drupal #299 - Sustainability of the Webform Module

1 day 12 hours ago

Today we chat with our friend Jacob Rockowitz about the sustainability of the webform module and module maintainership sustainability in general.

www.talkingdrupal.com/299

Topics
  • Jacob's 5th appearance
  • John got a new job!
  • Jason launching 6 sites this week
  • Nic went to the drive-in
  • Jacob no more bike rides, just walks in the park
  • Stephen finding Ansible useful

Story: Recording episode 300 - get your recordings into show@talkingdrupal.com

  • Elevator pitch for webform
  • When did Jacob begin maintaining Webform
  • What is sustainability?
  • Open collective
  • How to make Drupal more sustainable
  • Ways to contribute
  • Donations vs time contribution
  • Why open collective?
  • Is there an exit plan
Resources

https://www.jrockowitz.com/blog/webform-open-collective-funds-spent

Open Collective Promotion: https://www.youtube.com/watch?v=MtlFTwZLKpc&t=1s

jrockowitz.com

Guests

Jacob Rockowitz www.jrockowitz.com @jrockowitz

Hosts

Stephen Cross - www.stephencross.com @stephencross

Nic Laflin - www.nLighteneddevelopment.com @nicxvan

John Picozzi - www.oomphinc.com @johnpicozzi

Jason Pamental - rwt.io @jpamental

OSTraining: OSTips - Alternatives to Acquia’s DevDesktop For Local Drupal Development

2 days 10 hours ago

If you've installed or updated Acquia’s DevDesktop lately, you've seen this message:

And so you know that DevDesktop is approaching end of life.  

In this video, I'm going to give you two alternatives to Acquia’s DevDesktop For Local Drupal Development. You know I've used this software for years now and introduced literally thousands and thousands of people to Drupal using Acquia’s DevDesktop. It's a shame that it's going away, but we've got alternatives.

Let's dive in.

Tag1 Consulting: DevOps is a culture, not a Technology

2 days 12 hours ago

DevOps is a word or phrase that’s getting more and more attention as organizations move more towards delivering applications and infrastructure services through automated IT processes. Rather than automate IT staff out of a job, DevOps aims to reduce time spent on repetitive processes and enable personnel to focus on bigger problems as well as developing technologies. DevOps, at its core, aims to build tools to help developers do their work, and deploy it more easily and efficiently.

Read more lynette@tag1co… Thu, 06/17/2021 - 07:34

Lullabot: How to Plan Your Drupal 7 Migration

3 days 7 hours ago

Migrations from Drupal 7 can be as varied and diverse as humanity itself. Goals, audiences, servers, content models, and more all come together to form a unique fingerprint. No two migrations are ever really the same.

But despite the uniqueness of each, there are some commonalities. You can take steps to ensure your migration will be a success, no matter how complex or simple.

Map out your Source

You need to know where you are coming from. This is how you begin to determine the length of the journey and how many supplies you’ll need along the way. 

Ben's SEO Blog: The Hreflang Module

3 days 12 hours ago
The Hreflang Module Have a multilingual #Drupal website? Then the #hreflang module is a must! Search engines use the alternate hreflang tag to serve the correct language -- even pages that don't have translations should have one. Tracy Cooper Wed, 06/16/2021 - 09:09

OpenSense Labs: Business impact of agile transformation

3 days 13 hours ago
Business impact of agile transformation Maitreayee Bora Wed, 06/16/2021 - 18:35

Enterprise agility is one of the most commonly adopted transformation approaches which comes up along with a lot of challenges. The companies need to reshape the organizational structures, make changes in the operational models and reform the old ways of working techniques. The agile transformation includes a big shift in organizational culture and that makes an organization ponder over it or even neglect it. But eventually, organizations realize the importance of it, apply agile transformation techniques, and receive immense benefits that help them evolve and move closer towards their goals and aspirations. This article will guide you through the right approach needed towards adopting the agile transformation in your organization. 

To successfully adopt an agile transformation, you need a plan

To succeed with the agile transformation, you need to clearly understand the fact that why are you making such time and effort to adopt this transformation and what exactly you want to gain from it. It is important to have clarity upon what changes you will have to make so that the desired outcomes can be achieved by your business. For this let’s firstly, understand the importance of preparing a proper business case for adopting agile transformation at your organization. It is important to convince the decision-makers to realize the significance of approaching agility in the work culture with the right business case. Before that, go through what agile development methodology actually means.

Making business case for agile transformation

A business case explains the main objectives of the organization in regards to agile transformation. Generally, adopting agile leads to desired business outcomes but only if it is approached in the right manner. Therefore, it is essential to have some set important goals which will help in the overall growth of the company with agility. Here is an insight into the recommended goals.



The first and foremost goal is to meet customer commitments on time. It helps in building trust between customers and the company leading to customer satisfaction. Secondly, it is essential to maintain high-quality products and services as at times companies fail to deliver suitable services as promised to the customers. This further helps in building a good brand reputation for the company. Thirdly, one of the aims of adopting agility in an enterprise is to efficiently reduce their costs and maximize profits. Lastly, the companies expect an early return on investment with agility as by practicing traditional working methods they struggle with long delivery cycles which do not allow them to receive early return on investment. Read this complete guide on agile transformation to know more.

Now, we will get an overview of the transformation hypothesis to help us approach agility in the right way.

A step closer to agility with Transformation Hypothesis

A Transformation Hypothesis describes the real purpose behind choosing agile transformation. Along with accepting agility, companies have to be flexible enough to embrace change in various working techniques. But sometimes it might not sound comfortable for the employees as they are accustomed to working with the same old traditional techniques. So, in situations where employees aren’t confident enough and are faced with certain challenges, the companies should proactively help them to overcome such difficulties and welcome change. Below are some of the concerns which need to be resolved to strongly practice agility in your organization.



Culture change isn’t the only solution 

It is observed that adopting agility brings a big shift in the work culture of an organization, so we assume that the culture change alone will look after all the necessary steps and efforts required to successfully implement such a transformation within the company. But in reality, it isn’t so. There is also a need for proper guidance in forming cross-functional teams which have various functional expertise to increase innovation in products and services. To succeed with agility, the company will have to look upon various factors, apart from considering culture as the only means to improve agility.  

Process training alone cannot bring agility

We get to see that employees are given training from coaches to learn new methods and techniques, also expecting them to be capable enough to face any challenges which they witness while practicing agility. But the problem here is, it is nearly impossible to handle technical, governance, and organizational issues by employees with the process education obtained during the training sessions. Such issues need to be resolved by providing essential support to the company employees to tackle such hard situations.

Need for a right ecosystem

To reach the desired level of agility, there is a need for an ecosystem that facilitates continuous improvement to achieve a company’s agility goals and objectives. If a company fails to build the right ecosystem, it will be challenging to sustain agility in an organization for better adaptability and resilience.

Strategize plans according to the size of the organization

One has to strategize plans depending on the size of the organization to sustain agility. For example, the strategy which you will use for transforming a single team will certainly differ from the strategy you plan for a large-sized company having 500 or more employees. In the same manner, if you are leading a group of five to seven people, sending them to training sessions might be sufficient. But if you lead 1000 employees, the planning and arrangement must be executed on a much different level. So, it justifies the fact that the size of the organization is to be considered while adopting agility.

Overcome the challenge of dependency 

Dependencies can bring hurdles in successfully attaining agility in organizations. When we have small teams, it is easier to manage dependencies but if we have multiple teams working towards the same goal, it becomes very difficult to handle inter-team communication and collaboration. So, removing dependencies shall be one of the primary tasks. For smooth delivery of products and services, it is very essential to strategize plans to overcome dependencies and develop agility in an organization.

Benefits achieved by adopting agile transformation

Many organizations have received benefits from practicing agile transformation in recent years. They need to put the right agile transformation approach to attain the desired business outcomes with this transformation. The agility in enterprises allows flexibility to adapt new organizational practices and techniques leading to maximization of business value. 

Moving forward, we will discuss some of the benefits which are attained by companies adopting agile transformation in their business. 



Maximise customer satisfaction

With agility, companies mainly focus on adding value to the customer experience by understanding their requirements and making early delivery of products and services. It helps in evolving customer satisfaction by prioritizing customer feedback to improve the product quality as per their expectations. Enterprise agility allows employees to provide services with expertise, proper collaboration among various teams, and transparency which leads to an increase in customer satisfaction.

Here is an example of Asia Pacific Telco, which adopted an agile operating model to meet customer needs and was successful in increasing customer satisfaction by implementing new ideas and techniques into their work process. Below is the diagram showing the transformation shift towards a positive direction leading to a great customer experience.

Source: McKinsey & CompanyIncrease employee engagement

Adopting agility facilitates employees the ability to use their creativity to produce better work performance and results. It gives them a sense of ownership to take all the necessary decisions to improve their work productivity and help them feel valued in the workplace. Such flexibility helps in increasing employee engagement to a great extent also empowering companies to reach their desired goals and ambitions. For instance, read how you can build a diverse and inclusive team by leveraging agile techniques.

Raising operational performance

Agility helps in providing various business models to the organizations which further helps in improving the operational performance according to the desired expectations. Due to this agile transformation, the companies are availed with various approaches which help in increasing the speed of company decision making and product development. The target achievement rate can be seen improving remarkably, by the agile companies which prove to be one of the major achievements of a progressing enterprise. 

Growing competence towards changing priorities 

With agility, a behavioral transformation takes place among the employees to reach their highest potential in embracing change and innovation. They learn to handle the changing priorities within the organization in the form of resources re-location to a team who needs support and assistance to survive the challenges which come along with agility. They get comfortable with the changes that take place in their work process and techniques, accepting change for better company growth. 

Enhance project visibility

Project visibility provides a clear vision of a project performance which includes allocating resources, potential risks, and proper distribution of responsibilities. Increased visibility ensures everyone involved in the project understands the objective of the project and their role in meeting the business goals and aspirations. It gives clarity to stakeholders regarding the real-time status of the project. Agility helps in changing any project plan or initiative following customer or stakeholder needs and requirements for better project performance. For instance, read how imbibing agile documentation processes helps improve project management.

Improving Business and IT alignment

Business IT alignment can be regarded as a business strategy that helps in achieving the business objectives leading to improved financial performance. This alignment is necessary to adapt to the constant change in the company and environment due to agility. Therefore, both business agility and business-IT alignment should go hand in hand to maintain company growth and development. For instance, read how the inclusion of agile processes to the testing phases of software development can be immensely beneficial.

Lastly, the most important benefit which we witnessed recently by adopting the agile transformation is the flexibility of working at our convenience during the pandemic of COVID 19. Due to this pandemic, the organizations felt the need for agile transformation rather than sticking to the old traditional transformation techniques which created hurdles in the proper functioning of their business. According to McKinsey’s research with Harvard Business School during COVID-19, agile companies have received better results in comparison to non-agile companies.

Source: McKinsey & CompanyCompanies sharing their successful journeys with agile transformation

With agility, many organizations have achieved immense success leading their business towards their set goals. Here are some of the companies sharing their success stories which can act as a motivation for everyone to move towards agile transformation. 

Ericsson

Ericsson aimed at improving the delivery of products within the stipulated time leading to an increase in customer satisfaction. To achieve this target, they adopted agility in 2008. They implemented cross-functional teams which could focus on specific projects along with building effective communication across several teams. Instead of individual targets, each team worked towards both organizational and group goals to receive desired results. After making such changes with the help of agile transformation, Ericsson could successfully achieve speedy development, faster customer feedback, and generate higher revenue according to desired company standards. 

Bank of America

In late 2012, the agile transformation in global markets at Bank of America began. Merrill Lynch, the director of global markets technology at the Bank of America expressed that their main aim was to improve the time to deliver better company solutions and also reduce key person dependencies across his technology team. They adopted Scrum (a specific Agile methodology) also providing an environment to the employees where they could experiment by taking risks to bring exceptional work results. The cross-functional team formation too was encouraged to turn business ideas into working products for achieving company targets. After a year of consistent efforts, they finally succeeded in meeting their business goals with agility.

LEGO 

LEGO attained success by adopting agile transformation in early 2018. They adopted this approach in their two large digital departments. After such adoption, they witnessed various improvements in several areas like market engagement, digitalization, and reduction in project delivery time. This further brought a sense of motivation and satisfaction among the employees. So, with this transformation, LEGO could set a successful journey of embracing change. 

To get more insight on a company's smooth agile transformation, you can go through this book-   “Agile Transformation: A Brief Story of How an Entertainment Company Developed New Capabilities and Unlocked Business Agility to Thrive in an Era of Rapid Change” which will give you an idea about a company in the entertainment industry who got excellent results by adopting agility in its work culture. This will be a good read.

Here is a video presented by Scrum Alliance about IBM’s wonderful experience of learning, implementing, and overcoming challenges with agile transformation. Without any further wait, take a look at their exciting agile transformation journey.

Final thoughts

Agility is an approach to drive performance and provide endless innovation to organizations. Adopting this transformation can break the old traditional working methods enabling to achieve tremendous growth and advancement in business. So, the organizations will have to step out of their comfort and strive for something new which can deliver exceptional business outcomes.

blog banner blog image Agile Transformation Agile development methodology Enterprise agility Agile Blog Type Articles Is it a good read ? Off

Drupal blog: Drupal 9.2.0 is available

3 days 14 hours ago
What’s new in Drupal 9.2.0?

The second feature release of Drupal 9 helps keep your site even more secure, and comes with increased visitor privacy protection, improved migration tools from Drupal 7, enhancements to the Olivero frontend theme and early support for the WebP image format.

Download Drupal 9.2.0

Security and privacy improvements

Critical security advisories and public service announcements will now be displayed on the status report page and certain administration pages for the site's administrators. This helps prepare site owners to apply security fixes in a timely manner. For increased privacy protection of your site visitors, Drupal 9.2.0 now blocks Google Federated Learning of Cohorts (FLoC) cookie-less user tracking by default.

Better building blocks out of the box

The Olivero theme, soon to be Drupal's new default frontend theme, has dozens of major improvements in this release, including a new form design and various accessibility fixes. The built-in Umami demo is now also more flexible with a built-in editor role and more versatile Layout Builder demonstration.

On the way to Drupal 10

In preparation for Drupal 10, all Symfony 5 and and several Symfony 6 compatibility issues have been resolved. As part of modernizing the frontend of Drupal 9, core's Tour feature now uses ShepherdJS instead of jQuery Joyride. This significantly improves accessibility of tours and removes one more reliance on jQuery.

Other improvements

The already stable migration path from Drupal 7 is now expanded with migrations for user settings, node/user reference fields and other previously missing pieces.

Drupal's GD toolkit integration, and, therefore image styles, can now manage WebP images. There is more to do for complete WebP support. Stay tuned for improvements in future releases.

Sneak peak at future core features

The upcoming core CKEditor 5 upgrade is being worked on in a contributed project. Progress has been made on various aspects of the roadmap, and the project is near to completing all issues identified as requirements for tagging a beta release. Core inclusion is expected in Drupal 9.3.0, but contributed projects are requested to build compatibility ahead of that.

The Automated Updates Initiative has been very active in the repositories under https://github.com/php-tuf building a PHP implementation of The Update Framework (TUF) with Typo3 and Joomla developers to provide signing and verification for secure PHP application updates. Results will be included with later Drupal releases.

Check out the initiative keynotes from DrupalCon North America 2021 on what else is in the works.

What does this mean for me? Drupal 9 site owners

Drupal 9.0.x is now out of security coverage. Update at least to 9.1.x to continue to receive security support.

Drupal 8 site owners

Update to at least 8.9.x to continue receiving bug fixes until Drupal 8's end of life in November 2021. The next bug-fix release (8.9.17) is scheduled for June 7, 2021. (See the release schedule overview for more information.) Versions of Drupal 8 before 8.9.x no longer receive security coverage.

With only five months left until the end of life of Drupal 8, we suggest that you upgrade from Drupal 8 to Drupal 9 as soon as possible. Upgrading is supported directly from 8.8.x and 8.9.x. Of the top 1000 most used drupal.org projects, 94% are updated for Drupal 9, so the modules and themes you rely on are most likely compatible.

Drupal 7 site owners

Drupal 7 is supported until November 28, 2022, and will continue to receive bug and security fixes throughout this time. From November 2022 until at least November 2025, the Drupal 7 Vendor Extended Support program will be offered by vendors.

On the other hand, the migration path for Drupal 7 sites to Drupal 9 is stable. Read more about the migration to Drupal 9.

Translation, module, and theme contributors

Minor releases like Drupal 9.2.0 include backwards-compatible API additions for developers as well as new features.

Since minor releases are backwards-compatible, modules, themes, and translations that supported Drupal 9.1.x and earlier will be compatible with 9.2.x as well. However, the new version does include some changes to strings, user interfaces, internal APIs and API deprecations. This means that some small updates may be required for your translations, modules, and themes. Read the 9.2.0 release notes for a full list of changes that may affect your modules and themes.

This release has further advanced the Drupal project and represents the efforts of hundreds of volunteers and contributors from various organizations. Thank you to everyone who contributed to Drupal 9.2.0!

Aten Design Group: Upgrade paths for your Drupal 7 website

4 days 6 hours ago
Upgrade paths for your Drupal 7 website Eric Toupin Tue, 06/15/2021 - 14:14 Drupal

Drupal 7 will reach end-of-life (EOL) in November of 2022, which means that at least a half million webmasters & site owners have some decisions to make. What’s the next step for your organization’s website? What sorts of costs might you be looking at for this upgrade? What timeline can you plan on for this change? All good questions.

If you’re interested in this topic, take a moment to register for our Director of Engineering, Joel’s free webinar coming next week. He'll be covering aspects of these options in greater detail.

Webinar, June 23rd:
Options for upgrading your Drupal 7 or Drupal 8 site

Register Now

What is EOL and what does it mean to me?

The Drupal ecosystem of core and contributed modules is protected against hackers, data miners, automated exploits and other malicious actors by the Drupal Security Team — more than thirty developers working across three continents in almost a dozen countries to keep Drupal websites safe. The security team responds to reports of potential weaknesses in the Drupal core or contributed code and coordinates efforts to release new versions of the software that address those vulnerabilities.

The more than a million Drupal developers worldwide going about their day-to-day development tasks act as a passive network of quality control agents. Developers who discover security vulnerabilities while working with the code can confidentially report them so that the security team can go about fixing the problem before knowledge of the vulnerability is widely available. A million worldwide developers backing a thirty-something strong team of elite developers spells security — for your website, your data, and your organization.

In November of 2022, that all comes to an end for Drupal 7. That’s when the security team will officially retire from the Drupal 7 project in favor of modern versions of the platform. As new vulnerabilities in the code are discovered (and made public) you won’t have anyone in your corner to fight back with new security releases.

After EOL you can expect what’s left of the Drupal 7 community to move on, too. That means no new modules, new themes, or other new features built for the platform. It also means the pool of developers specializing in Drupal 7 starts to shrink very fast. If you’re still on Drupal 7 in late 2022, you’re out in the cold.

The good news is that there are options. Here’s are my top three picks:

Drupal 9: Drupal is dead, long live Drupal

Drupal 9 is the most modern iteration of the Drupal framework and CMS. It introduces a completely reimagined architecture and a rebuilt API more inline with modern development standards.

  • Cost: High
  • Build Time: High
  • Longevity: High
  • Support: High
Pros

Upgrading your site to the latest version of Drupal (9.1.10 at the time of this article) is, in most cases, the right move. Modern Drupal has grown to support a wide array of innovative features in core. Improved WYSIWYG content editing, a feature rich Media library, advanced publishing workflows, and rich JSON API are all available right out of the box. Couple that with Drupal’s new, highly modern architecture built on Symfony, the adoption of the Twig templating engine, and dependency management via Composer and you really do Build the best of the web in terms of technology, support, and longevity.

When you make the move to Drupal 9 you can count on Drupal’s huge and thriving community of developers (and security team) making the move right along with you. Existing modules from previous versions of Drupal are either — in almost all cases — already available, now packaged into core, or making their way to Drupal 9 at this moment. It’s very likely the agency you’re already working with has or is building a Drupal 9 proficiency, and it’s guaranteed that hundreds of other shops can pick up the slack in the odd case that your provider isn’t on board yet.

Finally, let’s not forget Drupal’s commitment to easy future upgrades which promises continuity in architecture that should facilitate easy upgrades to Drupal 10 and beyond. Gone are the days (probably) of “rebuild” style upgrades like those of Drupal 6 to Drupal 7, or Drupal 7 to Drupal 8/9.

Cons

Speaking of “rebuild” style upgrades... upgrading from Drupal 7 to Drupal 9 is one of them. While it could be your last major upgrade if you stick with Drupal for the long haul, moving from Drupal 7 to the more modern 8/9 and beyond architecture is a very heavy lift. For most organizations the move to Drupal 9 is the longest term, most feature-rich, most supported, and most modern option, but it generally entails a complete rebuild of your site’s backend and theme which basically means starting from scratch. Take a look at Joel’s post about the upgrade from Drupal 7 to Drupal 8 for more information — the process is comparable to a Drupal 7 to Drupal 9 upgrade.

Backdrop CMS: The same, but different

Backdrop CMS is a lightweight, flexible, and modernized platform built on Drupal 7 architecture with notable improvements. The software is a fork of the Drupal 7 code and boasts a simple, straightforward upgrade path.

  • Cost: Low / Medium
  • Build Time: Low / Medium
  • Longevity: Medium / High
  • Support: Medium
Pros

Drupal 7 sites moving to any other platform — including Drupal 8 / 9 — must be rebuilt. That’s not the case for Backdrop CMS, which gives you the option of protecting your investment in an existing Drupal 7 website and reaping the benefits of modern features like configuration management and advanced layout control. Backdrop CMS will prioritize backward compatibility with Drupal 7 until at least 2024, meaning that even fully custom Drupal 7 code — with very minor modifications — should work in the Backdrop CMS ecosystem. A large selection of widely used Drupal 7 modules are already available for Backdrop CMS, and more are on the way. And while backwards compatibility is a major selling point for Backdrop CMS, its architecture is forward thinking with the introduction of classed entities and an object-oriented approach to all of its new components and features.

While the Backdrop CMS developer community isn’t particularly large, Drupal 7 and Backdrop CMS development skill sets are virtually interchangeable for the time being due to the almost identical API. There’s also considerable overlap on the Drupal 8/9 front due to Backdrop’s preference for object-oriented code in all of its newly added features. That means your existing Drupal developers can help you make the switch, and while the upgrade process isn’t exactly seamless it’s definitely a far cry from a complete rebuild.

Backdrop CMS also has its own security team, which — for now at least — works closely with the Drupal security team. Active development for the current version of Backdrop CMS is planned through 2024 according to their Roadmap, with the next version of Backdrop CMS promising an even easier upgrade path compared to the Drupal 7 to Backdrop CMS upgrade.

Cons

Backdrop CMS implements both Drupal 7 style procedural coding and Drupal 8/9 style object-oriented coding, which in theory means that it caters to a wide range of developers. In practice it’s hard to predict the future of any up-and-coming development community. That makes the outlook for long term support a little opaque, in that it’s hard to say just how many developers will be supporting Backdrop CMS and building new features for it down the road a couple of years.

Also, while Backdrop CMS absolutely prioritizes backwards compatibility with Drupal 7, a greater number of contributed and custom modules in your existing site could complicate the upgrade process. Simpler Drupal 7 sites with fewer contributed and custom modules would probably encounter a low effort to complete the upgrade, while a greater number of contributed and custom modules are likely to see a medium effort as some of those modules may need to be converted.

Drupal 7 Vender Extended Support: Don’t move a muscle

Drupal 7 ES is the do nothing for now option. A small collection of approved and vetted vendors will be providing security updates and / or critical patches for Drupal 7 core and contributed modules following a variety of vendor-specific plans.

  • Cost: Low
  • Build Time: None
  • Longevity: Low / Medium
  • Support: Medium
Pros

The biggest plus here is simple: No further action is required at this time. If you’re planning to work with a vendor that provides extended support for Drupal 7, you won’t need to take any action to protect your website from aging software until Drupal 7 EOL in 2022. At that point, you’ll need to plan on a flat or adjustable monthly fee through the end of 2025 — or possibly beyond. This could mean avoiding major strategic and financial decisions regarding your digital strategy for at least a few years, and all at a cost that (depending on the size of your organization / website) is probably a fraction of the cost of a software upgrade.

With the Drupal 7 EOL recently extended until November of 2022, many of these Vender Extended Support plans haven’t fully materialized — so details are still forthcoming. Agencies like Tag1Quo or MyDropWizard advertise services from a surprising $15 / month to $1250 / month for a range of beyond EOL Drupal support plans. Acquia and Lullabot are also named by Drupal.org as ES vendors — but without any specifics about pricing or support levels. While the picture isn’t entirely clear yet, availability of an affordable ES plan is virtually guaranteed by 2022.

Cons

Drupal 7 Vendor Extended Support may protect you against vulnerabilities and exploits discovered after Drupal 7 EOL, but community support will be all but dead by that time. That means no new features or modules will be released and the pool of Drupal 7 developers will be rapidly drying up. Unless you have an in-house development team, you can plan on your website coming to a standstill in terms of ew features.

The amount of contributed and custom modules your site implements has an impact here, too. The greater number of custom and contributed modules, the greater you can expect the effort to be in supporting those modules beyond EOL.

Another concern with Drupal 7 ES is PHP 7 end-of-life. Once PHP 7 (the language Drupal 7 is largely built on) is no longer supported towards the end of 2022, you can expect the security of your Drupal 7 site to rapidly degrade. Updating Drupal 7 to be compliant with the newer, more secure PHP 8 is doable — but you can expect it to be a difficult process.

Finally, it’s likely that you will still need to consider upgrading to a supported platform in the future if your website will need to change and adapt in the coming years. You can expect this process to become more challenging as time goes on and the gap between your existing website and modern platforms grows ever larger.

Taking the first step

There are other options, too. Moving from Drupal 7 to another platform entirely (WordPress?) could make the most sense depending on the complexities of your website. Moving to a less robust CMS could be nominally more cost effective than an upgrade to Drupal 9, but it also bakes in some hard limitations to what your website will be able to do.

If you haven’t already, take a minute to register for Joel’s free webinar coming June 23rd. He'll be walking through a few of these options and more.

Webinar, June 23rd:
Options for upgrading your Drupal 7 or Drupal 8 site

Register Now

A lot of organizations are beginning to evaluate options for their Drupal 7 sites. The best way forward depends largely on your goals as an organization, your ambitions for your digital presence, and the amount of time and effort you’re willing to invest. We’d love to consider your questions or learn more about the specific challenges you’re facing as you sort through your options. Get in touch today with your questions about upgrade paths from Drupal 7.

Eric Toupin

Web Wash: Generate Twitter Card Meta Tags using Metatag in Drupal

4 days 14 hours ago

When someone tweets a link from your website, Twitter can use Twitter Cards to attach rich photos, videos and media to Tweets.

By doing some minimal configuration changes on your Drupal site using the Metatag Module and the Twitter Cards submodule, users can see a “Card” added below the tweet that contains neatly formatted information coming from your website, as shown in Image 1 below.

The cards are generated using HTML markup in the HEAD region of your Drupal site; that’s why the Metatag module is used.

Twitter will scrape your site and generate the card using the HTML meta tags.

OpenSense Labs: The Open Source Security Manual

4 days 15 hours ago
The Open Source Security Manual Gurpreet Kaur Tue, 06/15/2021 - 16:42

Imagine you created something and that something is a software. You wanted your creation to be used by as many people as possible, you wanted to make it universally accessible. So, you did just that, you made the software source code accessible so that anyone could inspect it, modify it and enhance its capabilities.

This is the scenario that makes an open source software what it is; a publicly accessible tool that is all for the community. It honours open exchanges, collaborations, transparency and perpetual development that is community-centric. These principles have made open source software become immensely popular today. And here is proof of that. 

Source: Github

Many of the public repositories, like PHP, Java and .NET, use open source software and in heavy numbers. If we look at the revenue open source software is deriving, the numbers are again quite impressive.

Source: Statista 

All these numbers speak volumes to the efficiency of open source software. However, if there is one aspect of open source software that needs some kind of assurance, I’d say it’s open source security. The reason is probably the fact that OSS is completely open for everyone, so it is assumed that something with this level of openness cannot be secure. 

In this blog, we’ll try to find an answer to the question, ‘what is open source security’ and see whether it is actually secure or not.

What Is Open Source Security?

Today, businesses try to leverage multiple software in their efforts to move forward in technology and open source is one software that is omnipresent in these efforts, be it just for its code. 

Source: Synopsys

The reasons for this elevated usage of open source components are plenty. 

The fact that you get to try the software before you buy it; 
The fact that support is free; 
The fact that there would be fewer bugs to deal with and faster fixes; 
The fact that software security would improve; 

To know more about the power of open source, read about the perks of being an open source contributor, leadership in open source, why are large enterprises investing in open source, why is open source recession-free, impact of open source during Covid-19 pandemic, and the significance of diversity, equity and inclusion in open source.

All of these account for open source to become a software that is quite pleasing to the eye. The last point that I mentioned may be the most pleasing factor of them all. But why? What is open source security? Is open source insecure? Let’s understand just that.

Like any other software out there, the OSS also goes through two main stages, the development and the production. And open source security works in both of them, managing and securing the OSS at all times by using certain tools and processes; all of this usually done through automation. 

Talking about the Software Development Lifecycle, open source security has three main responsibilities;  

  • It identifies open source dependencies in your applications; 
  • It provides critical versioning and usage information; 
  • And it detects and warns about any policy violations and its consequent risks. 

Moving on to the production phase, open source security continues to work diligently. Its main duties at this point are to focus on any and all open source vulnerabilities. It does so by; 

  • Monitoring vulnerability attacks; 
  • Blocking vulnerability attacks, if possible; 
  • And most importantly, alerting you for the same, thus making you ready to take action against them.

Be it a community driven open source or a commercial one, open source security works in much the same way. 

Delving a little deeper in open source security, is there an initiative or a body that is accountable for it. This was one question that I found myself asking while researching about this piece. And there is, it is The Open Source Security Foundation. It helps organisations relying on open source software to understand their responsibilities in terms of user and organisational security and verify it. 

The initiative focuses on aspects like vulnerability disclosure, security tooling and best practices, identification of threats and even digital identity attestation. All of these only aid in securing your projects, critical and otherwise, in a much better and efficient manner.

Is Open Source Good for Security?

The answer to the question ‘How does open source security work?’ is not a linear one. But if I had to answer it, I’d say open source security is nothing at all like Microsoft, which should provide a lot of clarity to you and instill a sense of faith in OSS.

According to Snyk’s The State of Open Source Security 2020 report, 

Open source ecosystems have expanded by a third in 2019; 
Open source security culture is focusing on shared responsibility; 
Open source vulnerabilities have reduced by a fifth.

Source: Snyk

On top of this, the vulnerabilities that were found in open source as most reported weren’t high impact on software projects. 

These facts were enough for me to believe in the capability of open source security. However, for you, I am going to provide four more reasons.

Security that is transparent

The main benefit of open source security is that it is transparent. What I mean by transparent is that its source code is open. You can get information about the code base and potential bugs.

People can sift through the source code of any open source project and improve any imperfections, which would not have been possible if the source code wasn’t open. This further means that there won’t be any surprises as the chances of any malicious functionality would be quite slim with this level of scrutiny. 

Security that is reliable 

This advantage is relatable to the previous one. OSS openness has made it possible for its code to be continually tested. 

The online community, which is responsible for developing the code, is behind these tests, making the software more reliable and trusted. The software developed on such trust would most likely never crash and fail.

Security that provides quick catches and fixes 

After transparency and reliance comes the benefit of quick fixes. The open source community is again to be thanked for this. The many contributors of open source make it possible to detect any bugs and flaws and quickly patch and fix them, without any elongated downtime for your applications. 

Security that is sustainable 

Open source software isn’t going to go anywhere and would open source security become antiquated. The reason would be its growing community that would continue to expand indefinitely. Therefore, the platform would continue to improve and you would have the assurance of better security means as time continues to move ahead.

At the heart of every benefit of open source security is its openness and community. Is open source a security risk? Not really. Is it a full-proof solution? Again not really. Yes, open source security cannot provide you the guarantee of being full-proof at all times, but the fact that the open source security at least provides a better chance of being secure is enough to make it advantageous for us; after all, are there really any guarantees in life?

Are There Challenges That You Need To Overcome?

Moving on from the pretty picture of open source security, let’s focus on the dark side of the concept. Open source security isn’t always full of the joys of spring, there are certainly challenges that need to be overcome. Since open source has become prevalent in every business sector, so have the open source security vulnerabilities. 

Open source vulnerabilities by business sectors | Source: Synopsys

Ironically, most of the challenges coincide with the openness of an OSS, so the benefits become the drawbacks. Let’s take a look at them.

The openness isn’t without vulnerabilities

Much like any software out there, open source also comes with some vulnerabilities. Yes, the open source community aids in the remediation of these flaws, but they tend to widen the difference between open source safety and open source attacks.

Vulnerabilities reported in OSS | Source: WhiteSource Software  

Yes, open source security issues come with their fair share of vulnerabilities, from XSS to information exposure, there is everything and these vulnerabilities keep on changing year after year. 

However, there is a silver lining in this challenge and that is the impact of these vulnerabilities. 

Source: Snyk

XSS is one of the most reported vulnerabilities, however, it only impacts a low number of projects. This can be considered as a positive outcome of this particular challenge.

The openness lures attackers

The OSS code is open for everyone and so its vulnerabilities; and we certainly know that everyone includes people with malicious intent as well. So, open source vulnerabilities become an easy target for attackers.

The National Vulnerability Database, which is a platform providing information about the open source vulnerabilities that too publicly isn’t helping this challenge much. Don’t get me wrong, such platforms are indeed helpful in identifying the problems, but considering they are public and open, the attackers get their arsenal for the next target.

You may think that the known vulnerabilities should get fixed before the attackers are lured in by them. But that is easier said than done. The problem here is that the open source vulnerabilities are published at multiple platforms, thus tracking them becomes difficult. Even if they have been located, updating, patching or fixing can require some time and during that phase, you’d be at risk.

The openness might overlook quality 

There are a number of people who contribute to open source security and you cannot be sure that all of them would be security experts. Everyone in the community will not have the same level of skills and expertise. Therefore, the way they would create a piece of code would be different. This makes quality assurance a task that could almost be impossible to take on. Furthermore, the fact that there are no set standards for the quality of open source code makes it all more convenient to overlook quality.. 
 
All of this means that the quality might be overlooked and even compromised. The fact that only 8% of the WhiteSource survey respondents were concerned about the quality is a testament to this challenge.

The openness comes with licensing risks 

OSS may be free to use, but it does come with a number of licenses that need compliance; 110 licenses to be exact, according to the Open Source Initiative. These act as the guidelines for OSS source to be used.

With these many licenses, there is bound to be a risk of compatibility. Let’s understand this, some licenses are compatible, this means you can use them together. However, some aren’t, which means that using them together would put you at risk, like the Apache 2.0 and GPL v2 license.

What’s more is that, if you do not comply with the licensing guidelines of open source, you’d be making yourself open to a lawsuit. While I know this isn’t the kind of security concern we've been talking about so far, it is a security concern all the same.

Can You Overcome the Security Challenges?

The major challenge in open source security are the vulnerabilities. Detecting them and resolving them has to be the priority, if you want to overcome the challenges. Given the fact that open source vulnerabilities have risen in 2020, you need to be sure that you are not at an elevated level of risk.

Source: WhiteSource Software 

Let’s see how these vulnerabilities can be caught in time, so that they do not affect your business by implementing some of these open source best practices.

Prioritising security, always 

The first part in overcoming open source vulnerabilities is to always prioritise security. This starts with the choice, whenever you choose an open source component to work with, security has to be one of the considerations in the choice. 

Usually, functionality comes as the main reason for choosing an OSS. However, just focusing on that can put you at a disadvantage. Think of it this way, an open source component that does not require any integrations with your codebase would remove any and all security risks, along with reducing the complexity of your source code.

Prioritising automation as a means to detect and monitor vulnerabilities 

Next comes the detection of the security vulnerabilities and automation comes quite handy here. Organisations, especially large ones, have a pretty massive codebase and going through it would be a mammoth task, if not automated. Detecting susceptibilities is already quite a lengthy process, even with automation.

You have to identify which packages are being used; 
You have to pinpoint the vulnerable functionality in your code; 
You have to map out the way that particular vulnerability is impacting; 
And then you have to work on rectifying the findings.

Such a process may only include four steps, however, it isn’t a trivial task.

One of the problems in overcoming the vulnerability challenge is that organisations, sometimes, have no clue that they are actually susceptible. The fact that the open source community has an extensive amount of data means that the vulnerabilities would be spread across that expansiveness. So, running automated scans for identifying vulnerabilities would never let them go unidentified.

Taking help of automation tools would not only help you get to the problem areas faster, but also keep doing it continuously. When you enforce automated tools to continually monitor security problems, you come closer to protecting your project and taking control over the open source components you are using.

Prioritising the involvement of the team in security

The last point to cover in order to overcome the open source challenges involves your team. There is a high likelihood that your developers would not be experts in security. And the people you may have in security would be lost in the developers’ realm. Since open source vulnerabilities require you to be efficient at both development and security, there has to be some training involved.

Source: Snyk

Such a response for detecting open source dependencies is not ideal. So, aim for cross training your staff, the developers should be able to at least identify certain security vulnerabilities and the security team should have some understanding of the development process. 

If you think that isn’t a possibility, you can hire outside help to assist you in overcoming the challenges posed by the open source components. 

The Verdict 

OSS is on the rise and it will continue to grow in the future, there isn't any doubt about it. Along with that open source security will also strive to improve. Yes, there are issues that surround open source security, it isn’t perfect. I think that’s a good thing, because perfection cannot be improved upon and that means open source security has a lot of strides to make. 

Open source security operates on visibility and openness, and it also teaches its adoptive organisations to preach the same. Aiming for visibility in your source code would always keep you ahead of the vulnerabilities you might have. It would also provide you with knowledge of your dependencies and a clear understanding of your code. 

So, in that sense, open source software would be a great low cost addition to your project and open source security isn’t something that would ever hold you back. With the amount of open source security tools available today, that’s almost a guarantee.

blog banner blog image open source security Open Source Software Open Source Community Blog Type Articles Is it a good read ? On

Oomph Insights: The New Rules for Company Intranets: Why You Need to Go Beyond the Desktop

5 days 2 hours ago
Not long ago, company intranets were little more than a repository for shared files, general announcements, and the all-important list of holiday office closures. Today, the humble intranet has evolved as a way to enhance internal communication and employee engagement, and to help workers do their jobs. While organizations tend to have more content- and feature-rich intranets these days, many are missing one crucial element: a mobile-optimized version. As a result, they can exclude a large proportion of workers—including the 80% of people who make up today’s Deskless Workforce. Top “deskless…

Centarro: Understanding the Drupal Commerce 2.x Address Book

5 days 5 hours ago

Drupal Commerce 2.x includes address book functionality for both customers (from their account pages and checkout form) and administrators (from order edit pages). This article provides a quick summary of the address book architecture to help you understand how customer addresses are modeled / saved to your database and what you need to take into consideration when writing custom code / data migration processes for orders and customer profiles.

Commerce Core uses our Address module to add address fields to various entities, including stores and customer profiles. Address fields are not added directly to orders, payment methods, or shipments - the things for which we might typically expect an address to be selected from an address book. Those entities instead reference profiles with addresses that represent billing and shipping addresses.

As a result, a user’s address book is basically just a collection of profiles with the same uid as the user. These profiles are created in various ways:

Read more

ComputerMinds.co.uk: Entity Extra Field module: display blocks & views amongst fields

5 days 17 hours ago

I'm a fan of configuring things for display through Drupal's admin UI. It gives site builders confidence and power. What if you want to place blocks or views listings in amongst fields on pages of content? For example, to display:

  • A listing (view) of related content, such as accessories for a product
  • A standard contact block, advert, or some other calls to action in the middle of the content, exactly where the user is best 'caught' in their journey, rather than having to stick those in sidebars or after all the content fields.
  • Some specific value(s) pulled from fields on some indirectly related entity, through a token, such as details from a taxonomy term representing the 'section' that a page is in.
  • Consistent relevant links on user profiles to take people to common destinations

Drupal's usual blocks system allows you to put these in sidebars or above/below the usual node fields, but not between them. You could use a 'heavyweight' system like Layout Builder, Panels, or Display Suite, but those tend to entirely change the way you configure or edit your content. You could get a developer to override twig templates or write custom PHP. But is there a middle ground?

Well, of course! You might have noticed some modules already allow their page additions to be moved around amongst the usual fields on content. See these rows without widget or format settings in this following screenshot, which aren't for ordinary fields at all? Wouldn't it be great to be able to add your own?

This is where the Entity Extra Field module (entity_extra_field) comes in. It supports embedding blocks, views or values to be replaced via tokens. So a site builder can set these up to be managed just like ordinary fields on the page (whether it's a node, term, paragraph, or any other type of content). Each one would act as a sort of 'pseudo-field', rendered as part of a display mode amongst the ordinary fields. It also works for form modes - so you can display useful content beside existing field widgets, perhaps displaying relevant related data to editors in the places that they would be entering content about that data.

Entity Extra Field supports visibility conditions (just like blocks, but for views & tokens too) and passing & selecting contexts for blocks. These give it quite a lot of power - for example, to conditionally hide a field rather than just using Drupal's ordinary display settings for it. So I believe this module does a better job than the older EVA module (for views), and my own similar EBA module (for blocks) did. In fact, I recommend that anyone using my EBA module in D7 should use Entity Extra Field in its place when moving to Drupal 9. Here are some screenshots of its interface - first for selecting a view to add to content:

And for choosing a block to display - in this case, a custom one that requires a context:

Each 'Extra field' gets shown on all entities of the type/bundle they are configured on. So there's no need to constantly remember to add a common block or view every time you create/edit a page. If you do want to have different ones on different pages, then you should use Views Reference or Block Field. These modules provide true fields for editors to choose which view/block to display on each individual page.

The code inside Entity Extra Field uses hook_entity_extra_field_info(), which acts just like its Drupal 7 predecessor, hook_field_extra_fields(), which I've written about before. So you could write code using that to add your own page additions too - but given that blocks, views, and content accessible via tokens are possibly the most common things to embed, that suddenly feels unnecessary. Even as a developer, I'm glad to avoid writing code that would need maintaining anyway.

I've been privileged to be able to contribute fixes & functionality to the Entity Extra Field project, resulting in a recent new release. My time for that was essentially sponsored by ComputerMinds and one of our clients who would use this site-building capability, especially around block contexts. So thanks to them! And of course a big thank you goes to Travis Tomka (droath) for making the module, and accepting my many issues & patches!

 

Photo by Y. Peyankov on Unsplash

Golems GABB: Upgrading to Composer 2: good reasons and key instructions

5 days 20 hours ago
Upgrading to Composer 2: good reasons and key instructions Editor Mon, 06/14/2021 - 09:45

One of the goals of our blog posts is to spread the word about the best web development practices. When it comes to the best practices for PHP-based CMSs like Drupal, the famous package manager Composer is always on top of the list. Some time ago, we published an article about the superpowers of Composer in Drupal development but would also like to dedicate a special post to its new release. Read on to see why it’s a great idea and how to upgrade to Composer 2.

Why upgrade to Composer 2

Composer has been around for 8 years performing its mission of a great assistant to developers in installing, updating, or removing all kinds of PHP packages. The major new version of this dependency management CLI tool was released in October 2020.

Sergiu Nagailic (Nikro) Blog: Drupal Redirects in Gatsby.JS

6 days 13 hours ago

If you’re running Drupal + Gatsby.JS website, you’ll inevitably change the URLs of some of these articles (i.e. by changing the title) → and this will change the slug (URL) →and this will cause 404s (i.e. break all Social Media posts, etc). There’s a way to fix it.

The Reason

This depends on the case, in my case (and many other examples I’ve seen) - the slugs are generated by using Drupal's path aliases. And Drupal’s paths depend (usually) on the node’s title.

This has unforeseen consequences, once you change the title, the path is changed too and on the next build, Gatsby will stop recognizing the old paths, resulting in 404s. This happened to me - when I wanted to rename the initial article as “Part 1” (because I’ve written a “Part 2” later), all my social-media posts were broken and Goo...

Read the Full Article
Checked
13 hours 46 minutes ago
Drupal.org - aggregated feeds in category Planet Drupal
Subscribe to Drupal Planet feed