Since Drupal is a content management framework, it's worth mentioning a module which reflects the very essence of content management: Views, of course. Simple but powerful, Views is the most popular module, installed on over two-thirds of Drupal sites.
This article will explain how to formulate the route name for a view because there are very few sources for the information online.
We needed a router and wifi access point in the office, and simultaneously both I and my co-worker Ivan needed such a thing at our respective homes. After some discussion, and after reading articles in Ars Technica about building PCs to act as routers, we decided to do just that.
The PC solution seems to offer better performance, but this is actually not a major reason for us.
We want to have systems we understand and can hack. A standard x86 PC running Debian sounds ideal to use.
Why not a cheap commercial router? They tend to be opaque and mysterious, and can't be managed with standard tooling such as Ansible. They may or may not have good security support. Also, they may or may not have sufficient functionality for nice things, such as DNS for local machines, or the full power of iptables for firewalling.
Why not OpenWRT? Some models of commercial routers are supported by OpenWRT. Finding good hardware that is also supported by OpenWRT is a task in itself, and not especially the kind of task I like to do. Even if one goes this route, the environment isn't quite a standard Linux system, because of various hardware limitations. (OpenWRT is a worthy project, just not our preference.)
We got some hardware:

| Component | Model | Cost |
| --- | --- | --- |
| Barebone | Qotom Q190G4, VGA, 2x USB 2.0, 134x126x36mm, fanless | 130€ |
| CPU | Intel J1900, 2-2.4GHz quad-core | - |
| NIC | Intel WG82583, 4x 10/100/1000 | - |
| Memory | Crucial CT102464BF160B, 8GB DDR3L-1600 SODIMM 1.35V CL11 | 40€ |
| SSD | Kingston SSDNow mS200, 60GB mSATA | 42€ |
| WLAN | AzureWave AW-NU706H, Ralink RT3070L, 300M 802.11b/g/n, half mPCIe | 17€ |
| mPCIe adapter | Half to full mPCIe adapter | 3€ |
| Antennas | 2x 2.4/5GHz 6dBi, RP-SMA, U.FL cables | 7€ |
These were bought at various online shops, including AliExpress and verkkokauppa.com.
After assembling the hardware, we installed Debian on them:
Connect the PC to a monitor (VGA) and keyboard (USB), as well as power.
I built a "factory image" to be put on the SSD, and a USB stick installer image, which includes the factory one. Write the installer image on a USB stick, boot off that, then copy the factory image to the SSD and reboot off the SSD.
The router now runs a very bare-bones, stripped-down Debian system, which runs a DHCP server on eth3 (marked LAN4 on the box). You can log in as root on the console (no password), or via ssh, but for ssh you need to replace the /home/ansible/.ssh/authorized_keys file with one that contains only your public ssh key.
Connect a laptop to the Ethernet port marked LAN4, and get an IP address with DHCP.
Log in with ssh to email@example.com, and verify that sudo id works without password. Except you can't do this, unless you put in your ssh key in the authorized keys file above.
Git clone the ansible playbooks, adjust their parameters in minipc-router.yml as wanted, and run the playbook. Then reboot the router again.
You should now have wifi, routing (with NAT), and be generally speaking able to do networking.
There are a lot of limitations and problems:
There's no web UI for managing anything. If you're not comfortable doing sysadmin via ssh (with or without ansible), this isn't for you.
No IPv6. We didn't want to enable it yet, until we understand it better. You can, if you want to.
No real firewalling, but adjust roles/router/files/ferm.conf as you wish.
The router factory image is 4 GB in size, and our SSD is 60 GB. That's a lot of wasted space.
The router factory image embeds our public keys in the ansible user's authorized keys file for ssh. This is because we built this for ourselves first. If there's interest by others in using the images, we'll solve this.
Probably a lot of stupid things. Feel free to tell us what they are (firstname.lastname@example.org would be a good address for that).
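Since the images ship with no real firewalling, the following is an added example of what a default-deny ferm.conf for this kind of box could look like. It is not the project's own roles/router/files/ferm.conf. It assumes eth0 is the uplink (the page only names eth3 as LAN4) and wlan0 is the access point interface; adjust those names to the actual hardware.

```ferm
# Added example, not the project's roles/router/files/ferm.conf.
# Assumptions: eth0 = WAN/uplink, eth3 = LAN4 (DHCP server here), wlan0 = wifi AP.
@def $DEV_WAN = eth0;
@def $DEV_LAN = (eth3 wlan0);

domain ip {
    table filter {
        chain INPUT {
            policy DROP;

            # drop malformed packets, allow replies to connections we started
            mod conntrack ctstate INVALID DROP;
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;

            # local traffic and ICMP (ping, path MTU discovery)
            interface lo ACCEPT;
            proto icmp ACCEPT;

            # services the router offers to the LAN only: ssh, DNS, DHCP
            interface $DEV_LAN {
                proto tcp dport 22 ACCEPT;
                proto (tcp udp) dport 53 ACCEPT;
                proto udp dport 67 ACCEPT;
            }
            # anything unsolicited arriving on the WAN falls through to DROP
        }

        chain OUTPUT {
            policy ACCEPT;
        }

        chain FORWARD {
            policy DROP;
            mod conntrack ctstate INVALID DROP;
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;

            # LAN clients may reach the Internet; nothing may be forwarded in
            interface $DEV_LAN outerface $DEV_WAN ACCEPT;
        }
    }

    table nat {
        chain POSTROUTING {
            # NAT for everything leaving via the uplink
            outerface $DEV_WAN MASQUERADE;
        }
    }
}
```

With the defaults above, ssh is reachable only from the LAN side, which matches the setup described earlier, where management happens over the wired LAN port. Because the images leave IPv6 disabled, only `domain ip` is covered here; if IPv6 is enabled later, the same default-deny structure should be repeated under `domain ip6`.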
If you'd like to use the images and Ansible playbooks, please do. We'd be happy to get feedback, bug reports, and patches. Send them to me (email@example.com) or my ticketing system (firstname.lastname@example.org).
You can see how we're doing on the various Trello boards for:
As Richard and I work toward a version of Gitano we're prepared to support long-term in Debian we are making many changes to make our lives easier. For those of you who have been using Gitano over the past few years, you'll need to pay attention to some postings which will be coming soon about how to make the changes you need so as to not explode horribly when you upgrade to the version we're releasing soon. For those of you who are not yet using Gitano but feel like you might want to; I'll also be producing some postings about getting started with the packages. And for those happily running current HEAD of Gitano already, I'll be posting about some of the new features over the next little while in case you're not aware of them.
IMPORTANT: If you're using Gitano already and have any issues or feature requests then please please please let me know ASAP, otherwise they're unlikely to be resolved/implemented before 1.0. irl already asked for the facility to verify GPG signed commits and tags, but if you want anything else considered then I need to know v. soon. (Ideally email me, but you may comment on this posting too if you must.)
So this morning, along with a few other members of staff, I was filmed for a Diversity and Inclusion video for Ada Lovelace Day at work. Very positive experience, and I was wearing my rainbow chain mail necklace made by the wonderful Rosemary Warner, and a safety pin, which I had to explain the meaning of to the two peeps doing the filming. We all of us read the same script, and they are going to paste it together with each of us saying one sentence at a time. The script was not just about gender, it also mentioned age, skills, sexual orientation and physical ability among other things (I cannot remember the entire list). I was very happy and proud to take part.
If you have a site that's still on Drupal 6, you're not alone. As of about a week ago, there's still over 88,000 Drupal 6 sites out there!
While support from the community ended on February 24th, the Drupal 6 Long-Term Support vendors have been hard at work, releasing over 20 security fixes for various contrib so far, including very popular modules like Views and Panels!
While the D6LTS vendors haven't released any security fixes for Drupal 6 core yet - it's only a matter of time!
If you want to be ready for it when they do, we recommend that you update to Pressflow. But that's not the only reason!
Read more to find out why and how!
This is the second installment of Palantir.net's Guide to Digital Governance, a comprehensive guide intended to help get you started when developing a governance plan for your institution's digital communications. In this post we will cover...
- What's next after the 10,000ft view
- What properties you need to think about
- Applications and integrations you also need to consider
Having started at the 10,000ft view to assess the digital ecosystem for our governance planning, part two of the Guide to Digital Governance begins to identify the specific properties and platforms you will need to consider within that ecosystem.
Taking the top level categories you listed for your governance plan in part one, you now will want to think of the properties and platforms within each of them. The following questions are intended to help you think through each piece carefully.
- What are the websites we own that are visible to anyone on the Web?
- Do we have any public subdomain Websites, such as subdomain.mywebsite.com?
- Do we have any micro-sites, or Websites with a URL that is different from our main site?
- Do we have any blogs that may be hosted elsewhere, but would be considered part of our public Web presence?
- What are the Websites we own that are visible to only those with access we control?
- What are the Websites we own that are visible to only those who have access through machines running on our organization’s network?
- Do we have any subdomain Websites, such as subdomain.mywebsite.com that require logging in?
- Do we have any Websites for only a specific set of constituents?
Intranets and Portals
- Do we have a network of internal-use Websites (a.k.a an Intranet), accessible only by password or by logging on to the organization’s network, or otherwise hidden (even by obscurity)?
- Do we use any portal sites or pages as a means of aggregating links of importance for specific groups of users?
- Are there any web-based applications we use to perform specialized tasks, such as generating reports from data in a database or retrieving digital assets from a database?
- Are there any online tools that we use (whether built internally or purchased from a third-party vendor as software-as-a-service (SaaS))?
- What platforms, systems, and/or services do we use for collecting payments online?
- What platforms, systems, and/or services do we use for selling products online?
- Where are these located relative to our other Websites?
- What are the social media networks we use to communicate to the outside world?
- What are the platforms we use to create digital media, such as video, audio, and photography?
- What are the platforms we use to distribute digital media, such as video, audio, and photography?
- What are the systems we use to send broadcast email to all or large segments of our internal group, members, staff, community, etc.?
- What are the systems we use to send broadcast email to all or large segments of our external community, clients, constituents, etc. for the purpose of marketing and promotion?
Digital Communications Governance
- What are the pieces that will constitute our official governance system?
- NOTE: You may not know the answer to this one yet, so leave it empty for now.
This post is part of a larger series of posts, which make up a Guide to Digital Governance Planning. The sections follow a specific order intended to help you start at a high-level of thinking and then focus on greater and greater levels of detail. The sections of the guide are as follows:
- Starting at the 10,000ft View – Define the digital ecosystem your governance planning will encompass.
- Properties and Platforms – Define all the sites, applications and tools that live in your digital ecosystem.
- Ownership – Consider who ultimately owns and is responsible for each site, application and tool.
- Intended Use – Establish the fundamental purpose for the use of each site, application and tool.
- Roles and Permissions – Define who should be able to do what in each system.
- Content – Understand how ownership and permissions should apply to content.
- Organization – Establish how the content in your digital properties should be organized and structured.
- URLs – Define how URL patterns should be structured in your websites.
- Design – Determine who owns and is responsible for the many aspects design plays in digital communications and properties.
- Personal Websites – Consider the relationship your organization should have with personal websites of members of your organization.
- Private Websites, Intranets and Portals – Determine the policies that should govern sites which are not available to the public.
- Web-Based Applications – Consider use and ownership of web-based tools and applications.
- E-Commerce – Determine the role of e-commerce in your website.
- Broadcast Email – Establish guidelines for the use of broadcast email to constituents and customers.
- Social Media – Set standards for the establishment and use of social media tools within the organization.
- Digital Communications Governance – Keep the guidelines you create updated and relevant.
Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android
- I sponsored a new upstream release of android-platform-tools-base prepared by Kai-Chung Yan and Chirayu Desai.
- I packaged a new upstream release of hyperrogue, a rogue-like game set in a non-Euclidean world, fixing one RC bug (#811991). I uploaded two more revisions later that addressed build failures on arm64 and hppa.
- I fixed more RC bugs (build failures with GCC-6) in torus-trooper (#835712) and fife (#811858).
- I packaged new upstream releases of pygame-sdl2, renpy, freeorion, netrek-client-cow, redeclipse, redeclipse-data, hitori, atomix, adonthell and adonthell-data.
- I updated gtkballs and fixed a documentation bug (#820588) but also a /usr/share/locale issue that prevented the actual use of the translations.
- I raised the severity of #797998 to grave in unknown-horizons because the game cannot be started currently. In order to fix this issue I packaged a new build-dependency, fifechan, which is currently awaiting approval by the FTP team. As soon as fifechan got accepted I will upload new upstream releases of fife and unknown-horizons.
- I released debian-games 1.5, a Debian blend and collection of games metapackages.
- Hardening-wrapper has been deprecated for some time and this issue became release critical now. I updated cookietool, alex4 and netrek-client-cow to use dpkg-buildflags instead.
- Together with Russell Coker I packaged a new upstream release of warzone2100. This package would benefit from a new regular uploader. If you are interested in it, please get involved. (Same story for hyperrogue, redeclipse, renpy and unknown-horizons and many other games.)
- I started a new Bullet transition (#839243). The package is currently waiting in the NEW queue and I hope to complete this work in October.
- I triaged #838199 and reassigned the issue to fonts-roboto. Initially I prepared an NMU but eventually the maintainer uploaded a new revision himself. It is now possible to install the hinted and unhinted versions of fonts-roboto together which also resolved former installation problems with kodi and freeorion.
- I packaged new upstream releases of undertow, activemq and jackrabbit.
- I fixed RC bugs in libphonenumber (#836768), wagon2 (#837022) and activemq (#839244).
- I updated syncany in experimental and simplified the packaging a little. Unfortunately upstream has been on hiatus for the past year and we haven't seen new releases in the meantime. Nevertheless give it a try; even though it is still alpha software, it's a useful cloud-storage and synchronization tool.
- I sponsored a new upstream release of freeplane for Felix Natter.
- I prepared and uploaded security updates for jackrabbit and zookeeper in Jessie.
- From 12. September until 19. September I was in charge of our LTS frontdesk. I triaged bugs in tiff3, mysql-5.5, curl, dropbear, mantis, icu, dwarfutils, jackrabbit, zendframework, zookeeper and graphicsmagick. For the latter I skimmed through all commits since the last version to identify the patches that fix the recent issues in graphicsmagick. I also answered questions on the mailing list and contacted Diego Biurrun again about his progress with libav. It is now anticipated that Hugo Lefeuvre and Diego will issue a new libav security release this month.
- I reviewed and tested a patch by Raphaël Hertzog for roundcube.
- DLA-629-1. Issued a security update for jackrabbit fixing 1 CVE.
- DLA-630-1. Issued a security update for zookeeper fixing 1 CVE.
- DLA-633-1. Issued a security update for wordpress fixing 7 CVE. This one also required backports of certain functions from newer releases and a database upgrade that required careful testing.
- I also issued DLA-622-1 and DLA-623-1, two security issues that I already mentioned last month. It was discovered that Debian’s versions of Tomcat were vulnerable to a root privilege escalation issue. However it was also necessary that another exploit, for instance in a web application, could be used to gain write access as the tomcat user. Former security issues were already fixed and new ones are not known. Nevertheless since a zero-day exploit could not be ruled out, the issue was embargoed for a month to give other distributions time to fix this issue as well. You can read more about this topic at legalhackers.com.
- I fixed various RC bugs in several games that are not maintained by the Games Team. The following games will be available in Stretch again soon: solarwolf, enigma, open-invaders, crrcsim, noiz2sa, csmash, csmash-demosong and glob2.
This isn't limited to individual relationships. Something that distinguishes good customer service from bad customer service is getting the details right. There are many industries where significant failures happen infrequently, but minor ones happen a lot. Would you prefer to give your business to a company that handles those small details well (even if they're not overly annoying) or one that just tells you to deal with them?
And the same is true of software communities. A strong and considerate response to minor bug reports makes it more likely that users will be patient with you when dealing with significant ones. Handling small patch contributions quickly makes it more likely that a submitter will be willing to do the work of making more significant contributions. These things are well understood, and most successful projects have actively worked to reduce barriers to entry and to be responsive to user requests in order to encourage participation and foster a feeling that they care.
But what's often ignored is that this applies to other aspects of communities as well. Failing to use inclusive language may not seem like a big thing in itself, but it leaves people with the feeling that you're less likely to do anything about more egregious exclusionary behaviour. Allowing a baseline level of sexist humour gives the impression that you won't act if there are blatant displays of misogyny. The more examples of these "insignificant" issues people see, the more likely they are to choose to spend their time somewhere else, somewhere they can have faith that major issues will be handled appropriately.
There's a more insidious aspect to this. Sometimes we can believe that we are handling minor issues appropriately, that we're acting in a way that handles people's concerns, while actually failing to do so. If someone raises a concern about an aspect of the community, it's important to discuss solutions with them. Putting effort into "solving" a problem without ensuring that the solution has the desired outcome is not only a waste of time, it alienates those affected even more - they're now not only left with the feeling that they can't trust you to respond appropriately, but that you will actively ignore their feelings in the process.
It's not always possible to satisfy everybody's concerns. Sometimes you'll be left in situations where you have conflicting requests. In that case the best thing you can do is to explain the conflict and why you've made the choice you have, and demonstrate that you took this issue seriously rather than ignoring it. Depending on the issue, you may still alienate some number of participants, but it'll be fewer than if you just pretend that it's not actually a problem.
One warning, though: while building trust in this way enhances people's willingness to join your community, it also builds expectations. If a significant issue does arise, and if you fail to handle it well, you'll burn a lot of that trust in the process. The fact that you've built that trust in the first place may be what saves your community from disintegrating completely, but people will feel even more betrayed if you don't actively work to rebuild it. And if there's a pattern of mishandling major problems, no amount of getting the details right will matter.
Communities that ignore these issues are, long term, likely to end up weaker than communities that pay attention to them. Making sure you get this right in the first place, and setting expectations that you will pay attention to your contributors, is a vital part of building a meaningful relationship between your community and its members.
When I was on vacation in Italy this summer, I had no internet, which gave me a lot of time to think. Some of that time was spent reflecting on why I do what I do. I have been working on Drupal for over 15 years and on Acquia for almost 10 years. The question of what gives me meaning and purpose has changed drastically over that time.

Evolving purpose
I started Drupal because I wanted to build a website for myself and a few friends — an internet message board to exchange messages. In the early days of Drupal, I was obsessed with the code and architecture of Drupal.
As I wrote in 2006: "I focused completely and utterly on creating fewer and fewer lines of more elegant code.". I wanted Drupal to be pure. I wanted the code to be perfect. For Drupal to be architected in the right way, I had to rewrite it multiple times and strip away anything that wasn't necessary – I couldn't imagine preserving backwards compatibility as it meant we had to drag along a lot of historical baggage. My mission in the early days was to keep the platform fast, clean and on the leading edge of technology.
As time passed and Drupal started growing, my role evolved. More people became involved with Drupal, and I thought more about scaling the community, including our tools, processes and culture. I started to focus on building the Drupal Association, promoting Drupal, handling trademark issues, and last but not least, setting the overall direction of the project. In the process, I started to worry less about achieving that perfect vision and more about the health of the community and collaborating on a shared vision.
While I miss programming, I have come to accept that I can't do everything. Every day when I wake up, I decide where I want to focus my energy. My guiding principle at this time in my life is to optimize for impact. That means enabling others versus doing much programming myself.

Meaningful moments: part I
While in Italy I decided to make a list of the moments in Drupal's history that stand out as particularly meaningful or purposeful. I started to discover some patterns in these moments, and ended up sorting them into two groups. Here is the first set:
- When people find Drupal, and it gives them a better career path and ultimately changes their life. I got goosebumps when almost 3,000 people stood up at DrupalCon San Francisco when I asked "Please stand up if Drupal changed your life". I often talk to people that went on to make a full-time living with Drupal – or even start a Drupal business – to provide better lives for their families. Some of these stories, such as Vijaya Chandran Mani's, are deeply impactful.
- Seeing how Drupal is used for aid relief, like in the aftermath of the 2013 tornado in Moore, Oklahoma. Members of the Drupal community worked throughout the night to create a website for victims to help each other.
- Seeing how Drupal has made a meaningful impact on the Open Web movement. Over the last 10 years, millions of people have created Drupal sites that express their creative freedom and individuality. In recent years, I've become concerned about the Open Web's future and have spoken out on how the Drupal community is uniquely positioned to help preserve the open web. I believe it's an important mission that we should all embrace, so the original integrity and freedom of the Open Web remains intact for our children and grandchildren.
All of these moments suggest that my purpose is self-transcendent – I get meaning when my work matters more to others than it does to myself. Organized into radiating circles, the impact on each of these groups gives me purpose: individual Drupalists, the Drupal community, Drupal end users, and the open web. This is why I've become so passionate about things like usability, internationalization and accessibility over the years.
I know it's not just me; my team interviewed many other people that have the same feelings of finding meaning when their work results in life-changing outcomes. One great example is "Franck" Seferiba Salif Soulama, who hopes that training more young people in Drupal can lift people from Burkina Faso, Africa out of poverty. He wants to provide them job opportunities so they don't have to leave their country. Other examples are Drew Gorton or Ronan Dowling. There are many people like Franck, Drew or Ronan around the world that have a positive domino effect on others.

Meaningful moments: part II
The second group of moments I wrote down weren't necessarily self-transcendent, but still gave me purpose. Here are a few examples:
- Fundraising after the great server meltdown. In 2005, we had to raise money to buy new infrastructure for Drupal.org. We nearly had to shut down Drupal.org and could have lost everything. While it was a difficult time, this moment was especially meaningful as it helped us come together as a community.
- Having to ask individuals to leave the project or change their behavior because their values weren't aligned with the project. While providing critique or removing someone from the project has never been easy, I'm proud of the times we stand up for our values.
- Getting Drupal 8 over the finish line after 4.5 years of hard work. At times, many people doubted our progress, questioned whether we were making the right decisions, and even left our project. While the development process wasn't always fun in the moment, when we did release parties around the world, we all felt a real sense of accomplishment. In the long run, we built something that will keep Drupal relevant for many years to come.
Many of us find meaning when the hard and uncomfortable work results in life-changing outcomes for others. Not only does this type of work provide purpose, some people believe it is the recipe for success. For example, Angela Lee Duckworth's TED talk on grit applies directly to the work that is done by Drupal's maintainers.

How do we scale purpose?
Hearing all of these inspirational stories makes me think: How can we attract more people to the project, but do so in a way that ensures we share our core values (like giving back)? While there are no straightforward answers to this question, there are many organizations that are doing great things in this area.
One example is the Drupal Campus Ambassador Program which hopes to appoint ambassadors in every university in India to introduce more students to Drupal and help them with their job search. While at Drupalcon India earlier this year, I met Rakesh James, who has personally trained 600 people on Drupal!
Another example is the Drupal apprenticeship program in the UK, which focuses on recruiting new talent to the Drupal community. Participants get an extensive Drupal bootcamp to help them with their job search. Many of these apprentices are disadvantaged young people who have great talent and aptitude, but might be lacking the traditional route or access to a meaningful career path.
I'd love to take programs like these global – they instill our values, culture and a sense of purpose to many new people. If you know of similar initiatives, or have ideas to share, please do so in the comments section.
Based on my own introspection, and hearing from amazing Drupalists from around the world, I truly believe that Drupal is fueled by a collective sense of purpose that sets us apart from other open source software communities and organizations. We need to keep this purpose in mind when we make decisions, especially when the going gets tough. What is your sense of purpose? And how can we scale it around the world?
Starting with Drupal 8, we decided to make more rapid innovation possible by releasing minor versions every 6 months that may come with new features and backwards compatible changes. Now that we have released Drupal 8.1.0 and almost 8.2.0 as well, how did we do? Also, what else is possible and what is blocking us from making those moves? What do all the changes mean for how Drupal 9 might unfold?
Dries Buytaert posted last Wednesday The transformation of Drupal 8 for continuous innovation, and on the same day I presented Checking on Drupal 8's rapid innovation promises at DrupalCon Dublin. Here is a video recording of my session, which should be good for those looking to get to know Drupal's release process and schedule, as well as how we made it possible to experiment within Drupal core directly with Drupal 8. While I did hope for more discussion on the possibilities within Drupal 8 with the participants, the discussion somehow ended up focusing on Drupal 9, when it should be released and how much change it should come with.
Drupal 8 Development Cookbook, written by Matt Glaman is full of useful information about Drupal 8 site building and development - and a worthy addition to anyone's Drupal library. Unfortunately, the "cookbook" format of the book seems to subtract, rather than add, to the usually well-explained concepts throughout.
The book covers an impressive array of topics: Everything from setting up a local environment to many of the technical details of the Entity API. No matter what your skill level with Drupal, there is likely to be something in this book of interest. Having been a Drupal professional for over ten years, I found the chapters on plugins, configuration management, the Entity API and web services especially interesting and educational.
Each chapter (there are 13) includes an often-too-brief introduction, followed by several "recipes." Each recipe includes several sections, including "Getting ready," "How to do it…," "How it works…," "There's more…," and "See also." While the How to do it… sections usually contained the bulk of the narrative, I often found myself wanting more details in the How it works… section. Additionally, I felt that each recipe often didn't have an adequate introduction. The crazy part is that the information I was looking for was often in the How it works… section - presented after the How to do it… section. I think this will lead to some initial confusion by readers asking themselves "why am I doing this?" until they read the How it works… portion. Usually, all of the information was there, just not in the right order (for me at least.) This is especially apparent in the "Plug and Play with Plugins" chapter where I found the How it works… sections more valuable than the How to do it… sections. They really would have been better leading off each recipe.
The author clearly has a firm grasp of the material. This usually shines through in most of the recipes, but there are times in the book where I think the author assumes the reader has a similar level of knowledge - which leads to some disconnects in the narrative. One example of this is the "Creating a custom content type" recipe. There is very little introduction, and I feel that it assumes the reader has a firm grasp of the power of content types (and fieldable entities, for that matter.) This, and several other recipes would benefit greatly from beefed-up introductions (including Features, text formats, some of the Front-end recipes and plugins [especially explaining why we use annotations.])
The recipes also vary widely in their complexity. I'm not sure if this is a good or bad thing, but perhaps some sort of "complexity level" rating should have been applied to each one to give the reader a heads-up. This is illustrated well by the fact that the plugins chapter assumes the reader has a firm understanding of object-oriented PHP. Granted, I don't expect the author to write a primer on the topic, but a warning in the introduction, or the aforementioned complexity level, would have helped smooth the transition into this chapter.
As one example of the format forcing things to be out-of-order, the book begins with the assumption that the reader has a local development stack installed, which is not an unreasonable assumption. But for readers who are new to local development environments, after the recipe to install Drupal 8, in the There's more… section, the author presents valuable information about how to create a database and a database user. There is no mention of this material prior to the How to do it… section. I can easily imagine a scenario where a reader is attempting the recipes in the order they are presented without reading ahead, and being extremely frustrated until they find the There's more… section. A mention of it earlier in the chapter would go a long way here.
The book does a really nice job covering topics I didn't expect to see - including DrupalVM, Entity Reference Views displays, a thorough explanation of a module's .info.yml file and routing files (who knew you could validate a route name with RegEx right in the .routing.yml file!) There is a really nice chapter on configuration management (although more of an introduction on content vs. configuration would have been extremely useful) and Entity API.
For Drupal 7 developers moving to Drupal 8, "The Entity API" chapter is worth the cost of the book. This chapter solidified and extended the knowledge I already had. Its introduction is solid and the chapter includes examples for both content and configuration entities. While it suffers from some of the issues I've already mentioned (great content, wrong format), for the most part it overcomes these challenges and goes much deeper into the topic than I had hoped. Well done!
At the same time, the book also covers a few topics in places where I thought it was a little too aggressive - having a "Running simpletest and PHPUnit" recipe in chapter 1 is a good example. In addition, I believe I spotted a few bugs in the book - both in the narrative and in the code samples - I've forwarded them to the author. Also, in some chapters, the author is writing about a moving target. There are more than a few places where he is forced to reference active Drupal.org issues. As these issues are resolved, recipes may spoil (food pun!)
There were more than a few recipes that involved custom module development; all of which are well-written, technically on-point, and will be extremely useful for Drupal 7 developers moving to Drupal 8. Since this is a book review, I have to pick on one point - all of the recipes were presented as if the developer is writing them from scratch. In reality, I've found the vast majority of Drupal 8 developers building custom modules for clients take full advantage of Drupal Console's "generate" command. While the author does formally introduce this in the last chapter of the book, it feels like it's not in the right place. By introducing it earlier many of the recipes could be written to take advantage of it.
Who would I recommend this book to? If you're a Drupal 7 developer looking to learn Drupal 8 development, this book is a great resource. While there are several introductory and site-building chapters that won't be very useful to you, the more advanced chapters provide (usually) adequate background information along with practical examples (ahem, recipes) to get you going. Would I recommend this book for beginners? If you have a solid PHP background, then yes. In my opinion, the author is more than capable of writing an intermediate-to-advanced Drupal 8 development book - leave the introductory stuff to someone else.
Shipping Position Independent Executables and using a read-only Global Offset Table were already possible for packages, but package maintainers needed to opt in for each package (see the Hardening wiki) using the "pie" and "bindnow" dpkg hardening flags.
Now we can change that. We can make those hardening flags the default for every package.
We already have the needed patches for GCC (#835148) and dpkg (#835146, #835149). We already have all packages rebuilt once to test what breaks (thanks to Lucas Nussbaum!). The Release Team already asked porters if they feel their ports are ready for enabling PIE, and most ports tentatively opted in (thanks to Niels Thykier for pushing this!).
What is left is fixing the ~75 open bugs found during the test rebuilds, and this is where you can help, too! Please check if your packages are affected or give a helping hand to other maintainers who need it. (See the PIEByDefaultTransition wiki for hints on fixing the bugs.) Many thanks to those who already fixed their packages!
If we can get past those last bugs we can enable those badly needed security features and make Stretch the most secure release ever!
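As an added example, not part of the Debian post or of dpkg itself: a small Python checker that reads a little-endian ELF64 binary and reports whether it carries the effect of the two flags. A "pie" build shows up as e_type ET_DYN rather than ET_EXEC, and "bindnow" (-Wl,-z,now) shows up as DT_BIND_NOW, DT_FLAGS with BIND_NOW, or DT_FLAGS_1 with NOW in the dynamic section. build_sample constructs a minimal test image so the script runs without a real binary.

```python
import struct

# ELF constants (from the ELF specification) relevant to the two dpkg flags
ET_EXEC, ET_DYN = 2, 3            # a "pie" build produces ET_DYN, not ET_EXEC
PT_DYNAMIC = 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1  # set by -Wl,-z,now (dpkg "bindnow")


def check_hardening(data: bytes) -> dict:
    """Return {"pie": bool, "bindnow": bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    bind_now = False
    for i in range(e_phnum):
        p_type, _flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        # Walk the dynamic section: 16-byte (d_tag, d_val) pairs up to DT_NULL
        for j in range(p_filesz // 16):
            tag, val = struct.unpack_from("<qQ", data, p_off + j * 16)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True
    return {"pie": e_type == ET_DYN, "bindnow": bind_now}


def build_sample(pie: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_DYNAMIC) for testing."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)       # 64-bit, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:   # e.g. a binary from a rebuilt package
        print(check_hardening(f.read()))
```

The same fields are what `readelf -h` (Type: DYN) and `readelf -d` (FLAGS: BIND_NOW, FLAGS_1: NOW) display, so this is a way to confirm a rebuilt package's binaries actually picked up the new defaults.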
The monthly core patch (bug fix) release window is this Wednesday, October 05. Drupal 7.51 will be released with fixes for Drupal 7. This is also the release window for Drupal 8.2.0, the next scheduled minor release of Drupal 8. (Read the release candidate announcement for more information on the minor release.)
To ensure a reliable release window for the patch and minor releases, there will be a Drupal 8.2.x commit freeze from 12:00 UTC Tuesday to 12:00 UTC Thursday. The final patches for 7.51 have been committed and the 7.x code is currently frozen (excluding documentation fixes and fixes for any regressions that may be found prior to the 7.51 release). So, now is a good time to update your development/staging servers to the latest 8.2.x-dev or 7.x-dev code and help us catch any regressions in advance.
If you do find any regressions, please report them in the issue queue. Thanks!
Other upcoming core release windows after this week include:
- Wednesday, October 19 (security release window)
- Wednesday, November 02 (patch release window)
Drupal 6 is end-of-life and will not receive further releases.
10 years ago I first blogged about getting glasses. I've just ordered my 4th pair of glasses. When you buy new glasses the first step is to scan your old glasses to use that as a base point for assessing your eyes; instead of going in cold and trying lots of different lenses they can just try small variations on your current glasses. Any good optometrist will give you a print-out of the specs of your old glasses and your new prescription after you buy glasses; they may be hesitant to do so if you don't buy, because some people get a prescription at an optometrist and then buy cheap glasses online. Here are the specs of my new glasses, the ones I'm wearing now that are about 4 years old, and the ones before that which are probably about 8 years old:

          New     4 Years Old   Really Old
  R-SPH   0.00    0.00          -0.25
  R-CYL  -1.50   -1.50          -1.50
  R-AXS   180     179            180
  L-SPH   0.00   -0.25          -0.25
  L-CYL  -1.00   -1.00          -1.00
  L-AXS   5       10             179
The Specsavers website has a good description of what this means. In summary, SPH is whether you are long-sighted (positive) or short-sighted (negative). CYL is for astigmatism, which is where the focal lengths for horizontal and vertical aren't equal. AXS is the angle for astigmatism. There are other fields which you can read about on the Specsavers page, but they aren't relevant for me.
The first thing I learned when I looked at these numbers is that until recently I was apparently slightly short-sighted. In a way this isn’t a great surprise given that I spend so much time doing computer work and very little time focusing on things further away. What is a surprise is that I don’t recall optometrists mentioning it to me. Apparently it’s common to become more long-sighted as you get older so being slightly short-sighted when you are young is probably a good thing.
Astigmatism is the reason why I wear glasses (the Wikipedia page has a very good explanation of this). For the configuration of my web browser and GUI (which I believe to be default in terms of fonts for Debian/Unstable running KDE and Google-Chrome on a Thinkpad T420 with 1600×900 screen) I can read my blog posts very clearly while wearing glasses. Without glasses I can read it with my left eye but it is fuzzy, and with my right eye reading it is like reading the last line of an eye test, something I can do if I concentrate a lot for test purposes but would never do by choice. If I turn my glasses 90 degrees (so that they make my vision worse not better) then my ability to read the text with my left eye is worse than my right eye without glasses; this is as expected, as the 1.00 level of astigmatism in my left eye is doubled when I use the lens in my glasses at 90 degrees to its intended angle.
The AXS numbers are for the angle of astigmatism. I don’t know why some of them are listed as 180 degrees or why that would be different from 0 degrees (if I turn my glasses so that one lens is rotated 180 degrees it works in exactly the same way). The numbers from 179 degrees to 5 degrees may be just a measurement error.
-  https://etbe.coker.com.au/2006/09/20/vision/
-  https://www.specsavers.com.au/glasses/your-prescription
-  https://en.wikipedia.org/wiki/Astigmatism_(eye)
Onward to security things I found interesting in Linux v4.7:
KASLR text base offset for MIPS
Matt Redfearn added text base address KASLR to MIPS, similar to what's available on x86 and arm64. As done with x86, MIPS attempts to gather entropy from various build-time, run-time, and CPU locations in an effort to find reasonable sources during early-boot. MIPS doesn't yet have anything as strong as x86's RDRAND (though most have an instruction counter like x86's RDTSC), but it does have the benefit of being able to use Device Tree (i.e. the "/chosen/kaslr-seed" property) like arm64 does. By my understanding, even without Device Tree, MIPS KASLR entropy should be as strong as pre-RDRAND x86 entropy, which is more than sufficient for what is, similar to x86, not a huge KASLR range anyway: default 8 bits (a span of 16MB with 64KB alignment), though CONFIG_RANDOMIZE_BASE_MAX_OFFSET can be tuned to the device's memory, giving a maximum of 11 bits on 32-bit, and 15 bits on EVA or 64-bit.
SLAB freelist ASLR
Thomas Garnier added CONFIG_SLAB_FREELIST_RANDOM to make slab allocation layouts less deterministic with a per-boot randomized freelist order. This raises the bar for successful kernel slab attacks. Attackers will need to either find additional bugs to help leak slab layout information or will need to perform more complex grooming during an attack. Thomas wrote a post describing the feature in more detail here: Randomizing the Linux kernel heap freelists. (SLAB is done in v4.7, and SLUB in v4.8.)
eBPF JIT constant blinding
Daniel Borkmann implemented constant blinding in the eBPF JIT subsystem. With strong kernel memory protections (CONFIG_DEBUG_RODATA) in place, and with the segregation of user-space memory execution from kernel (i.e. SMEP, PXN, CONFIG_CPU_SW_DOMAIN_PAN), having a place where user-space can inject content into an executable area of kernel memory becomes very high-value to an attacker. The eBPF JIT was exactly such a thing: the use of BPF constants could result in the JIT producing instruction flows that could include attacker-controlled instructions (e.g. by directing execution into the middle of an instruction with a constant that would be interpreted as a native instruction). The eBPF JIT already uses a number of other defensive tricks (e.g. random starting position), but this added randomized blinding to any BPF constants, which makes building a malicious execution path in the eBPF JIT memory much more difficult (and helps block attempts at JIT spraying to bypass other protections).
Elena Reshetova updated a 2012 proof-of-concept attack to succeed against modern kernels to help provide a working example of what needed fixing in the JIT. This serves as a thorough regression test for the protection.
The cBPF JITs that exist in ARM, MIPS, PowerPC, and Sparc still need to be updated to eBPF, but when they are, they'll gain all these protections immediately.
Bottom line is that if you enable the (disabled-by-default) bpf_jit_enable sysctl, be sure to set the bpf_jit_harden sysctl to 2 (to perform blinding even for root).
fix brk ASLR weakness on arm64 compat
There have been a few ASLR fixes recently (e.g. ET_DYN, x86 32-bit unlimited stack), and while reviewing some suggested fixes to arm64 brk ASLR code from Jon Medhurst, I noticed that arm64's brk ASLR entropy was slightly too low (less than 1 bit) for 64-bit and noticeably lower (by 2 bits) for 32-bit compat processes when compared to native 32-bit arm. I simplified the code by using literals for the entropy. Maybe we can add a sysctl some day to control brk ASLR entropy like was done for mmap ASLR entropy.
LSM stacking is well-defined since v4.2, so I finally upstreamed a “small” LSM that implements a protection I wrote for Chrome OS several years back. On systems with a static root of trust that extends to the filesystem level (e.g. Chrome OS’s coreboot+depthcharge boot firmware chaining to dm-verity, or a system booting from read-only media), it’s redundant to sign kernel modules (you’ve already got the modules on read-only media: they can’t change). The kernel just needs to know they’re all coming from the correct location. (And this solves loading known-good firmware too, since there is no convention for signed firmware in the kernel yet.) LoadPin requires that all modules, firmware, etc come from the same mount (and assumes that the first loaded file defines which mount is “correct”, hence load “pinning”).
That’s it for v4.7. Prepare yourself for v4.8 next!
© 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Just started a discussion about it here:
Hope you join the discussion and share your thoughts.