Elsewhere

Jonathan Dowland: mount-on-demand backups

Planet Debian - Wed, 20/04/2016 - 22:49

Last week, someone posted a request for help on the popular Server Fault Q&A site: they had apparently accidentally deleted their entire web hosting business, and all their backups. The post (now itself deleted) was a reasonably obvious fake, but mainstream media reported on it anyway, and then life imitated art and 123-reg went and did actually delete all their hosted VMs, and their backups.

I was chatting to some friends from $job-2 and we had a brief smug moment that we had never done anything this bad, before moving on to incredulity that we had never done anything this bad in the 5 years or so we were running the University web servers. Some time later I realised that my personal backups were at risk from something like this because I have a permanently mounted /backup partition on my home NAS. I decided to fix it.

I already use Systemd to manage mounting the /backup partition (via a backup.mount file) and its dependencies. I'll skip the finer details of that for now.

I planned to define some new Systemd units for each backup job which was previously scheduled via Cron in order that I could mark them as depending on the /backup mount. I needed to adjust that mount definition by adding StopWhenUnneeded=true. This ensures that /backup will be unmounted when it is not in use by another job, and not at risk of a stray rm -rf.

The backup jobs are all simple shell scripts that convert quite easily into services. An example:

backup-home.service:

[Unit] Requires=backup.mount After=backup.mount [Service] User=backupuser Group=backupuser ExecStart=/home/backupuser/bin/phobos-backup-home

To schedule this, I also need to create a timer:

backup-home.timer:

[Timer] OnCalendar=*-*-* 04:01:00 [Install] WantedBy=timers.target

To enable the timer, you have to both enable and start it:

systemctl enable backup-home.timer
systemctl start backup-home.timer

I created service and timer units for each of my cron jobs.

The other big difference to driving these from Cron is that by default I won't get any emails if the jobs generate output - in particular, if they fail. I definitely do want mail if things fail. The Arch Wiki has an interesting proposed solution to this which I took a look at. It's a bit clunky, and my initial experiments with a derivation from this (using mail(1) not sendmail(1)) have not yet generated any mail.

Pros and Cons

The Systemd timespec is more intuitive than Cron's. It's a shame you need a minimum of three more lines of boilerplate for the simplest of timers. I think WantedBy=timers.target should probably be an implicit default for all .timer type units. Here I think clarity suffers in the name of consistency.

With timers, start doesn't kick-off the job, it really means "enable" in the context of timers, which is clumsy considering the existing enable verb, which seems almost superfluous, but is necessary for consistency, since Systemd units need to be enabled before they can be started As Simon points out in the comments, this is not true. Rather, "enable" is needed for the timer to be active upon subsequent boots, but won't enable it in the current boot. "Start" will enable it for the current boot, but not for subsequent ones.

Since I need a .service and a .unit file for each active line in my crontab, that's a lot of small files (twice as many as the number of jobs being defined) and they're all stored in system-wide folder because of the dependency on the necessarily system-level units defining the mount.

It's easy to forget the After= line for the backup services. On the one hand, it's a shame that After= doesn't imply Require=, so you don't need both; or alternatively there was a convenience option that did both. On the other hand, there are already too many Systemd options and adding more conjoined ones would just make it even more complicated.

It's a shame I couldn't use user-level units to achieve this, but they could not depend on the system-level ones, nor activate /backup. This is a sensible default, since you don't want any user to be able to start any service on-demand, but some way of enabling it for these situations would be good. I ruled out systemd.automount because a stray rm -rf would trigger the mount which defeats the whole exercise. Apparently this might be something you solve with Polkit, as the Arch Wiki explains, which looks like it has XML disease.

I need to get mail-on-error working reliably.

Categories: Elsewhere

Ben Hutchings: Experiments with signed kernels and modules in Debian

Planet Debian - Wed, 20/04/2016 - 20:53

I've lately been working on support for Secure Boot in Debian, mostly in the packages maintained by the kernel team.

My instructions for setting up UEFI Secure Boot are based on OVMF running on KVM/QEMU. All 'Designed for Windows' PCs should allow reconfiguration of SB, but it may not be easy to do so. They also assume that the firmware includes an EFI shell.

Updated: Robert Edmonds pointed out that the 'Designed for Windows' requirements changed with Windows 10:

@benhutchingsuk "Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot" https://t.co/lQVdPYtMwx

— Robert Edmonds (@rsedmonds) April 20, 2016

The ability to reconfigure SB is indeed now optional for devices which are designed to always boot with a specific Secure Boot configuration. I also noticed that the requirements say that OEMs should not sign an EFI shell binary. Therefore I've revised the instructions to use efibootmgr instead.

Background

UEFI Secure Boot, when configured and enabled (which it is on most new PCs) requires that whatever it loads is signed with a trusted key. The one common trusted key for PCs is held by Microsoft, and while they will sign other people's code for a nominal fee, they require that it also validates the code it loads, i.e. the kernel or next stage boot loader. The kernel in turn is responsible for validating any code that could compromise its integrity (kernel modules, kexec images).

Currently there are no such signed boot loaders in Debian, though the shim and grub-signed packages included in many other distributions should be usable. However it's possible to load an appropriately configured Linux kernel directly from the UEFI firmware (typically through the shell) which is what I'm doing at the moment.

Packaging signed kernels

Signing keys obviously need to be protected against disclosure; the private keys can't be included in a source package. We also won't install them on buildds separately, and generating signatures at build time would of course be unreproducible. So I've created a new source package, linux-signed, which contains detached signatures prepared offline.

Currently the binary packages built from linux-signed also contain only detached signatures, which are applied as necessary at installation time. The signed kernel image (only on x86 for now) is named /boot/vmlinuz-kversion.efi.signed. However, since packages must not modify files owned by another package and I didn't want to dpkg-divert thousands of modules, the module signatures remain detached. Detached module signatures are a new invention of mine, and require changes in kmod and various other packages to support them. (An alternate might be to put signed modules under a different directory and drop a configuration file in /lib/depmod.d to make them higher priority. But then we end up with two copies of every module installed, which can be a substantial waste of space.)

Preparation

The packages you need to repeat the experiment:

  • linux-image-4.5.0-1-flavour version 4.5.1-1 from unstable (only 686, 686-pae or amd64 flavours have signed kernels; most flavours have signed modules)
  • linux-image-4.5.0-1-flavour-signed version 1~exp3 from experimental
  • initramfs-tools version 0.125 from unstable
  • kmod and libkmod2 unofficial version 22-1.2 from people.debian.org

For Secure Boot, you'll then need to copy the signed kernel and the initrd onto the EFI system partition, normally mounted at /boot/efi.

SB requires a Platform Key (PK) which will already be installed on a real PC. You can replace it but you don't need to. If you're using OVMF, there are no persistent keys so you do need to generate your own:

openssl req -new -x509 -newkey rsa:2048 -keyout pk.key -out pk.crt \ -outform der -nodes

You'll also need to install the certificate for my kernel image signing key, which is under debian/certs in the linux-signed package. OVMF requires this in DER format:

openssl x509 -in linux-signed-1~exp3/debian/certs/linux-image-benh@debian.org.cert.pem \ -out linux.crt -outform der

You'll need to copy the certificate(s) to a FAT-formatted partition such as the EFI system partition, so that the firmware can read it.

Use efibootmgr to add a boot entry for the kernel, for example:

efibootmgr -c -d /dev/sda -L linux-signed -l '\vmlinuz.efi' -u 'initrd=initrd.img root=/dev/sda2 ro quiet'

You should use the same kernel parameters as usual, except that you also need to specify the initrd filename using the initrd= parameter. The EFI stub code at the beginning of the kernel will load the initrd using EFI boot services.

Enabling Secure Boot
  1. Reboot the system and enter UEFI setup
  2. Find the menu entry for Secure Boot customisation (in OVMF, it's under 'Device Manager' for some reason)
  3. In OVMF, enrol the PK from pk.crt
  4. Add linux.crt to the DB (whitelist database)
  5. Ensure that Secure Boot is enabled and in 'User Mode'
Booting the kernel in Secure Boot

If all went well, Linux will boot as normal. You can confirm that Secure Boot was enabled by reading /sys/kernel/security/securelevel, which will contain 1 if it was.

Module signature validation

Module signatures are now always checked and unsigned modules will be given the 'E' taint flag. If Secure Boot is used or you add the kernel parameter module.sig_enforce=1, unsigned modules will be rejected. You can also turn on signature enforcement and turn off various other methods of modifying kernel code (such as kexec) by writing 1 to /sys/kernel/security/securelevel.

Categories: Elsewhere

Reproducible builds folks: Reproducible builds: week 51 in Stretch cycle

Planet Debian - Wed, 20/04/2016 - 20:47

What happened in the reproducible builds effort between April 10th and April 16th 2016:

Toolchain fixes
  • Roland Rosenfeld uploaded transfig/1:3.2.5.e-6 which honors SOURCE_DATE_EPOCH. Original patch by Alexis Bienvenüe.
  • Bill Allombert uploaded gap/4r8p3-2 which makes convert.pl honor SOURCE_DATE_EPOCH. Original patch by Jerome Benoit, duplicate patch by Dhole.
  • Emmanuel Bourg uploaded ant/1.9.7-1 which makes the Javadoc task use UTF-8 as the default encoding if none was specified and SOURCE_DATE_EPOCH is set.

Antoine Beaupré suggested that gitpkg stops recording timestamps when creating upstream archives. Antoine Beaupré also pointed out that git-buildpackage diverges from the default gzip settings which is a problem for reproducibly recreating released tarballs which were made using the defaults.

Alexis Bienvenüe submitted a patch extending sphinx SOURCE_DATE_EPOCH support to copyright year.

Packages fixed

The following packages have become reproducible due to changes in their build dependencies: atinject-jsr330, avis, brailleutils, charactermanaj, classycle, commons-io, commons-javaflow, commons-jci, gap-radiroot, jebl2, jetty, libcommons-el-java, libcommons-jxpath-java, libjackson-json-java, libjogl2-java, libmicroba-java, libproxool-java, libregexp-java, mobile-atlas-creator, octave-econometrics, octave-linear-algebra, octave-odepkg, octave-optiminterp, rapidsvn, remotetea, ruby-rinku, tachyon, xhtmlrenderer.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues, but not all of them:

Patches submitted which have not made their way to the archive yet:

  • #820603 on viking by Alexis Bienvenüe: fix icon headers inclusion order.
  • #820661 on nullmailer by Alexis Bienvenüe: fix the order in which files are included in the static archive.
  • #820668 on sawfish by Alexis Bienvenüe: fix file ordering in theme archives, strip hostname and username from the config.h file, and honour SOURCE_DATE_EPOCH when creating the config.h file.
  • #820740 on bless by Alexis Bienvenüe: always use /bin/sh as shell.
  • #820742 on gmic by Alexis Bienvenüe: strip the build date from help messages.
  • #820809 on wsdl4j by Alexis Bienvenüe: use a plain text representation of the copyright character.
  • #820815 on freefem++ by Alexis Bienvenüe: fix the order in which files are included in the .edp files, and honour SOURCE_DATE_EPOCH when using the build date.
  • #820869 on pyexiv2 by Alexis Bienvenüe: honour the SOURCE_DATE_EPOCH environment variable through the ustrftime function, to get a reproducible copyright year.
  • #820932 on fim by Alexis Bienvenüe: fix the order in which files are joined in header files, strip the build date from fim binary, make the embeded vim2html script honour SOURCE_DATE_EPOCH variable when building the documentation, and force language to be English when using bison to make a grammar that is going to be parsed using English keywords.
  • #820990 on grib-api by Santiago Vila: always call dh-buildinfo.
diffoscope development

Zbigniew Jędrzejewski-Szmek noted in #820631 that diffoscope doesn't work properly when a file contains several cpio archives.

Package reviews

21 reviews have been added, 14 updated and 22 removed in this week.

New issue found: timestamps_in_htm_by_gap.

Chris Lamb reported 10 new FTBFS issues.

Misc.

The video and the slides from the talk "Reproducible builds ecosystem" at LibrePlanet 2016 have been published now.

This week's edition was written by Lunar and Holger Levsen. h01ger automated the maintenance and publishing of this weekly newsletter via git.

Categories: Elsewhere

Mediacurrent: New eBook: Intranets the Drupal Way

Planet Drupal - Wed, 20/04/2016 - 20:14

The Intranet has entered a new era where 78% of companies are running on open source software. Now, options for corporate Intranets are no longer confined to proprietary platforms.

Categories: Elsewhere

myDropWizard.com: Drupal 6 security update for Views!

Planet Drupal - Wed, 20/04/2016 - 19:40

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Views to fix an Access Bypass vulnerability.

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

The module doesn't sufficiently check handler access when returning the list of handlers fromview_plugin_display::get_handlers(). The most critical code (access plugins and field output) is unaffected - only area handlers, theget_field_labels()method, token replacement, and some relationship handling are susceptible.

Download the patch for Views 6.x-2.x or Views 6.x-3.x!

If you have a Drupal 6 site using the Views module (probably most sites), we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Categories: Elsewhere

OSTraining: Drupal 8.1 and What It Means for Drupal's Future

Planet Drupal - Wed, 20/04/2016 - 17:32

Today, Drupal 8.1 was officially released.

All the way back in 2014, we talked about the changes coming to Drupal and how the release cycle would allow for changes to be progressively added to Drupal.

At that time, it was estimated that a new version with new features could be released every 6 months. Keeping to that schedule for Drupal 8 has been problematic due to the size and scope of what they wanted to achieve, but they made it! 

Categories: Elsewhere

Wim Leers: Drupal 8.1: BigPipe as an experimental module

Planet Drupal - Wed, 20/04/2016 - 13:09

Today, Drupal 8.1 has been released and it includes BigPipe as an experimental module.

Six months ago, on the day of the release of Drupal 8, the BigPipe contrib module was released.

So BigPipe was first prototyped in contrib, then moved into core as an experimental module.

Experimental module?

Quoting d.o/core/experimental:

Experimental modules allow core contributors to iterate quickly on functionality that may be supported in an upcoming minor release and receive feedback, without needing to conform to the rigorous requirements for production versions of Drupal core.

Experimental modules allow site builders and contributed project authors to test out functionality that might eventually be included as a stable part of Drupal core.

With your help (in other words: by testing), we can help BigPipe “graduate” as a stable module in Drupal 8.2. This is the sort of module that needs wider testing because it changes how pages are delivered, so before it can be considered stable, it must be tested in as many circumstances as possible, including the most exotic ones.

(If your site offers personalization to end users, you are encouraged to enable BigPipe and report issues. There is zero risk of data loss. And when the environment — i.e. web server or (reverse) proxy — doesn’t support streaming, then BigPipe-delivered responses behave as if BigPipe was not installed. Nothing breaks, you just go back to the same perceived performance as before.)

About 500 sites are currently using the contrib module. With the release of Drupal 8.1, hopefully thousands of sites will test it.12

Please report any issues you encounter! Hopefully there won’t be many. I’d be very grateful to hear about success stories too — feel free to share those as issues too!

Documentation

Of course, documentation is ready too:

What about the contrib module?

The BigPipe contrib module is still available for Drupal 8.0, and will remain available.

  • 1.0-beta1 was released on the same day as Drupal 8.0.0
  • 1.0-beta2 was released on the same day as Drupal 8.0.1, and made it feature-complete
  • 1.0-beta3 contained only improved documentation
  • 1.0-rc1 brought comprehensive test coverage, which was the last thing necessary for BigPipe to become a core-worthy module — the same day as the work continued on the core issue: https://www.drupal.org/node/2469431#comment-10899308
  • 1.0 was tagged today, on the same day as Drupal 8.1.0

Going forward, I’ll make sure to tag releases of the BigPipe contrib module matching Drupal 8.1 patch releases, if they contain BigPipe fixes/improvements. So, when Drupal 8.1.3 is released, BigPipe 1.3 for Drupal 8.0 will be released also. That makes it easy to keep things in sync.

Upgrading?

When you upgrade from Drupal 8.0 to Drupal 8.1, and you were using the BigPipe module on your 8.0 site, then follow the instructions in the 8.1.0 release notes:

If you previously installed the BigPipe contributed module, you must uninstall and remove it before upgrading from Drupal 8.0.x to 8.1.x.

  1. Note there is also the BigPipe demo module (d.o/project/big_pipe_demo), which makes it easy to simulate the impact of BigPipe on your particular site. 

  2. There’s also a live demo: http://bigpipe.demo.wimleers.com/ 

  • Acquia
  • Drupal
  • WPO
  • performance
Categories: Elsewhere

Michal Čihař: Testing Sphinx documentation with Jenkins

Planet Debian - Wed, 20/04/2016 - 12:00

While reviewing comments on phpMyAdmin wiki (which we're shrinking down to developer documentation and moving end user documentation to proper documentation) I've noticed that people complained there on broken links in our documentation. Indeed there was quite some of them as this is something nobody really checks. It seems like obvious task to automate.

It seemed to me as obvious as somebody had to do it already. Unfortunately I have not found much, but at least there was Using Jenkins to parse sphinx warnings. This helps with the build warnings, but unfortunately I found no integration for the linkcheck builder. Fortunately it's quite easy with the Jenkins Warnings plugin to write custom parsers and to parse linkcheck output as well.

The Sphinx output parser based on above link can be configured like:

Regular Expression:

^(.*):(\d+): \((.*)\) (.*)

Mapping Script:

import hudson.plugins.warnings.parser.Warning String fileName = matcher.group(1) String lineNumber = matcher.group(2) String category = matcher.group(3) String message = matcher.group(4) return new Warning(fileName, Integer.parseInt(lineNumber), "sphinx", category, message);

Example Log Message:

Percona-Server-1.0.2-3.rst:67: (WARNING/2) Inline literal start-string without end-string.

The Sphinx linkcheck output is quite similar:

Regular Expression:

^(.*):(\d+): \[([^\]]*)\] (.*)

Mapping Script:

import hudson.plugins.warnings.parser.Warning String fileName = matcher.group(1) String lineNumber = matcher.group(2) String category = matcher.group(3) String message = matcher.group(4) return new Warning(fileName, Integer.parseInt(lineNumber), "sphinx-linkcheck", category, message);

Example Log Message:

faq.rst:793: [broken] http://www.hardened-php.net/: <urlopen error [Errno -3] Temporary failure in name resolution>

All you need to do now is to enable these in your Jenkins project, let the Sphinx parse output and the Sphinx linkcheck one file generated by linkcheck (usually _build/linkcheck/output.txt). The result can be found on the phpMyAdmin CI server.

Filed under: English phpMyAdmin | 0 comments

Categories: Elsewhere

Dries Buytaert: Applaud the Drupal maintainers

Planet Drupal - Wed, 20/04/2016 - 11:38

Today is another big day for Drupal as we just released Drupal 8.1.0. Drupal 8.1.0 is an important milestone as it is a departure from the Drupal 7 release schedule where we couldn't add significant new features until Drupal 8. Drupal 8.1.0 balances maintenance with innovation.

On my blog and in presentations, I often talk about the future of Drupal and where we need to innovate. I highlight important developments in the Drupal community, and push my own ideas to disrupt the status quo. People, myself included, like to talk about the shiny innovations, but it is crucial to understand that innovation is only a piece of how we grow Drupal's success. What can't be forgotten is the maintenance, the bug fixing, the work on Drupal.org and our test infrastructure, the documentation writing, the ongoing coordination and the processes that allow us to crank out stable releases.

We often recognize those who help Drupal innovate or introduce novel things, but today, I'd like us to praise those who maintain and improve what already exists and that was innovated years ago. So much of what makes Drupal successful is the "daily upkeep". The seemingly mundane and unglamorous effort that goes into maintaining Drupal has a tremendous impact on the daily life of hundreds of thousands of Drupal developers, millions of Drupal content managers, and billions of people that visit Drupal sites. Without that maintenance, there would be no stability, and without stability, no room for innovation.

Categories: Elsewhere

Jim Birch: Midcamp 2016 Recap - Where the Drupal community comes together!

Planet Drupal - Wed, 20/04/2016 - 11:20

MidCamp 2016, the Midwest Drupal Camp was a roaring success.  We had 36 Sessions and 1 keynote were spread across the University of Chicago Student Center West,.  All of the sessions were successfully recorded by our amazing AV team and shared within hours on the Midcamp YouTube channel.  Our sponsor tables were busy; our Birds of a Feather discussions were many; and our socials were social!

This was my second time attending, and my first time being a volunteer organizer.  If you attended, I hope that I got to greet you on the way in.  Attending my first year, I was so awestruck by the amount of knowledge and talent at MidCamp, I couldn't help but get involved.  After volunteering to help, I am still in awe of the dedication of the volunteers, and the effort it takes to put on a camp like this.  Thanks to all of the volunteers for the countless hours put in throughout the year to make this event happen.

Please indulge me a moment while I call out a few individuals specifically for their incredible effort and dedication put forth to MidCamp 2016.

Read more

Categories: Elsewhere

Drupal Console: Drupal Console and Beer - Enzo join us from Chongqing

Planet Drupal - Wed, 20/04/2016 - 10:33
This time, enzo join us from Chongqing to talk about upcoming presentations on his enzotour 2016. We also talk about lates added features in the 0.11.3 release our very last one before the 1.0.0-alpha1 release. The next upcoming release will be tagged once Drupal 8.1.0 got release.
Categories: Elsewhere

Drupal Blog: Drupal 8.1.0 is now available

Planet Drupal - Wed, 20/04/2016 - 09:48

Drupal 8.1.0, the first minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility. Drupal 8.1.0 is the first such update.

What's new in Drupal 8.1.x?

Drupal 8.1.0 comes with numerous improvements, including CKEditor WYSIWYG enhancements, added APIs, an improved help page, and two new experimental modules. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.)

Download Drupal-8.1.0 Experimental UI for migrations from Drupal 6 and 7

Drupal 8.1.0 now includes the Migrate Drupal UI module, which provides a user interface for Drupal core migrations. Use it to migrate Drupal 6 or 7 sites to Drupal 8. The user guide on migrating from Drupal 6 or 7 to Drupal 8 has full documentation. Note that the Drupal 8 Migrate module suite is still experimental and has known issues. Read below for specific information on migrating Drupal 6 and Drupal 7 sites with 8.1.0. (Always back up your data before performing a migration and review the results carefully.)

BigPipe for perceived performance

The Drupal 8 BigPipe module provides an advanced implementation of Facebook's BigPipe page rendering strategy, leading to greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. See the BigPipe documentation.

CKEditor WYSIWYG spellchecking and language button

Drupal 8.0.0 included the CKEditor module (a WYSIWYG editor), but it was not previously possible to use your browser's built-in spell checker with it to check the text. With Drupal 8.1.0, spellchecking is now enabled within CKEditor as well.

Another great improvement is the addition of the optional language markup button in CKEditor. When configured to appear in your editing toolbar, it allows you to assign language information to parts of the text, which is useful for accessibility and machine processing.

Improved help page with tours

Drupal 8.0.0 included a new system for help tutorials called tours with the core Tour module. In Drupal 8.1.0, we made these tours easier to discover by listing them in the administrative help overview at /admin/help.

The help overview page is also more flexible now, so contributed modules can add sections to it and themes can override its appearance more easily. You can read more about the new system in the change record for the updated help page, or refer to the Tour API documentation for how to add tours for your modules.

Rendered entities in Views fields

Drupal 8.1.0 now includes a rendered entity field handler for Views, which allows placing a fully rendered entity within a view field. For example, this feature could be used to display a rendered user profile for each node author in a table listing node content. (This feature was provided by the Entity contributed module in Drupal 7, but had not yet been available in Drupal 8.)

Support for JavaScript automated testing

Drupal 8.1.0 adds support for automated testing of JavaScript, which will mean fewer bugs with Drupal's JavaScript functionality in the future as we write new tests for it. (Read more about how to run the JavaScript tests.) There are also other improvements to the testing system, including improved reporting of PHPUnit and other test results.

Improved Composer support

Starting with Drupal 8.1.x, Drupal core and its dependencies are packaged by Composer on Drupal.org. This means that sites and modules can now also use Composer to manage all of their third-party dependencies (rather than having to work around the vendor directory that previously shipped with core).

Developer API improvements

Minor releases like Drupal 8.1.0 include backwards-compatible API additions for developers as well as new features. Read the 8.1.0 release notes for more details on the many improvements for developers in this release.

What does this mean to me?
Drupal 8 site owners

Update to 8.1.0 to continue receiving bug and security fixes. The next bugfix release, 8.1.1, is scheduled for May 4, 2016.

Updating your site from 8.0.6 to 8.1.0 with update.php is exactly the same as updating from 8.0.5 to 8.0.6. Modules, themes, and translations may need small changes for this minor release, so test the update carefully before updating your production site.

Drupal 6 site owners

Drupal 6 is not supported anymore. Create a Drupal 8 site and try migrating your data into it as soon as possible. Your Drupal 6 site can still remain up and running while you test migrating your Drupal 6 data into your new Drupal 8 site. Note that there are known issues with the experimental Migrate module suite. If you find a new bug not covered by one of these issues, your detailed bug report with steps to reproduce is a big help!

Drupal 7 site owners

Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8.

The new Migrate Drupal UI for Migrate also allows migrating a Drupal 7 site into a Drupal 8 site, but the migration path from Drupal 7 to 8 is not complete, so you may encounter errors or missing migrations when you try to migrate. That said, since your Drupal 7 site can remain up and running while you test migrating into a new Drupal 8 site, you can help us stabilize the Drupal 7 to Drupal 8 migration path! Testing and bug reports from your real-world Drupal 7 sites will help us stabilize this functionality sooner for everyone. (Search the known issues.)

Translation, module, and theme contributors

Minor releases like Drupal 8.1.0 are backwards-compatible, so modules, themes, and translations that support Drupal 8.0.x will be compatible with 8.1.x as well. However, the new version does include some string changes, minor UI changes, and internal API changes (as well as more significant changes to experimental modules like the Migrate suite). This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.1.0 release candidate for more background information.

Categories: Elsewhere

Wunderkraut blog: Dropcat, a new deploy tool for Drupal

Planet Drupal - Wed, 20/04/2016 - 09:24

In a series of blog posts I am going to present our new tool for doing drupal deploys. It is developed internally in the ops-team in Wunderkraut Sweden , and we did that because of when we started doing Drupal 8 deploys we tried to rethink how we mostly have done Drupal deploys before, because we had some issues what we already had.

In a series of blog posts I am going to present our new tool for doing drupal deploys. It is developed internally in the ops-team in Wunderkraut Sweden , and we did that because of when we started doing Drupal 8 deploys we tried to rethink how we mostly have done Drupal deploys before, because we had some issues what we already had.

What we had - Jenkins and Aegir

Since some years we have been using a combination of Jenkins and Aegir to deploy our sites. 
That work-flow worked, sort off, well for us. And because it was not a perfect match we tried to rethink how we should do deploys with Drupal 8 in mind. 

Research phase

We looked in many directions, like Capistrano and Appistrano, OpenDevShop, platform.sh, Aegir 3 etc. But none of them fitted our current need – we wanted to simplify things, and most of the tools just added another layer that was not a perfect fit for us. Also, it was important to us that the solution should be open source.

We went old school and built our own solution – almost.

Re-use and invent

With Drupal 8 we got to know Symfony in a better way, and Symfony has a console, that also is used by Drupal console project. The advantages in using Symfony console for a base for our deploy flow were big, based on Symfony best practice and using open source projects. Also, drush does a lot of stuff that we need in the deploy process, so that is an important part also. We did not want to re-invent stuff that already worked well.

Enter Dropcat

So we started to build Dropcat (Drop as in Drupal, and cat because… because of cats) and we slowly added more and more stuff to it, and now we have most part of the commands that we need to do a normal deploy, we are still working on one important bit – and that is the rollback – and hopefully when this series of blog posts about Dropcat is finished, we have that in place also.

In next blog post we take a look into how to install dropcat and how th configuration files works. You could check out the Dropcat project on our GitLab server

Categories: Elsewhere

Yuriy Gerasimov: Visual testing of Drupal.org. BackTrac Case Study

Planet Drupal - Wed, 20/04/2016 - 08:18

Visual testing is a great technique to keep styles of your website under control. But what other things visual testing can catch? Maybe some problems with functionality?

It is always best to see visual testing on real life projects. In this article we have done testing of Drupal.org website by comparing it with its staging environment and found some interesting issues.

 

Read full article on BackTrac's blog

 

Please leave your comments on BackTrac's blog instead of here. Thanks!

Tags: drupal planet
Categories: Elsewhere

Norbert Preining: GnuPG notes: subkeys, yubikey, gpg1 vs gpg2

Planet Debian - Wed, 20/04/2016 - 07:42

Switching from one GnuPG master key to the usage of subkeys was long on my list of things I wanted to do, but never came around. With the advent of a YubiKey NEO in my pocket I finally took the plunge: reading through lots of web pages (and adding one here for confusion), trying to understand the procedures, and above all, understanding my own requirements!

To sum up a long story, it was worth the plunge, and all over the security level of my working environment has improved considerable.

While the advantages of subkeys are well documented (e.g., Debian Wiki), at the end of the day I was – like probably many Debian Developers – having one master key that was used for every action: mail decryption and signing, signing of uploads, etc. Traveling a lot I always felt uncomfortable. Despite a lengthy passphrase, I still didn’t want my master key to get into wrong hands in case the laptop got stolen. Furthermore, I had my master key on several computers (work, laptop, mail server), which didn’t help a lot either. With all this, I started to compile a list of requirements/objectives I wanted to have:

  • master key is only available on offline medium (USB sticks)
  • subkeys for signing, encryption, authentication
  • possibility to sign and decrypt my emails on the server where I read emails (ssh/mutt)
  • laptop does not contain any keys, instead use Yubikey
  • all keys with expiry date (1y)
  • mixture of gpg versions: local laptop: gpg2.1, mail server: gpg1

Warning Before we start a word of caution – make backups, best is to make backups at every stage. You don’t want that an erroneous operations wipes out your precious keys without a backup!

Preparation

In the following I will assume that MASTERKEY environment variable contains the id of the master key to be converted. Furthermore, I have followed some of the advice here, so key ids will be shown in long format.

Let us start with the current situation:

$ gpg -K $MASTERKEY sec 4096R/0x6CACA448860CDC13 2010-09-14 Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13 uid Norbert Preining <norbert@preining.info> uid Norbert Preining <preining@logic.at> uid Norbert Preining <preining@debian.org> uid Norbert Preining <preining@jaist.ac.jp> ssb 4096R/0xD1D2BD14810F62B3 2010-09-14

In the following we will go through the following steps:

  • Prepare the Yubikey NEO (forthcoming blog>
  • Edit to current key: add expiry, add photo, and above all add subkeys
  • Create revocation certificate
  • Create gpg2.1 structure
  • Backup to USB media
  • Move subkeys to Yubikey NEO
  • Remove master keys
  • Separate gpg1 (for mail server) and gpg2 (for laptop)
  • Upload to key servers
Yubikey SmartCard setup

There are several guides out there, but I will in very near future write one about using the NEO for various usage scenaria including GPG keys.

Edit the current key

The following can be done in one session or in different sessions, the screen logs are after starting with:

$ gpg --expert --edit-key $MASTERKEY add expiry date

Having an expiry date on your key serves two purposes: If you loose it, it will solve itself automatically, and furthermore, you are forced to deal with the key – and refresh your gpg knowledge – at least once a year. That are two perfect reasons to set expiry to one year.

The following log selects each key in turn and sets its expiry date.

$ gpg --expert --edit-key $MASTERKEY gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.   Secret key is available.   pub 4096R/0x6CACA448860CDC13 created: 2010-09-14 expires: never usage: SC trust: ultimate validity: ultimate sub 4096R/0xD1D2BD14810F62B3 created: 2010-09-14 expires: never usage: E [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp>   gpg> expire Changing expiration time for the primary key. Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Mon 06 Feb 2017 08:09:16 PM JST Is this correct? (y/N) y   You need a passphrase to unlock the secret key for user: "Norbert Preining <norbert@preining.info>" 4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14   Enter passphrase:   pub 4096R/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate sub 4096R/0xD1D2BD14810F62B3 created: 2010-09-14 expires: never usage: E [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp>   gpg> key 1   pub 4096R/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate sub* 4096R/0xD1D2BD14810F62B3 created: 2010-09-14 expires: never usage: E [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp>   gpg> expire Changing expiration time for a subkey. Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Mon 06 Feb 2017 08:09:27 PM JST Is this correct? (y/N) y   You need a passphrase to unlock the secret key for user: "Norbert Preining <norbert@preining.info>" 4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14   Enter passphrase:   pub 4096R/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate sub* 4096R/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> Add a photo

Not strictly necessary, but an interesting feature. gpg suggests 240×288, I resized a photo of my head, greyscaled it, and optimized it with jpegoptim -s -m40 my-photo.jpg. The parameter 40 is the quality, I played around a bit to find the best balance between size and quality. The size should not be too big as the photo will be part of the key!

gpg> addphoto   Pick an image to use for your photo ID. The image must be a JPEG file. Remember that the image is stored within your public key. If you use a very large picture, your key will become very large as well! Keeping the image close to 240x288 is a good size to use.   Enter JPEG filename for photo ID: GPG/norbert-head.jpg Is this photo correct (y/N/q)? y   You need a passphrase to unlock the secret key for user: "Norbert Preining <norbert@preining.info>" 4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14   Enter passphrase:   pub 4096R/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate sub* 4096R/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ unknown] (5) [jpeg image of size 4185] Add subkeys of 2048bit for signing/encryption/authentication

Now comes the interesting part, adding three subkeys: one for signing, one for encrypting, and one for authentication. The one for signing is the one you will use for signing your uploads to Debian as well as emails. The authentication key will later be used to provide ssh authentication. Note that you have to use the --expert expert option to edit-key (as shown above), otherwise gpg does not allow to do this.

As I want to move the subkeys to the Yubikey NEO, a keysize of 2048bits is necessary.

First for the signing:

gpg> addkey Key is protected.   You need a passphrase to unlock the secret key for user: "Norbert Preining <norbert@preining.info>" 4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14   Enter passphrase:   Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) Your selection? 4 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Mon 06 Feb 2017 08:10:06 PM JST Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ....+++++ ..........+++++   pub 4096R/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate sub* 4096R/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E sub 2048R/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ unknown] (5) [jpeg image of size 4185]

Now the same for encryption key:

gpg> addkey Key is protected.   You need a passphrase to unlock the secret key for user: "Norbert Preining <norbert@preining.info>" 4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14   Enter passphrase:   Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) Your selection? 6 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Mon 06 Feb 2017 08:10:20 PM JST Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ..+++++ ........+++++   pub 4096R/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate sub* 4096R/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E sub 2048R/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S sub 2048R/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ unknown] (5) [jpeg image of size 4185]

Finally for the authentication key. Note that only here the --expert is necessary! We use ‘(8) RSA (set your own capabilities)’ and then toggle sign and encryption capabilities off, and authentication on.

gpg> addkey Key is protected.   You need a passphrase to unlock the secret key for user: "Norbert Preining <norbert@preining.info>" 4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14   Enter passphrase:   Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) Your selection? 8   Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Sign Encrypt   (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished   Your selection? s   Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Encrypt   (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished   Your selection? e   Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions:   (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished   Your selection? a   Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Authenticate   (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished   Your selection? q RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Mon 06 Feb 2017 08:10:34 PM JST Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ......+++++ +++++   pub 4096R/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate sub* 4096R/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E sub 2048R/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S sub 2048R/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E sub 2048R/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ unknown] (5) [jpeg image of size 4185]   gpg> save Check the current status

Good point to take a break and inspect the current status. We should have one main key and three subkeys, all with expiry dates of 1 year ahead, and a photo also attached to the key:

$ gpg --expert --edit-key $MASTERKEY gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.   Secret key is available.   gpg: checking the trustdb gpg: public key 0x0FC3EC02FBBB8AB1 is 58138 seconds newer than the signature gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model gpg: depth: 0 valid: 2 signed: 28 trust: 0-, 0q, 0n, 0m, 0f, 2u gpg: depth: 1 valid: 28 signed: 41 trust: 28-, 0q, 0n, 0m, 0f, 0u gpg: next trustdb check due at 2016-11-02 pub 4096R/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate sub 4096R/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E sub 2048R/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S sub 2048R/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E sub 2048R/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> Create revocation certificate

In case something happens, like all your backups are burned, your computers are destroyed, or all data stolen by the NSA, it is a good idea to have an old fashioned paper print out of a revocation certificate which allows you to revoke the key even if you are not in possession of it.

This should be printed out and kept in a safe place.

$ gpg --gen-revoke $MASTERKEY > GPG/revoke-certificate-$MASTERKEY.txt   sec 4096R/0x6CACA448860CDC13 2010-09-14 Norbert Preining <norbert@preining.info>   Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision? 1 Enter an optional description; end it with an empty line: > Reason for revocation: Key has been compromised (No description given) Is this okay? (y/N) y   You need a passphrase to unlock the secret key for user: "Norbert Preining <norbert@preining.info>" 4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14   Enter passphrase:   ASCII armored output forced. Revocation certificate created.

Please move it to a medium which you can hide away; if the NSA or KGB or Mossad gets access to this certificate, they can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable.

Create gpg 2.1 structure

There are currently three versions of gpg available: ‘classic’ (version 1) which is one static binary, perfect for servers or scripting tasks; ‘stable’ (version 2.0) which is the modularized version supporting OpenPGP, S/MIME, and Secure Shell; and finally ‘modern’ (version 2.1 and up) with enhanced features like support for Elliptic Curve cryptography. Debian currently ships version 1 as standard, and also the modern version (but there are traces in experimental of a pending transition).

The newer versions of GnuPG are modularized and use an agent. For the following we need to kill any running instance of gpg-agent.

$ killall gpg-agent

After that a simple call to gpg2 to list the secret keys will convert the layout to the new standard:

$ gpg2 -K $MASTERKEY gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf gpg: starting migration from earlier GnuPG versions gpg: porting secret keys from '/home/norbert/.gnupg/secring.gpg' to gpg-agent gpg: key 0xD2BF4AA309C5B094: secret key imported gpg: key 0x6CACA448860CDC13: secret key imported gpg: migration succeeded sec rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06] Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13 uid [ultimate] Norbert Preining <norbert@preining.info> uid [ultimate] Norbert Preining <preining@logic.at> uid [ultimate] Norbert Preining <preining@debian.org> uid [ultimate] Norbert Preining <preining@jaist.ac.jp> uid [ultimate] [jpeg image of size 4185] ssb rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E] [expires: 2017-02-06] ssb rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S] [expires: 2017-02-06] ssb rsa2048/0xBF361ED434425B4C 2016-02-07 [E] [expires: 2017-02-06] ssb rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A] [expires: 2017-02-06]

After this there will be new files/directories in the .gnupg directory, in particular: .gnupg/private-keys-v1.d/ which contains the private keys.

Creating backup

Now your .gnupg directory contains still all the keys, available for gpg1 and gpg2.1.

You MUST MAKE A BACKUP NOW!!! on at least 3 USB sticks and maybe some other offline media. Keep them in a safe place, better in different and safe places, you will need them for extending the expiry date, signing other keys, etc.

Warning concerning USB and vfat file systems

gpg >= 2.1 requires gpg-agent which in turn needs a socket. If you have the backup on an USB drive (most often with vfat file system), you need to redirect the socket, as vfat does not support sockets!

Edit /USBSTICK/gnupghome/S.gpg-agent and enter there

%Assuan% socket=/dev/shm/S.gpg-agent

After that the socket will be created in /dev/shm/ instead and invoking gpg with gpg2 --homedir /USBSTICK/gnupghome will work.

You have done your backups, right?

Move sub keys to card

As I mentioned, I want to have no keys on my laptop which I carry around to strange countries, instead I want to have them all on a Yubikey NEO. I will describe the setup and usage in details soon, but mention here only how to move the keys to the card. This requires a finished setup including change of pins.

Note that when using gpg2 to move the keys to the card, the local copies are actually deleted, but only for the gpg2(.1) files. The gpg1 secret keys are still all in place.

$ gpg2 --edit-key $MASTERKEY gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.   Secret key is available.   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> key 2   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb* rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> keytocard Please select where to store the key: (1) Signature key (3) Authentication key Your selection? 1   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb* rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> key 2   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> key 3   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb* rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> keytocard Please select where to store the key: (2) Encryption key Your selection? 2   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb* rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> key 3   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> key 4   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb* rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> keytocard Please select where to store the key: (3) Authentication key Your selection? 3   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb* rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> key 4   sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 usage: SC trust: ultimate validity: ultimate ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 usage: E ssb rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 usage: S ssb rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 usage: E ssb rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 usage: A [ultimate] (1). Norbert Preining <norbert@preining.info> [ultimate] (2) Norbert Preining <preining@logic.at> [ultimate] (3) Norbert Preining <preining@debian.org> [ultimate] (4) Norbert Preining <preining@jaist.ac.jp> [ultimate] (5) [jpeg image of size 4185]   gpg> save

Note the repetition of selecting and deselecting keys.

Current status

After this procedure we are now in the following situation:

  • gpg1: all keys are still available
  • gpg2: sub keys are moved to yubikey (indicated below by ssb>), and master key is still available

In gpg words it looks like this:

$ gpg2 -K $MASTERKEY gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf sec rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06] Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13 uid [ultimate] Norbert Preining <norbert@preining.info> uid [ultimate] Norbert Preining <preining@logic.at> uid [ultimate] Norbert Preining <preining@debian.org> uid [ultimate] Norbert Preining <preining@jaist.ac.jp> uid [ultimate] [jpeg image of size 4185] ssb rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E] [expires: 2017-02-06] ssb> rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S] [expires: 2017-02-06] ssb> rsa2048/0xBF361ED434425B4C 2016-02-07 [E] [expires: 2017-02-06] ssb> rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A] [expires: 2017-02-06]   $ gpg -K $MASTERKEY sec 4096R/0x6CACA448860CDC13 2010-09-14 [expires: 2017-02-06] Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13 uid Norbert Preining <norbert@preining.info> uid Norbert Preining <preining@logic.at> uid Norbert Preining <preining@debian.org> uid Norbert Preining <preining@jaist.ac.jp> uid [jpeg image of size 4185] ssb 4096R/0xD1D2BD14810F62B3 2010-09-14 [expires: 2017-02-06] ssb 2048R/0xEC00B8DAD32266AA 2016-02-07 [expires: 2017-02-06] ssb 2048R/0xBF361ED434425B4C 2016-02-07 [expires: 2017-02-06] ssb 2048R/0x9C7CA4E294F04D49 2016-02-07 [expires: 2017-02-06]   $ gpg2 --card-status   .... Name of cardholder: Norbert Preining .... PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: 5871 F824 2DCC 3660 2362 BE7D EC00 B8DA D322 66AA created ....: 2016-02-07 11:10:06 Encryption key....: 2501 195C 90AB F4D2 3DEA A303 BF36 1ED4 3442 5B4C created ....: 2016-02-07 11:10:20 Authentication key: 9CFB 3775 C164 0E99 F0C8 014C 9C7C A4E2 94F0 4D49 created ....: 2016-02-07 11:10:34 General key info..: sub rsa2048/0xEC00B8DAD32266AA 2016-02-07 Norbert Preining <norbert@preining.info> sec rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06 ssb rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06 ssb> rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06 card-no: 0006 03645719 ssb> rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06 card-no: 0006 03645719 ssb> rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06 card-no: 0006 03645719 $ Remove private master keys

You are sure that you have a working backup? Did you try it with gpg --homedir ...? Only if you are really sure, continue.

We are now removing the master key from both the gpg2 and gpg1 setup.

removal for gpg2

gpg2 keeps the private keys in ~/.gnupg/private-keys-v1.d/KEYGRIP.key and the KEYGRIP can be found by adding --with-keygrip to the key listing. Be sure to delete the correct file, the one related to the master key.

$ gpg2 --with-keygrip --list-key $MASTERKEY pub rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06] Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13 Keygrip = 9DC1E90703856C1DE0EAC970CED7ABF5EE5EF79D uid [ultimate] Norbert Preining <norbert@preining.info> uid [ultimate] Norbert Preining <preining@logic.at> uid [ultimate] Norbert Preining <preining@debian.org> uid [ultimate] Norbert Preining <preining@jaist.ac.jp> uid [ultimate] [jpeg image of size 4185] sub rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E] [expires: 2017-02-06] Keygrip = 4B8FF57434DD989243666377376903281D861596 sub rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S] [expires: 2017-02-06] Keygrip = 39B14EF1392F2F251863A87AE4D44CE502755C39 sub rsa2048/0xBF361ED434425B4C 2016-02-07 [E] [expires: 2017-02-06] Keygrip = E41C8DDB2A22976AE0DA8D7D11F586EA793203EA sub rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A] [expires: 2017-02-06] Keygrip = A337DE390143074C6DBFEA64224359B9859B02FC   $ rm ~/.gnupg/private-keys-v1.d/9DC1E90703856C1DE0EAC970CED7ABF5EE5EF79D.key $

After that the missing key is shown in gpg2 -K with an additional # meaning that the key is not available:

$ gpg2 -K $MASTERKEY sec# rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06] ... removal for gpg1

Up to gpg v2.0 there is no simple way to delete only one part of the key. We export the subkeys, delete the private key, and reimport the subkeys:

$ gpg --output secret-subkeys --export-secret-subkeys $MASTERKEY   $ gpg --delete-secret-keys $MASTERKEY   sec 4096R/0x6CACA448860CDC13 2010-09-14 Norbert Preining <norbert@preining.info>   Delete this key from the keyring? (y/N) y This is a secret key! - really delete? (y/N) y   $ gpg --import secret-subkeys gpg: key 0x6CACA448860CDC13: secret key imported gpg: key 0x6CACA448860CDC13: "Norbert Preining <norbert@preining.info>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 gpg: secret keys read: 1 gpg: secret keys imported: 1   $ Current status

We are basically at the stage we wanted to achieve:

For gpg2.1 only the old encryption key is available, the master key is not, and the other sub keys are moved to the yubikey:

$ gpg2 -K $MASTERKEY sec# rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06] Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13 uid [ultimate] Norbert Preining <norbert@preining.info> uid [ultimate] Norbert Preining <preining@logic.at> uid [ultimate] Norbert Preining <preining@debian.org> uid [ultimate] Norbert Preining <preining@jaist.ac.jp> uid [ultimate] [jpeg image of size 4185] ssb rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E] [expires: 2017-02-06] ssb> rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S] [expires: 2017-02-06] ssb> rsa2048/0xBF361ED434425B4C 2016-02-07 [E] [expires: 2017-02-06] ssb> rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A] [expires: 2017-02-06] $

And for gpg <= 2.0 the old encryption key and the sub keys are available, but the master key is not:

$ gpg -K $MASTERKEY sec# 4096R/0x6CACA448860CDC13 2010-09-14 [expires: 2017-02-06] Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13 uid Norbert Preining <norbert@preining.info> uid Norbert Preining <preining@logic.at> uid Norbert Preining <preining@debian.org> uid Norbert Preining <preining@jaist.ac.jp> uid [jpeg image of size 4185] ssb 4096R/0xD1D2BD14810F62B3 2010-09-14 [expires: 2017-02-06] ssb 2048R/0xEC00B8DAD32266AA 2016-02-07 [expires: 2017-02-06] ssb 2048R/0xBF361ED434425B4C 2016-02-07 [expires: 2017-02-06] ssb 2048R/0x9C7CA4E294F04D49 2016-02-07 [expires: 2017-02-06]   $ Split the .gnupg directory for mail server and laptop

As mentioned, I want to have a gpg1 version available at the server where I read my emails, and be able to sign/encrypt emails there, while on my laptop no secret key is available. Thus I prepare two gnupg directories.

For the mailserver the gpg2 specific files are removed:

$ cp -a .gnupg .gnupg-mail $ cd .gnupg-mail $ rm -rf private-keys-v1.d/ pubring.gpg~ reader_0.status $ rm -rf S.gpg-agent* S.scdaemon .gpg-v21-migrated

On my laptop, where I did all this operation, I remove the gpg1 files, namely the outdated secring.gpg:

$ cd $HOME/.gnupg $ rm secring.gpg

As a last step I move the .gnupg-mail directory to my mail server.

Once could *expire* the old encryption key, but for now I leave it as is.

Upload keys to keyservers

If you are a Debian Developer, a simple update of your master key will suffice:

gpg --keyserver hkp://keyring.debian.org --send-key YOURMASTERKEYID

Note that the update from the keyring server to the actual Debian keyring takes up to one month. Until that time either do not upload anything, or use the (offline) master key for signing. After your key has been updated in the Debian keyring, signatures made with the signing subkey will be accepted for uploading to Debian.

It might be also a good idea to upload your new keys to some keyservers like:

gpg --keyserver hkp://pool.sks-keyservers.net --send-key $MASTERKEY

Now you an also fix the configuration file skew between gpg1 and gpg2.

Further remark

I am currently trying to use the authentication key from my Yubikey NEO as ssh key, but bugs (see #795368 and #818969) prohibit it at the moment. Raphael Herzog gave a possible fix by killing the gpg-agent and restarting it with gpg-agent --daemon from an X terminal, and I can confirm that this worked.

After one year before the key expires I need to extend the key validity for another year. For this you need the offline master key. I will describe the process when it becomes necessary.

Reading list

The following web sites have been useful in collecting the necessary information:

  1. https://iain.learmonth.me/yubikey-neo-gpg/
  2. https://iain.learmonth.me/yubikey-udev/
  3. http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
  4. https://wiki.debian.org/Subkeys
  5. https://jclement.ca/articles/2015/gpg-smartcard/ as modernized version of (3)
  6. https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ similar style, with ssh and gnome-keyring infos
  7. http://karlgrz.com/2fa-gpg-ssh-keys-with-pass-and-yubikey-neo/ also good reading
  8. https://help.riseup.net/en/security/message-security/openpgp/best-practices good and concise advise on gpg practices

My writing is mostly based on (5) with additions from (4).

Please let me know of any errors, improvements, and fixes. I hope this walk-through might help others in the same situation.

Categories: Elsewhere

Mike Ryan: Migration update for Drupal 8.1

Planet Drupal - Tue, 19/04/2016 - 21:24

For those of you using the migration system under Drupal 8.0.x, with Drupal 8.1 scheduled to release tomorrow, let’s take a look at where the migration ecosystem now stands. We’ll discuss the biggest core API change, then how moving to 8.1 affects various use cases.

Migrations are now plugins

read more

Categories: Elsewhere

Drupal core announcements: Reinventing Drupal’s User Experience process

Planet Drupal - Tue, 19/04/2016 - 21:20

The Drupal core product needs to become more engaging and useful right out of the box. Usability testing has shown why. We want to look at how we can change our process to be more efficient and effective.

We learned during the Drupal 8 process, that our way of building the product side of Drupal has many challenges. We propose to adopt a different way of working that avoids current pitfalls and enables a fresher, faster way to iterate on the core product.

The UX-team has started a discussion in the Usability group to explore how we can change our process to allow for more drastic UX changes.

Join the discussion at: Reinventing Drupal’s User Experience process

Categories: Elsewhere

Drupal @ Penn State: Drupal 8 Theme Generation and Development Intro Using the Drupal Console

Planet Drupal - Tue, 19/04/2016 - 19:16

Here is a screen cast of how to get started with Drupal 8 theme development.

In the video I cover:

  • using the drupal console to generate a theme from a base theme
  • creating a libraries yml file
  • adding global css to your theme
  • Using Kint with the devel module
  • debugging twig
  • adding your own twig file to your theme
Categories: Elsewhere

Acquia Developer Center Blog: Drupal 8 Module of the Week: Monolog

Planet Drupal - Tue, 19/04/2016 - 17:33

Special PHP-Interoperability Edition! Each day, more Drupal 7 modules are being migrated over to Drupal 8 and new ones are being created for the Drupal community’s latest major release. In this series, the Acquia Developer Center is profiling some of the most prominent, useful modules available for Drupal 8. This week, logging with Monolog.

Tags: acquia drupal planetloggingPSRPHP FIGMonologdrupal 8
Categories: Elsewhere

Phponwebsites: Create page without header and footer in Drupal 7

Planet Drupal - Tue, 19/04/2016 - 16:46
    This blog describes about create only page contents without header and footer in Drupal 7. All of you know almost all of the pages in Drupal have header and footer. Suppose you want to create a page without header and footer in Drupal 7. Is it possible? Yes, it is possible in Drupal 7. You can create a page without header and footer using 'delivery callback' in hook_menu.

Render a page without header and footer in Drupal 7:
     Drupal provide a option to create page without header and footer. Let see the below code for render a page without header and footer in Drupal 7.

/**
 * Implement hook_menu().
 */
function phponwebsites_menu() {
  $items['sample-wo-header-footer'] = array(
    'title' => 'A page without header and footer in Drupal 7',
    'access callback' => TRUE,
    'page callback' => 'phponwebsites_without_header_footer',
    'type' => MENU_CALLBACK,
    'delivery callback' => 'deliver_plain',
  );
  return $items;
}

function deliver_plain($page_callback_result) {
  print $page_callback_result;
}

/**
 * Implement phponwebsites_without_header_footer().
 */
function phponwebsites_without_header_footer() {
  return 'This is the page without header and footer';
}

   You could see the page without any header and footer when you view page in a browser. Now I've hope you how to render a page without header and footer in Drupal 7.

Related articles:
Add new menu item into already created menu in Drupal 7
Add class into menu item in Drupal 7
Create menu tab programmatically in Drupal 7
Add custom fields to search api index in Drupal 7
Login using both email and username in Drupal 7
Clear views cache when insert, update and delete a node in Drupal 7
Categories: Elsewhere

Pages

Subscribe to jfhovinne aggregator - Elsewhere