Vroom vroom! Love Adventure? Love Drupal? Want to win a Royal Enfield Classic motorcycle? You're in luck!
The DrupalCon Asia Developer Contest is being sponsored by the great folks over at Azri Solutions and they've come up with one of the coolest developer contests we've heard of thus far. The challenge, should you choose to accept it, is this: create a beautiful, interactive visualization of the data found at https://www.drupal.org/drupalorg/api, and submit it via github no later than 11:59 PM IST on Thursday, February 18.
Address space layout randomization helps to protect against buffer overflow attacks as it becomes harder for an attacker to turn a programming error into an exploitable security hole. The first implementation for Linux is 15 years old. Support in mainline kernel and toolchains have been available for a good while now. But to work, ASLR also needs executables to be built as position independent. And as Hanno Böck from the fuzzing project gently reminded me at 32C3, almost no executables in Debian are built as such, while it is now the default in Windows, Mac OS X, OpenBSD, and Fedora to name just a few other systems.
PIE has the reputation of having a performance hit. While true, especially for register constrained architectures like i386, it makes a difference only for the executable itself, not any shared library it uses as they are already built as position independent. Also, several optimizations have been made since the early days. GCC 5 will reuse the PIC hard register (which is also good for libraries). On amd64, GCC 5 and binutils 2.26 will do copy relocations. More improvements for i386 are being worked on.
I sincerly believe that users are way more likely to notice a compromised system than a slightly slower one.Tracking progress
Since version 2.5.40, lintian will now issue a warning1 when it detects that a binary has not been compiled as a position independent executable. Kudos to Niels Thykier. Now that we can track our progress, I'm calling every Debian Developers: let's try to get as many ALSR-compatible executables in Stretch!How to enable PIE
Thanks to all contributors over the past years who have improved our toolchain, we now have a fairly easy way to enable hardening flags with dpkg-buildflags. For packages using dh, it now boils down with adding on top of debian/rules:export DEB_BUILD_MAINT_OPTIONS = hardening=+all
You can even test if a package supports all hardening flags without any changes running DEB_BUILD_OPTIONS=hardening=+all dpkg-buildpackage. Running lintian or hardening-check can then tell you if the protections have been successfully enabled.Hardening by default?
But do we really need to change so many packages individually? The difference between the current default features and all hardening features are pie and bindnow. Could we turn them by default and do binNMUs instead of requiring actions from maintainers?
I guess the question boils down to: how many packages would require a (one-liner) change to turn off the pie or bindnow features if they were on by default?
To get the beginning of an answer, I took the top 502 (according to popcon installations) source packages shipping non-position independent executables. I've try to rebuild them enabling all hardening flags through DEB_BUILD_OPTIONS.
Out of 49 packages3:
- 32 (65%) built fine and produced PIE binaries: acpi, bc, bind9, bsd-mailx, bsdmainutils, bzip2, cpio, cron, debianutils, diffutils, dpkg, file, fontconfig, gettext, glib2.0, glibc, gnupg, gzip, hostname, ifupdown, iputils, logrotate, m4, mutt, nano, net-tools, netcat, netkit-ftp, netkit-telnet, os-prober, pam, util-linux.
- 4 (8%) built fine but did not compiled hardened binaries: discover, mawk, mlocate, patch.
- 13 (27%) failed to build, with some of these expected failures, e.g. for *-static or GRUB: bash, busybox, coreutils, e2fsprogs, grub2, insserv, iptables, kbd, ncurses, newt, openssl, pciutils, perl.
The results are really encouraging. Especially taking in account that some of these packages are part of the “tricky and weird” set. To know for sure, we would need a mass-rebuild of the archive with DEB_BUILD_OPTIONS=hardening=+all in the environment. Any takers?
Verification of the whole archive by the latest version of lintian is still in progress by the time I'm writing these lines. According to Niels it should take 3-4 more days to look at all available packages. ↩
As always, UDD does wonders:SELECT packages.source, MAX(popcon.insts) AS insts FROM lintian, popcon, packages WHERE lintian.tag = 'hardening-no-pie' AND lintian.package_arch = 'amd64' AND popcon.package = lintian.package AND packages.package = popcon.package AND packages.distribution = 'debian' AND packages.release = 'sid' GROUP BY packages.source ORDER BY MAX(popcon.insts) DESC LIMIT 50; ↩
In mid-January we held a webinar with Acquia, explaining how to train your team on Drupal 8.
This was an interesting webinar to run because it ended up being pretty different from our planning. There were two major changes:
- When scheduling the webinar, we intended to explain many of Drupal 8 training resources available. However, by mid-January, many contributed Drupal 8 modules didn't have stable releases and so most D8 training wasn't ready. So, in the webinar, we explaind when Drupal 8 training would be available.
- We were able to make a very cool surprise announcement. Watch to the end of the webinar for the big reveal.
From the webinar, here's an overview of when several important modules will be stable:
Web Services in today's applications and websites have become critical to interacting with third parties, and a lot of Drupal developers have the need to expose content and features on their site via an API. Luckily for us, Drupal 8 now has this capability built right into Core. Some contrib modules are attempting to make such capabilities even better, too.
To shed some light onto these new features, we've worked with Acquia to develop a webinar and subsequent series of blog posts to help get you up to speed with these exciting, new features. The first of these blog posts, Web Services 101, has been published on the Acquia Developer Center today, written by our very own Senior Architect and Community Lead Larry "Crell" Garfield.
Larry kicks off the series by laying out a comprehensive explanation of exactly what Web services are, providing a necessary and strong foundation for you to approach the exciting Web services developments new to Drupal 8. Look for his follow-up posts on Palantir.net in the coming weeks. And in the meantime, we have plenty more Drupal 8 content with Larry's .
This first post on Acquia is part of a 4-part series written by Larry, and Kyle Browning, of Acquia, based on a webinar that Larry and Kyle recently gave: Drupal 8 Deep Dive: What It Means for Developers Now that REST Is in Core.
Lately I have been hearing a lot about Laravel. This is a PHP framework to build web applications and that is quickly gaining popularity. I wanted to test it to keep up to date with this current technology. So I thought: I will build a concept in Laravel to see how it works and to compare it with Drupal 8.
- A static page in which the content is loaded from a local database.
- Build a list of Blog items which is fed from a Drupal 8 RESTful API (which I had previously built for Node.js).
Overall content of this blog:
- Introduction to Laravel
- Laravel’s foundation
- Installing Laravel
- Routing in Laravel
- Laravel’s Migration: management of the database structure
- Eloquent ORM: query the database
- HTML templating in Laravel: Blade and Views
- Loading data from a RESTful Drupal 8 API
Web developers are discovering that Web services have become critical to interacting with third parties -- whether on Web sites or in applications.
Many Drupal developers now have the need to expose content and features on their site via an API. Fortunately, Drupal 8 now has this capability in core. And some contributed modules are attempting to make it even better.Tags: acquia drupal planet
BlackMesh: Attend a sprint at one of the 40 Drupal Global Sprint Weekend locations, January 30 and 31!
Drupal Global Sprint Weekend is January 30 and 31, 2016, and so far we have 40 locations all over the world.
You might think you can't help Drupal, that you should not go to a sprint… But anyone who has worked with Drupal before (content editors, site builders), can help at a sprint. So you should go to one! Bring your computer. :)
(No location near you? *You* can organize one. :) There is still time to add your small local sprint. Read the post and get your location listed!)What will you do at a sprint? Work with others
You might have had a goal of contributing for a while, but when you tried before it may have been intimidating or frustrating.
This is your chance to change that! Working together is more fun, and we can learn so much from each other.
At the sprint, ask the organizer or another attendee what project they are working on. It might be Drupal Core, a Drupal 7 contrib project, a distribution, a translation, documentation, the Drupal 8 Handbook, porting a module to Drupal 8, or drupal.org infrastructure. Find out where their issue queue is.
Write down people's names and usernames that you meet.Post comments on issues
All over the world, people work on Drupal every day (not just on Global Sprint Weekend). To coordinate this work, we post comments (and questions!) on issues, a lot.
For example, let's say after finding the issue queue, you want to help with some bugs.
Filter the list of issues to bugs. Pick one that looks interesting to you, and make a comment on the issue saying you are going to verify it and work on steps to reproduce. After a while, make another comment to post questions you have on the issue, or post some partial information you found out. Later, make *another* comment and update the issue summary and/or steps to reproduce.Eat and have fun
Take care of yourself at the sprint. Take short breaks; stand up and stretch; walk around a bit. Spend a few quiet moments alone a couple times during the day.
If your location is not providing lunch, bring food with you. (Leaving for two hours in the middle of a sprint will not be a productive use of time.)
After getting their permission, take pictures of smiling people talking and working together, and post them.Stick with a few issues
Do not measure your success, or the success of a sprint, with how many issues get touched. Stay with one or two issues, and work with a group to get them as close to done as possible.
If you were verifying a bug, ask around and find someone to fix the bug and work with them. :) Before starting to work on a fix, make sure they post a comment on the issue also, saying what you and they will be doing next.
Test a fix. Before starting to test a fix, post a comment on the issue saying what you will test (you should be posting comments on issues before starting to work on them, saying what you will do, is pretty important). Post questions about how to test, or post the result of your trying the fix. If you do not have a local environment to try out fixes, use SimplyTest.me.
Look at a patch or pull request and post questions about the fix, or post opinions you have about the solution. Or, ask around and find someone to look at the fix, and make sure they post a comment about it.
Keep gathering people on one or two issues until they get updated, fixed, reviewed, and tested (maybe doing that a few times).Celebrate
Before leaving the sprint, post comments on issues summarizing any questions and posting partial work. Check with others at the sprint and make sure they post too. Some people don't want to say things in public on issues if they feel their work is not finished or not perfect. Let them see you did it and help them feel comfortable posting questions and half broken things.
Look back on what you got done that day, what you learned, and what barriers you had before the sprint, that you have now gotten over. Even small things add up over time.You decided to attend a sprint. What next? Tell people you are going
The person organizing the location near you might be feeling a bit nervous and wondering if people will show up. Help them by RSVP'ing. Make a comment on their post saying you will attend, respond "yes" to their meetup, get a ticket through their event page, or use whatever method they have for signups.
Tweet (use the #SprintWeekend hash tag) and say you will be at X location.
Convince a friend to go with you.Read more about sprints
Still curious about what sprinting will be like? Zsófi from Cheppers in Budapest wrote about what to expect at a Global Sprint sprint. And Leslie from OwnSourcing wrote about tools sprinters can get ready before hand (or go to a sprint to get help setting up).Have questions?
- Drupal Global Sprint Weekend 2016 wiki
- You can organize a small local sprint as part of Drupal Global Sprint Weekend 2016
- Preparation tips for organizers of local Drupal Global Sprint Weekend 2016 sprints
- Get issues you care about ready for Global Sprint Weekend
- Drupal.org handbook page: Resources for sprint planners
- Dropcast Episode 14: Mediacurrent and Cathy talk about Drupal Global Sprint Weekend 2016
Last week consisted mostly of code fixes. For example the code for checking latest phpMyAdmin turned out to be buggy under some PHP configurations. But most work for last week is not yet public, you will see it in upcoming security releases.
All handled issues:
- #11874 Warn if no means of obtaining the version information are found
- #11873 Notice
- #11855 "set password" on MariaDB 10.1
- #11849 Designer cannot export schema in PDF (master)
As you may know, Drupal 6 will reach End-Of-Life (EOL) on February 24th, 2016. This means the Drupal community (including the Security Team) will no longer support Drupal 6!
However, a small group of commercial vendors will collaborate with the Drupal Security Team to take on Long-Term Support of Drupal 6! And myDropWizard is one of those Drupal 6 long-term support vendors. :-)
In this article, we'll answer the following questions:
- What specifically will happen on February 24th?
- What is the official Drupal 6 LTS?
- How will the process work?
- What will customers need to pay for?
Read more for the answers!
Embed code for Infographics:Read more
Acquia Developer Center Blog: Acquia U: "Making the world a better place, one Drupalist at a time." - with Amy Parker
Part 2 of 2 - Amy Parker, the Director of Acquia University, and I sat down in Acquia's downtown Boston headquarters to talk about Acquia's technology boot camp, affectionately known as "Acquia U". In this podcast we talk about the diversity of candidate backgrounds, the candidate selection process, and go into what makes a successful Acquia "Ubie." We also talk about measuring the success of a program like this in human terms.
In part one, we went over the course and how it covers much more than Drupal. The curriculum is designed to produce people able to work in tech companies: Drupal and related technologies, agile methodologies, project management tools, trouble shooting tickets, presentation skills, and more. Listen to Part 1 to learn more.Interview video - 14:30 min.
More Amy and Acquia U on the web!
- Acquia Podcast: Acquia U: "Jump in and own it. Kickstart your career." - meet Amy Parker
- Acquia Podcast with Keith Donaldson, Acquia U graduate, 2015: Drupal, the fastest way from idea to MVP
- Amy spoke with Brian Lewis in 2015 on Modules Unravelled Podcast 132, AcquiaU (here's the video of their conversation).
- Amy was a guest on DrupalEasy podcast 141 in 2014.
Most of us have been using the Features module for configuration management in Drupal 7 for years now. This is not what the module was originally intended for, but it has allowed us to move variables and configurations that were kept in the database into code, so they can be transferred from development to staging and production sites.
Features is a module that creates other modules. It was designed to bundle together functionality, say for a blog or a gallery, so you could deploy that functionality to multiple sites. If you can think of grouping together a Content type with it's fields, dependencies, and views and you are thinking along the lines of the original design.
However, somewhere along the way, some smart people figured out that we could send a lot of configuration to code using Features. Different ideas of what should be kept in each "feature" arose, and a pseudo-configuration system evolved in Drupal 7. Features provides a User Interface in the Drupal admin where developers and administrators could click together variables that go into a feature, and click together we did.
You may already be familiar with Amazon S3, the most popular solution for cost effective storage services nowadays. You will need it when you are looking for:
- Low cost storage: it happens to be my case, when I implemented a Drupal based web app for a local governmental authority. The app is used by branches from all provices of the country, and they usually upload a large amount of data (documents, photos, scans etc ...) regularly. Using the app server's storage is too expensive. So I converted the Drupal file system to Amazon S3, leaving only the core and modules on the app server.
- Fast loading: many bloggers have used S3 to store their photos, videos, audios and files, for better serving their readers. As customers are from all over the world, saving the multimedia content to S3 will let them access them much faster.
- And many more benefits
In this tutorial, we will show you how to convert the Drupal 7 file system to Amazon S3 and sync all existing files to S3 Storage.1. Preparation
You will need to run several client programs like drush and awscli. So if your site is on a shared hosting, you are not able to install and execute them. Pls download it to your local host and configure it there. After that you can upload to your shared hosting.
The techniques that I use in this tutorial are:
Pronovix: Upping our game in accessibility, openness and signature technology - PDF in Drupal part 1
In the web community, PDF has become synonym for a range of accessibility bad practices. Some people even think that we would all be better off if PDF would finally die, just like Flash and Internet Explorer. As a result PDF is not very sexy in the Drupal and wider PHP community and this has negatively impacted our tooling.
It would be better to rename repo.CC.debian.org or something, IMO.
For those of us who have been breathlessly waiting since you saw the jazz band in Los Angeles, registration for DrupalCon New Orleans is open at last!
Coming up in May, DrupalCon New Orleans promises to be a fantastic time — so make sure you register today to get the earlybird rate.
Vincent Sanders: Creativity is allowing yourself to make mistakes. Art is knowing which ones to keep.
In the workshop today I had a selection of freshly laser cut.completed cases for several single board computers out on the desk. I was asked by a new member of the space how I was able to produce these with no failures?
I was slightly taken aback at the question and had to explain that the designs I was happily running off on the laser cutter are all the result of mistakes, lots of them. The person I was talking to was surprised when I revealed that I was not simply generating fully formed working designs first time.
We chatted for a while and it became apparent that they had been holding themselves back from actually making something because they were afraid the result would be wrong. I went to my box and retrieved the failures from my most recent case design for a Raspberry Pi model B to put alongside the successful end product to try and encourage them.
I explained that my process was fairly iterative, sure I attempted to get it right first time by reusing existing working solutions as a basis but that when the cost of iterating is relatively small it is sometimes worthwhile to just accept the failures.
For example in this latest enclosure:
- my first attempt (in the semi opaque plastic) resulted in a correct top and bottom but the height was a couple of mm short and the audio connector cutout was too small
- second attempt was in clear acrylic and omitting the top and bottom. I stuffed the laser cutter setup and the resulting cutouts would not actually fit together properly.
- third attempt went together ok but my connector cutouts were 0.5mm high so the board did not sit properly, this case would have been usable but I like to publish refined designs so I fixed all the small issues.
- Fourth version is pretty much correct and I have tried all three different Raspberry Pi model B boards (mine and the spaces) and they all fit so I am confident I have a design I can now use anytime I want a case for this SBC.
The person I was talking to could not get past the possibility of having a pile of scrap material, it was wasteful in their view and my expectation to fail was unfathomable. They left with somewhat of a bad view of me and my approach.
I pondered this turn of events for a time and they did have a point in that I have a collection of thirty or so failures from all my various designs most of which is unusable. I then realised I have produced over fifty copies of those designs not just for myself but for other people and published them for anyone else to replicate, so on balance I think I am doing ok on wastage.
The stronger argument for me personally is that I have made something. I love making things, be that software, electronics or physical designs. It may not always be the best solution but I usually end up with something that works.
That makespace member may not like my approach but in the final reckoning, I have made something, their idea is still just an idea. So Scott I may not be an artist but I am at least creative and that is halfway there.