Daniel Silverstone: Gitano - Approaching Release - Work

Planet Debian - Tue, 04/10/2016 - 06:41

I have been working quite hard, along with my friend and colleague Richard Maw, on getting Gitano ready for a release suitable for inclusion into Debian Stretch.

You can see how we're doing on the various Trello boards for:

As Richard and I work toward a version of Gitano we're prepared to support long-term in Debian we are making many changes to make our lives easier. For those of you who have been using Gitano over the past few years, you'll need to pay attention to some postings which will be coming soon about how to make the changes you need so as to not explode horribly when you upgrade to the version we're releasing soon. For those of you who are not yet using Gitano but feel like you might want to; I'll also be producing some postings about getting started with the packages. And for those happily running current HEAD of Gitano already, I'll be posting about some of the new features over the next little while in case you're not aware of them.

IMPORTANT: If you're using Gitano already and have any issues or feature requests then please please please let me know ASAP otherwise they're unlikely to be resolved/implemented before 1.0. irl already asked for the facility to verify GPG signed commits and tags, but if you want anything else considering then I need to know v. soon. (Ideally email me, but you may comment on this posting too if you must)

Categories: Elsewhere

Lucy Wayland: Diversity and Inclusion

Planet Debian - Mon, 03/10/2016 - 21:55

So this morning, along with a few other members of staff, I was filmed for a Diversity and Inclusion video for Ada Lovelace Day at work. Very positive experience, and I was wearing my rainbow chain mail necklace made by the wonderful Rosemary Warner, and a safety pin, which I had to explain the meaning of to the two peeps doing the filming. We all of us read the same script, and they are going to paste it together with each of us saying one sentence at a time. The script was not just about gender, it also mentioned age, skills, sexual orientation and physical ability among other things (I cannot remember the entire list). I was very happy and proud to take part.

Categories: Elsewhere

myDropWizard.com: If you're still on Drupal 6, you should switch to Pressflow ... ASAP!

Planet Drupal - Mon, 03/10/2016 - 21:33

If you have a site that's still on Drupal 6, you're not alone. As of about a week ago, there's still over 88,000 Drupal 6 sites out there!

While support from the community ended on February 24th, the Drupal 6 Long-Term Support vendors have been hard at work, releasing over 20 security fixes for various contrib so far, including very popular modules like Views and Panels!

While the D6LTS vendors haven't released any security fixes for Drupal 6 core yet - it's only a matter of time!

If you want to be ready for it when they do, we recommend that you update to Pressflow. But that's not the only reason!

Read more to find out why and how!

Categories: Elsewhere

Palantir: Palantir.net's Guide to Digital Governance: Properties and Platforms

Planet Drupal - Mon, 03/10/2016 - 20:58
Palantir.net's Guide to Digital Governance: Properties and Platforms Palantir.net's Guide to Digital Governance brandt Mon, 10/03/2016 - 13:58 Scott DiPerna Oct 3, 2016

This is the second installment of Palantir.net’s Guide to Digital Governance, a comprehensive guide intended to help get you started when developing a governance plan for your institution’s digital communications.

In this post we will cover...
  • What's next after the 10,000ft view
  • What properties you need to think about
  • Applications and integrations you also need to consider 

Stay connected with the latest news on web strategy, design, and development.

Sign up for our newsletter.

Having started at the 10,000ft view to assess the digital ecosystem for our governance planning, part two of the Guide to Digital Governance begins to identify the specific properties and platforms you will need to consider within that ecosystem.

Taking the top level categories you listed for your governance plan in part one, you now will want to think of the properties and platforms within each of them. The following questions are intended to help you think through each piece carefully.

Public Websites

  • What are the websites we own that are visible to anyone on the Web?
  • Do we have any public subdomain Websites, such as subdomain.mywebsite.com?
  • Do we have any micro-sites, or Websites with a URL that is different from our main site?
  • Do we have any blogs that may be hosted elsewhere, but would be considered part of our public Web presence?

Private Websites

  • What are the Websites we own that are visible to only those with access we control?
  • What are the Websites we own that are visible to only those who have access through machines running on our organization’s network?
  • Do we have any subdomain Websites, such as subdomain.mywebsite.com that require logging in?
  • Do we have any Websites for only a specific set of constituents?

Intranets and Portals

  • Do we have a network of internal-use Websites (a.k.a an Intranet), accessible only by password or by logging on to the organization’s network, or otherwise hidden (even by obscurity)?
  • Do we use any portal sites or pages as a means of aggregating links of importance for specific groups of users?

Web-Based Applications

  • Are there any web-based applications we use to perform specialized tasks, such as generating reports from data in a database or retrieving digital assets from a database?
  • Are there any online tools that we use (whether built internally or purchased from a third-party vendor as software-as-a-service (SaaS)?


  • What platforms, systems, and/or services do we use for collecting payments online?
  • What platforms, systems, and/or services do we use for selling products online?
  • Where are these located relative to our other Websites?

Social Networks

  • What are the social media networks we use to communicate to the outside world?

Digital Media

  • What are the platforms we use to create digital media, such as video, audio, and photography?
  • What are the platforms we use to distribute digital media, such as video, audio, and photography

Broadcast Email

  • What are the systems we use to send broadcast email to all or large segments of our internal group, members, staff, community, etc.?
  • What are the systems we use to send broadcast email to all or large segments of our external community, clients, constituents, etc. for the purposed of marketing and promotion?

Digital Communications Governance

  • What are the pieces that will constitute our official governance system?
  • NOTE: You may not know the answer to this one yet, so leave it empty for now.


This post is part of a larger series of posts, which make up a Guide to Digital Governance Planning. The sections follow a specific order intended to help you start at a high-level of thinking and then focus on greater and greater levels of detail. The sections of the guide are as follows:

  1. Starting at the 10,000ft View – Define the digital ecosystem your governance planning will encompass.
  2. Properties and Platforms – Define all the sites, applications and tools that live in your digital ecosystem.
  3. Ownership – Consider who ultimately owns and is responsible for each site, application and tool.
  4. Intended Use – Establish the fundamental purpose for the use of each site, application and tool.
  5. Roles and Permissions – Define who should be able to do what in each system.
  6. Content – Understand how ownership and permissions should apply to content.
  7. Organization – Establish how the content in your digital properties should be organized and structured.
  8. URLs – Define how URL patterns should be structured in your websites.
  9. Design – Determine who owns and is responsible for the many aspects design plays in digital communications and properties.
  10. Personal Websites – Consider the relationship your organization should have with personal websites of members of your organization.
  11. Private Websites, Intranets and Portals – Determine the policies that should govern site which are not available to the public.
  12. Web-Based Applications – Consider use and ownership of web-based tools and applications.
  13. E-Commerce – Determine the role of e-commerce in your website.
  14. Broadcast Email – Establish guidelines for the use of broadcast email to constituents and customers.
  15. Social Media – Set standards for the establishment and use of social media tools within the organization.
  16. Digital Communications Governance – Keep the guidelines you create updated and relevant.

We want to make your project a success.

Let's Chat.
Categories: Elsewhere

Markus Koschany: My Free Software Activities in September 2016

Planet Debian - Mon, 03/10/2016 - 20:12

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Android, Java, Games and LTS topics, this might be interesting for you.

Debian Android Debian Games
  • I packaged a new upstream release of hyperrogue, a rogue-like game settled in a non-euclidian world, fixing one RC bug (#811991). I uploaded two more revisions later that addressed  build failures on arm64 and hppa.
  • I fixed more RC bugs (build failures with GCC-6) in torus-trooper (#835712) and fife (#811858).
  • I packaged new upstream releases of pygame-sdl2, renpy, freeorion, netrek-client-cow, redeclipse, redeclipse-data, hitori, atomix, adonthell and adonthell-data.
  • I updated gtkballs and fixed a documentation bug (#820588) but also a /usr/share/locale issue that prevented the actual use of the translations.
  • I raised the severity of #797998 to grave in unknown-horizons because the game cannot be started currently. In order to fix this issue I packaged a new build-dependency, fifechan, which is currently awaiting approval by the FTP team. As soon as fifechan got accepted I will upload new upstream releases of fife and unknown-horizons.
  • I released debian-games 1.5, a Debian blend and collection of games metapackages.
  • Hardening-wrapper has been deprecated for some time and this issue became release critical now. I updated cookietool, alex4 and netrek-client-cow to use dpkg-buildflags instead.
  • Together with Russel Coker I packaged a new upstream release of warzone2100. This package would benefit from a new regular uploader. If you are interested in it, please get involved. (Same story for hyperrogue, redeclipse, renpy and unknown-horizons and many other games.)
  • I started a new Bullet transition (#839243). The package is currently waiting in the NEW queue and I hope to complete this work in October.
  • I triaged #838199 and reassigned the issue to fonts-roboto. Initially I prepared an NMU but eventually the maintainer uploaded a new revision himself. It is now possible to install the hinted and unhinted versions of fonts-roboto together which also resolved former installation problems with kodi and freeorion.
Debian Java
  • I packaged new upstream releases of undertow, activemq and jackrabbit.
  • I fixed RC bugs in libphonenumber (#836768), wagon2 (#837022) and activemq (#839244).
  • I updated syncany in experimental and simplified the packaging a little. Unfortunately upstream has been on hiatus for the past year and we haven’t seen new releases in the meantime. Nevertheless give it a try, even though it is still alpha software, it’s an useful cloud-storage and synchronization tool.
  • I sponsored a new upstream release of freeplane for Felix Natter.
  • I prepared and uploaded security updates for jackrabbit and zookeeper in Jessie.
Debian LTS

This was my eight month as a paid contributor and I have been paid to work 12,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 12. September until 19. September I was in charge of our LTS frontdesk. I triaged bugs in tiff3, mysql-5.5, curl, dropbear, mantis, icu, dwarfutils, jackrabbit, zendframework, zookeeper and graphicsmagick. For the latter I skimmed through all commits since the last version to identify the patches that fix the recent issues in graphicsmagick. I also answered questions on the mailing list and contacted Diego Biurrun again about his progress with libav. It is now anticipated that Hugo Lefeuvre and Diego will issue a new libav security release this month.
  • I reviewed and tested a patch by Raphaël Hertzog for roundcube.
  • DLA-629-1. Issued a security update for jackrabbit fixing 1 CVE.
  • DLA-630-1. Issued a security update for zookeeper fixing 1 CVE.
  • DLA-633-1. Issued a security update for wordpress fixing 7 CVE. This one also required backports of certain functions from newer releases and a database upgrade that required careful testing.
  • I also issued DLA-622-1 and DLA-623-1, two security issues that I already mentioned last month. It was discovered that Debian’s versions of Tomcat were vulnerable to a root privilege escalation issue. However it was also necessary that another exploit, for instance in a web application, could be used to gain write access as the tomcat user. Former security issues were already fixed and new ones are not known. Nevertheless since a zero-day exploit could not be ruled out, the issue was embargoed for a month to give other distributions time to fix this issue as well. You can read more about this topic at legalhackers.com.
Non-maintainer uploads Misc
  • I packaged a new upstream release of MediathekView.
  • I uploaded a new revision of xarchiver and applied a patch from Helmut Grohne that made it possible to cross-build the package.
Categories: Elsewhere

Matthew Garrett: The importance of paying attention in building community trust

Planet Debian - Mon, 03/10/2016 - 19:14
Trust is important in any kind of interpersonal relationship. It's inevitable that there will be cases where something you do will irritate or upset others, even if only to a small degree. Handling small cases well helps build trust that you will do the right thing in more significant cases, whereas ignoring things that seem fairly insignificant (or saying that you'll do something about them and then failing to do so) suggests that you'll also fail when there's a major problem. Getting the small details right is a major part of creating the impression that you'll deal with significant challenges in a responsible and considerate way.

This isn't limited to individual relationships. Something that distinguishes good customer service from bad customer service is getting the details right. There are many industries where significant failures happen infrequently, but minor ones happen a lot. Would you prefer to give your business to a company that handles those small details well (even if they're not overly annoying) or one that just tells you to deal with them?

And the same is true of software communities. A strong and considerate response to minor bug reports makes it more likely that users will be patient with you when dealing with significant ones. Handling small patch contributions quickly makes it more likely that a submitter will be willing to do the work of making more significant contributions. These things are well understood, and most successful projects have actively worked to reduce barriers to entry and to be responsive to user requests in order to encourage participation and foster a feeling that they care.

But what's often ignored is that this applies to other aspects of communities as well. Failing to use inclusive language may not seem like a big thing in itself, but it leaves people with the feeling that you're less likely to do anything about more egregious exclusionary behaviour. Allowing a baseline level of sexist humour gives the impression that you won't act if there are blatant displays of misogyny. The more examples of these "insignificant" issues people see, the more likely they are to choose to spend their time somewhere else, somewhere they can have faith that major issues will be handled appropriately.

There's a more insidious aspect to this. Sometimes we can believe that we are handling minor issues appropriately, that we're acting in a way that handles people's concerns, while actually failing to do so. If someone raises a concern about an aspect of the community, it's important to discuss solutions with them. Putting effort into "solving" a problem without ensuring that the solution has the desired outcome is not only a waste of time, it alienates those affected even more - they're now not only left with the feeling that they can't trust you to respond appropriately, but that you will actively ignore their feelings in the process.

It's not always possible to satisfy everybody's concerns. Sometimes you'll be left in situations where you have conflicting requests. In that case the best thing you can do is to explain the conflict and why you've made the choice you have, and demonstrate that you took this issue seriously rather than ignoring it. Depending on the issue, you may still alienate some number of participants, but it'll be fewer than if you just pretend that it's not actually a problem.

One warning, though: while building trust in this way enhances people's willingness to join your community, it also builds expectations. If a significant issue does arise, and if you fail to handle it well, you'll burn a lot of that trust in the process. The fact that you've built that trust in the first place may be what saves your community from disintegrating completely, but people will feel even more betrayed if you don't actively work to rebuild it. And if there's a pattern of mishandling major problems, no amount of getting the details right will matter.

Communities that ignore these issues are, long term, likely to end up weaker than communities that pay attention to them. Making sure you get this right in the first place, and setting expectations that you will pay attention to your contributors, is a vital part of building a meaningful relationship between your community and its members.

Categories: Elsewhere

Dries Buytaert: Drupal's collective purpose

Planet Drupal - Mon, 03/10/2016 - 16:46

When I was on vacation in Italy this summer, I had no internet, which gave me a lot of time to think. Some of that time was spent reflecting on why I do what I do. I have been working on Drupal for over 15 years and on Acquia for almost 10 years. The question of what gives me meaning and purpose has changed drastically over that time.

Evolving purpose

I started Drupal because I wanted to build a website for myself and a few friends — an internet message board to exchange messages. In the early days of Drupal, I was obsessed with the code and architecture of Drupal.

As I wrote in 2006: "I focused completely and utterly on creating fewer and fewer lines of more elegant code.". I wanted Drupal to be pure. I wanted the code to be perfect. For Drupal to be architected in the right way, I had to rewrite it multiple times and strip away anything that wasn't necessary – I couldn't imagine preserving backwards compatibility as it meant we had to drag along a lot of historical baggage. My mission in the early days was to keep the platform fast, clean and on the leading edge of technology.

As time passed and Drupal started growing, my role evolved. More people became involved with Drupal, and I thought more about scaling the community, including our tools, processes and culture. I started to focus on building the Drupal Association, promoting Drupal, handling trademark issues, and last but not least, setting the overall direction of the project. In the process, I started to worry less about achieving that perfect vision and more about the health of the community and collaborating on a shared vision.

While I miss programming, I have come to accept that I can't do everything. Every day when I wake up, I decide where I want to focus my energy. My guiding principle at this time in my life is to optimize for impact. That means enabling others versus doing much programming myself.

Meaningful moments: part I

While in Italy I decided to make a list of the moments in Drupal's history that stand out as particularly meaningful or purposeful. I started to discover some patterns in these moments, and ended up sorting them into two groups. Here is the first set:

  • When people find Drupal, and it gives them a better career path and ultimately changes their life. I got goosebumps when almost 3,000 people stood up at DrupalCon San Francisco when I asked "Please stand up if Drupal changed your life". I often talk to people that went on to make a full-time living with Drupal – or even start a Drupal business – to provide better lives for their families. Some of these stories, such as Vijaya Chandran Mani's, are deeply impactful.
  • Seeing how Drupal is used for aid relief, like in the aftermath of the 2013 tornado in Moore, Oklahoma. Members of the Drupal community worked throughout the night to create a website for victims to help each other.
  • Seeing how Drupal has made a meaningful impact on the Open Web movement. Over the last 10 years, millions of people have created Drupal sites that express their creative freedom and individuality. In recent years, I've become concerned about the Open Web's future and have spoken out on how the Drupal community is uniquely positioned to help preserve the open web. I believe it's an important mission that we should all embrace, so the original integrity and freedom of the Open Web remains intact for our children and grandchildren.

All of these moments suggest that my purpose is self-transcendent – I get meaning when my work matters more to others than it does to myself. Organized into radiating circles, the impact on each of these groups gives me purpose: individual Drupalists, the Drupal community, Drupal end users, and the open web. This is why I've become so passionate about things like usability, internationalization and accessibility over the years.

I know it's not just me; my team interviewed many other people that have the same feelings of finding meaning when their work results in life-changing outcomes. One great example is "Franck" Seferiba Salif Soulama, who hopes that training more young people in Drupal can lift people from Burkina Faso, Africa out of poverty. He wants to provide them job opportunities so they don't have to leave their country. Other examples are Drew Gorton or Ronan Dowling. There are many people like Franck, Drew or Ronan around the world that have a positive domino effect on others.

Meaningful moments: part II

The second group of moments I wrote down weren't necessarily self-transcendent, but still gave me purpose. Here are a few examples:

  • Fundraising after the great server meltdown. In 2005, we had to raise money to buy new infrastructure for Drupal.org. We nearly had to shut down Drupal.org and could have lost everything. While it was a difficult time, this moment was especially meaningful as it helped us come together as a community.
  • Having to ask individuals to leave the project or change their behavior because their values weren't aligned with the project. While providing critique or removing someone from the project has never been never easy, I'm proud of the times we stand up for our values.
  • Getting Drupal 8 over the finish line after 4.5 years of hard work. At times, many people doubted our progress, questioned whether we were making the right decisions, and even left our project. While the development process wasn't always fun in the moment, when we did release parties around the world, we all felt a real sense of accomplishment. In the long run, we built something that will keep Drupal relevant for many years to come.

Many of us find meaning when the hard and uncomfortable work results in life-changing outcomes for others. Not only does this type of work provide purpose, some people believe it is the recipe for success. For example, Angela Lee Duckworth's TED talk on grit applies directly to the work that is done by Drupal's maintainers.

How do we scale purpose?

Hearing all of these inspirational stories makes me think: How we can attract more people to the project, but do so in a way that ensures we share our core values (like giving back)? While there are no straightforward answers to this question, there are many organizations that are doing great things in this area.

One example is the Drupal Campus Ambassador Program which hopes to appoint ambassadors in every university in India to introduce more students to Drupal and help them with their job search. While at Drupalcon India earlier this year, I met Rakesh James, who has personally trained 600 people on Drupal!

Another example is the Drupal apprenticeship program in the UK, which focuses on recruiting new talent to the Drupal community. Participants get an extensive Drupal bootcamp to help them with their job search. Many of these apprentices are disadvantaged young people who have great talent and aptitude, but might be lacking the traditional route or access to a meaningful career path.

I'd love to take programs like these global – they instill our values, culture and a sense of purpose to many new people. If you know of similar initiatives, or have ideas to share, please do so in the comments section.

Based on my own introspection, and hearing from amazing Drupalists from around the world, I truly believe that Drupal is fueled by a collective sense of purpose that sets us apart from other open source software communities and organizations. We need to keep this purpose in mind when we make decisions, especially when the going gets tough. What is your sense of purpose? And how can we scale it around the world?

Categories: Elsewhere

Gábor Hojtsy: Checking on Drupal 8's rapid innovation promises

Planet Drupal - Mon, 03/10/2016 - 15:44

Starting with Drupal 8, we decided to make more rapid innovation possible by releasing minor versions every 6 months that may come with new features and backwards compatible changes. Now that we released Drupal 8.1.0 and almost 8.2.0 as well, how did we do? Also what else is possible and what is blocking us to make those moves? What do all the changes mean for how might Drupal 9 unfold?

Dries Buytaert posted last Wednesday The transformation of Drupal 8 for continuous innovation and on the same day I presented Checking on Drupal 8's rapid innovation promises at DrupalCon Dublin. Here is a video recording of my session, which should be good for those looking to get to know Drupal's release process and schedule, as well as how we made it possible to experiment within Drupal core directly with Drupal 8. While I did hope for more discussion on the possibilities within Drupal 8 with the participants, somehow the discussion pretty much ended up focusing on Drupal 9, when it should be released and how much change should it come with.

Categories: Elsewhere

DrupalEasy: Book review: Drupal 8 Development Cookbook

Planet Drupal - Mon, 03/10/2016 - 14:51
Really good content in the wrong format.

Drupal 8 Development Cookbook, written by Matt Glaman is full of useful information about Drupal 8 site building and development - and a worthy addition to anyone's Drupal library. Unfortunately, the "cookbook" format of the book seems to subtract, rather than add, to the usually well-explained concepts throughout.

The book covers an impressive array of topics: Everything from setting up a local environment to many of the technical details of the Entity API. No matter what your skill level with Drupal, there is likely to be something in this book of interest. Having been a Drupal professional for over ten years, I found the chapters on plugins, configuration management, the Entity API and web services especially interesting and educational.

Each chapter (there are 13) includes an often-too-brief introduction, followed by several "recipes." Each recipe includes several sections, including "Getting ready," "How to do it…," "How it works…," "There's more…," and "See also." While the How to do it… sections usually contained the bulk of the narrative, I often found myself wanting more details in the How it works… section. Additionally, I felt that each recipe often didn't have an adequate introduction. The crazy part is that the information I was looking for was often in the How it works… section - presented after the How to do it… section. I think this will lead to some initial confusion by readers asking themselves "why am I doing this?" until they read the How it works… portion. Usually, all of the information was there, just not in the right order (for me at least.) This is especially apparent in the "Plug and Play with Plugins" chapter where I found the How it works… sections more valuable than the How to do it… sections. They really would have been better leading off each recipe.

The author clearly has a firm grasp of the material. This usually shines through in most of the recipes, but there are times in the book where I think the author assumes the reader has a similar level of knowledge - which leads to some disconnects in the narrative. One example of this is the "Creating a custom content type" recipe. There is very little introduction, and I feel that it assumes the reader has a firm grasp of the power of content types (and fieldable entities, for that matter.) This, and several other recipes would benefit greatly from beefed-up introductions (including Features, text formats, some of the Front-end recipes and plugins [especially explaining why we use annotations.])

The recipes also vary widely in their complexity. I'm not sure this if this is a good or bad thing, but perhaps some sort of "complexity level" rating should have been applied to each one to give the reader a heads-up. This is illustrated well with the fact that the plugins chapter assumes the reader has a firm understanding of object-oriented PHP. Granted, I don't expect the author to write a primer on the topic, but a warning in the introduction, or aforementioned complexity level, would have helped smooth the transition into this chapter.

As one example of the format forcing things to be out-of-order, the book begins with the assumption that the reader has a local development stack installed, which is not an unreasonable assumption. But for readers who are new to local development environments, after the recipe to install Drupal 8, in the There's more… section, the author presents valuable information about how to create a database and a database user. There is no mention of this material prior to the How to do it… section. I can easily imagine a scenario where a reader is attempting the recipes in the order they are presented without reading ahead, and being extremely frustrated until they find the There's more… section. A mention of it earlier in the chapter would go a long way here.

The book does a really nice job covering topics I didn't expect to see - including DrupalVM, Entity Reference Views displays, a thorough explanation of a module's .info.yml file and routing files (who knew you could validate a route name with RegEx right in the .routing.yml file!) There is a really nice chapter on configuration management (although more of an introduction on content vs. configuration would have been extremely useful) and Entity API.

For Drupal 7 developers moving to Drupal 8, "The Entity API" chapter is worth the cost of the book. This chapter solidified and extended the knowledge I already had. Its introduction is solid and the chapter includes examples for both content and configuration entities. While it suffers from some of issues I've already mentioned (great content, wrong format,) for the most part it overcomes these challenges and goes much deeper into the topic than I had hoped. Well done!

At the same time, the book also covers a few topics in places where I thought it was a little too aggressive - having a "Running simpletest and PHPUnit" recipe in chapter 1 is a good example. In addition, I believe I spotted a few bugs in the book - both in the narrative and in the code samples - I've forwarded them to the author. Also, in some chapters, the author is writing about a moving target. There are more than a few places where he is forced to reference active Drupal.org issues. As these issues are resolved, recipes may spoil (food pun!)

There were more than a few recipes that involved custom module development; all of which are well-written, technically on-point, and will be extremely useful for Drupal 7 developers moving to Drupal 8. Since this is a book review, I have to pick on one point - all of the recipes were presented as if the developer is writing them from scratch. In reality, I've found the vast majority of Drupal 8 developers building custom modules for clients take full advantage of Drupal Console's "generate" command. While the author does formally introduce this in the last chapter of the book, it feels like it's not in the right place. By introducing it earlier many of the recipes could be written to take advantage of it.

Who would I recommend this book to? If you're a Drupal 7 developer looking to learn Drupal 8 development, this book is a great resource. While there are several introductory and site-building chapters that won't be very useful to you, the more advanced chapters provide (usually) adequate background information along with practical examples (ahem, recipes) to get you going. Would I recommend this book for beginners? If you have a solid PHP background, then yes. In my opinion, the author is more than capable of writing an intermediate-to-advanced Drupal 8 development book - leave the introductory stuff to someone else.

Categories: Elsewhere

Bálint Réczey: Harden Debian with PIE and bindnow!

Planet Debian - Mon, 03/10/2016 - 14:14

Shipping Position Independent Executables and using read-only Global Offset Table was already possible for packages but needed package maintainers to opt-in for each package (see Hardening wiki) using the “pie” and “bindnow” Dpkg hardening flags.

Many critical packages enabled the extra flags but there are still way more left out according to Lintian hardening-no-bindnow and hardening-no-pie warnings.

Now we can change that. We can make those hardening flags the default for every package.
We already have the needed patches for GCC (#835148) and dpkg (#835146, #835149). We already have all packages rebuilt once to test which breaks (Thanks to Lucas Nussbaum!). The Release Team already asked porters if they feel their ports ready for enabling PIE and most ports tentatively opted-in (Thanks to Niels Thykier for pushing this!).

What is left is fixing the ~75 open bugs found during the test rebuilds and this is where You can help, too! Please check if your packages are affected or give a helping hand to other maintainers who need it. (See PIEByDefaultTransition wiki for hints on fixing the bugs.) Many thanks to those who already fixed their packages!

If we can get past those last bugs we can enable those badly needed security features and make Stretch the most secure release ever!

Categories: Elsewhere

Drupal core announcements: Drupal 8 and 7 core release window on Wednesday, October 05, 2016

Planet Drupal - Mon, 03/10/2016 - 13:16
Start:  2016-10-04 12:00 - 2016-10-06 12:00 UTC Organizers:  xjm stefan.r catch David_Rothstein Event type:  User group meeting

The monthly core patch (bug fix) release window is this Wednesday, October 05. Drupal 7.51 will be released with fixes for Drupal 7. This is also the release window for Drupal 8.2.0, the next scheduled minor release of Drupal 8. (Read the release candidate announcement for more information on the minor release.)

To ensure a reliable release window for the patch and minor releases, there will be a Drupal 8.2.x commit freeze from 12:00 UTC Tuesday to 12:00 UTC Thursday. The final patches for 7.51 have been committed and the 7.x code is currently frozen (excluding documentation fixes and fixes for any regressions that may be found prior to the 7.51 release). So, now is a good time to update your development/staging servers to the latest 8.2.x-dev or 7.x-dev code and help us catch any regressions in advance.

If you do find any regressions, please report them in the issue queue. Thanks!

To see all of the latest changes that will be included in the releases, see the 8.2.x commit log and 7.x commit log.

Other upcoming core release windows after this week include:

  • Wednesday, October 19 (security release window)
  • Wednesday, November 02 (patch release window)

Drupal 6 is end-of-life and will not receive further releases.

For more information on Drupal core release windows, see the documentation on release timing and security releases, as well as the Drupal core release cycle overview.

Categories: Elsewhere

Russell Coker: 10 Years of Glasses

Planet Debian - Mon, 03/10/2016 - 13:13

10 years ago I first blogged about getting glasses [1]. I’ve just ordered my 4th pair of glasses. When you buy new glasses the first step is to scan your old glasses to use that as a base point for assessing your eyes, instead of going in cold and trying lots of different lenses they can just try small variations on your current glasses. Any good optometrist will give you a print-out of the specs of your old glasses and your new prescription after you buy glasses, they may be hesitant to do so if you don’t buy because some people get a prescription at an optometrist and then buy cheap glasses online. Here are the specs of my new glasses, the ones I’m wearing now that are about 4 years old, and the ones before that which are probably about 8 years old:

New 4 Years Old Really Old R-SPH 0.00 0.00 -0.25 R-CYL -1.50 -1.50 -1.50 R-AXS 180 179 180 L-SPH 0.00 -0.25 -0.25 L-CYL -1.00 -1.00 -1.00 L-AXS 5 10 179

The Specsavers website has a good description of what this means [2]. In summary SPH is whether you are log-sighted (positive) or short-sighted (negative). CYL is for astigmatism which is where the focal lengths for horizontal and vertical aren’t equal. AXS is the angle for astigmatism. There are other fields which you can read about on the Specsavers page, but they aren’t relevant for me.

The first thing I learned when I looked at these numbers is that until recently I was apparently slightly short-sighted. In a way this isn’t a great surprise given that I spend so much time doing computer work and very little time focusing on things further away. What is a surprise is that I don’t recall optometrists mentioning it to me. Apparently it’s common to become more long-sighted as you get older so being slightly short-sighted when you are young is probably a good thing.

Astigmatism is the reason why I wear glasses (the Wikipedia page has a very good explanation of this [3]). For the configuration of my web browser and GUI (which I believe to be default in terms of fonts for Debian/Unstable running KDE and Google-Chrome on a Thinkpad T420 with 1600×900 screen) I can read my blog posts very clearly while wearing glasses. Without glasses I can read it with my left eye but it is fuzzy and with my right eye reading it is like reading the last line of an eye test, something I can do if I concentrate a lot for test purposes but would never do by choice. If I turn my glasses 90 degrees (so that they make my vision worse not better) then my ability to read the text with my left eye is worse than my right eye without glasses, this is as expected as the 1.00 level of astigmatism in my left eye is doubled when I use the lens in my glasses as 90 degrees to it’s intended angle.

The AXS numbers are for the angle of astigmatism. I don’t know why some of them are listed as 180 degrees or why that would be different from 0 degrees (if I turn my glasses so that one lens is rotated 180 degrees it works in exactly the same way). The numbers from 179 degrees to 5 degrees may be just a measurement error.

Related posts:

  1. more on vision I had a few comments on my last so I...
  2. right-side visual migraine This afternoon I had another visual migraine. It was a...
  3. New Portslave release after 5 Years I’ve just uploaded Portslave version 2010.03.30 to Debian, it replaces...
Categories: Elsewhere

Kees Cook: security things in Linux v4.7

Planet Debian - Mon, 03/10/2016 - 09:47

Onward to security things I found interesting in Linux v4.7:

KASLR text base offset for MIPS

Matt Redfearn added text base address KASLR to MIPS, similar to what’s available on x86 and arm64. As done with x86, MIPS attempts to gather entropy from various build-time, run-time, and CPU locations in an effort to find reasonable sources during early-boot. MIPS doesn’t yet have anything as strong as x86′s RDRAND (though most have an instruction counter like x86′s RDTSC), but it does have the benefit of being able to use Device Tree (i.e. the “/chosen/kaslr-seed” property) like arm64 does. By my understanding, even without Device Tree, MIPS KASLR entropy should be as strong as pre-RDRAND x86 entropy, which is more than sufficient for what is, similar to x86, not a huge KASLR range anyway: default 8 bits (a span of 16MB with 64KB alignment), though CONFIG_RANDOMIZE_BASE_MAX_OFFSET can be tuned to the device’s memory, giving a maximum of 11 bits on 32-bit, and 15 bits on EVA or 64-bit.

SLAB freelist ASLR

Thomas Garnier added CONFIG_SLAB_FREELIST_RANDOM to make slab allocation layouts less deterministic with a per-boot randomized freelist order. This raises the bar for successful kernel slab attacks. Attackers will need to either find additional bugs to help leak slab layout information or will need to perform more complex grooming during an attack. Thomas wrote a post describing the feature in more detail here: Randomizing the Linux kernel heap freelists. (SLAB is done in v4.7, and SLUB in v4.8.)

eBPF JIT constant blinding

Daniel Borkmann implemented constant blinding in the eBPF JIT subsystem. With strong kernel memory protections (CONFIG_DEBUG_RODATA) in place, and with the segregation of user-space memory execution from kernel (i.e SMEP, PXN, CONFIG_CPU_SW_DOMAIN_PAN), having a place where user-space can inject content into an executable area of kernel memory becomes very high-value to an attacker. The eBPF JIT was exactly such a thing: the use of BPF constants could result in the JIT producing instruction flows that could include attacker-controlled instructions (e.g. by directing execution into the middle of an instruction with a constant that would be interpreted as a native instruction). The eBPF JIT already uses a number of other defensive tricks (e.g. random starting position), but this added randomized blinding to any BPF constants, which makes building a malicious execution path in the eBPF JIT memory much more difficult (and helps block attempts at JIT spraying to bypass other protections).

Elena Reshetova updated a 2012 proof-of-concept attack to succeed against modern kernels to help provide a working example of what needed fixing in the JIT. This serves as a thorough regression test for the protection.

The cBPF JITs that exist in ARM, MIPS, PowerPC, and Sparc still need to be updated to eBPF, but when they do, they’ll gain all these protections immediatley.

Bottom line is that if you enable the (disabled-by-default) bpf_jit_enable sysctl, be sure to set the bpf_jit_harden sysctl to 2 (to perform blinding even for root).

fix brk ASLR weakness on arm64 compat

There have been a few ASLR fixes recently (e.g. ET_DYN, x86 32-bit unlimited stack), and while reviewing some suggested fixes to arm64 brk ASLR code from Jon Medhurst, I noticed that arm64′s brk ASLR entropy was slightly too low (less than 1 bit) for 64-bit and noticeably lower (by 2 bits) for 32-bit compat processes when compared to native 32-bit arm. I simplified the code by using literals for the entropy. Maybe we can add a sysctl some day to control brk ASLR entropy like was done for mmap ASLR entropy.

LoadPin LSM

LSM stacking is well-defined since v4.2, so I finally upstreamed a “small” LSM that implements a protection I wrote for Chrome OS several years back. On systems with a static root of trust that extends to the filesystem level (e.g. Chrome OS’s coreboot+depthcharge boot firmware chaining to dm-verity, or a system booting from read-only media), it’s redundant to sign kernel modules (you’ve already got the modules on read-only media: they can’t change). The kernel just needs to know they’re all coming from the correct location. (And this solves loading known-good firmware too, since there is no convention for signed firmware in the kernel yet.) LoadPin requires that all modules, firmware, etc come from the same mount (and assumes that the first loaded file defines which mount is “correct”, hence load “pinning”).

That’s it for v4.7. Prepare yourself for v4.8 next!

© 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Categories: Elsewhere

Drupal governance announcements: Is Drupal the right tool for drupal.org and the project itself?

Planet Drupal - Mon, 03/10/2016 - 04:04

Just started a discussion about it here:


Hope you join the discussion and share your thoughts.


Reply here

Categories: Elsewhere

Russ Allbery: Review: Winds of Fury

Planet Debian - Mon, 03/10/2016 - 03:18

Review: Winds of Fury, by Mercedes Lackey

Series: Mage Winds #3 Publisher: DAW Copyright: August 1994 ISBN: 0-88677-612-0 Format: Mass market Pages: 427

This is the concluding book of the Mage Winds trilogy and a direct sequel to Winds of Change. This series doesn't make sense to read out of order.

In traditional fantasy trilogies of this type, the third book is often the best. The author can stop developing characters, building the world, and setting the scene and can get to the meat of the story. All the guns on the mantles go off, all the twists the author has been saving can be used, and there's usually a lot more action than in the second book of a trilogy. That is indeed the case here. I'm not sure Winds of Fury rises to the level of a good book, but if you're invested in the Valdemar story, it works better than the previous books of this series.

As one might expect, the protagonists do return to Valdemar, finally. The method of that return makes sense of some things that happened in Winds of Change and is an entertaining surprise, although I wish more had been done with it through the rest of the book and we'd gotten more world-building details. I also like how Lackey handles the Valdemar reactions to the returning protagonists, and their own reactions to Valdemar. Lackey's characters might fit some heavy-handed stereotypes a bit too neatly, but they do grow and change over the course of a series, and the return home is a good technique for showing that.

Lackey also throws in her final twist for the villains of this series at the start of this book, and it's a good one (if typical Lackey; she does love her abused youth characters). The villains are still far too one-dimensional and far too stereotyped evil, but the twist (which I'll avoid spoiling) does make that dynamic a bit more interesting. And she manages to get the reader to root for one evil over another, since one of them is at least competent.

You'd think from the direction the series was taking that Winds of Fury would culminate in another epic war of magic, but not this book. Lackey takes a more personal and targeted approach, heavier on characterization and individual challenge. This gives Firesong a chance to grow into an almost-likable character and earn some of that empathy and insight that he'd gotten for free. Unfortunately, it sidelines Nyara a lot, and pushes her back into a stereotyped role, which made me sad. The series otherwise emphasizes the importance of magic users who know their own limitations and can thoughtfully use the power they have, but rarely extends that to Nyara herself. I would have much rather seen her play a role like that in the final climax instead of the one she played.

This is partly made up for by centering Need in the story and having her play the key connecting role between two different threads of effort. Those are probably the best parts of this book. I wish the entire series had been told from Need's perspective, with a heavy helping of exasperated grumbling, although I don't think Lackey could have written that series. But what we get of her is a delight. The gryphons, sadly, are relegated to fairly minor roles, but we get a few more tantalizing hints about the Companions to make up for it. (Although not enough to figure out their great mystery, which isn't revealed until future books.)

This series is nowhere near as good as I remembered, sadly, but I did enjoy bits of it. If you like Valdemar in general, the world building is fairly important and reveals quite a lot about the underpinnings and power dynamics of Lackey's universe. I'm not sure that makes up for some tedious characters, poor communication, and some uncomfortable and dragging sections, but if you're trying to get the whole Valdemar story, the events here are rather important. And this ending was at least entertaining, if not great fiction.

Rating: 6 out of 10

Categories: Elsewhere

Enzolutions: My DrupalCon Dublin experience

Planet Drupal - Mon, 03/10/2016 - 02:00

Last week I had the opportunity of participate in my 6th DrupalCon and my second European DrupalCon.

But, to be honest, this one is the most important DrupalCon for me until now, I know the first one it's always especial, but in this case, represent a lot for me, because the relevance as speaker in this event.

I have been in a roller coaster of emotions since I was notified that my proposal to present as Community Keynote was accepted; Since that moment I have been working a lot to try to provide the best material I could do to try to share with the community my view and perception of global Drupal Community.

During my keynote, I talk about the tour Around the Drupal world in 140+ days and I present some proposals I think that could be implemented improve the engagement with the global community because right now I think we are an international community, but we need to be global.

Keynote resources:

Slides: weknowinc.com/dublin/community-keynote.pdf

Tour video: http://weknowinc.com/video/aroundtheworld Chinese version

But, before the keynote, I participate as co-presenter with Jesus Manuel Olivas my business partner at weKnow.

Our first session was Drupal Console: An overview of the new Drupal CLI.

The second session was Learn the new things in Drupal 8 via debugging

The cherry on the cake were the B.OF.s Writing Moder CLI commands for Drupal 8 and Improving your Drupal 9 development workflow with Composer that Jesus and I lead during Drupal Con.

Last, but not least; I had the opportunity to participate in Code Sprints to try to advance in our goal to have the first release 1.0.0 stable for Drupal Console project.

In general, I am very satisfied with the comments and feedbacks from the Drupal community; Now I could say I have a lot of ideas to contribute via code and community hacks to try to improve as a product as well as a community.

Airplane Distance (Kilometers) San Jose , Costa Rica → Dubline , Ireland 9564 Previously 87,040 Total 96,604 Walking Distance (steps) Dublin 102.470 Previously 1.678.485 Total 1.780.955 Train Distance (Kilometers) Today 0 Previously 528 Total 528 Bus/Car Distance (Kilometers) Today 0 Previously 2.944 Total 2.944
Categories: Elsewhere

Thorsten Alteholz: My Debian Activities in September 2016

Planet Debian - Sun, 02/10/2016 - 23:37

FTP assistant

This month I was rather busy with other stuff and only marked 191 packages for accept and rejected 21 packages. I also sent 6 emails to maintainers asking questions.

Debian LTS

This was my twenty-seventh month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 12.25h. During that time I did an upload of php5 fixing 17 CVEs and two additional bugs, I uploaded mactelnet and fixed one CVE. I also prepared a package for testing of zendframework, which will fix one CVE. Unfortunately my bind9 upload needed to be postponed as Florian Weimer found an incomplete patch of a previous CVE. I am trying to fix that as well. I also had some progress with the asterisk CVEs and of course the next round of php5 patches is waiting…

This month I also had a few days of frontdesk work at the beginning of the month and a few days at the end.

Other stuff

For the Alljoyn framework I uploaded alljoyn-services-1604 and as I forgot a Conflict:, I had to take care of RC-bugs: #836717, #836718 and #836719. Thanks a lot to Ralf Treinen for his automatic installation tests.

As mentioned earlier, openzwave is on its way to the Debian archive. While it is still in non-free, the author of a used library gave his permission to relicense this code, so the way to main is paved now.

Categories: Elsewhere

Gregor Herrmann: RC bugs 2016/38-39

Planet Debian - Sun, 02/10/2016 - 22:40

the last two weeks have seen the migration of perl 5.24 into testing, most of the bugs I worked on were related to it. additionally a few more build dependencies on tzdata werde needed. – here's the list:

  • #784845 – libdevel-gdb-perl: "libdevel-gdb-perl: FTBFS: t/expect.t #8 sometimes fails"
    skip brittle test (pkg-perl)
  • #825629 – src:libgd-perl: "libgd-perl: FTBFS: Could not find gdlib-config in the search path. "
    add patch to use pkg-config instead of the removed gdlib-config (pkg-perl)
  • #832840 – src:license-reconcile: "license-reconcile: FTBFS: dh_auto_test: perl Build test --verbose 1 returned exit code 255"
    sponsor upload prepared by gfa (pkg-perl)
  • #838310 – keyboard-configuration: "keyboard-configuration: user configuration lost + error message from setupcon"
    propose a patch
  • #838851 – libcoro-perl: "libcoro-perl: FTBFS with Perl 5.24: panic: corrupt saved stack index -144185424"
    resurrect parts of the removed patch (pkg-perl)
  • #838933 – libio-compress-lzma-perl: "libio-compress-lzma-perl: uninstallable and unbuildable with Perl 5.24"
    fix dependencies (pkg-perl)
  • #838934 – libperl-apireference-perl: "libperl-apireference-perl: FTBFS with Perl 5.24.1"
    add support for 5.24.1 (pkg-perl)
  • #839187 – sa-compile: "sa-compile: failed make after perl upgraded to 5.24.1~rc3-3 on testing"
    close on suggestion of submitter after investigation
  • #839442 – src:libtime-parsedate-perl: "libtime-parsedate-perl: FTBFS: Tests failures"
    add build dependency on tzdata (pkg-perl)
  • #839477 – src:libposix-strftime-compiler-perl: "libposix-strftime-compiler-perl: FTBFS: dh_auto_test: perl Build test --verbose 1 returned exit code 5"
    add build dependency on tzdata (pkg-perl)
  • #839513 – src:libapache-logformat-compiler-perl: "libapache-logformat-compiler-perl: FTBFS: dh_auto_test: perl Build test --verbose 1 returned exit code 8"
    add build dependency on tzdata (pkg-perl)
  • #839516 – src:libclass-date-perl: "libclass-date-perl: FTBFS: Tests failures"
    add build dependency on tzdata (pkg-perl)
Categories: Elsewhere

Steinar H. Gunderson: SNMP MIB setup

Planet Debian - Sun, 02/10/2016 - 13:15

If you just install the “snmp” package out of the box, you won't get the MIBs, so it's pretty much useless for anything vendor without some setup. I'm sure this is documented somewhere, but I have to figure it out afresh every single time, so this time I'm writing it down; I can't possibly be the only one getting confused.

First, install snmp-mibs-downloader from non-free. You'll need to work around bug #839574 to get the Cisco MIBs right:

# cp /usr/share/doc/snmp-mibs-downloader/examples/cisco.conf /etc/snmp-mibs-downloader/ # gzip -cd /usr/share/doc/snmp-mibs-downloader/examples/ciscolist.gz > /etc/snmp-mibs-downloader/ciscolist

Now you can download the Cisco MIBs:

# download-mibs cisco

However, this only downloads them; you will need to modify snmp.conf to actually use them. Comment out the line that says “mibs :”, and then add:

mibdirs +/var/lib/snmp/mibs/cisco/

Voila! Now you can use snmpwalk with e.g. -m AIRESPACE-WIRELESS-MIB to get the full range of Cisco WLC objects (and the first time you do so as root or the Debian-snmp user, the MIBs will be indexed in /var/lib/snmp/mib_indexes/.)

Categories: Elsewhere

Russell Coker: Hostile Web Sites

Planet Debian - Sun, 02/10/2016 - 07:06

I was asked whether it would be safe to open a link in a spam message with wget. So here are some thoughts about wget security and web browser security in general.

Wget Overview

Some spam messages are designed to attack the recipient’s computer. They can exploit bugs in the MUA, applications that may be launched to process attachments (EG MS Office), or a web browser. Wget is a very simple command-line program to download web pages, it doesn’t attempt to interpret or display them.

As with any network facing software there is a possibility of exploitable bugs in wget. It is theoretically possible for an attacker to have a web server that detects the client and has attacks for multiple HTTP clients including wget.

In practice wget is a very simple program and simplicity makes security easier. A large portion of security flaws in web browsers are related to plugins such as flash, rendering the page for display on a GUI system, and javascript – features that wget lacks.

The Profit Motive

An attacker that aims to compromise online banking accounts probably isn’t going to bother developing or buying an exploit against wget. The number of potential victims is extremely low and the potential revenue benefit from improving attacks against other web browsers is going to be a lot larger than developing an attack on the small number of people who use wget. In fact the potential revenue increase of targeting the most common Linux web browsers (Iceweasel and Chromium) might still be lower than that of targeting Mac users.

However if the attacker doesn’t have a profit motive then this may not apply. There are people and organisations who have deliberately attacked sysadmins to gain access to servers (here is an article by Bruce Schneier about the attack on Hacking Team [1]). It is plausible that someone who is targeting a sysadmin could discover that they use wget and then launch a targeted attack against them. But such an attack won’t look like regular spam. For more information about targeted attacks Brian Krebs’ article about CEO scams is worth reading [2].

Privilege Separation

If you run wget in a regular Xterm in the same session you use for reading email etc then if there is an exploitable bug in wget then it can be used to access all of your secret data. But it is very easy to run wget from another account. You can run “ssh otheraccount@localhost” and then run the wget command so that it can’t attack you. Don’t run “su – otheraccount” as it is possible for a compromised program to escape from that.

I think that most Linux distributions have supported a “switch user” functionality in the X login system for a number of years. So you should be able to lock your session and then change to a session for another user to run potentially dangerous programs.

It is also possible to use a separate PC for online banking and other high value operations. A 10yo PC is more than adequate for such tasks so you could just use an old PC that has been replaced for regular use for online banking etc. You could boot it from a CD or DVD if you are particularly paranoid about attack.

Browser Features

Google Chrome has a feature to not run plugins unless specifically permitted. This requires a couple of extra mouse actions when watching a TV program on the Internet but prevents random web sites from using Flash and Java which are two of the most common vectors of attack. Chrome also has a feature to check a web site against a Google black list before connecting. When I was running a medium size mail server I often had to determine whether URLs being sent out by customers were legitimate or spam, if a user sent out a URL that’s on Google’s blacklist I would lock their account without doing any further checks.


I think that even among Linux users (who tend to be more careful about security than users of other OSs) using a separate PC and booting from a CD/DVD will generally be regarded as too much effort. Running a full featured web browser like Google Chrome and updating it whenever a new version is released will avoid most problems.

Using wget when you have to reason to be concerned is a possibility, but not only is it slightly inconvenient but it also often won’t download the content that you want (EG in the case of HTML frames).

Related posts:

  1. Google web sites and Chromium CPU Use Chromium is the free software build of the Google Chrome...
  2. How SE Linux Prevents Local Root Exploits In a comment on my previous post about SE Linux...
  3. Can SE Linux Stop a Linux Storm Bruce Schneier has just written about the Storm Worm [1]...
Categories: Elsewhere


Subscribe to jfhovinne aggregator - Elsewhere