Feed aggregator

DrupalCon News: Sessions and Training Opportunities Have Been Announced

Planet Drupal - Mon, 23/03/2015 - 19:40
One of the most exciting aspects of preparing for a DrupalCon is selecting the sessions that will be presented. It’s always incredibly cool and humbling to see all the great ideas that our community comes up with— and they’re all so great that making the official selections is definitely not an easy process!   
Categories: Elsewhere

Commercial Progression: Drupal 8 Release Date from Dreisy-Wan Kenobi plus Backdrop & Lift (EP7)

Planet Drupal - Mon, 23/03/2015 - 19:23

Commercial Progression presents Hooked on Drupal, “Episode 7: Dreisy-Wan Kenobi You're our only hope!".  In this latest installment, lead developers Brad Czerniak and Chris Keller are given a mysterious droid with a message from "Dreisy-Wan Kenobi" concerning the future release date of Drupal 8.  After a brief moment of reminiscing about the highlights of DrupalCamp Michigan, Brad and Chris muse about the cryptic messages that seem to predict when Drupal 8 will launch, what the fate of the Backdrop CMS will be, and what Acquia Lift actually is.  Tune in for cosmic revelations from beyond time and space.

Hooked on Drupal is available for RSS syndication here at the Commercial Progression site. Additionally, each episode is available to watch online via our YouTube channel, within the iTunes store, on SoundCloud, and now via Stitcher.

If you would like to participate as a guest or contributor, please email us at social@commercialprogression.com

 

Content Links and Related Information

 

Hooked on Drupal Content Team

BRAD CZERNIAK - Developer Talent

CHRIS KELLER - Developer Talent

SHANE SEVO - Host

 Podcast Subscription

Tags:  Hooked on Drupal, podcast, Drupal, Drupal 8, Backdrop, Lift, Planet Drupal
Categories: Elsewhere

Drupal governance announcements: Evolving and documenting Drupal core's structure, responsibilities, and decision-making

Planet Drupal - Mon, 23/03/2015 - 17:41

The Drupal project just turned 14 years old. There are now over 1 million known installations of Drupal, and Drupal.org has over 1 million users. Drupal 8 has over 2,700 contributors (almost three times that of Drupal 7) and over 13,000 commits so far (50% more commits per day on average than Drupal 7). I wanted to take an opportunity to reflect on our current governance structure and try to evolve the Drupal leadership team and decision-making, enable better scaling, and document both the formal and informal processes we have currently in place.

Over in the Drupal core issue queue, I've proposed an evolution to Drupal core's structure and decision-making process which documents how things are currently done, and also proposes some incremental improvements:

  1. Defines roles and responsibilities that are currently carried out by individuals within the core committer team: product managers, framework managers, and release managers. This is done to provide transparency, to help expedite decision-making, and to ensure that these roles are easier to fill in the future, as we can eliminate the requirement for core committers to be “superhuman” contributors capable of doing anything and everything, at all times.
    • This document also adds the concept of “provisional” product, framework, and release managers, without actual commit access, who work alongside the core committers until they gain the necessary experience to play a full committer role.
    • In so doing, the document also appoints two additional core committers—Alex Bronstein (effulgentsia) and Jess (xjm)—who have been playing this "provisional" role for some time now, informally.
  2. Lays out an explicit decision-making framework to make it clear who needs to be involved in what types of changes, and to what degree. This documents the process we already use, but also introduces some changes. The added transparency should make it easier for contributors who are proposing changes to direct their questions to the right people.
  3. Clearly outlines the role of subsystem maintainer (formerly component maintainer) as an active “maintenance” role: performing or organizing regular maintenance tasks: triaging the subsystem's queue(s), reviewing patches in need of review, etc. These responsibilities also come with a more formal opportunity to sign off on proposed changes that significantly affect the subsystem. The advantages to this are additional transparency, delegating and scaling responsibilities, and reducing the workload that currently falls to core committers. Going forward, subsystem maintainers who are not currently active will no longer be listed in MAINTAINERS.txt.

This document builds on ideas that have been blogged about or presented at Drupal events by many people, including Randy Fay (rfay), Larry Garfield (Crell), Cathy Theys (YesCT), Gábor Hojtsy, Greg Dunlap (heyrocker), Jess (xjm), Alex Pott (alexpott), Nat Catchpole (catch), Jennifer Hodgdon (jhodgdon) and others. It has been reviewed by numerous people, including the existing core committer team. Special thanks to Angie Byron who has spent weeks helping me co-author this proposal.

Categories: Elsewhere

Drupalpress, Drupal in the Health Sciences Library at UVA: equipment booking system — content types

Planet Drupal - Mon, 23/03/2015 - 16:16

For our equipment booking system we needed two kinds of content types: reservation and equipment. Patrons would create nodes of the reservation content type. Staff would create nodes of the equipment content type(s). Because our library circulates a lot of different equipment we need a bunch of content types — one for each: Apple TV, Laptop, iPad Air, Digital Video Camera, Projector, etc. The equipment content types all need the same field structure — title, description, image, accessories and equipment category. It’s tedious creating these individually, but once you get one fully fleshed out (and the skeletons of the rest in place) then the Field Sync module will finish the job with the push of a button.

The reservation content type would be canonical for each kind of equipment. In other words, we don’t have to create a Reservation_iPad and a Reservation_Laptop and a Reservation_Projector, etc. There’s just one: Reservation. The way we accomplish this is by using an entity reference field that looks for any nodes of equipment content types.

When a patron creates a node of the reservation content type, he/she will select the equipment to be reserved in the entity reference field. This entity reference structure allows us to offer a pretty helpful feature for patrons navigating from a specific equipment page to the reservation form. An Entity Reference Prepopulate and Display Suite combination gives us a “Reserve This Item” link on equipment pages (say Apple TV – Copy 1) that sends the patron to a node/add reservation page that has that piece of equipment (in this case Apple TV – Copy 1) selected in the equipment field.

There’s good documentation out there for Entity Reference Prepopulate — check out this video. But it might be worth explaining how we built the URL that prepopulates the entity reference field. With Display Suite you can create a custom code field — we hardcode a URL to the node/add reservation form, with a token for the id of the currently viewed entity appended onto it. When the user clicks the link, the Entity Reference Prepopulate module kicks off, sees the id and builds the form with that entity referenced.

Categories: Elsewhere

Chromatic: Through the Looking-Glass: MidCamp 2015

Planet Drupal - Mon, 23/03/2015 - 14:56


photograph taken for Aaron Winborn (aaron), a long-time member of the Drupal community.

This last weekend I was fortunate to attend and speak at the second MidCamp in Chicago. It was hosted within the University of Illinois at Chicago campus and was a very well organized Drupal Camp. MidCamp drew a very diverse crowd (around 350 attendees, I believe) and had a schedule packed with solid sessions.

MidCamp becomes MADCamp

Prior to the event, plenty of Alice in Wonderland references were thrown around and there was even a “MADCamp” track, but it wasn’t entirely clear why. It was then revealed that MidCamp – tired of being the middle child – was rebranding itself as MADCamp (Midwest Area Drupal Camp). This was a creative move that added an entertaining twist to the atmosphere.

Keynotes

The keynote speakers were Tiffany Farriss, the CEO of Palantir.net and Drupal Association Treasurer, and Jen Lampton, a Founding Forker of Backdrop CMS and a notable member of the Drupal community.

Tiffany’s keynote, The Economics of Drupal Contribution, discussed the changes needed to make core contribution more attractive for organizations and individuals. Depending heavily on a small number of individuals and their spare time leads to burnout and is not a sustainable model, she says. She also referenced a number of moves made by the Linux Foundation as ideas for helping solve those problems, including significantly shorter release cycles and a higher percentage of development being funded. Drupal 8 Accelerate is an example of an existing attempt to rethink the economics of core contribution.

Jen Lampton (photo by Marty Vernon)

Jen’s keynote was titled PHP for Everyone and gave a great overview of what PHP is and why it doesn’t deserve the bad rap it’s been given in the past. She outlined the arguments against it and rebutted them with its strengths. As she pointed out, PHP is currently involved with 80% of the web and is used by a number of large organizations like Facebook. These organizations are working hard to improve the language and each version sees significant improvements, continuing to modernize an otherwise older language.

I also enjoyed having a discussion with Jen about their experiences with Backdrop CMS thus far. After receiving some initial friction, it seems that the Drupal community has accepted and is embracing Backdrop. It will be very interesting to see the role that Backdrop plays and the audience it attracts as Drupal 8 is released and adopted.

Sessions

As mentioned, the schedule was packed with great sessions. I’m thankful to have had the opportunity to present a session about organizing Features. As for those I attended, there were two themes that stuck out to me the most: automation tools and headless Drupal.

Automation Tools

Fredric Mitchell, VP of Engineering at Better Weekdays, presented on using Grunt with Drupal. Among the Drupal tasks that can be automated with Grunt, using it with Drush Make provides a very interesting build workflow. Phase2, Fredric’s previous employer, has shared their grunt-drupal-tasks tools, along with a blog post about using them.

Allan Chappell of Promet Source presented another interesting Drupal 7 build workflow using Composer, the dependency manager of choice in the PHP community. He also pointed to a number of related tools Promet has shared, such as Drupal Tangler, and demoed how Composer can be used to manage Drupal 7 core, contributed modules, their dependencies, libraries, and patches.

Jeff Geerling, a Technical Architect of Acquia, introduced everyone to Ansible, a tool we began using recently at CHROMATIC. He demonstrated Ansible using Dramble, his cluster of 6 Raspberry Pi 2 computers; a combination of web servers, a load balancer, a Redis cache server, and a MySQL server. He installed Drupal 8 on the web servers and used LEDs to help demonstrate just how easy it is to manage servers with Ansible. Impressive!

Headless Drupal

Steve Persch (photo by Marty Vernon)

Off with Drupal’s Head was a panel discussion led by Steve Persch, a senior engineer at Palantir.net. The consensus of the panel was… well… that there is no consensus. While there is plenty of talk about Headless Drupal, many things remain unclear. Where to cut off the head (what Drupal should and shouldn’t be responsible for) and when to use the headless approach is still up for debate and the right answer may depend on the project. Some consider it only useful for web applications while others recommend it only when fighting Drupal to build beautiful pages or forms isn’t worth the trouble. Regardless, a key takeaway was that a headless project is no less work. While it does avoid wrestling with the Drupal theme system, introducing a JavaScript framework is no simple task.

Steve also later presented Rendering HTML with Drupal: Past, Present and Future. He anticipates that many Drupal 7 projects will undergo redesigns without a corresponding Drupal upgrade, two tasks that often currently happen at the same time. Headless Drupal makes that easier and he sees clear decoupling as the future of rendering HTML with Drupal. He doesn’t, however, anticipate that a particular JavaScript MVC framework will be permanently paired with Drupal because front-end technologies are currently evolving at a much faster rate than back-end technologies and Drupal’s release cycle.

Wrapping Up

After Steve’s session I headed to Saturday night’s social event at the Moxee Restaurant and Brewery. The night was filled with great company, food, drinks, and entertaining bouts of table shuffleboard. Getting away from our code and bright screens never fails to bring the community closer together.

MidCamp/MADCamp was another excellent opportunity to meet and catch up with the myriad of personalities and companies that comprise the Drupal community. It was also a humbling reminder of how fast things move and how much more there is to learn. I recommend attending camps to anyone that has the opportunity. Being smaller than DrupalCon (North America, at least) allows them to become a more personal experience. That being said, I hope to see everyone again at DrupalCon Los Angeles in May!

Categories: Elsewhere

undpaul: A book about Configuration Management in Drupal 8

Planet Drupal - Mon, 23/03/2015 - 13:54

In December 2013, Packt Publishing asked us to write a book about the upcoming Drupal 8. They had seen the Drupal Association survey that showed the new feature Configuration Management was the most popular topic they wanted to learn about in Drupal 8. Since we are long-time evangelists of tracking configuration changes in code, we were excited about having the opportunity to write this book, which is expected to be published in March 2015 (like this week!). It's even more exciting because Packt actually donates a portion of sales of Drupal-related books to the Drupal Association. For this to work, you need to order or pre-order directly at Packt.

Since we did so much testing with and writing about Drupal 8, we also wanted to build something with it. So we built a microsite for the book and we were surprised about how smooth this worked. It took 9 hours on a Sunday to find an appropriate HTML template, install and configure Drupal and make it look the way it does now. After the book is published, the site will get some more functionality so we can publish questions and answers as well as errata. Since it will be quite a while until Drupal 8 is actually released, we are expecting there will be a few changes and some of our code might become outdated.

You can read a sample chapter in an article on Packt's website.

What will be in the book?

Chapter 1, Understanding Configuration Management, will give you a quick overview of Configuration Management. You will learn what types of configuration exist, why managing configuration is a good idea, and how to get started with it. It will provide a look at the several ways in which configuration was managed in Drupal 7 and then show how Drupal 8 approaches the problem.

Chapter 2, Configuration Management for Administrators, provides an introduction on how to use Configuration Management for users who are not developers, but administrators of a Drupal website who want to make use of the advantages of this new feature. We will show you how to use the Configuration Management interface and how to create a copy of your website, and you will learn how to move a configuration made on one site to another site.

Chapter 3, Drupal 8's Take on Configuration Management, will show you the inner workings of the Configuration Management system in Drupal 8. You will learn about config and schema files, and read about the difference between simple configuration and configuration entities.

Chapter 4, Configuration Management API, will teach you how to get your hands dirty and learn about the Configuration Management API of Drupal 8. Here, you will dive into the Simple Configuration API and learn how configuration can be overridden. Later, you will take a closer look at how to create custom configuration entity types, and we'll also teach you about the configuration's context system.

Chapter 5, The Anatomy of Schema Files, covers schema files and explains how Drupal uses them for Configuration Management. You will learn about the structure of schema files used by Drupal and write your own schema for custom configuration.

Chapter 6, Adding Configuration Management to Your Module, will teach you how to access configuration objects and how schema files are structured in the previous chapters. (You will surely want to know how to get all this fancy stuff into your shiny new module for Drupal 8). You will learn how to include the default configuration in custom modules, how to define and use your own configuration, and how to create configuration forms.

Chapter 7, Upgrading Your Drupal 7 Variables to Drupal 8 Configuration, will show you ways to convert your Drupal 7 variables into Drupal 8 Configuration objects and how to provide an upgrade path in your modules.

Chapter 8, Managing Configuration for Multilingual Websites, allows you to build comprehensive multilingual websites in which you can display a site's content in different languages and translate the user interface. While many features were built into Drupal's core in previous versions, building multilingual sites remained a very painful task. In this chapter, we will take a look at how Drupal 7 deals with different languages on a site and how Drupal 8 is trying to fix weaknesses from previous versions.

Chapter 9, Useful Tools and Getting Help, provides a list of links and tools provided by the Drupal community; these will be useful if you reach a point where you need help when dealing with Configuration Management.

Like what you see?

Go pre-order the book directly on Packt's website, or follow us on Twitter.


Categories: Elsewhere

Iztok Smolic: Fastest way to build a landing page on your Drupal site

Planet Drupal - Mon, 23/03/2015 - 13:53

Landing pages are a must-have for any web business. Every marketer will tell you that pointing ads to a home page is a waste of money. Actually, any campaign should have a dedicated landing page to maximise the conversion. Here is the problem: setting up landing pages in Drupal is not easy. Modules like Panels and Display Suite sure […]

The post Fastest way to build a landing page on your Drupal site appeared first on Iztok.

Categories: Elsewhere

Mario Lang: Why is Qt5 not displaying Braille?

Planet Debian - Mon, 23/03/2015 - 11:59

While evaluating the cross-platform accessibility of Qt5, I stumbled across this deficiency:

    #include <QApplication>
    #include <QTextEdit>

    int main(int argv, char **args)
    {
      QApplication app(argv, args);
      QTextEdit textEdit;
      textEdit.setText(u8"\u28FF");
      textEdit.show();
      return app.exec();
    }

(compile with -std=c++11).

On my system, this "application" does not always show the correct glyph. Sometimes, it renders a white square with black border, i.e., the symbol for unknown glyph. However, if I invoke the same executable several times, sometimes, it renders the glyph correctly.

In other words: The glyph choosing mechanism is apparently non-deterministic!!!

UPDATE: Sune Vuorela figured out that I need to set QT_HARFBUZZ=old in the environment for this bug to go away. Apparently, harfbuzz-ng from Qt 5.3 is buggy.

Categories: Elsewhere

Jonathan Dowland: Linux music players, 2015 edition

Planet Debian - Mon, 23/03/2015 - 11:10

Now I'm back to Linux on the Desktop for my dayjob, I was slightly nervous about checking out the state of the art for Linux music players; an area I've never felt the Linux desktop was very strong on.

However for the time being I've largely side-stepped the issue by listening to BBC 6 Music for most of the day. For better or worse, I scrobble, and somebody has written a neat web app for scrobbling along to radio stations. When I want to listen to something different for a change, I've been trying out a trial of Google Play Music, for which somebody has written a Chrome extension to scrobble. On the rare occasions I listen to local music, I'm using VLC.

Google Play Music seems pretty good, but I'm not getting a lot from my trial because 6 Music is generally fantastic.

Scrobbling 6 Music has revealed a bit of a disconnect between how I use last.fm and how the website thinks you should use it. Within a day or two, my "music compatibility" with 6 Music was (predictably) "SUPER". Looking at my "Top artists", right near the top are 6 Music's current playlist favourites Courtney Barnett and Nadine Shah, who I can (at least) recall the songs that have been played; just below them are Young Fathers, who I cannot. A little lower are Hot Chip and Slaves: both artists who have current singles out which I enjoyed for a while, but the relentless BBC playlist policy is overdoing them and I'm inclined to switch over when they come on now. If I listen to a whole album in a given week, then the artist will likely (and rightly) be sat at the top of "last 7 days"; if I don't, then it could be something I can't even remember listening to.

Categories: Elsewhere

Web Omelette: Custom access control for Drupal 7 entities

Planet Drupal - Mon, 23/03/2015 - 09:05

Have you ever used hook_node_access() to control access to various node operations on your site? Have you found this hook unbelievably awesome? Thought to yourself, boy, I'm unstoppable now? Well, I sure did.

The problem is that Drupal 7 entities do not start and end with nodes and you may want to control access to other entities in the same way. However, there is no hook_taxonomy_term_access() or hook_fieldable_panels_pane_access() that you can use to apply this tactic. So what can you do in these cases?

The first thing is to understand that each entity implementation is different. Some have a centralised access callback for all the operations while others simply define permissions or access callbacks to be used directly inside the hook_menu() definition. And I'm sure there are also other ways of handling this but these I think are the most common.

In this article we are going to look at two entity examples: taxonomy terms (from core) and fieldable panels panes (from contrib). We will trace the access pipeline from request to response and see what we can do to intervene in this process and add our own logic. So let's begin.

Taxonomy terms

The first entity type we are going to look at is the regular taxonomy term introduced by core. It's actually pretty easy to understand how this entity type is built and what we can do in order to hook into the access pipeline.

If we take a look at taxonomy_menu(), we can quickly figure out which paths it creates to add and edit terms and what access callback and arguments are defined:

Adding terms to a vocabulary

    $items['admin/structure/taxonomy/%taxonomy_vocabulary_machine_name/add'] = array(
      'title' => 'Add term',
      'page callback' => 'drupal_get_form',
      'page arguments' => array('taxonomy_form_term', array(), 3),
      'access arguments' => array('administer taxonomy'),
      'type' => MENU_LOCAL_ACTION,
      'file' => 'taxonomy.admin.inc',
    );

Editing a particular term

    $items['taxonomy/term/%taxonomy_term/edit'] = array(
      'title' => 'Edit',
      'page callback' => 'drupal_get_form',
      // Pass a NULL argument to ensure that additional path components are not
      // passed to taxonomy_form_term() as the vocabulary machine name argument.
      'page arguments' => array('taxonomy_form_term', 2, NULL),
      'access callback' => 'taxonomy_term_edit_access',
      'access arguments' => array(2),
      'type' => MENU_LOCAL_TASK,
      'weight' => 10,
      'file' => 'taxonomy.admin.inc',
    );

By nature, viewing taxonomy term pages has to do with node access since they show a list of nodes so we will skip this aspect here and stick with just the add/edit operations.

So let's change the access callbacks and potential passed arguments inside a hook_menu_alter() implementation.

    /**
     * Implements hook_menu_alter().
     */
    function demo_menu_alter(&$items) {
      $items['admin/structure/taxonomy/%taxonomy_vocabulary_machine_name/add']['access callback'] = 'demo_taxonomy_term_access';
      $items['admin/structure/taxonomy/%taxonomy_vocabulary_machine_name/add']['access arguments'] = array(3, 'add');
      $items['taxonomy/term/%taxonomy_term/edit']['access callback'] = 'demo_taxonomy_term_access';
      $items['taxonomy/term/%taxonomy_term/edit']['access arguments'][] = 'edit';
    }

So what happens here? We are simply replacing the access callback definition for these two menu items with our own custom function demo_taxonomy_term_access(). Additionally, we standardise a bit the arguments this function gets: $entity (either term or vocabulary object) and $op (add or edit). This covers both cases.

Now let's write our callback function:

    /**
     * Access callback for taxonomy term add/edit operations
     *
     * @param null $entity
     * @param null $op
     * @return bool
     */
    function demo_taxonomy_term_access($entity = null, $op = null) {
      if ($op === 'add') {
        return user_access('administer taxonomy');
      }

      if ($op === 'edit') {
        return taxonomy_term_edit_access($entity);
      }
    }

Inside the function we run a check on $op and perform the access logic we want. In doing so, we make use of the $entity object that can be either the term being edited or the vocabulary to which a new term is added. In this example we are replicating exactly the intended access checks of the Taxonomy module. To add a term, a user needs to have the administer taxonomy permission while to edit one it needs either the same permission or a vocabulary specific permission (as seen inside taxonomy_term_edit_access()). Now it's up to you to include inside this logic whatever else you need. And you end up with something not so dissimilar to hook_node_access() but for taxonomy terms.

Fieldable Panels Panes (FPP)

FPP is a contributed module that creates an entity type that is primarily used inside a Panels context. Regardless of any of this though, it too exposes CRUD operations on the entities of this type. And consequently, there are access implications. So let's see how we can hook into this pipeline by starting where we did with the Taxonomy module: at fieldable_panels_panes_menu().

By looking inside this hook implementation we can find many defined paths which relate to these CRUD operations. And we also see that many of them have fieldable_panels_panes_access() as the access callback with some specific arguments passed to it.

But what does this function actually do? Nothing but taking the parameters and deferring to the controller class responsible for this entity type and its access() method. And by checking fieldable_panels_panes_entity_info(), the principal function responsible for defining the entity type, we find that this is the PanelsPaneController class. In there, we find all the logic for determining access rights for various operations.

Now that we know all this, what can we do to hook into this pipeline? We could do like before and override the hook_menu() implementation. But since there are so many menu items and the FPP class controller is already doing such a nice job, that may be counterproductive. So let's instead override the entity definition and replace the class controller with one of ours that extends PanelsPaneController. In there, we then do what we want.

First, we implement hook_entity_info_alter():

    /**
     * Implements hook_entity_info_alter().
     */
    function demo_entity_info_alter(&$entity_info) {
      $entity_info['fieldable_panels_pane']['controller class'] = 'DemoPanelsPaneController';
    }

Right after this, we create a file inside our module called DemoPanelsPaneController.inc which contains the following to start with:

    <?php

    /**
     * Overrides fieldable panels panes controller functionality
     */
    class DemoPanelsPaneController extends PanelsPaneController {

    }

Finally, we edit the module's .info file and make sure it loads this file:

files[] = DemoPanelsPaneController.inc

Then we clear the cache. If all went well, nothing really has changed on the site in terms of functionality. However, the DemoPanelsPaneController class is being used for controlling the fieldable_panels_pane entity type. And since this one extends PanelsPaneController, all previous functionality remains. It follows to now override the access() method and include our own logic to it:

    public function access($op, $entity = NULL, $account = NULL) {
      // $account not always full (defaults to current user)
      return parent::access($op, $entity, $account);
    }

In the example above, nothing is really changed because the logic is deferred back to the parent class. But you could add some logic in addition to or instead of that depending on various contextual factors.

However, I strongly recommend that you stick to the minimum amount of deviation from the default that is needed, and for all the rest, defer back to the original logic. This is to prevent the opening of any security holes. For example, if your access() method looks like this:

    public function access($op, $entity = NULL, $account = NULL) {
      if ($op === 'update') {
        return false;
      }
    }

You are indeed denying access to the edit form but now anybody can create and delete entities because there is no more check on those operations. So make sure you understand this and do not leave any loopholes. The fix in this case would be:

    public function access($op, $entity = NULL, $account = NULL) {
      if ($op === 'update') {
        return false;
      }

      return parent::access($op, $entity, $account);
    }

If the operation is edit, the access is denied for everybody (probably not a good idea but suitable for this demo purpose). However, if the operation is delete, create or view, we defer to the logic of the parent class to handle those cases. In which case the default FPP permissions will be used.

Conclusion

In this article we've seen two ways we can hook into the access checking pipeline of entities in Drupal 7. We've learned that there is more than just one way of going about it depending on how the entity type in question has been defined. The purpose was to illustrate how you can approach the matter and where you need to look in order to find a solution. Hope this helps.

Categories: Elsewhere

Jan Wagner: Wordpress dictionary attack

Planet Debian - Mon, 23/03/2015 - 08:23

Today early in the morning my monitoring system notified me about unusually high outgoing traffic on my hosting platform. I traced the problem down to the webserver which is also hosting this abandoned website.

Looking into this with iptraf revealed that this traffic is coming only from one IP. At first I thought somebody might be grabbing my Debian packages from ftp.cyconet.org. But no, it was targeting my highly sophisticated blogging platform.

$ grep 46.235.43.146 /var/log/nginx/vhosts/access_logs/blog.waja.info-access.log | tail -2 46.235.43.146 - - [23/Mar/2015:08:20:12 +0100] "POST /wp-login.php HTTP/1.0" 404 22106 "-" "-" 46.235.43.146 - - [23/Mar/2015:08:20:12 +0100] "POST /wp-login.php HTTP/1.0" 404 22106 "-" "-" $ grep 46.235.43.146 /var/log/nginx/vhosts/access_logs/blog.waja.info-access.log | wc -l 83676 $ grep 46.235.43.146 /var/log/nginx/vhosts/access_logs/blog.waja.info-access.log | wc -l 83782 $ grep 46.235.43.146 /var/log/nginx/vhosts/access_logs/blog.waja.info-access.log | grep -v wp-login.php | wc -l 0

It makes me really sad to see that dictionary attacks are smashing with such a high power these days, even without evaluating the 404 response.

Categories: Elsewhere
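
One way to spot the pattern described in this post in an nginx access log, as an added example (not code from the post): it counts POST requests to /wp-login.php per client address in a sliding window and flags heavy senders whatever the status code, since the flood above kept going against 404 responses. The function names, the threshold and window values, and the sample log lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# nginx "combined" log format, as in the log lines quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, time, method, path, status, bytes_sent), or None if unparsable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    path = m["path"].split("?", 1)[0]  # ignore any query string
    return (m["ip"], datetime.strptime(m["ts"], TS_FORMAT),
            m["method"], path, int(m["status"]), size)


def find_login_floods(lines, threshold=20, window=timedelta(seconds=60),
                      login_path="/wp-login.php"):
    """Flag clients whose login POSTs reach `threshold` within `window`.

    The status code is recorded but never used to excuse a client: a flood of
    404s still costs bandwidth, which is how the post's author noticed it.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # skip lines that are not in combined format
        ip, ts, method, path, status, size = rec
        if method != "POST" or path != login_path:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        s = stats.setdefault(ip, {"posts": 0, "peak": 0, "bytes_out": 0,
                                  "statuses": Counter()})
        s["posts"] += 1
        s["peak"] = max(s["peak"], len(q))
        s["bytes_out"] += size
        s["statuses"][status] += 1
    return {ip: s for ip, s in stats.items() if s["peak"] >= threshold}


def build_sample_log():
    """Constructed sample: one flooding client, one normal login, some noise."""
    base = datetime(2015, 3, 23, 8, 20, 0, tzinfo=timezone(timedelta(hours=1)))

    def row(ip, sec, request, status, size):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "{request} HTTP/1.0" {status} {size} "-" "-"'

    lines = [row("203.0.113.7", i // 3, "POST /wp-login.php", 404, 22106)
             for i in range(30)]
    lines += [
        row("198.51.100.20", 5, "GET /wp-login.php", 200, 3120),
        row("198.51.100.20", 9, "POST /wp-login.php", 302, 0),
        row("198.51.100.21", 12, "GET /", 200, 9000),
        "this line is not in combined log format",
    ]
    return lines


if __name__ == "__main__":
    for ip, s in find_login_floods(build_sample_log()).items():
        print(ip, s["posts"], "POSTs, peak", s["peak"], "per window,",
              s["bytes_out"], "bytes sent, statuses", dict(s["statuses"]))
```
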

Drupal core announcements: Plan to finalize the Migration system

Planet Drupal - Mon, 23/03/2015 - 05:56

If you move to Drupal 8 from Drupal 6/7, you'll be using the new core migration system.

Migrate team lead benjy has just posted a plan to finalize the migration system, a "meta" issue which outlines what work's already been completed, what's left to be done, what's blocking what, and how to get involved.

Migrations are an extremely high-impact place to throw time and energy, so if fixing Drupal 8 release blockers isn't your thing, but being able to actually move to Drupal 8 when it's ready is, please jump in and lend a hand! :D (Especially if you've worked with Migrate module in D7 contrib.)

Categories: Elsewhere

Chen Hui Jing: Drupal 101: Creating custom content with Panels

Planet Drupal - Mon, 23/03/2015 - 01:00

If you ever find yourself needing to create a static page in Drupal, perhaps for a temporary landing page or an under-construction page, while the site is being fleshed out behind the scenes, an option to consider is via Panels. I was in the process of building the DrupalCamp Singapore 2014 website and needed to put up a temporary home page. Using Panels gave me the option of hand-coding the HTML for the page. To do this, you will also need to install the Chaos tools suite (ctools).

  1. Enable the Panels, Chaos tools and Page manager (comes with ctools) modules.

    drush en panels ctools page_manager -y
  2. Once all the required modules are...
Categories: Elsewhere

groups.drupal.org frontpage posts: Registration is Live for Drupal Dev Day NYC 2015! (#D3nyc15)

Planet Drupal - Sun, 22/03/2015 - 20:20
Start: 2015-04-19 09:00 - 17:00 America/New_York
Drupalcamp or Regional Summit
Organizers: joebachana richbaldwin mdorman amycham forestmars

Registration is now up for D3NYC15, to be held Sunday, April 19th at John Jay College in Midtown Manhattan. To reserve your seat, follow this link: http://goo.gl/22LnX5.

The camp website may be found at http://www.drupalcamp.nyc.

Drupal Dev Day NYC 2015 will be a free, full-day Drupal unconference and Drupal 8 sprint event. All skill levels are welcome at Drupal Dev Day NYC 2015. The content is determined by attendees at the beginning of the day, but you can expect to find sessions and conversations on topics ranging from the most basic to advanced.

The exciting details of the camp include:
• Morning coffee, bagels and a schmear (wouldn't be a NYC camp without 'em!)
• Beginning Drupal training presented by Bleen!
• A Drupal Ladder/mentoring room, where you can get your environment set up and learn to code for Drupal
• Drupal 8 codesprints
• Sessions all day, picked by us all and presented by drupalists among us or collaboratively in BoF format.

If you are an organization interested in helping to sponsor this event, please contact Matt Dorman (mdorman) for more details, or you can go to the registration page and select your level of sponsorship commitment. Thank you in advance!

For those people interested in volunteering on the day of the event, please ping Joe Bachana (joe@bachana) or post a comment to this event page.

Watch this Event page and follow @DrupalNYC (https://twitter.com/drupalnyc) on Twitter or our Facebook page (https://www.facebook.com/Drupalcampnyc) for the latest updates!

Categories: Elsewhere

Rhonda D'Vine: Yasmo

Planet Debian - Sun, 22/03/2015 - 19:19

Friday the 13th was my day. In so many different ways. I received a package which was addressed to Rhonda D'Vine with a special hoodie in it. The person at the post office desk asked me whether it was for my partner, my response was a (cowardly) "no, it's my pseudonym" but that settled any further questions and I got my package.

Later I received an email which made me hyper happy (but which I can't share right now, potentially later).

In the evening there was the WortMacht FemSlam (WordMight FemSlam) poetry slam to which the host asked me to attend just the day before. I was hyper nervous about it. The room was fully packed, there were even quite some people who didn't have a place to sit and were standing at the side. I presented Mermaids because I wasn't able to write anything new on the topic. One would think I am attached enough to the poem by now to not be nervous about it, but it was the environment that made my legs shake like hell while presenting. Gladly I hope it wasn't possible to see it enough under my skirt, but given that it was the first time that I presented it in my home town instead of the "anonymous" internet made me extra anxious. In the end I ended up in place 5 of 7 attendees, which I consider a success given that it was the only text presented in English and not in typical poetry slam style.
(Small addition to the last part: I've been yesterday to the Free Hugs Vienna event at the Schloss Schönbrunn, and one of the people I hugged told me I know you, I've seen you at the FemSlam!. That was extra sweet. :))

I'm happy that I was notified about the FemSlam on such short notice, it was a great experience. So today's entry goes out to the host of that event. This is about Yasmo. One can just be envious about what she already accomplished in her still young life. And she is definitely someone to watch out for in the years to come. I have to excuse to my readers who don't understand German yet again, but I'll get back to something English next time, I promise. :)

  • Kein Platz für Zweifel: The title track from her last album.
  • Wer hat Angst vorm weißen Mann: Most straight-to-the-point line of the lyrics is Wie kann es sein, dass es immer noch diesen Jolly-Buntstift gibt, der "Hautfarbe" heißt?" (How is it possible that there is still this jolly crayon called "colour of the skin"?)
  • Wo kommst du her?: Not a song but one of her great slam poetry texts that I love since I first heard it.

Like always, enjoy!


Categories: Elsewhere

Lars Wirzenius: Obnam 1.9 released (backup software)

Planet Debian - Sun, 22/03/2015 - 17:12

I have just released version 1.9 of Obnam, my backup program. See the website at http://obnam.org for details. The new version is available from git (see http://git.liw.fi) and as Debian packages from http://code.liw.fi/debian. Due to the freeze of Debian for the jessie release, I've not uploaded this version to Debian yet (not experimental and not backports).

This is the first Obnam release since May 13, 2014, 313 days ago. That's a long time. I make no excuses: Obnam is a hobby project, which I work on when I have the time and energy. The past year has been a very /interesting/ year for me, in all sorts of stressful ways: I've changed jobs, moved to another country, and dealt with the loss of a close relative. Because of this, I've not been able to spend as much time on Obnam as I'd like.

The NEWS file extract below gives the highlights of what has happened to Obnam during this time. There's been a lot of things, actually.

My plans for Obnam next are mainly centered around performance. This will require developing a new repository format, to allow things that are not possible with the current format. For example, the current format stores each data chunk in its own file in the repository, and that is quite wasteful when live data files (and therefore their chunks) are quite small.

As preparation for this work, the silly-looking "simple" format has been added, mostly to make sure the internal code infrastructure is ready to support multiple repository formats in the same Obnam version.

Those interested in discussing ways to make Obnam fast should join the obnam-dev mailing list.

Version 1.9, released 2015-03-22

New features:

  • James Vasile changed Obnam so it can backup an individual file, instead of an entire directory.

  • James Vasile added the --include option to Obnam, allowing one to include files that would otherwise be excluded (see --exclude).

  • Carlo Teubner changed obnam fsck to remove unused chunks, if the --fsck-fix or --fsck-rm-unused settings are used. He also made it not check for unused chunks when it's useless to do so, because various --fsck-skip settings are used.

  • A start of a French translation of the manual by pedrito2.

  • Ian Cambell provided a new Obnam command, obnam kdirstat, which makes the KDE k4dirstat utility be able to show graphically which parts of a backup generation use most space.

  • Lars Wirzenius added the simple repository format, which is for demonstration only. It is much too simplistic to be used for real.

Minor changes:

  • The manual page and obnam --help are now clearer that the --root setting and command line arguments to obnam backup can be SFTP URLs. Thanks to Simone Piccardi for reporting the issue.

  • David Fries filled in the displayed file permission mode bits.

  • Grammar and typo fixes for the obnam.1 manual page, from Jean Jordaan.

  • Tom Chiverton suggested a clarification to the manual page for "obnam mount" to say that each generation is a subdirectory.

  • David Fries changed restore to set the group ownership if possible even when not root. No warnings are issued if the attempt fails.

  • Jan Niggemann added a little to the German translation of the Obnam manual.

  • Lars Wirzenius added the path to the error message about a missing chunk (R43272X).

  • Lars Wirzenius made the message at the end of a backup report more statistics about transfers during the backup.

Bug fixes:

  • The Obnam SFTP plugin would loop infinitely if it lost the connection to the SSH server while creating a temporary file. Itamar Turner-Trauring provided a fix for this.

  • Will Dyson fixed a bug about locking while removing checkpoint generations.

  • Michel Alexandre Salim fixed a Python 2.6 compatibility problem in the unit tests (use of assertRaises as a context manager).

  • Lars Kruse fixed a bug with backing up of overlapping backup roots (e.g., / and /boot), given a test case by Adrien Clerc.

  • Thomas Eschenbacher fixed a bug in the format 6 repository code that would crash when there is an obscure problem and a B-tree code can't be found in the tree.

  • Tom Chiverton pointed out that the manual page was using "obnam restore" instead of "obnam mount" in an example for "obnam mount".

  • The yarn test suite now runs FUSE tests (obnam mount) when fusermount is available, rather than checking for membership in the group fuse. The latter is a Debianism (fixed in Debian jessie).

  • Thomas Waldmann noticed that obnam verify didn't notice that a file had new data, when the modification time was the same. Obnam now notices this.

  • Thomas Waldmann fixed many typos and minor bugs in the source code.

  • Laurence Perkins reported that the Tahoe-LAFS SFTP server returned some stat fields as None. Fixed to change those to be 0 instead.

  • Lars Wirzenius fixed double-downloading of chunks during restores.

Categories: Elsewhere

Mehdi Dogguy: Running for DPL

Planet Debian - Sun, 22/03/2015 - 11:44
Every year, Debian organizes a DPL election. Around end of March, one waits for the beginning of the DPL campaign. Everyone can ask questions to nominated candidates on debian-vote. This year, and for the first time, I nominated myself as a candidate for the 2015 DPL election. You can read my platform here.

Over the past few years, I've followed DPL campaigns on debian-vote reading questions and replies from candidates. It didn't seem easy to keep up with flood of questions and find the right wording while replying. Intuitively, you may think that a question is the first mail of every thread and replies follow... but, not at all :-) Questions can be asked in any mail. So candidates have to read every single mail posted to the list :-) The campaign ends within a week (or so) and it is still time to ask more questions.

Following discussions on debian-vote is a very good opportunity for newcomers to understand, for example, how Debian works and where help is needed. It is also a good place to see what are the main current issues (as perceived by contributors) and read a list of proposals to fix them. I invite anyone interested in Debian in reading debian-vote's archives.

While preparing my platform, I've also realized how much writing down thoughts and ideas was important. It really helps to put things into perspective and re-evaluate priorities. It may sound obvious but I think we are not used to do this often. I really recommend everyone to do this as an exercise, and for any perimeter (personal, team, project-wide, ...).

Last but not least, I'd like to thank all those who helped me to polish my platform and to prepare my candidacy. I am sure they will recognize themselves :-) (whatever the outcome of the election may be)
Categories: Elsewhere

Hideki Yamane: just an idea: automated release note generation about changes in packages

Planet Debian - Sun, 22/03/2015 - 10:16
Now we're (hopefully) in the last stage for Debian "Jessie" release cycle. Well, however, "Please add your package information to release notes ASAP" style doesn't work well, IMHO.

Some package maintainers (including me ;) are lazy; they forget about changes in their package once it has been pushed to a repo (put & forget about it). And "last spurt" editing is hard for translators. We translators want to finish it by Debian release time, but it's a really hard thing.

How wonderful it would be if release notes were automatically generated! So, the system should help them (us). Then, how about adding a [releasenote] section to debian/NEWS?

In debian/changelog,

    foobar (0.2.0-1) unstable; urgency=medium

      * update debian/NEWS file

     -- Hideki Yamane <henrich@debian.org>  Wed, 20 Aug 2014 07:12:51 +0900

and debian/NEWS file,

    foobar (0.2.0-1) unstable; urgency=medium

      [releasenote: Stretch]
      * "buz" package user should migrate other packages since this package
        doesn't provide buz package anymore.

     -- Hideki Yamane <henrich@debian.org>  Wed, 20 Aug 2014 07:12:51 +0900

Then, parse all debian/NEWS files and generate release notes automatically.

It's just an idea, not well considered. But probably you'll get the point. "Big Bang release" style is not good, CI style is better - don't you think so?
Categories: Elsewhere

DrupalOnWindows: Deploying changing module dependencies with Drupal

Planet Drupal - Sun, 22/03/2015 - 06:00

Deployments are often one of the most important aspects of the Drupal development cycle. But sometimes, due to time and/or budget constraints (or the maturity of your company) developers clone databases downstream, manually reproduce content on production environments, and rely on other bad practices on a regular basis.

Today we will show you how we manage small (but critical) changes in module dependencies for our custom modules here at www.DrupalOnWindows.com.

Categories: Elsewhere

Robert Edmonds: Bad Google repository signatures

Planet Debian - Sun, 22/03/2015 - 04:50

Google publishes Linux software repositories for several of their products, including Google Chrome, which is available from the following apt source:

deb http://dl.google.com/linux/chrome/deb/ stable main

These repositories are signed with an 8 year old 1024-bit DSA key:

    pub   1024D/7FAC5991 2007-03-08
          Key fingerprint = 4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
    uid   Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
    sub   2048g/C07CB649 2007-03-08

Asymmetric 1024-bit keys are not considered strong enough and were, for instance, aggressively retired from Google's SSL frontends almost two years ago. Such short keys should not be used to protect the integrity of software package repositories.

Note that this key has a longer 2048-bit ElGamal subkey, which is not actually used to produce signatures, but only for encryption. In fact, only a signing key is needed to sign the files in a secure apt repository, and, for instance, the archive keys used to sign official debian.org repositories do not contain an encryption subkey.

For years, many users have reported an error message like the following when running apt-get update:

W: GPG error: http://dl.google.com stable Release: The following signatures were invalid: BADSIG A040830F7FAC5991 Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>

This error might resolve itself if apt-get update is run again. Apparently, this is due to "bad pushes" occurring in the Google infrastructure. An example of this can be seen in the following curl output:

    $ curl -v http://dl.google.com/linux/chrome/deb/dists/stable/Release \
        http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg
    * Hostname was NOT found in DNS cache
    * Trying 74.125.196.136...
    * Connected to dl.google.com (74.125.196.136) port 80 (#0)
    > GET /linux/chrome/deb/dists/stable/Release HTTP/1.1
    > User-Agent: curl/7.38.0
    > Host: dl.google.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Accept-Ranges: bytes
    < Content-Length: 1347
    < Content-Type: application/octet-stream
    < Etag: "518b8"
    < Expires: Sun, 22 Mar 2015 18:55:19 PDT
    < Last-Modified: Fri, 20 Mar 2015 04:22:00 GMT
    * Server downloads is not blacklisted
    < Server: downloads
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < X-Xss-Protection: 1; mode=block
    < Date: Sun, 22 Mar 2015 01:55:19 GMT
    < Alternate-Protocol: 80:quic,p=0.5
    <
    Origin: Google, Inc.
    Label: Google
    Suite: stable
    Codename: stable
    Version: 1.0
    Date: Thu, 19 Mar 2015 22:55:29 +0000
    Architectures: amd64 i386
    Components: main
    Description: Google chrome-linux repository.
    MD5Sum:
     53375c7a2d182d85aef6218c179040ed 144 main/binary-i386/Release
     c556daf52ac818e4b11b84cb5943f6e0 4076 main/binary-i386/Packages
     867ba456bd6537e51bd344df212f4662 960 main/binary-i386/Packages.gz
     2b766b2639b57d5282a154cf6a00b172 1176 main/binary-i386/Packages.bz2
     89704f9af9e6ccd87c192de11ba4c511 145 main/binary-amd64/Release
     fa88101278271922ec9b14b030fd2423 4082 main/binary-amd64/Packages
     1ba717117027f36ff4aea9c3ea60de9e 962 main/binary-amd64/Packages.gz
     19af18f376c986d317cadb3394c60ac5 1193 main/binary-amd64/Packages.bz2
    SHA1:
     59414c4175f2cc22e67ba6c30687b00c72a7eafc 144 main/binary-i386/Release
     1764c5418478b1077ada54c73eb501165ba79170 4076 main/binary-i386/Packages
     db24eafac51d3e63fd41343028fb3243f96cbed6 960 main/binary-i386/Packages.gz
     ad8be07425e88b2fdf2f6d143989cde1341a8c51 1176 main/binary-i386/Packages.bz2
     153199d8f866350b7853365a4adc95ee687603dd 145 main/binary-amd64/Release
     7ce66535b35d5fc267fe23af9947f9d27e88508b 4082 main/binary-amd64/Packages
     a72b5e46c3be8ad403df54e4cdcd6e58b2ede65a 962 main/binary-amd64/Packages.gz
     dbc7fddd28cc742ef8f0fb8c6e096455e18c35f8 1193 main/binary-amd64/Packages.bz2
    * Connection #0 to host dl.google.com left intact
    * Found bundle for host dl.google.com: 0x7f24e68d06a0
    * Re-using existing connection! (#0) with host dl.google.com
    * Connected to dl.google.com (74.125.196.136) port 80 (#0)
    > GET /linux/chrome/deb/dists/stable/Release.gpg HTTP/1.1
    > User-Agent: curl/7.38.0
    > Host: dl.google.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Accept-Ranges: bytes
    < Content-Length: 198
    < Content-Type: application/octet-stream
    < Etag: "518f4"
    < Expires: Sun, 22 Mar 2015 18:55:19 PDT
    < Last-Modified: Fri, 20 Mar 2015 04:05:00 GMT
    * Server downloads is not blacklisted
    < Server: downloads
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < X-Xss-Protection: 1; mode=block
    < Date: Sun, 22 Mar 2015 01:55:19 GMT
    < Alternate-Protocol: 80:quic,p=0.5
    <
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iEYEABECAAYFAlULm7YACgkQoECDD3+sWZFyxACeNPuK/zQ0v+3Py1n2s09Wk/Ti
    DckAni8V/gy++xIinu8OdUXv7c777V9H
    =5vT6
    -----END PGP SIGNATURE-----
    * Connection #0 to host dl.google.com left intact

Note that both the Release and Release.gpg files were fetched with the same HTTP connection, so the two files must have come from the same web frontend. (Though, it is possible they were served by different backends.) However, the detached signature in Release.gpg does not match the content in Release:

    gpgv: Signature made Fri 20 Mar 2015 12:01:58 AM EDT using DSA key ID 7FAC5991
    gpgv: BAD signature from "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>"

Performing the same pair of fetches again, the same Release.gpg file is returned, but the Release file is slightly different:

    $ curl -v http://dl.google.com/linux/chrome/deb/dists/stable/Release \
        http://dl.google.com/linux/chrome/deb/dists/stable/Release.gpg
    * Hostname was NOT found in DNS cache
    * Trying 74.125.196.136...
    * Connected to dl.google.com (74.125.196.136) port 80 (#0)
    > GET /linux/chrome/deb/dists/stable/Release HTTP/1.1
    > User-Agent: curl/7.38.0
    > Host: dl.google.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Accept-Ranges: bytes
    < Content-Length: 1347
    < Content-Type: application/octet-stream
    < Etag: "518f3"
    < Expires: Sun, 22 Mar 2015 18:55:04 PDT
    < Last-Modified: Fri, 20 Mar 2015 04:05:00 GMT
    * Server downloads is not blacklisted
    < Server: downloads
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < X-Xss-Protection: 1; mode=block
    < Date: Sun, 22 Mar 2015 01:55:04 GMT
    < Alternate-Protocol: 80:quic,p=0.5
    <
    Origin: Google, Inc.
    Label: Google
    Suite: stable
    Codename: stable
    Version: 1.0
    Date: Fri, 20 Mar 2015 04:02:02 +0000
    Architectures: amd64 i386
    Components: main
    Description: Google chrome-linux repository.
    MD5Sum:
     89704f9af9e6ccd87c192de11ba4c511 145 main/binary-amd64/Release
     fa88101278271922ec9b14b030fd2423 4082 main/binary-amd64/Packages
     1ba717117027f36ff4aea9c3ea60de9e 962 main/binary-amd64/Packages.gz
     19af18f376c986d317cadb3394c60ac5 1193 main/binary-amd64/Packages.bz2
     53375c7a2d182d85aef6218c179040ed 144 main/binary-i386/Release
     c556daf52ac818e4b11b84cb5943f6e0 4076 main/binary-i386/Packages
     867ba456bd6537e51bd344df212f4662 960 main/binary-i386/Packages.gz
     2b766b2639b57d5282a154cf6a00b172 1176 main/binary-i386/Packages.bz2
    SHA1:
     153199d8f866350b7853365a4adc95ee687603dd 145 main/binary-amd64/Release
     7ce66535b35d5fc267fe23af9947f9d27e88508b 4082 main/binary-amd64/Packages
     a72b5e46c3be8ad403df54e4cdcd6e58b2ede65a 962 main/binary-amd64/Packages.gz
     dbc7fddd28cc742ef8f0fb8c6e096455e18c35f8 1193 main/binary-amd64/Packages.bz2
     59414c4175f2cc22e67ba6c30687b00c72a7eafc 144 main/binary-i386/Release
     1764c5418478b1077ada54c73eb501165ba79170 4076 main/binary-i386/Packages
     db24eafac51d3e63fd41343028fb3243f96cbed6 960 main/binary-i386/Packages.gz
     ad8be07425e88b2fdf2f6d143989cde1341a8c51 1176 main/binary-i386/Packages.bz2
    * Connection #0 to host dl.google.com left intact
    * Found bundle for host dl.google.com: 0x7ffa33d8b6a0
    * Re-using existing connection! (#0) with host dl.google.com
    * Connected to dl.google.com (74.125.196.136) port 80 (#0)
    > GET /linux/chrome/deb/dists/stable/Release.gpg HTTP/1.1
    > User-Agent: curl/7.38.0
    > Host: dl.google.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Accept-Ranges: bytes
    < Content-Length: 198
    < Content-Type: application/octet-stream
    < Etag: "518f4"
    < Expires: Sun, 22 Mar 2015 18:55:05 PDT
    < Last-Modified: Fri, 20 Mar 2015 04:05:00 GMT
    * Server downloads is not blacklisted
    < Server: downloads
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: SAMEORIGIN
    < X-Xss-Protection: 1; mode=block
    < Date: Sun, 22 Mar 2015 01:55:05 GMT
    < Alternate-Protocol: 80:quic,p=0.5
    <
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iEYEABECAAYFAlULm7YACgkQoECDD3+sWZFyxACeNPuK/zQ0v+3Py1n2s09Wk/Ti
    DckAni8V/gy++xIinu8OdUXv7c777V9H
    =5vT6
    -----END PGP SIGNATURE-----
    * Connection #0 to host dl.google.com left intact

Note that the Date line in the Release file is different:

@@ -6 +6 @@ -Date: Thu, 19 Mar 2015 22:55:29 +0000 +Date: Fri, 20 Mar 2015 04:02:02 +0000

The file hashes listed in the Release file are in a different order, as well, though the actual hash values are the same. This Release file does have a valid signature:

    gpgv: Signature made Fri 20 Mar 2015 12:01:58 AM EDT using DSA key ID 7FAC5991
    gpgv: Good signature from "Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>"

Note that the Release.gpg files in the good and bad cases are the same, and the same signature cannot cover two files with different content. Also note that the same mis-signed content is available via HTTPS, so it is probably not caused by a MITM attack.

The possibility of skew between the Release and Release.gpg files is precisely why inline signed Release files were introduced, but Google's repositories use only the older format with a detached signature.

It would be nice if Google could fix the underlying bug in their infrastructure that results in mis-signed repositories being published frequently, because it trains users to ignore cryptographic failures.

Categories: Elsewhere
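
The comparison this post makes by hand between the two Release responses can be automated; the following is an added example, not code from the post. It parses two Release files and reports whether they are byte-identical (the only case in which one detached signature can cover both), which header fields changed, and whether the checksum entries are the same set in a different order. The function names are assumptions, and the two sample files are abridged from the responses quoted above.

```python
import hashlib


def parse_release(text):
    """Split an apt Release file into header fields and checksum sections.

    Checksum sections ("MD5Sum:", "SHA1:", ...) have an empty value on the
    header line and one indented "digest size path" entry per following line.
    """
    fields, sums, section = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if section is None:
                raise ValueError("indented line outside a checksum section")
            digest, size, path = line.split()
            sums[section].append((digest, int(size), path))
        else:
            key, _, value = line.partition(":")
            value = value.strip()
            if value:
                fields[key], section = value, None
            else:
                section = key
                sums[key] = []
    return fields, sums


def compare_releases(first, second):
    """Describe how two Release files differ, byte-wise and semantically."""
    f1, s1 = parse_release(first)
    f2, s2 = parse_release(second)
    same_sums = ({k: set(v) for k, v in s1.items()}
                 == {k: set(v) for k, v in s2.items()})
    digest = lambda t: hashlib.sha256(t.encode()).hexdigest()
    return {
        # A detached signature is computed over the exact bytes of Release.
        "bytes_identical": digest(first) == digest(second),
        "changed_fields": sorted(k for k in f1.keys() | f2.keys()
                                 if f1.get(k) != f2.get(k)),
        "same_checksums": same_sums,
        "reordered": same_sums and s1 != s2,
    }


# Abridged from the two Release responses shown in the post.
RELEASE_BAD = """\
Origin: Google, Inc.
Suite: stable
Date: Thu, 19 Mar 2015 22:55:29 +0000
MD5Sum:
 53375c7a2d182d85aef6218c179040ed 144 main/binary-i386/Release
 89704f9af9e6ccd87c192de11ba4c511 145 main/binary-amd64/Release
"""

RELEASE_GOOD = """\
Origin: Google, Inc.
Suite: stable
Date: Fri, 20 Mar 2015 04:02:02 +0000
MD5Sum:
 89704f9af9e6ccd87c192de11ba4c511 145 main/binary-amd64/Release
 53375c7a2d182d85aef6218c179040ed 144 main/binary-i386/Release
"""

if __name__ == "__main__":
    for key, value in compare_releases(RELEASE_BAD, RELEASE_GOOD).items():
        print(f"{key}: {value}")
```
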
