The Drupal security team published a PSA to warn about upcoming security advisories. I shared my advice and predicted attacks within the hour after the security advisories are published. The security advisories are now published. Here is my followup.
I applaud the Drupal Security Team for warning about the highly critical updates. However, the public service announcement (PSA) left the impression that this event was going to be much more serious than it was. Such a PSA would have been perfectly appropriate for SA-CORE-2014-005 "Drupalgeddon". But the only PSA there was in hindsight.
I guess it is reasonable for the Drupal Security Team to be overcautious, especially given the lessons learned from Drupalgeddon fallout. And of course, such decisions and criticism are much easier with hindsight.
But now I am concerned how the Drupal Security Team can realistically raise the level further if there is another vulnerability that is as serious as Drupalgeddon. Even if they raise the alert level using language in the PSA, will people still believe them? It reminds me of the boy who cried wolf.
Of course serious vulnerabilities like these are rare events in Drupal, so there is not yet a standard to compare alert levels to.
Just arrived here? Read my followup first.
The Drupal security team announced multiple highly critical updates to Drupal contrib modules in PSA-2016-001. Expect attacks within less than one hour from the announcement; 18 hours from the time this article is published. This is probably going to be Drupalgeddon all over again.
If you are prepared, you will save yourself a lot of time. If you are late or too slow, you will probably find yourself with a lot more work, e.g. the rescue workflow for Drupalgeddon 1.
Don't skimp on the first two. And do at least one of "3. Update a contrib module" or "4. Learn how to apply patches". Which one you choose depends on your skills and how out of date contrib modules are on your Drupal websites. Ideally, do both steps 3 & 4; you might find one of them is significantly challenging for you.
Four years after the last DrupalSouth, and three fantastic Australasian Drupal conferences later, DrupalSouth returns!
DrupalSouth Wellington 14-16 February 2014 is setting up to be a great event! With an awesome venue, large capacity and amazing sponsors, things are well on track.
Originally posted at PreviousNext.com.au.
Scheduler module allows content editors to specify times for content to be published and/or unpublished. However it is not compatible with Workbench Moderation module, which allows content to have states like “draft” and “needs review” rather than just “published” or not.
Scheduler Workbench is a new module that integrates Workbench Moderation and Scheduler modules, so that content can be configured to become published or unpublished and be assigned a new moderation state at a date and time specified by the content editor.
The Donald W. Reynolds Journalism Institute (RJI) is an organization that seeks out and tests innovations in journalism to find the best solutions for use in the real world.
DrupalDownunder is just 2 months away and is expected to be a sell-out event, with Dries Buytaert (the Drupal project lead and founder) presenting a keynote and attending.
The keynote speakers are:
Today is a new beginning. Today is my first day at Palantir.net. I am now a "Palantiri"! (That's Palantiri-speak for someone who works at Palantir.net. ;)
In January 2009 I wrote and released jQuery.dashboard() plugin, which extends jQuery to quickly and easily create dashboard UIs like iGoogle. A handful of people have been using it for a while, but in December 2009, it was announced that CiviCRM 3.1 would include a dashboard feature utilising jQuery.dashboard() plugin! CiviCRM 3.1 was released late January 2010. (So this blog post is a little late!)
I scheduled the "tpl.phps are not real templates" session and discussion as a BoF session on Wednesday at 11am in room 212 at DrupalCon San Francisco.
From my original post:
Drupal's template files (*.tpl.php) are not really templates. This is what my DrupalCon core developer summit submission is about. The slides briefly explain why tpl.phps are not real templates, what real templates are, why this is a problem for the Drupal project and community, and mentions some possible solutions to the problem. It also provides some basic guidelines as a starting point for tpl.php standards, should that be pursued.