Drupal core updates for November 8, 2014

Co-authored by alimac, xjm, mparker17, and effulgentsia.

What's new with Drupal 8?

DrupalCon Amsterdam and the Drupal 8 beta!

It's been more than a month since the last Drupal Core Update, and so much has happened! Around 2300 people travelled to the historic city of Amsterdam, Netherlands for DrupalCon Amsterdam, where after 5 days of sprinting, Drupal 8.0 entered beta! Beta 3 will be released on Wednesday, November 12.

Photo credit: Paul Johnson

Be sure to review the allowed beta changes policy to understand which core issues are still priorities for Drupal 8.0, and which will need to wait for Drupal 8.1 or Drupal 9.

Highly critical security fix released for Drupal 7 and 8

On October 15th, SA-CORE-2014-005, a highly critcial security fix necessary for all Drupal 7 and 8 sites was revealed and Drupal 7.32 and Drupal 8.0.0-beta2 were released to address the issue. A week later, on October 29th, the Drupal security team issued a public service announcement warning of automated attacks against Drupal sites that haven't been patched for SA-CORE-2014-005.

To help website administrators choose the best possible path for dealing with affected Drupal sites, Bevan Rudge has developed a detailed flowchart of actions to take, specific to different scenarios. One tool that can be useful is Drupalgeddon, a Drush command that can help detect some of the exploits. It is important to understand that some attacks may not leave any trace. If possible, restore your Drupal site from backup made before October 15, 2014.

In A Lesson In Security, Anthony Ferrara deconstructed the vulnerability and its resolution as well as Drupal Security Team's response. For some discussion of Drupal Security Team's practices and the media response, check out Bryan Ruby's post: Drupal Security: Not Shocking but Responsible.

D8 critical office hours with chx

Core contributor chx has started a weekly critical issue office hours on Fridays at 12:00p PST. If you are interested in really digging into a tough problem and helping resolve a stagnating release blocker, or if you are stuck on a critical currently, join #drupal-contribute IRC channel during the office hours. See chx's report of the first critical office hours for an idea of what we've done so far!

Where's Drupal 8 at in terms of release?

DrupalCon Amsterdam and the beta release have brought lots of new momentum to the critical issue queue, with many issues both identified and resolved. Of the 130 critical issues currently blocking Drupal 8's release, 1 in 3 are new since the initial beta release, and 58% have activity within the past two weeks!

Where can I help?

Top criticals to hit this week

Each week, we check with core maintainers and contributors for the "extra critical" criticals that are blocking other work. These issues are often tough problems with a long history. If you're familiar with the problem-space of one of these issues and have the time to dig in, help drive it forward by reviewing, improving, and testing its patch, and by making sure the issue's summary is up to date and any API changes are documented with a draft change record.

• #2368349: Entity view and form display configuration schemas are too verbose / key ones missing needs review. This issue will resolve bugs in the entity system's configuration schemas. Critical configuration schema issues affect Drupal's multiligual functionality and block a beta-to-beta ugprade path.
• #2352155: Remove HtmlFragment/HtmlPage is the next step to finalize Drupal's page rendering. This detailed issue builds on extensive discussions at DrupalCon Amsterdam and includes an extremely illuminating diagram of Drupal 8's render pipeline. The issue needs review and iteration to incorporate the latest feedback.
• #2345255: [meta] CMI path to release tracks the progress for completing the Configuration Management Initiative. Follow this issue to get involved with the most critical current blockers for the Configuration system.
• As of this writing, there are 20 known critical performance issues in Drupal 8. Help make Drupal 8 fast!

More ways to help

• #2348381: [META-20 theme functions left] Convert/refactor core theme functions is part of the home stretch for completing Drupal 8's theme layer with Twig. Pick a child issue and help improve themer experience!
• #2369781: Ensure twig_debug output has needed sanitization is a critical issue to improve the security of a newly-added theme developer debugging tool. Help discuss the best solution for this issue or provide an initial proposal for a patch.
• #2066207: Contextual filters in view preview UI are not retained on preview navigation is the last bug that needs to be fixed before we can remove the _current_path() function, which is part of cleaning up legacy code from before all of the routing system conversions.
• Want to keep an eye on what issues are blocking other issues in general? Keep an eye on the blocker issue tag. You can also add this tag to other issues you encounter that require other work to be postponed; if more people use the tag, then it will increase these issues' visibility.

As always, if you're new to contributing to core, check out Core contribution mentoring hours. Twice per week, you can log into IRC and helpful Drupal core mentors will get you set up with answers to any of your questions, plus provide some useful issues to work on.

You can also help by sponsoring independent Drupal core development.

Notable Commits

So much great work has gone into Drupal 8 in the past weeks that it's difficult to pick the best of git log --after=2014-09-18 --pretty=oneline (571 commits in total). The final beta blocker was resolved across several issues, as were many entity API, theme system, dependency management, usability, and accessibility improvements.

• Issue #2271419 by alexpott, larowlan: Fixed Allow field types, widgets, formatters to specify config dependencies.
• Issue #1879930 by fran seva, Gábor Hojtsy, martin107, markie, Schnitzel, alexpott, Sutharsan, mon_franco, YesCT, spearhead93, herom, Désiré: Fixed Language selectors are not showing localized to the page language.
• Issue #1953770 by amateescu: Move the field-specific settings form elements at the top of the form.
• Issue #2224581 by alexpott, larowlan, jhodgdon, mgifford: Delete forum data on uninstall.
• Issue #2332935 by plach, alexpott, dawehner: Allow code to respond to entity/field schema changes.
• Issue #2028053 by vegantriathlete, franxo, InternetDevels, thamas, rootwork, LewisNyman: Add typographic styles, components, and utility classes.
• Issue #2226207 by lauriii, mgbellaire, Cottser, m1r1k, Mark Carver, LinL, rachel_norfolk, rteijeiro, skwashd, davidhernandez, euphoric_mv: Make 'template' the default output option for hook_theme().
• Issue #2350779 by benjy: Update Migrate maintainers in MAINTAINERS.txt.
• Issue #2292035 by DimitriV, mgifford | andrewmacpherson: Fixed CKEditor uses the automatically generated ID attribute for the body field in the ARIA label.
• Issue #2324791 by Michael Hodge Jr, ParisLiakos: Remove watchdog().
• Issue #2329501 by alexpott, mdrummond, davidhernandez | Cottser: Add classy.info.yml to core, set Classy as base theme for Bartik and Seven.
• Issue #2278353 by cilefen, dawehner, hussainweb, jibran, andyceo: Update to Symfony 2.5.
• Issue #2304987 by Berdir, Wim Leers: Fixed Don't invalidate cache tags of referenced entities, use entity list cache tags correctly, add test coverage for entity list cache tags.
• Issue #1869476 by rteijeiro, LewisNyman, lauriii, Wim Leers, mdrummond, swentel, hosef, cbiggins, larowlan, sun, EclipseGc, Gábor Hojtsy: Convert global menus (primary links, secondary links) into blocks.
• Issue #2343759 by pwolanin, larowlan, dawehner, tim.plunkett, effulgentsia, xjm, Wim Leers: Provide an API function to replace url()/l() for external urls.
• Issue #2002138 by yched, Jose Reyero, xjm, andypost, fago, msonnabaum, Berdir, dixon_: Use adapters for supporting typed data.
• Issue #2338475 by herom: Remove hook_permission().
• Issue #2232605 by alexpott, dawehner, martin107, Cottser, sun: Fixed Themes cannot be uninstalled.

Security fixes

Now that Drupal 8 is in beta, we're focusing on resolving disclosed security vulnerabilities in Drupal 8 so that site owners can safely build test sites. Here are the security fixes that have gone in over the past weeks:

• Issue #1948418 by webflo, martin107, galooph, cilefen, gaurav.goyal, amitgoyal, dawehner, dstol: Fixed Address SA-CONTRIB-2013-035 for views in D8.
• Issue #2357249 by Stefan Horst, greggles, larowlan, David_Rothstein, klausi: Fixed SA-CORE-2014-005 (SQL injection).
• Issue #2304969 by pwolanin, cilefen, Berdir, Devin Carlson, klausi: Fixed Port private files access bypass from SA-CORE-2014-003.
• Issue #2242749 by znerol, torotil, rszrama, larowlan, dawehner, penyaskito, tim.plunkett, sun, Damien Tournoud, David_Rothstein, effulgentsia: Fixed Port Form API security fix SA-CORE-2014-002 to Drupal 8.
• Issue #2234277 by cilefen, hussainweb, Xano, netlooker, martin107: Composer update (includes security fixes).
• Issue #2029855 by klausi, benjy, fgm, hussainweb, Cottser, pfrenssen, kim.pepper | moshe weitzman: Fixed Missing access control for user base fields.
• Issue #2098419 by larowlan | fago: Fixed Missing default access for all comment fields.

Drupal 8 Around the Interwebs

• Cathy Theys, Tim Erickson and Alina Mackenzie looked at DrupalCon Amsterdam Sprints and upcoming sprints for you to attend.
• Wim Leers explains the Drupal 8 render pipeline (as mapped out in #2368349).
• Chris Doherty gives an update on theming in Drupal 8, highlighting current progress with the Classy theme.
• For a look at a first time sprinter's experience in contributing to Drupal 8, check out Sprinting for the first time by Adam Evertsson
• Matt Korostoff asks (and answers) 27 questions that came up during a Drupal 8 site build. Ever wondered why you can't disable modules in Drupal 8? Matt has the answer.
• In part 5 of How to Build a Drupal 8 Module Daniel Sipos tells us about Drupal 8 Hooks and the Symfony Event Dispatcher.
• In a series of short demos, Alex Pott shows us that Drupal 8 Administration is Faster, Cheaper and Easier.
• Are you a front-end developer? Brian Wald wrote up a field guide about Drupal 8 with you in mind.
• Andrea Prescetti slipped us a Drupal 7 to Drupal 8 cheat sheet, for a quick reference about the differences in directory structure, APIs and configuration. Interested in just Entities, try Erik Stielstra's Drupal 8 Entity cheat sheet instead.
• martijn gives an update on the the state of ReST in Headless Drupal 8.
• Angie Byron answers all your burning questions In the 8th and final installment of The Ultimate Guide to Drupal 8.
• Brian Lewis of Mods Unraveled talks to Scott Reeves and David Hernandez about the origin story of Consensus Banana and what it means for Drupal themers.
• Michael Anello looks at the big picture and Drupal 8 Migrate in core.
• Jonathan Brown explains how to generate safe markup in Drupal 8 and avoid Twig auto-escape woes.
• Is your favorite contributed module ported to Drupal 8 yet? Adrian Rollett shows us how to follow the readiness of the top 100 modules for Drupal 8.

Drupal 8 in "Real Life"

• November 8 - Lima: Learn more about API changes and help port Examples for Developers module to Drupal 8.
• November 10 and 11: Angela Byron, Jeffrey 'jam' McQuire, and Larry Garfield will be keynote speakers at the php[world] Conference in in Washington, D.C.
• November 20 - Kitchener: Join Nik Alexandrov for an introduction to object-oriented programming for Drupal 8 in Kitchener, Ontario.
• December 10 - 14 - Ghent: The Drupal Association and Wunderkraut are sponsoring a focused sprint in Ghent to help move core critical issues forward.
• January 17 and 18: Drupal Global Sprint Weekend returns for the third year to unite small local sprints around the world. Find or add your sprint location or join online.
• February 8 - 13 - Bogotá: DrupalCon Latin America in Bogotá is the next DrupalCon! Join the sprinters and sign up for various sprints including Multilingual and Sign me up for anything.

Whew! That's a wrap!

Do you follow Drupal Planet with devotion, or keep a close eye on the Drupal event calendar, or git pull origin 8.0.x every morning without fail before your coffee? We're looking for more contributors to help compile these posts. You could either take a few hours once every six weeks or so to put together a whole post, or help with one section more regularly. Read more about how you can volunteer to help with these posts!