Drupal

Security risk of automatic Drupal updates

Submitted by Darren Oh on Thu, 07/16/2020 - 14:23

Yesterday I had my fears confirmed about the Drupal Automatic Updates initiative. It requires sites to be able to modify core Drupal files. While this makes it easier to fix vulnerabilities, it is not something you want when your site is actually being attacked. The best way to protect against someone exploiting a vulnerability to modify your Drupal core files is to change the file permissions so that your site cannot modify them.

Will JavaScript eat Drupal?

Submitted by Darren Oh on Mon, 07/13/2020 - 20:45

I have been hearing warnings for a while now that distributed services and JavaScript running in the browser are about to reach the point where no one will want to work on Drupal any more. That would be true if no one cared about vendor independence and future-proof investment. If you’re building a disposable site or afraid that your client will run out of work for you, it may not pay to worry about those things. But if you would rather not do the same job over and over again, you want a platform under your own control that can be continuously reused and improved upon.

What open source sustainability means

Submitted by Darren Oh on Wed, 04/25/2018 - 09:52

Today I was listening to Talking Drupal #168. The topic was how to ensure that open source project developers can afford to provide updates to their users. As an open source developer myself, I have to disagree with the premise that we should support a distinction between users and developers. The projects that I develop for are the projects that I use. As a user-developer, I do not care how many users a project has. I care how many user-developers it has.

Community code of conduct

Submitted by Darren Oh on Fri, 02/23/2018 - 12:34

Last year, there was a lot of discussion within the Drupal community about a code of conduct. Many people expressed the hope that a clearly stated code of conduct would prevent misunderstandings and enforce good behavior within the Drupal community. While I support this effort, I think it’s important to keep our expectations realistic. Some kinds of participation should be governed by a code of conduct, some require people to govern them directly, and others cannot be governed by the community at all.

Drush Cron on Dreamhost

Submitted by Darren Oh on Mon, 02/08/2016 - 10:19

I set up Dreamhost cron jobs to run drush cron for two different sites running Drupal 8.0.3. One of the cron jobs worked, but the other failed with a syntax error. Drupal 8 requires PHP 5.5.9 or later, and the default version of PHP for one of the sites was 5.4.42. Changing the default PHP version in .bash_profile and .bashrc did not fix the error.

Protecting private files in Drupal 8

Submitted by Darren Oh on Thu, 02/04/2016 - 14:32

If you add a private files directory after installing Drupal 8.0.3, you will get a warning on the status page saying that it is not fully protected and pointing you to https://www.drupal.org/SA-CORE-2013-003 for information about how to protect it with an .htaccess file. The message shows up even if the directory is not Web-accessible. Ignore it. The .htaccess file will be created automatically after caches are rebuilt.
