Skip to main content

5 posts tagged with "Drupal7"

View All Tags

· 4 min read
Klaus Purer

The official Drupal 7 end of life date is still a couple of months away. Even before the Drupal 7 extended support phase starts, Drupal 7 site owners are already facing the problem of Drupal 7 contributed modules becoming unsupported. The maintainers of such Drupal 7 modules decide that they don't want to support them anymore and make a fatal mistake: they mark the module as unsupported on drupal.org. Per drupal.org's policy PSA-2023-06-07 security support cannot be enabled again for the module, so even if there are new maintainers willing to take over they can't do that on drupal.org.

Views Slideshow: 70,000 site installations

This happened recently to the Views Slideshow module which is currently used on 70,000 Drupal 7 sites. What the maintainers might not have realized: when they abandon security support for such a widely used module thousands of emails are sent out by Drupal's own update status module to site owners. A red light warning turns on in the admin backend showing that there is a potential security problem:

Screenshot of the Drupal status report page with text: "The installed version of at least one of your modules or themes is no longer supported. Upgrading or disabling is strongly recommended. See the project homepage for more details. See the available updates page for more information and to install your missing updates."

And on the updates page:

Screenshot of the Drupal Updates page: "Views Slideshow 7.x-3.10. Project not supported: This project is no longer supported, and is no longer available for download. Disabling everything included by this project is strongly recommended!"

I don't blame the maintainers: they don't run Drupal 7 sites anymore and overlooked the large user base. The problem is getting out of this process failure to put the Views Slideshow module back on security support.

The strength of the Drupal community is that people care and try to find solutions: a8w4 opened an issue for discussion.

D7Security takes over maintenance

As it happens my clients also use the Views Slideshow module. In the D7Security group we have a process in place to take over maintenance of abandoned modules. We did this before for other projects (see Supported Projects) and also released security advisories. Both our policy conditions are met: D7Security members use the Views Slideshow module and it is unsupported on drupal.org.

Gregor and I worked on transferring the source code from drupal.org to our new Views Slideshow repository. We made a new release according to our release process to establish the new home of Views Slideshow. I also reached out to the former maintainers of the module if there are any known unresolved security vulnerabilities - we want to deal with them to protect our sites.

This is great so far but there is an important obstacle: only Drupal 7 sites that followed our user guide will know that the Views Slideshow module is supported again. If you run Drupal 7 sites I urge you to install the d7security_client module to join our shared Drupal 7 maintenance effort!

A plea to Drupal 7 maintainers

While Drupal 7 is still supported I plea to all Drupal 7 maintainers to not mark modules as unsupported on drupal.org. Please? Please! Please please please.

Instead, you can reach out to us, the D7Security group via our communication channels. If we use the project we are happy to take over maintainership on drupal.org. Releases on drupal.org reach many more users than when they are forked here in D7Security.

What about official commercial Drupal 7 support providers?

I'm very happy that there are now at least 2 (soon 3) official commercial providers for Drupal 7 extended support. They have only been announced recently and focus on supporting Drupal 7 from next year on. This is a bit disappointing to me, as there is already a security support need right now with the Views Slideshow module being only one example. I hope we can improve on that soon - I want to collaborate with the commercial providers as much as their business model allows.

It feels weird to write this: currently the best Drupal 7 security support is coming from community projects (the Drupal Security Team + the D7Security Group) because the commercial Drupal 7 extended support providers are not maintaining or releasing anything yet.

Conclusion

There is a path forward for Drupal 7 contrib module support - we can catch unsupported modules and distribute update information with our D7Security project. Join us! 🤗

· 3 min read
Klaus Purer

Welcome to the fourth D7Security newsletter!

Presentation at Drupal Austria meetup

I did a short presentation about D7Security at the Drupal Austria March Meetup. I recorded the session afterwards and you can watch it on YouTube.

On June 26th I will talk about D7Security again at Drupal Dev Days Burgas. I will try to outline options for Drupal 7 site owners from migration to long term support and I'm looking forward to a discussion what developers need to handle their Drupal 7 projects in the future. Let me know if you have any topic that could fit and is not in the talk description yet!

Security advisory process established

The D7Security group now publishes security releases with accompanying security advisory posts on the website, very similar to what the Drupal Security Team does on drupal.org. Check out our first advisory post for the Coffee module.

Help wanted for the D7Security website

The work on the d7security.org website is ongoing, but the people working on it are busy and could use some help. We have a basic design and now need to fix links and dummy text. If you are interested to contribute please reach out to me or Allison!

Commercial extended support for Drupal 7

I'm in contact with 2 commercial vendors that will offer extended support for Drupal 7 (HeroDevs and Tag1 Consulting). They could be interesting for organizations that need compliance security guarantees for their Drupal 7 projects or need other ongoing Drupal 7 coverage. My goal is to collaborate with those vendors in the D7Security group, so that they release their security fixes in the D7Security open source project. If we get a commitment from them to participate in the D7Security project then we can promote and recommend them for site owners seeking commercial contracts.

Drupal 7 beyond January 2025

Roughly 300,000 sites are still running on Drupal 7, down from 400k sites a year ago. The official Drupal 7 end-of-life date is 8 months away and I expect more sites moving away from Drupal 7 at a faster rate before that. I assume that more than 100k Drupal 7 sites will still be running after January 2025. I'm working with clients that will likely still run on Drupal 7 beyond January. It is becoming even more clear to me that a Drupal 7 long term support solution is needed and that we need a central place to continue to maintain Drupal 7 core and selected contrib projects. D7Security could be the open source collaboration place to take over Drupal 7 maintenance. This will be interesting to plan in the next months and I hope to get Drupal 7 developers on board that need to do this work anyway. That is all for today, please reach out in our communication channels if you have any questions!

· 3 min read
Klaus Purer

Welcome to the third D7Security newsletter!

First security release

On February 28th the D7Security group released their first security update of a contributed Drupal 7 module. In coordination with the Drupal Security Team new versions of the Coffee module were published on drupal.org for Drupal 10 and on gitlab.com for Drupal 7. The Coffee module is now in the list of supported D7Security projects. This is a big milestone for the D7Security group and proves that our technical setup is capable of distributing and notifying Drupal 7 site owners of new Drupal 7 security updates. Special thanks to Greg Knaddison and Oliver Köhler for helping me with the Coffee release!

New supported modules: coffee, ldap, simple_gmap

Besides the already mentioned Coffee module we took 2 more modules under the D7Security umbrella and released new versions for them: ldap and simple_gmap. This was only possible because of a new D7Security member that stepped up and contributed these 2 modules, which brings me to my next point ...

New D7Security member: Caroline Boyden

I'm happy that Caroline joined and was able to release the ldap and simple_gmap module completely on her own just by following our release documentation. I'm relieved that other contributors find their way around how to get stuff done in the D7Security group, which also validates my ideas how to operate and that this project is not dependent on myself. Thanks a lot Caroline!

Planning security advisories

Jen Lampton brought up the topic of security advisories, which the D7Security group does not publish yet. I opened a discussion on D7Security advisories, planning something similar as Drupal.org is doing at https://www.drupal.org/security/ or Backdrop at https://backdropcms.org/security/advisories . The main purpose of D7Security is to provide security alerts and updates, so I think advisory posts are a good idea as well.

Improved Wiki documentation

I improved the start page and menu sidebar in our Wiki to make it more clear. I also added an overview page how D7Security works, check it out! Presentation at Drupal Austria meetup I will do a short presentation about D7Security at the Drupal Austria March Meetup. I will post the slides afterwards and maybe I can also find the time to do a video recording.

d7security.org website

The D7Security website is still work in progress, we have some designs that we are currently reviewing. More updates will follow! That's it for this newsletter, let me know if you have any questions!

· 2 min read
Klaus Purer

Welcome to the second D7Security newsletter!

Podcast episode about D7security

I did an episode on the Drupal 7 End-of-Life podcast with Mark and Chris from Chromatic. It was a pleasure to talk with them and you can get a lot of background information on the D7Security group motivation.

New D7Security members

I'm very happy to announce that several more people have stepped up as members of the D7Security group:

  • John Locke
  • Jen Lampton Backdrop CMS Security team member who can can help us coordinate with them
  • Gregor Sýkora
  • Greg Knaddison Drupal 10 Security team member who can help us coordinate with them
  • Allison Vorthmann from Herodevs, who are planning a Never Ending Drupal 7 support product

If you are interested in continuing security support for a Drupal 7 module please check our members page about how to join!

Drupal 7 Message module support

The Drupal 7 version of the Message module got unsupported on drupal.org and D7Security group took it over. We forked it on Gitlab.com, made a 7.x-1.13 release and marked it as supported in the D7Security group. If you would like to get update notifications about D7Security supported projects please follow the user guide.

d7security.org website

Allison Vorthmann is looking into implementing a design for the d7security.org static website, to provide information and news. Thank you Allison! If you would like to help with the website or any other topic feel free to reach out to us

· 2 min read
Klaus Purer

Welcome to the first D7Security newsletter! The D7Security initiative is now starting up and we have accomplished a couple of things so far:

Gitlab wiki documentation

There is a lot of written documentation in the Gitlab wiki already. I would like to highlight the mission and values page here that outlines the D7Security philosophy.

User Guide

The first version of a user guide is now available in the wiki. It describes how Drupal 7 site administrators can get updates of supported modules by the D7Security initiative.

A dummy page is now live at https://www.d7security.org/ and we have a logo for the D7Security group! Special thanks to Sebastian Gilits for generating the logo. I'm looking for help to make the website pretty, accessible and informative. Please get in touch at the Gitlab issue if you would like to contribute!

Technical prototype validated

With the fork of the Drupal 7 Devel module we have validated in a prototype that the release process and update status functionality works on Gitlab. The release process was also documented in the wiki. We are ready to release more Drupal 7 modules in the D7Security group!

New D7Security members

I'm happy to announce that I could add 3 senior developers as members to the D7Security group. Thanks a lot Ivan, Juraj and Andrii for joining! I'm in contact with more developers as well, please check the wiki page if you are interested in joining!

Next steps

Besides building out the d7security.org website there are a couple of small TODOs being collected. The next bigger milestone will be the first security release of a module in the D7security group, once we encounter such a case. Thank you all for your input and support!