Embed Size (px)
Citation preview
GET DRUPAL B DONE
Earlier this week…
11 release blockers!
Now…
5
8
10
13
15
Monday Tuesday Wednesday Thursday Friday
11 release blockers!
OUR DEMO: HOW WE ARE SAVING THE DRUPAL WORLD FROM THE ZOMBIE APOCALYPSE OF CRITICAL ISSUES
Lots of things were fixed during the hackathon…
• 4 critical security issues (in D6/7 *and* 8!)
• 8 blockers to Safe Markup criticals
• 2 upgrade path criticals
• 1 Entity API critical
…so how did we go from 11 to 11?
Security
SHIPPED!
Thanks, Peter! :D
Before SA…
5
8
10
13
15
Monday Tuesday Wednesday Thursday Friday
<— Previously hiddencriticals!
After SA…
Would love to demo, but…
Customs confiscated my Neuralyzer. ;)
Safe Markup
CLOSE!
Markup in Drupal 7<script>alert('Mwahahaha!')</script>
<script>alert("Mwahahaha!")</script>
https://www.drupal.org/writing-secure-code
check_plain()/check_markup() filter_xss()/filter_xss_admin()
t() + @ or %
If you forget…
Markup in Drupal 8<script>alert('Mwahahaha!')</script>
<script>alert("Mwahahaha!")</script>
"Twig autoescape enabled" change record
If you forget…
Instances of SafeMarkup::set()
[meta] Remove every SafeMarkup::set() call
This week! =>
Upgrade Path
CLOSE!
Sordid tale…• Beta 12 (June 29) we started requiring
upgrade paths in core patches.
• Beta 13 (July 29) we attempted to provide an upgrade path to site builders from Beta 12
• People tested it, found out stuff broke (silent fails on content updates)
• Now fixing those issues, and adding better automated tests to mitigate future regressions.
Watch for beta-15 for upgrade path provided by core, take 2
15
…and please, please, stop testing D8 so we can ship! ;)
Scalability
SHIPPED!
files/php
files/php
• Drupal 6/7: more secure for our customers today
• Drupal 8: more secure for our customers tomorrow (including plugging #1 security hole)
• Drupal 8 beta-to-beta upgrade path two issues away from being unblocked
• Major milestone for customers waiting to make the leap into Drupal 8
• Less Cloud Team angst!
Hackathon Accomplishments, in short…
Thanks!
