There will be an important security release of contrib modlules at 11 AM Central time today. Yes, in a few minutes. We're ready to start doing a rollout of these to our clients who are on security contracts.
Drupal Camp Wisconsin is on! and will be held on July 29-30 in beautiful Madison Wisconsin. This year we will be meeting at the Chemistry biulding on the UW Campus. There are still open slots for presentations --- so please stop by at http://drupalcampwi.org or make a session proposal, or to sign up for the camp.
Everyone in the world is back from Drupalcon - full of seafood and other New Orleans specialties, and tired after all the great ideas and --- netowrking. So things are slowly getting back to normal here at the farm as this video will attest. Unpacking and getting back to work. And yes, I DO look a lot like Gene Autrey - it never occurred to me before I watched the video.
Update --- all of our servers are now fully patched with the recently released updates for ImageMagick -
The talk of the Internet for the last few days has been a new exploit termed ImageTragick - CVE-2016–3714. It's a potential exploit on any server with the ImageMagick package installed that runs web apps that do not check properly for file type before displaying a file manipulated through the Convert command. It doesn't look like Drupal is VERY exploitable by this (and would only be exploitable if the site used ImageMagick, which is not a lot of them. Wordpress will also only be vulnerable if it uses an extension that calls ImageMagick.
However, since our clients run all sorts of code on our servers, we have just taken steps to mitigate this vulnerability on all of our servers. We don't think this will have any bad effects on any production sites - but if you're suddenly having issues with image processing, this may be why. We've patched the policy.xml file on all of the servers as suggested by Red Hat and CentOS. This should stop any potential exploits until such time that actual patches for ImageMagick are available that are known to actually fix the exploit - probably next week.
As most of you are probably aware, Drupal 6 support formally ends on Feb. 24 - so all official support for D6 ends on that date. This has a few ramifications:
- As of that date the Drupal Security Team will no longer release new patches and will no longer send out security notices.
- Most module developers will stop suporting their Drupal 6 versions of modules altogether.
- At some point the security notices on D6 sites should start reporting "unsupported" status for everything.
- We will no longer be able to provide the same sort of support on D6 that we have in the past - in particular we cannot really guarantee any updates will occur.
We're still working on a formal stance on support for D6, since there's quite a lot of activity around the possiblity of a D6 LTS support model to be provided by a few commercial vendors. Being a small company with limited resources, we will not be one of those vendors.
Most likely what we will recommend for everyone using Drupal 6 at this point will be the following:
- If you keep a Drupal maintenance contract on your site we will make a best effort to apply any Drupal patches that become available through the D6 LTS support system - but we cannot make any promise that any Drupal security issues will be patched in a timely basis. We will only be applying patches for security issues, and only if they become publicly available. We are currently mulling over a price structure for this.
- If you prefer you can cancel your D6 support contract and your site will be on its own for any security updates. Frankly we do not expect a LOT of security patches will be ported to D6 in the future, but it's always possible something truly serious will pop up.
- If support for your D6 site is important to you and you do not believe you will be upgrading to D7 or D8 in the near future then we will be happy to recommend a support company that is doing D6 support on a commercial basis. This is likely to become expensive, and may in a lot of cases require that you host your site with the support company involved. However, if support long-term on D6 is important to you, subscribing to one of those services will help to fund back-porting of security fixes to D6 and will support the Drupal community.
In any case, we recommend that if you are on Drupal 6 that you make an attempt to upgrade to D7 or D8 as soon as possible. We will not be taking on any new support contracts for D6 sites as of today. We'll be glad to discuss the possible options with you whether or not you are currently a customer.
Drupal continues to move forward, adding in more features, more power, higher performance, and lots of other new goodies. Drupal 8 in particular is bringing a lot to the table, and a whole new world of web development.
Unfortunately it's also big, and has a lot of new requirements for web hosting which may make it difficult to host your D8 site on a lot of hosting services, particularly if you want to host in a shared hosting environment.
We're working on a solution for that, and are offering a shared hosting environment guaranteed to work with Drupal 8. The D8 package is much like our previous half-acre hosting setup, but includes more:
- Choice of PHP 5.4, 5.5, 5.6, or 7.0 - your choice on every site, or even by directory. We recommend 5.6 currently as many Drupal contrib modules may have trouble with 7.0 (and we REALLY recommend not going with 7.0 if you're on Drupal 7).
- MariaDB 5.5
- One-click Drupal 8 installer
- CentOS 7.2 operating system
- 20 Gbytes of storage
- Unlimited bandwidth
- 6 MySQL databases
- Up to 4 real domains and up to 20 aliases
- Up to 100 email accounts
- php.ini per site under your control - with up to 256 meg php instances
- Drush, Composer, and Git all available on the server
- ssh login to server and scp file access
- Virtualmin Pro control panel
- Free optimized Cloudflare (optional)
This is a work in progress - we are working to make this the best shared hosting environment for Drupal developers, and we'd like to enlist your help. For a limited time we are offering one free month of this service, and you can sign up by going to https://billing.cruiskeenconsulting.com/cart.php?a=add&pid=36 and entering the discount code D8testing at checkout (you need to sign up for monthly billing). No contract, cancel any time.
Help us polish our D8 hosting service and get a free month of hosting to boot ---
Yesteray I went off on an experiment with one of our own Drupal sites. For some years now I've maintaned the web site http://www.uppitywis.org - it's a political blog about progressive politics in Wisconsin. It's gone thorugh a lot of different configurations and life stages. At the moment it's built on a pretty straightforward build of Panopoly,. In the most recent version I have taken it out of Varnish, and it runs behind Cloudflare.
In an attempt to eat our own Dogfood as a Cloudlflare host, I though I'd make a stab at making Cloudflare cache the entire site, rather than just the static assets. You can do this in the free Cloudflare implementation by setting up a rule that says "cache everything" and putting it in with your three allowed rules. I've also set up rules to not cache admin* and user* and have put those ahead of the cache everything rule - so that admin functions are not cached.
I'm spending time this week at Nerd Summit 2015. This has been a great experience, covering many different areas. This is fairly heavy on Drupal, but not at all Drupal-specific. At the moment I'm in the Business Panel, which is really very interesting.
The latest requirements for Drupal 8 include a requirement for MySQL/MariaDB/PerconaDB of version 5.5.3 or later - now THAT one may be an issue for a lot of hosting companies. We're going to get that done, but it's a little more unusual than the PHP requirement. At the moment our solution to this is to be using CentOS 7 for all of our database servers (and since CentOS 7 uses MariaDB 5.5, that works fine). We're currently re-thinking what we're actually going to do about this before the Drupal 8 release.
I'm writing a little bit today about some of the concerns that folks are having about Drupal 8, the new hosting requirements it imposes, and particularly the concerns that smaller organizations will not be able to find Drupal 8 compatible hosting plans. There is a lot going on with us and with other hosting companies at the moment to support Drupal 8 and other PHP software that has more modern requirements. We don't think this will be an issue with most reliable hosting companies by the time Drupal 8 ships.
Some things you probably should know about our company:
- What's this Cruiskeen thing? Its Gaelic. A cruiskeen is a little jug. Our farm is named Cruiskeen Lawn, which has a number of different stories associated with it that are way too confusing to go into. Suffice it to say that among other things I'm a home brewer abd we make a fair quantity of beer, wine, and cider here.