Acquia Drupal 8 Hackathon Demo 2015

GET DRUPAL B DONE

Earlier this week…

11 release blockers!

Now…

5

8

10

13

15

Monday Tuesday Wednesday Thursday Friday

11 release blockers!

OUR DEMO: HOW WE ARE SAVING THE DRUPAL WORLD FROM THE ZOMBIE APOCALYPSE OF CRITICAL ISSUES

Lots of things were fixed during the hackathon…

• 4 critical security issues (in D6/7 *and* 8!)

• 8 blockers to Safe Markup criticals

• 2 upgrade path criticals

• 1 Entity API critical

…so how did we go from 11 to 11?

Security

SHIPPED!

Thanks, Peter! :D

Before SA…

5

8

10

13

15

Monday Tuesday Wednesday Thursday Friday

<— Previously hiddencriticals!

After SA…

Would love to demo, but…

Customs confiscated my Neuralyzer. ;)

Safe Markup

CLOSE!

Markup in Drupal 7<script>alert('Mwahahaha!')</script>

&lt;script&gt;alert(&quot;Mwahahaha!&quot;)&lt;/script&gt;

https://www.drupal.org/writing-secure-code

check_plain()/check_markup() filter_xss()/filter_xss_admin()

t() + @ or %

If you forget…

Markup in Drupal 8<script>alert('Mwahahaha!')</script>

&lt;script&gt;alert(&quot;Mwahahaha!&quot;)&lt;/script&gt;

"Twig autoescape enabled" change record

If you forget…

Instances of SafeMarkup::set()

[meta] Remove every SafeMarkup::set() call

This week! =>

Upgrade Path

CLOSE!

Sordid tale…• Beta 12 (June 29) we started requiring

upgrade paths in core patches.

• Beta 13 (July 29) we attempted to provide an upgrade path to site builders from Beta 12

• People tested it, found out stuff broke (silent fails on content updates)

• Now fixing those issues, and adding better automated tests to mitigate future regressions.

Watch for beta-15 for upgrade path provided by core, take 2

15

…and please, please, stop testing D8 so we can ship! ;)

Scalability

SHIPPED!

files/php

files/php

Replace Symfony container with a Drupal one, stored in cache

• Drupal 6/7: more secure for our customers today

• Drupal 8: more secure for our customers tomorrow (including plugging #1 security hole)

• Drupal 8 beta-to-beta upgrade path two issues away from being unblocked

• Major milestone for customers waiting to make the leap into Drupal 8

• Less Cloud Team angst!

Hackathon Accomplishments, in short…

Thanks!