24 Apr 2018

feedPlanet Grep

Xavier Mertens: [SANS ISC] The real value of an IOC?

I published the following diary on isc.sans.org: "The real value of an IOC?":

When a new malware sample is analysed by a security researcher, details are usually posted online with details of the behaviour and, based on this, a list of IOCs or "Indicators of Compromise" is published. Those indicators are pieces of technical information that, if detected on your network or hosts, may indicate that it has been compromised or at least something suspicious occurred… [Read more]

[The post [SANS ISC] The real value of an IOC? has been first published on /dev/random]

24 Apr 2018 11:07am GMT

22 Apr 2018

Wouter Verhelst: host detection in bash

There are many tools to implement this, and yeah, this is not the fastest. But the advantage is that you don't need extra tools beyond "bash" and "ping"...

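for i in $(seq 1 254); do
  if ping -W 1 -c 1 192.168.0.$i; then
    HOST[$i]=1  # index = last octet of an address that answered
  fi
done
echo "${!HOST[@]}"  # print the indices of the HOST array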

will give you the host addresses for the machines that are live on a given network...

22 Apr 2018 10:04am GMT

21 Apr 2018

Frank Goossens: Music from our Tube: At Les, 20 years later

20 years ago I was somewhat into techno and stuff, especially the left-of-center music (and DJ sets) guys like Carl Craig and Stacey Pullen released.

Times change and that jazz thing has caught on pretty big the last couple of years for me. And now there's Japanese Jazz-maestro Toshio Matsuura covering Carl Craig's "At Les". How great is that, right!?

21 Apr 2018 3:55am GMT

20 Apr 2018

Frank Goossens: Software development; of cats and monsters

20 Apr 2018 12:11pm GMT

19 Apr 2018

FOSDEM organizers: Video infrastructure to be shut down

It's several months after FOSDEM by now, but our video transcoding infrastructure is still up and running, in order to deal with the long tail of videos with issues that was still outstanding. This will change next week. Currently, 644 videos have been signed off on, while 25 are marked as needing some kind of intervention or further investigation. These mostly require us to read data from our backups. Unfortunately, due to various complications, it turns out that getting data from those backups is more involved than we initially thought. Now, almost three months after the event, it is not…

19 Apr 2018 3:00pm GMT

18 Apr 2018

Xavier Mertens: FIRST Technical Colloquium Amsterdam 2018 Wrap-Up

I'm just back from the 2018 edition of the FIRST TC ("Technical Colloquium") organized in Amsterdam. This was the second edition for me. The format was the same: one day of workshops and two days with normal presentations. And always 100% free! During the quick introduction, Jeff Bollinger from Cisco, which is hosting the event, gave some numbers about this edition: 28 countries represented, 91 organizations (mainly CERTs, SOCs, etc.) and 31 FIRST teams amongst them. 3 trainers, 14 speakers and 6 sponsors. Here is my quick review of the talks that I followed. Some of them were flagged as TLP:RED.

Alan Neville (Symantec) presented "The (makes me) Wannacry investigation". He reviewed the infection which started in May 2017 but also explained that Symantec identified previous versions of the malware already in February. Of course, Alan also covered the story of the famous kill-switch and gave some good advice: Create a sinkhole in your organization, set up a web server and capture all the traffic sent to it. You could detect interesting stuff!

Mathias Seitz (Switch) presented an updated version of his talk about DNS Firewalling ("DNS RPZ intro and examples"). He re-explained how it works and why a DNS firewall can be a great security control and not difficult to put in place. Don't forget that you must have procedures and processes in place to support your users and the (always possible) false positive. FYI, here is a list of DNS RPZ providers active in 2018:

  • Farsight security
  • (Infoblox)
  • Spamhaus
  • Switch
  • ThreatSTOP

And organizations providing DFaaS ("DNS Firewall as a Service") if you don't run a resolver:

  • Akamai AnswerX
  • Cisco OpenDNS Umbrella
  • Comodo Secure DNS
  • Neustar Recursive DNS
  • ThreatSTOP
  • Verisign

Krassimir Tzvetanov (Fastly) presented "Investigator Opsec". For me, it was one of the best presentations of this edition. Krassimir explained the mistakes that we all make when performing investigations or threat hunting. And those mistakes can help the attackers to detect that they are being tracked or, worse, to disclose some details about you! For example, the first advice provided was to not block the attacker too quickly because you teach them how to improve! Sandboxes must be hardened and tools used must be properly configured and used. Example: data enrichment may lead to resolving domain names or contacting IP addresses without your prior consent! Do we have to say something about services like VirusTotal? It was very constructive and opened my eyes… Yes, I'm making a lot of mistakes too!

Melanie Rieback (Radically Open Security) presented "Pentesting ChatOps". Also, a very attractive talk where Melanie explained how she started a business based on freelancers and fully "virtual". There is no physical office and all the communications between consultants and also customers are performed through chat rooms! Event logs are sent to chat rooms.

Abhishta (University of Twente) presented "Economic impact of DDoS attacks: How can we measure it?". It started with a description of the DDoS business. They are very profitable and even more with the huge amount of vulnerable IoT devices that are easier to compromise. In 75%, the cost to build a DDoS infrastructure is ~1% of the revenue! What's the main impact of DDoS? Reputation! But it can quickly turn into money loss. Why? Victim of DDoS, the organization has a negative view in the media, there is a decrease in stock demands and then a fall of stock price! Abhishta also explained how they use Google Alerts to get news about companies and correlate them with the DDoS reports.

Jaeson Schultz (Cisco - Talos) presented "It's a Trap". He explained how spammers are working today and how campaigns are organized. Then, he explained how to build an effective spam trap based (tip: the choice of the domain names is a critical key to get as much spam as possible).

The last presentation for me was an update from a previous one by Tom Ueltschi (Swiss Post): "Advanced Incident Detection and Threat hunting with Sysmon & Splunk". Tom explained again how he successfully deployed Sysmon with Splunk on all end-points in his company and how he is able to detect a lot of malicious activity thanks to the power of Splunk.

The audience was mainly made up of Incident Handlers; it was a good opportunity for me to increase my network and make new friends as well as discussing new projects and crazy ideas 😉

[The post FIRST Technical Colloquium Amsterdam 2018 Wrap-Up has been first published on /dev/random]

18 Apr 2018 7:52pm GMT

Xavier Mertens: [SANS ISC] Webshell looking for interesting files

I published the following diary on isc.sans.org: "Webshell looking for interesting files":

Yesterday, I found on Pastebin a bunch of samples of a webshell that integrates an interesting feature: It provides a console mode that you can use to execute commands on the victim host. The look and feel of the webshell is classic… [Read more]

[The post [SANS ISC] Webshell looking for interesting files has been first published on /dev/random]

18 Apr 2018 1:07pm GMT

17 Apr 2018

Dries Buytaert: Acquia blocks 500,000 attack attempts for SA-CORE-2018-002

On March 28th, the Drupal Security Team released a bug fix for a critical security vulnerability, named SA-CORE-2018-002. Over the past week, various exploits have been identified, as attackers have attempted to compromise unpatched Drupal sites. Hackers continue to try to exploit this vulnerability, and Acquia's own security team has observed more than 100,000 attacks a day.

The SA-CORE-2018-002 security vulnerability is highly critical; it allows an unauthenticated attacker to perform remote code execution on most Drupal installations. When the Drupal Security Team made the security patch available, there were no publicly known exploits or attacks against SA-CORE-2018-002.

That changed six days ago, after Checkpoint Research provided a detailed explanation of the SA-CORE-2018-002 security bug, in addition to step-by-step instructions that explain how to exploit the vulnerability. A few hours after Checkpoint Research's blog post, Vitalii Rudnykh, a Russian security researcher, shared a proof-of-concept exploit on GitHub. Later that day, Acquia's own security team began to witness attempted attacks.

The article by Checkpoint Research and Rudnykh's proof-of-concept code have spawned numerous exploits, which are written in different programming languages such as Ruby, Bash, Python and more. As a result, the number of attacks has grown significantly over the past few days.

Fortunately, Acquia deployed a platform level mitigation for all Acquia Cloud customers one hour after the Drupal Security Team made the SA-CORE-2018-002 release available on March 28th. Over the past week, Acquia has observed over 500,000 attacks from more than 3,000 different IP addresses across our fleet of servers and customer base. To the best of our knowledge, every attempted exploitation of an Acquia customer has failed.

SA-CORE-2018-002 timeline of events as seen by Acquia

The scale and the severity of this attack suggests that if you failed to upgrade your Drupal sites, or your site is not supported by Acquia Cloud or another trusted vendor that provides platform level fixes, the chances of your site being hacked are very high. If you haven't upgraded your site yet and you are not on a protected platform then assume your site is compromised. Rebuild your host, reinstall Drupal from a backup taken before the vulnerability was announced and upgrade before putting the site back online. (Update: restoring a Drupal site from backup may not be sufficient as some of the exploits reinstall themselves from crontab. You should assume the whole host is compromised.)

Drupal's responsible disclosure policy

It's important to keep in mind that all software has security bugs, and fortunately for Drupal, critical security bugs are rare. It's been nearly four years since the Drupal Security Team published a security release for Drupal core that is this critical.

What matters is how software projects or software vendors deal with security bugs. The Drupal Security Team follows a "coordinated disclosure policy": issues remain private until there is a published fix. A public announcement is made when the threat has been addressed and a secure version of Drupal core is also available. Even when a bug fix is made available, the Drupal Security Team is very thoughtful with its communication. The team is careful to withhold as many details about the vulnerability as possible to make it difficult for hackers to create an exploit, and to buy Drupal site owners as much time as possible to upgrade. In this case, Drupal site owners had two weeks before the first public exploits appeared.

Historically, many proprietary CMS vendors have executed a different approach, and don't always disclose security bugs. Instead, they often fix bugs silently. In this scenario, secrecy might sound like a good idea; it prevents sites from being hacked and it avoids bad PR. However, hiding vulnerabilities provides a false sense of security, which can make matters much worse. This approach also functions under the assumption that hackers can't find security problems on their own. They can, and when they do, even more sites are at risk of being compromised.

Drupal's approach to security is best-in-class - from fixing the bug, testing the solution, providing advance notice, coordinating the release, being thoughtful not to over communicate too many details, being available for press inquiries, and repeatedly reminding everyone to upgrade.

Acquia's platform level fix

In addition to the Drupal Security Team's responsible disclosure policy, Acquia's own security team has been closely monitoring attempted attacks on our infrastructure. Following the release of the Checkpoint Research article, Acquia has tracked the origin of the 500,000 attempted attacks:

SA-CORE-2018-002 map of attacks against Acquia Cloud customers. This image captures the geographic distribution of SA-CORE-2018-002 attacks against Acquia's customers. The number denoted in each bubble is the total number of attacks that came from that location.

To date, over 50 percent of the attempted attacks Acquia has witnessed originate from the Ukraine:

SA-CORE-2018-002 countries as seen by Acquia

At Acquia, we provide customers with automatic security patching of both infrastructure and Drupal code, in addition to platform level fixes for security bugs. Our commitment to keeping our customers safe is reflected in our push to release a platform level fix one hour after the Drupal Security Team made SA-CORE-2018-002 available. This mitigation covered all customers with Acquia Cloud Free, Acquia Cloud Professional, Acquia Cloud Enterprise, and Acquia Cloud Site Factory applications; giving our customers peace of mind while they upgraded their Drupal sites, with or without our help. This means that when attempted exploits and attacks first appeared in the wild, Acquia's customers were safe. As a best practice, Acquia always recommends that customers upgrade to the latest secure version of Drupal core, in addition to platform mitigations.

This blog post was co-authored by Dries Buytaert and Cash Williams.

17 Apr 2018 7:51pm GMT

Frank Goossens: Autoptimize 2.4 beta 2; hooking into page cache purges and better Google Fonts handling

I just pushed out an update of the Autoptimize 2.4 beta branch on GitHub, with this in the changelog;

We're still looking for beta-testers and some of these new features might convince you to jump on board? You can download the zip-file here; installing it is a simple one-time process:

  1. Deactivate Autoptimize 2.3.x
  2. Go to Plugins -> New -> Upload
  3. Select the downloaded zipfile and upload
  4. Click activate
  5. Go to Settings -> Autoptimize to review some of the new settings

In case of any problem; we're actively looking for feedback in the GitHub Issue queue :-)

17 Apr 2018 4:48pm GMT

Dries Buytaert: State of Drupal presentation (April 2018)

Cowboy Dries at DrupalCon Nashville. © Yes Moon

Last week, I shared my State of Drupal presentation at Drupalcon Nashville. In addition to sharing my slides, I wanted to provide more information on how you can participate in the various initiatives presented in my keynote, such as growing Drupal adoption or evolving our community values and principles.

Drupal 8 update

During the first portion of my presentation, I provided an overview of Drupal 8 updates. Last month, the Drupal community celebrated an important milestone with the successful release of Drupal 8.5, which ships with improved features for content creators, site builders, and developers.

Drupal 8 continues to gain momentum, as the number of Drupal 8 sites has grown 51 percent year-over-year:

Drupal 8 site growth. This graph depicts the number of Drupal 8 sites built since April 2015. Last year there were 159,000 sites and this year there are 241,000 sites, representing a 51% increase year-over-year.

Drupal 8's module ecosystem is also maturing quickly, as 81 percent more Drupal 8 modules have become stable in the past year:

Drupal 8 module readiness. This graph depicts the number of modules now stable since January 2016. This time last year there were 1,028 stable projects and this year there are 1,860 stable projects, representing an 81% increase year-over-year.

As you can see from the Drupal 8 roadmap, improving the ease of use for content creators remains our top priority:

Drupal 8 roadmap. This roadmap depicts Drupal 8.5, 8.6, and 8.7+, along with a column for "wishlist" items that are not yet formally slotted. The contents of this roadmap can be found at https://www.drupal.org/core/roadmap.

Four ways to grow Drupal adoption

Drupal 8 was released at the end of 2015, which means our community has had over two years of real-world experience with Drupal 8. It was time to take a step back and assess additional growth initiatives based on what we have learned so far.

In an effort to better understand the biggest hurdles facing Drupal adoption, we interviewed over 150 individuals around the world that hold different roles within the community. We talked to Drupal front-end and back-end developers, contributors, trainers, agency owners, vendors that sell Drupal to customers, end users, and more. Based on their feedback, we established four goals to help accelerate Drupal adoption.

Lets grow Drupal together

Goal 1: Improve the technical evaluation process

Matthew Grasmick recently completed an exercise in which he assessed the technical evaluator experience of four different PHP frameworks, and discovered that Drupal required the most steps to install. Having a good technical evaluator experience is critical, as it has a direct impact on adoption rates.

To improve the Drupal evaluation process, we've proposed the following initiatives:

Initiative | Issue link | Stakeholders | Initiative coordinator | Status
Better discovery experience on Drupal.org | Drupal.org roadmap | Drupal Association | hestenet | Under active development
Better "getting started" documentation | #2956879 | Documentation Working Group | grasmash | In planning
More modern administration experience | #2957457 | Core contributors | ckrina and yoroy | Under active development

To become involved with one of these initiatives, click on its "Issue link" in the table above. This will take you to Drupal.org, where you can contribute by sharing your ideas or lending your expertise to move an initiative forward.

Goal 2: Improve the content creator experience

Throughout the interview process, it became clear that ease of use is a feature now expected of all technology. For Drupal, this means improving the content creator experience through a modern administration user interface, drag-and-drop media management and page building, and improved site preview functionality.

The good news is that all of these features are already under development through the Media, Workflow, Layout and JavaScript Modernization initiatives.

Most of these initiative teams meet weekly on Drupal Slack (see the meetings calendar), which gives community members an opportunity to meet team members, receive information on current goals and priorities, and volunteer to contribute code, testing, design, communications, and more.

Goal 3: Improve the site builder experience

Our research also showed that to improve the site builder experience, we should focus on improving the three following areas:

We plan to make all of these aspects easier for site builders through the following initiatives:

Initiative | Issue link | Stakeholders | Initiative coordinator | Status
Composer & Core | #2958021 | Core contributors + Drupal Association | Coordinator needed! | Proposed
Config Management 2.0 | #2957423 | Core contributors | Coordinator needed! | Proposed
Security LTS | 2909665 | Core committers + Drupal Security Team + Drupal Association | Core committers and Security team | Proposed, under discussion

Goal 4: Promote Drupal to non-technical decision makers

The fourth initiative is unique as it will help our community to better communicate the value of Drupal to the non-technical decision makers. Today, marketing executives and content creators often influence the decision behind what CMS an organization will use. However, many of these individuals are not familiar with Drupal or are discouraged by the misconception that Drupal is primarily for developers.

With these challenges in mind, the Drupal Association has launched the Promote Drupal Initiative. This initiative will include building stronger marketing and branding, demos, events, and public relations resources that digital agencies and local associations can use to promote Drupal. The Drupal Association has set a goal of fundraising $100,000 to support this initiative, including the hiring of a marketing coordinator.

$54k raised for the Promote Drupal initiative

Megan Sanicki and her team have already raised $54,000 from over 30 agencies and 5 individual sponsors in only 4 days. Clearly this initiative resonates with Drupal agencies. Please consider how you or your organization can contribute.

Fostering community with values and principles

This year at DrupalCon Nashville, over 3,000 people traveled to the Music City to collaborate, learn, and connect with one another. It's at events like DrupalCon where the impact of our community becomes tangible for many. It also serves as an important reminder that while Drupal has grown a great deal since the early days, the work needed to scale our community is never done.

Prompted by feedback from our community, I have spent the past five months trying to better establish the Drupal community's principles and values. I have shared an "alpha" version of Drupal's values and principles at https://www.drupal.org/about/values-and-principles. As a next step, I will be drafting a charter for a new working group that will be responsible for maintaining and improving our values and principles. In the meantime, I invite every community member to provide feedback in the issue queue of the Drupal governance project.

Values and principles alpha. An overview of Drupal's values with supporting principles.

I believe that taking time to highlight community members that exemplify each principle can make the proposed framework more accessible. That is why it was very meaningful for me to spotlight three Drupal community members that demonstrate these principles.

Principle 1: Optimize for Impact - Rebecca Pilcher

Rebecca shares a remarkable story about Drupal's impact on her Type 1 diabetes diagnosis:

Principle 5: Everyone has something to contribute - Mike Lamb

Mike explains why Pfizer contributes millions to Drupal:

Principle 6: Choose to Lead - Mark Conroy

Mark tells the story of his own Drupal journey, and how his experience inspired him to help other community members:

Watch the keynote or download my slides

In addition to the community spotlights, you can also watch a recording of my keynote (starting at 19:25), or you can download a copy of my slides (164 MB).

17 Apr 2018 1:26am GMT

16 Apr 2018

Mattias Geniar: Upcoming presentation at LOADays: Varnish Internals – Speeding up a site x100

The post Upcoming presentation at LOADays: Varnish Internals - Speeding up a site x100 appeared first on ma.ttias.be.

I'll be speaking at LOADays next Sunday about Varnish.

If you happen to be around, come say hi -- I'll be there all day!

Varnish Internals -- Speeding up a site x100

In this talk we'll look at the internals of Varnish, a reverse proxy with powerful caching abilities.

We'll walk through an HTTP request end-to-end, manipulate it, change it in ways that no one should ever do in production -- but it'll prove how powerful Varnish can be.

Varnish is a load balancer, caching engine, its own scripting language and a fun way to deep-dive into the HTTP protocol.

Source: Varnish Internals -- Speeding up a site x100 (Mattias Geniar)

16 Apr 2018 8:38am GMT

11 Apr 2018

Les Jeudis du Libre: Mons, 19 April: Data Science

This Thursday, 19 April 2018, at 7 pm, the 68th Mons session of the Jeudis du Libre de Belgique will take place.

Topic of this session: Data Science

Theme: Data Science|Big Data

Audience: General public

Speaker: Xavier Tordoir

Venue for this session: Université de Mons, Campus Plaine de Nimy, avenue Maistriau, Grands Amphithéâtres, Auditoire Curie (see this map on the UMONS website, or the OSM map).

Attendance is free and only requires registration by name, preferably in advance, or at the entrance to the session. Please indicate your intention by registering via the page http://jeudisdulibre.fikket.com/. The session will be followed by a friendly drink.

The Jeudis du Libre in Mons are also supported by our partners: CETIC, OpenSides, MeaWeb and Phonoid.

If you are interested in this monthly series, feel free to consult the agenda and subscribe to the mailing list to receive all announcements.

As a reminder, the Jeudis du Libre aim to be spaces for exchange around Free Software topics. The Mons meetings take place every third Thursday of the month and are organised on the premises of, and in collaboration with, the Mons Hautes Écoles and university faculties involved in training computer scientists (UMONS, HEH and Condorcet), with the support of the non-profit association (A.S.B.L.) LoLiGrUB, which is active in promoting free software.

Description: Data Science is a term that has become popular in recent years. Data Science has become a strategic concern in companies, a field of study in academia, and a highly valued job for practitioners. The presentation aims to cover what Data Science is, from data collection to decision making based on models built from that data. Many open source solutions make it possible to build an architecture for large-scale Data Science in the enterprise. We will cover these solutions as well as the tools and methods at the heart of data modelling and their context of use (for example predictions, recommendations, image analysis, text analysis, etc.).

Short bio: Xavier, who holds a PhD in physics, is a consultant and developer of Data Science and Big Data solutions. He designs and teaches training programmes in Data Science, machine learning and data pipelines. He was first active in academia as a researcher in computational genomics and as a lead for the development of distributed storage and computing solutions, and then in various projects in large companies and start-ups: marketing, IoT, high-frequency trading, banking and insurance.

11 Apr 2018 8:16am GMT

10 Apr 2018

LOADays Organizers: LOADays Schedule 2018 Online

The final draft of the LOADays 2018 schedule is online at http://loadays.org/pages/schedule.html

10 Apr 2018 10:00pm GMT

Dries Buytaert: Defining Drupal's values and principles

Values and principles balloons

Since its founding, Drupal has grown a great deal, and today there are thousands of contributors and organizations that make up our community. Over the course of seventeen years, we have spent a great amount of time and effort scaling our community. As a result, Drupal has evolved into one of the largest open source projects in the world.

Today, the Drupal project serves as a role model to many other open source projects; from our governance and funding models, to how we work together globally with thousands of contributors, to our 3,000+ person conferences. However, the work required to scale our community is a continuous process.

Prompted by feedback from the Drupal community, scaling Drupal will be a key focus for me throughout 2018. I have heard a lot of great ideas about how we can scale our community, in addition to improving how we all work together. Today, I wanted to start by better establishing Drupal's values and principles, as it is at the core of everything we do.

Remarkably, after all these years, our values (what guides these behaviors) and our principles (our most important behaviors) are still primarily communicated through word of mouth.

In recent years, various market trends and challenging community events have inspired a variety of changes in the Drupal community. It's in times like these that we need to rely on our values and principles the most. However, that is very difficult to do when our values and principles aren't properly documented.

Over the course of the last five months, I have tried to capture our fundamental values and principles. Based on more than seventeen years of leading and growing the Drupal project, I tried to articulate what I know are "fundamental truths": the culture and behaviors members of our community uphold, how we optimize technical and non-technical decision making, and the attributes shared by successful contributors and leaders in the Drupal project.

Capturing our values and principles as accurately as I could was challenging work. I spent many hours writing, rewriting, and discarding them, and I consulted numerous people in the process. After a lot of consideration, I ended up with five value statements, supported by eleven detailed principles.

I shared both the values and the principles on Drupal.org as version 1.0-alpha (archived PDF). I labeled it alpha, because the principles and values aren't necessarily complete. While I have strong conviction in each of the Drupal principles and corresponding values, some of our values and principles are hard to capture in words, and by no means will I have described them perfectly. However, I arrived at a point where I wanted to share what I have drafted, open it up to the community for feedback, and move the draft forward more collaboratively.

Values and principles alpha. An overview of Drupal's values with supporting principles.

While this may be the first time I've tried to articulate our values and principles in one document, many of these principles have guided the project for a very long time. If communicated well, these principles and values should inspire us to be our best selves, enable us to make good decisions fast, and guide us to work as one unified community.

I also believe this document is an important starting point and framework to help address additional (and potentially unidentified) needs. For example, some have asked for clearer principles about what behavior will and will not be tolerated in addition to defining community values surrounding justice and equity. I hope that this document lays the groundwork for that.

Throughout the writing process, I consulted the work of the Community Governance Group and the feedback that was collected in discussions with the community last fall. The 1.0-alpha version was also reviewed by the following people: Tiffany Farriss, George DeMet, Megan Sanicki, Adam Goodman, Gigi Anderson, Mark Winberry, Angie Byron, ASH Heath, Steve Francia, Rachel Lawson, Helena McCabe, Adam Bergstein, Paul Johnson, Michael Anello, Donna Benjamin, Neil Drumm, Fatima Khalid, Sally Young, Daniel Wehner and Ryan Szrama. I'd like to thank everyone for their input.

As a next step, I invite you to provide feedback. The best way to provide feedback is in the issue queue of the Drupal governance project, but there will also be opportunities to provide feedback at upcoming Drupal events, including DrupalCon Nashville.

10 Apr 2018 3:47pm GMT

FOSDEM organizers: Introducing FOSDEMx

FOSDEMx is a small scale spin-off of FOSDEM, combining a workshop track geared towards students and anyone interested in the topic, with a main track for a broader audience. FOSDEMx 0 will take place on Thursday the 3rd of May 2018 at ULB Campus de la Plaine from 16:00 onward. This first edition will introduce attendees to the Python ecosystem. As this is a smaller event and seats for the workshops are limited, we ask attendees to register upfront. The main track sessions will be open to anyone. Attendance is free of charge for all sessions. Head over to…

10 Apr 2018 3:00pm GMT

08 Apr 2018

Wim Leers: API-First Drupal: file uploads — 572 comments summarized

This blog post summarizes the 572 comments spanning 5 years and 2 months to get REST file upload support in #1927648 committed. Many thanks to everyone who contributed!

From February 2013 until the end of March 2017, issue #1927648 mostly … lingered. On April 3 of 2017, damiankloip posted an initial patch for an approach he'd been working on for a while, thanks to Acquia (my employer) sponsoring his time. Exactly one year later his work is committed to Drupal core. Shaped by the input of dozens of people! Just *look at that commit message!*

Background: API-First Drupal: file uploads!.

Damian's first comment (preceded by many hours of research) was on April 3, 2017. Exactly one year later his work is committed to Drupal core. Shaped by the input of dozens of people! Just look at that commit message!

08 Apr 2018 9:11pm GMT