Zalando employees on warning strikes again

heise online Newsticker - 7 October 2017 - 13:30
Zalando employees in Brieselang are demanding a new collective agreement. With warning strikes, they want to bring their employers back to the negotiating table.

Content management framework Drupal 8.4 with Media API and Workflows

heise online Newsticker - 7 October 2017 - 12:30
Version 8.4 of the open-source content management framework Drupal brings bug fixes and new experimental modules. Internet Explorer 9 and 10 are no longer supported as of the new release.

Mars lander InSight: Send your own name to Mars with the probe

heise online Newsticker - 7 October 2017 - 11:30
Travelling to the Red Planet: five-year-olds will soon be able to do so, as will 99-year-old seniors. At least, that applies to their names.

Electric cars: Nissan plans an "electric ecosystem"

heise online Newsticker - 7 October 2017 - 11:30
The Japanese carmaker believes it started the "electric car revolution" almost ten years ago and has now presented its plans for the coming years.

Nobel Prize in Literature goes to Kazuo Ishiguro

heise online Newsticker - 7 October 2017 - 10:30
The Swedish Academy has awarded the 2017 Nobel Prize in Literature to the Japanese-born British writer Kazuo Ishiguro. His best-known work was published in Germany under the title "Was vom Tage übrig blieb".

Study: Electric cars require more recycling of raw materials

heise online Newsticker - 7 October 2017 - 10:30
According to the Öko-Institut, there is enough lithium, cobalt, graphite and nickel worldwide for battery production, but the deposits might not be developed quickly enough.

Continuous Lifecycle London: Submit your talk idea now

heise online Newsticker - 7 October 2017 - 9:00
DevOps, containerization and continuous delivery experts have until 20 October to apply with talk and workshop proposals for the third Continuous Lifecycle London.

blog: An update on projects created for Drupal

Planet Drupal - 7 October 2017 - 9:00

About six months ago we made a significant change to the way that modules, themes, and distributions are created on

In the past, contributors had to first create a sandbox project, and then request manual review of their project in the Project Applications issue queue. The benefit of this community-driven moderation process was that modules were vetted for code quality and security issues by a group of volunteers. Project maintainers who completed this process also received the benefit of security advisory coverage from the Security Team for stable releases of their projects.

Unfortunately, the rate of project applications outpaced what volunteers could keep up with, and many worthy projects were never promoted to full project status, or moved off of to be hosted elsewhere.

To ameliorate this issue, we changed the process so that any confirmed user on may now make full projects.

To mitigate the risks of low code quality or security vulnerabilities, we added new signals to project pages, including highlighting which release is recommended by the maintainer, displaying recent test results, and indicating whether the project receives security coverage, both on the project page and in the composer 'extra' attribute. We're continuing to work on identifying additional signals of project quality that we can include, as well as surfacing some of this information in Drupal core. We also converted the project applications issue queue into a 'request security advisory coverage' issue queue.

What we hoped to see

We knew this would be a significant change for the project and the community. While many community members were excited to see the gates to contribution opened, others were concerned about security issues and Drupal's reputation for code quality.

Our prediction was that the lower barrier to contribution would result in an increase in full projects created on This would indicate that new contributors or third party technology providers were finding it easier to integrate with Drupal and contribute those integrations back for use by others.

At the same time, we also expected to see an increase in the number of full projects that do not receive coverage from the security team. The question was whether this increase would be within an acceptable range, or represent a flood of low quality or insecure modules.

The results

The table below provides statistics about the full projects created on in the 5 months before March 17th, 2017 - when we opened the creation of full projects to all confirmed users.

Full projects created from 2016-10-16 to 2017-03-17…

% of projects created in this period

  • … without stable release
  • … with stable releases
  • … with usage >= 50 sites
  • … with usage >= 50 sites and without stable release
  • … with usage >= 50 sites and with stable release
  • … with an open security coverage application*
  • Sub-total with security coverage
  • Sub-total without security coverage
  • Sub-total with security coverage and >=50 usage
  • Sub-total without security coverage and >= 50 usage

* note: full projects that did not have stable releases were not automatically opted in to security coverage when we opened the full project creation gates.

… and this table provides statistics about the projects created in the 5 months after we opened the creation of full projects to all confirmed users:

Full projects created from 2017-03-17 to 2017-08-16…

% of projects created

Diff %

  • … without stable release
  • … with stable releases
  • … with usage >= 50 sites
  • … with usage >= 50 sites and without stable release
  • … with usage >= 50 sites and with stable release
  • … with an open security coverage application
  • Sub-total with security coverage
  • Sub-total without security coverage
  • Sub-total with security coverage and >=50 usage
  • Sub-total without security coverage and >= 50 usage

As you can see, we have an almost 58% increase in the rate of full projects created on We can also see a significant proportional increase in two key areas: projects with greater than 50 site usage and no security coverage (up 150% compared to the previous period), and projects that have applied for security coverage (up 344% compared to the previous period). Note: this increase in applications is for projects *created in these date ranges*, not necessarily applications created overall.

This tells us that reducing friction in applying for security coverage, and encouraging project maintainers to do so, should be a top priority.

Finally, this last table gives statistics about all of the projects currently on, regardless of creation date:

Full projects (7.x and 8.x)

% of Total

Rate of change after 2017-03-17

  • … with the ability to opt into security coverage
  • … with security coverage and stable releases
  • … without security coverage
  • … without security coverage and with stable releases
  • … with security coverage and >=50 usage: 66.91 / 26.85%
  • … with security coverage and stable releases and >=50 usage: 65.19 / 26.16%
  • … without security coverage and >=50 usage: 33.09 / 13.28%
  • … without security coverage and with stable releases and >=50 usage: 1.34 / 0.54%
  • Sub-total with >=50 usage

From the overall data we see approximately what we might expect. The increase in growth of full projects on has led to a modest increase in projects without security coverage.

Before the project application change, all full projects with stable releases received security advisory coverage. After this change, only those projects that apply for the ability to opt in (and then do so) receive coverage.

What has this meant for security coverage of projects hosted on

1.92% of all full 7.x and 8.x projects have stable releases, but do not receive security advisory coverage. It is likely no accident that this translates into 464 projects, which is nearly equivalent to the number of additional projects added compared to our old growth rate.

Of those, only 130 projects report usage on more than 50 sites (or .54% of all 7.x and 8.x full projects).

Next steps

From this analysis we can conclude the following:

  1. The opening of the project application gates has dramatically increased the number of projects contributed to

  2. It has also increased the number of projects without security coverage, and the number of applications for the ability to opt in to coverage among new projects.

In consultation with the Security Working Group, we recommend the following:

  • For now, leave the project creation process as it stands today - open to contribution from any confirmed user on

    • Less than 2% of all Drupal projects with stable releases currently lack security coverage. The rate at which this is increasing is significant (and in the wrong direction) but not rapid enough to merit changing the project application policy immediately.

  • Solve the problem of too many security advisory coverage applications. The security advisory application queue has the same problem that the old project applications queue had - not enough volunteers to manually vet all of the applications - and therefore a significant backlog of project maintainers waiting on the ability to opt into coverage.

    • Recommendation: Implement an automated best practices quiz that maintainers can take in order to be granted the ability to opt into security advisory coverage. If this process is as successful as we hope, we may want to consider making this a gate on stable releases for full projects as well.

We look forward to working with the Security Working Group to implement this recommendation and continue to improve the contribution experience on, while preserving code quality and security.

NSA scandal: No evidence of NSA espionage – Federal Prosecutor General ends investigation

heise online Newsticker - 7 October 2017 - 7:30
More than four years after the NSA scandal began with Edward Snowden's disclosures, the Federal Prosecutor General sees "no reliable evidence" of mass, systematic internet surveillance. The investigations are being closed.

Annertech: DrupalCon Vienna 2017 - a Retrospective

Planet Drupal - 6 October 2017 - 22:21

Last week the Annertech team headed to Vienna for a week of Drupal learning and sharing. With thirteen different tracks and various summits, there were a lot of great sessions to choose from. We were also privileged and honoured to have the opportunity to present five sessions ourselves, and of course, we once again played host to the Drupal Trivia Night.

Study: No e-book boom in sight

heise online Newsticker - 6 October 2017 - 18:30
According to a Bitkom study, only just under a quarter of Germans can warm to e-books. The number of readers of digital editions has thus stagnated for three years.

Battery for electric cars from Toshiba: 6 minutes of charging for 320 km

heise online Newsticker - 6 October 2017 - 18:00
Toshiba is working on a battery that can be charged faster than conventional batteries.

Turkish academics in exile plan online academy

heise online Newsticker - 6 October 2017 - 18:00
What do Turkish academics do when they are dismissed in their home country? A group of Turkish academics in Germany has an idea. Together with German researchers, they want to set up an online academy in Berlin.

Dries Buytaert: Hermès using Drupal

Planet Drupal - 6 October 2017 - 17:40

Since its founding in 1837, Hermès has defined luxury. Renowned as an iconic brand within the fashion industry, Hermès is now setting the trend for how customers shop online. This week, Hermès launched its new site in Drupal!

Hermès married the abilities of Drupal as a CMS and Magento as an eCommerce engine to provide their customers with a highly engaging shopping experience. Hermès' new site is a great example of how iconic brands can use Drupal to power ambitious digital experiences. If you are in the mood for some retail therapy, check out!

Survey: Majority against facial recognition for advertising purposes

heise online Newsticker - 6 October 2017 - 17:30
Customers do not want their faces to be automatically captured and analysed in shops, for example to personalise advertising. That is the result of a recent survey following the first tests of this kind.

Oracle launches serverless computing offering

heise online Newsticker - 6 October 2017 - 17:30
Like Amazon Lambda and Azure Functions, Project Fn is a system for running functions without having to provision infrastructure beforehand. However, use of the open-source project is not limited to a single cloud provider.

Fake news and deceptive memory: Julia Shaw to speak at CEBIT 2018

heise online Newsticker - 6 October 2017 - 17:00
Dr. Julia Shaw became internationally known with her book "Das trügerische Gedächtnis". At CEBIT 2018 she wants to show how we can deal playfully and efficiently with today's flood of information.

US intelligence committee: Russian interference not only in the USA

heise online Newsticker - 6 October 2017 - 17:00
The US Senate's Russia investigation is far from over. After reviewing more than 100,000 documents, the intelligence committee has not yet reached a conclusion on how far Russian interference in the 2016 elections went.

iOS 11: No return to iOS 10 possible any more

heise online Newsticker - 6 October 2017 - 16:30
Apple no longer signs iOS 10.3.3 and iOS 11.0. Accordingly, iOS 11 devices can no longer be rolled back to the earlier operating system.

Mac & i issue 5/2017 now on newsstands

heise online Newsticker - 6 October 2017 - 16:30
Topics: Tips for macOS High Sierra, iOS 11 and watchOS 4 • iPhone X • Test: iPhone 8, Apple Watch LTE, Apple TV 4K • MacBook docks • Photos app • Filming with the iPhone • Understanding the Console • Apple Park • The leak disaster • External Mac graphics cards