Kommentar: Zuckerbergs halbherziger Canossagang

heise online Newsticker - 13. April 2018 - 7:00
Wenige Freunde hat sich Mark Zuckerberg bei seiner Einvernahme im US-Senat gemacht. Entscheidend war nicht, was er ausgesagt hat, sondern was er nicht gesagt hat. Der Mut zum Klartext fehlt dem Milliardär.

Grafikupdate: Red Dead Redemption ab sofort in nativen 4K auf Xbox One X

heise online Newsticker - 13. April 2018 - 7:00
Das Konsolenspiel Red Dead Redemption lässt sich nach einem Update auf der Xbox One X in 4K ausgeben. Dank der neunfach höheren Renderauflösung sieht das Westernspiel nun beeindruckend gut aus.

Elektroautos: Kia arbeitet am drahtlosen Laden

heise online Newsticker - 13. April 2018 - 7:00
Kia hat ein Entwicklungsprojekt abgeschlossen, in dem es um drahtloses Laden von Elektroautos ging. Der südkoreanische Hersteller meint, es sei erfolgreich verlaufen.

Patchday: Kritische Flash-Updates und mehr

heise online Newsticker - 13. April 2018 - 7:00
Adobe patcht sich im April quer durch das eigene Software-Portfolio. Kritische Lücken klaffen in ColdFusion und Flash Player.

Data Abuse Bounty: Facebook belohnt Hinweise auf Datenmissbrauch

heise online Newsticker - 13. April 2018 - 6:00
Facebook bittet seine Nutzer um Mithilfe, um Datenmissbrauch durch Apps frühzeitig erkennen zu können. Als Belohnung winken hübsche Geldsummen.

CU Boulder - Webcentral: Change My View: D8 isn't the best upgrade path for 1000 D7 EDU sites

Planet Drupal - 12. April 2018 - 21:31

Like many other Drupallers, I'm in Nashville this week. Unlike previous DrupalCons, I'm less excited about being here than previous year. While my team at the University of Colorado Boulder currently manages 1000 D7 sites, it looks increasingly less likely that we'll be upgrading to D8.

Angela “Herder of Cats” Byron recently tweeted...

OK, time for our semi-annual poll/group therapy session. ;)

What are the 5 top things you or your clients run into problems with on #Drupal 8?

— webcsillag (@webchick) March 9, 2018

The last time she tweeted this, we responded with a few specific issues we had at the time. After maintaining a handful of D8 sites in production for a few months and meeting with 20+ developers and designers from teams at all campuses in the University of Colorado system earlier this year, we now have a more comprehensive list to answer the question of why the University of Colorado Boulder isn't moving forward with updating the Express install profile to D8.

We've already written and presented about some of these, but my goal at DrupalCon is to find people who will convince me that we're wrong or point out what we're missing. I can't emphasize this enough that we really want to be proven wrong and pointed in the right direction about some of these so we can stop evaluating options other than D8:

  • When running 1000 sites, D8 requires much more CPU and memory resources to render the same HTML output as D7. Because D8's core can't be run from symlinks, it doesn't support atomic deployments or efficient opcode caching when running 1000 copies of the same codebase. This leaves traditional multisite or containers as options. Multisite's limitations are well known. Containers add complexity and require more resources that provide little benefit when running Drupal as a service.
  • D8 seems slower than D7 or other PHP alternatives. Everything from updating with Composer, menu routing, and editing pages. While this isn't as much of an issue for users browsing the sites since the output is cached and served by Varnish, the slow renders are very noticeable to editors and developers.
  • Install profile inheritance is still unstable. Despite 6 years of development, being included in popular D8 distributions like Lightning, and Dries blogging about it, it is unclear this core patch will ever be committed. Acquia drove the patch in a different direction for over a year trying to make a base profile's dependencies optional. When we suggested making the Umami demo a sub-profile of Standard, it became clear how few members of the core team knew anything about profile inheritance or supported updating core to support it.
  • Our experience with highly promoted D8 "successes" like Webform wasn’t great. The D7 version of Webform reports more than > 440K installs. The D8 version, ~32K reported installs. This isn't a criticism of @jrockowitz or the Webform code. He is doing amazing work, but we felt the lack of a larger base of developers contributing fixes and extending Webform when working with Webform and Views.
  • The lack of license compatibility with 2 of the 3 most popular licenses off the island (Apache-2.0 and GPL-3.0) is a dead end. This is related to @jrockowitz's repeated attempts to find away to give work away while earning a living developing for Drupal. Drupal's strict GPL policies now seem to stifle development vs. encouraging it when compared to the more balanced approach taken by projects like WordPress.
  • D8’s Layout Initiative isn’t a good match for how we currently manage Drupal as a service. Now that the dust has settled on 8.5.0, we'll post more on this soon.
  • We're finding fewer well-maintained contrib projects. While using contrib projects can be golden handcuffs that only get you 80% of a solution with options and assumptions you end up fighting against in the end, we've mastered the embrace and customized/extend/contribute back approach. We rely heavily on contrib and actively contribute back. We maintain or co-maintain projects used by more than 100K D7 sites. When we find fewer D8 contributions to meet even 80% or our needs, it makes less sense to develop our own solutions for Drupal than a leaner, faster framework.
  • The "let's throw everything in core" approach results in an increase in critical security releases for code we aren't using. This is an issue in environments with distributed development, systems, networking and security teams, where a security team is periodically scanning for known vulnerabilities with tools like Qualys, Arachni or Nessus. With something like sa-core-2018-001, these scans don't care that the Comments module is disabled or even deleted. They scan the code looking for anything less than Drupal 8.4.3 and report that the entire code base is a security issue. We can respond to the issue by explaining that it is mitigated by X, but that fact remains that more code in core will likely translate to more staff time applying security updates to 1000+ sites. Ideas like what @davidhernandez suggested package Drupal both framework (essential core) and product (core) aren't getting the same attention from the DA as demos and other improvements to attract non-technical users to Drupal. LTS support services offered for D6 aren't really enough since they aren't altering the code fingerprint that the security scans are looking for.

I wish moving from D7 to D8 was an obvious move for us. It would make my job much easier. After watching the normal stability requirements ignored to sneak Umami into 8.5 and realizing that the initiatives DA was promoting for core (automatic updates, project browser, telemetry and in site announcements from the DA) are NOT features we'd use in our service, it's becoming increasingly clear our needs no longer align with what is driving the priorities of the Drupal project. When I evaluate D8 through the Umami demo, it's clear that we aren't even the target audience for what the project wants to highlight to people evaluating it. When we evaluate a framework, product or service, part of what we evaluate is the cost to maintain. When fatal errors are acceptable in a demo after a core update, we question whether we'll be able to easily apply upgrades if the developers most familiar with this framework can't upgrade the demo?

The Express install profile we've developed and use at multiple campuses is the 5th most popular D7 distribution on Drupal.org.

It's not that the entire University of Colorado system is against D8 either. Both the University of Colorado Colorado Springs (UCCS) and Auraria Library are both using D8, but for very different use cases than the Web Express service we offer for free on the Boulder campus.

UCCS is moving from Ingeniux to D8. For those of you who aren’t familiar with Ingeniux, it is a XML/XLST static site generator with limited features for dynamic content.  UCCS initial D8 offering has similar limitations to Ingeniux, but they are leveraging Migrate to move sites from Ingeniux to Drupal very quickly.  They are also hosting their Drupal 8 sites themselves on the most advanced server architecture within the CU system which well set them up well to add new features in the future.

Auraria Library is another high profile D8 site.  This site has more features and functionality than the UCCS sites, but it also has a small development team supporting a small group of content editors and is hosted on Pantheon.

While D8 makes sense for both of these use case, neither of these groups had insights on how we could overcome what we think are D8's short comings for the ~1000 sites we manage for the University of Colorado Boulder.

While I'd prefer to continue maintaining D7 sites while developing new projects in D8, the lack of clarity from the DA around the EOL of D7 is forcing us to invest time in evaluating alternatives now. When I read that Symfony 4.1's router is now the fastest PHP router, I get both excited and terrified. I'm excited since, in some ways, this would prove everyone that pushed to get off the island and collaborate with the larger PHP community right. I'm terrified because I realize that Drupal going from Symfony 3 to Symfony 4 most likely means D8 to D9. If D9 means the end of support for D7 and quarterly justification for running software our security team views as insecure, we have to go all in on a direction other than D8 soon.

We've spent some time trying to answer the question, "if not Drupal, then what?" If we can't figure out how to make D8 work for us, I'll post more about what we found when evaluating alternatives to D8. This week, I'm focused on trying to make D8 work well when hosting Drupal as a Service in higher ed.

If you see me at DrupalCon, PLEASE change my view. I won't be hard to spot.

I've started a thread on r/drupal/ for everyone who's not at DrupalCon.

Developer Blog

KotOR 2, Morrowind und Jedi Academy laufen bald auf der Xbox One

heise online Newsticker - 12. April 2018 - 20:30
Die Liste der mit der Xbox One kompatiblen Spiele wächst um weitere 19 Titel – darunter sind Klassiker wie Knights of the Old Republic 2, TES 3: Morrowind und Jade Empire.

GitHub feiert: Zehn Jahre Projekt-Hosting-Plattform

heise online Newsticker - 12. April 2018 - 20:00
Auf GitHub vereinen sich die verteilte Versionskontrolle Git und Kollaborationswerkzeuge für Entwickler zu einer der inzwischen meistgenutzten Projekt-Hosting-Plattformen.

Patchday: Microsoft kümmert sich um mehr als 60 Lücken in Windows & Co.

heise online Newsticker - 12. April 2018 - 18:30
Über Windows Update stehen Sicherheitsptaches bereit. Unter anderem schließen diese eine Lücke, über die Angreifer ein Wireless Keyboard in einen Keylogger verwandeln könnten.

Elektro-Rennwagen: Mercedes-Benz und Porsche offiziell in die Formel E aufgenommen

heise online Newsticker - 12. April 2018 - 17:30
In der Saison 2019/2020 dürfen die beiden deutschen Autohersteller mit ihren Elektrorennwagen an der Formel E teilnehmen, gab die FIA bekannt.

AMD-Prozessoren bekommen Windows-10-Update gegen Spectre-V2-Lücke

heise online Newsticker - 12. April 2018 - 17:00
Eine Kombination aus einem Windows-Update mit BIOS-Updates für Mainboards soll Windows-10-Rechner mit AMD-Prozessoren ab der 2011 vorgestellten Bulldozer-Generation schützen.

Acro Media: Drupal Commerce 2: How to Add a Shipping Method

Planet Drupal - 12. April 2018 - 16:45


Drupal Commerce 2 shipping module let you quickly add and configure various shipping methods for your site. Out-of-the-box, you can easily set up basic shipping methods for flat-rate per-order or per-item shipping options. The plug-in based system allows for more advanced shipping integrations with suppliers for real-time rate calculation.

In this Acro Media Tech Talk video, we user our Urban Hipster Commerce 2 demo site to show you just how easy it is to create a simple flat-rate shipping fee for your eCommerce store. We set it up and then run through the checkout so that you can see exactly what your customers would see.

Its important to note that this video was recorded before the official 2.0 release of Drupal Commerce useing a beta release of the Commerce Shipping module. You may see some differences between this video and the current releases. The documentation is also evolving over time.

Urban Hipster Commerce 2 Demo site

This video was created using the Urban Hipster Commerce 2 demo site. We've built this site to show the adaptability of the Drupal 8, Commerce 2 platform. Most of what you see is out-of-the-box functionality combined with expert configuration and theming.

More from Acro Media Drupal modules in this demo

#heiseshow, live ab 12 Uhr: Nach Daten-Skandal und US-Anhörung – wie geht's weiter mit Facebook?

heise online Newsticker - 12. April 2018 - 15:30
Mark Zuckerberg und Facebook sind unter Druck. Vor dem US-Senat zeigte sich Zuckerberg reuig, aber auch recht wendig. Wie geht es nun weiter mit Facebook? Wie sieht die Zukunft der sozialen Netzwerke aus? Das besprechen wir in der neuen #heiseshow.

Deutscher Computerspielpreis 2018: Witch It ist das beste deutsche Videospiel

heise online Newsticker - 12. April 2018 - 15:30
Das Multiplayer-Spiel Witch It vom Hamburger Studio Barrel Roll Games wurde beim Computerspielpreis 2018 als bestes deutsches Videospiel ausgezeichnet. Den Award für das beste internationale Spiel konnte Assassin's Creed Origins abstauben.

Die Kombination von Googlemail und Netflix begünstigt Phishingmails

heise online Newsticker - 12. April 2018 - 15:30
Wer sich mit einer Googlemail-Adresse bei Netflix registriert hat, muss besonders wachsam sein und sich vor Betrügern in Acht nehmen.

Dubai will smarte Kfz-Kennzeichen testen

heise online Newsticker - 12. April 2018 - 15:30
Dubai will Autokennzeichen an das Internet der Dinge anschließen. Die Technik soll ab Mai in dem Emirat erprobt werden.

heise devSec 2018: Jetzt noch Vorträge einreichen

heise online Newsticker - 12. April 2018 - 15:30
Bis zum 20. April läuft der Call for Proposals für die Konferenz zum Thema sichere Softwareentwicklung. Die Premiere der heise devSec 2017 war ausverkauft.

Facebook-Anhörung im US-Senat: Zuckerberg zeigt sich reuig, weicht konkreten Fragen aus

heise online Newsticker - 12. April 2018 - 15:00
Viel Asche streute sich Mark Zuckerberg bei einer Anhörung im US-Senat aufs Haupt. Und er kündigte an, Facebook-Postings bald mit 20.000 Mitarbeitern zu überwachen. Konkreten Fragen zu Daten- und Kinderschutz wich er aber aus.