Drupal Core | Modules Unraveled

122 The Drupal Security Team With Greg Knaddison and Michael Hess - Modules Unraveled Podcast

The Drupal Security Team

  • What type of people are on the Drupal Security Team?
    • https://security.drupal.org/team-members
    • Mostly coders, some project managers, core maintainers
  • What does the security team do?
    • We fix issues in Drupal
    • Resolve reported security issues in a Security Advisory
    • Provide assistance for contributed module maintainers in resolving security issues
    • Provide documentation on how to write secure code
    • Provide documentation on securing your site
    • Help the infrastructure team to keep the drupal.org infrastructure secure
  • What doesn’t the security team do?
    • Projects without stable releases
    • Site support
    • Set policy around security with the security working group.
  • Is there a D7 security team and a D8 security team with different people? (What about Drupal 6)
  • How can others get involved?
  • What was the recent bug that was fixed?

Questions from Twitter

  • Paulius Pazdrazdys
    How is this latest security release different from others? Do you have any information on whether this bug did any harm before release?
  • aboros
    The recent bug was über critical, still only 20/25. What would be a 25/25 bug?
  • aboros
    Do you notify any high value targets before SA is sent out? Is the list of those public? Can one be part of this privileged group?
  • Carie Fisher
    When was the latest bug found? Is there a private Drupal security group where this was discussed? Could we have found out sooner?
  • David Hernandez
    What is the average time from discovery to announcement?
  • Damien McKenna
    @ModsUnraveled Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?
  • Heine Deelstra
    How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue?
  • Mark Conroy
    I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question)
  • aboros
    Are there plans for some sort of bounty program run by DA maybe?
  • David Hernandez
    What kind of work does the security team do besides review code? What is the administrative overhead?

116 What's new in D8 with Lee Rowlands - Modules Unraveled Podcast

New stuff in Drupal 8

  • Twig autoescape
  • Security improvements
  • Cleanup around Entity
  • kerneltestbaseng
  • mink test base

DrupalUpgrade.info

  • What’s the story behind DrupalUpgrade.info?
  • What are the plans for drupalupgrade.info?
  • How can people get involved with this?

Drupal Module Upgrader

  • What is the Drupal Module Upgrader?
  • How does it work?
  • Is it perfect?

PatchADay

  • What is #PatchADay?

Questions from Twitter

  • Chris Weber asks:
    • What's your favorite way to get an autoloader working with Drupal 7?
    • Talk about Drupal 8 menu system.
    • Will it be possible to export/import content?

115 Drupal Core Gittip Team with Jennifer Hodgdon, Bojhan Somers, Alex Pott and Cathy Theys - Modules Unraveled Podcast

GitTip

  • What is GitTip? How does it work?

  • What is a GitTip team?

Drupal Core GitTip Team

  • How did the Drupal Core team come about? What prompted its genesis?

  • Who is the organizer of the Drupal Core team, and who is benefiting from it?
    19 members, Alex and Cathy are administering the group, a couple are on vacation.
    16 others are taking money.

  • On the GitTip page it says your goal is $5,000 US/week. What would that cover?
    Cathy: This week is the first week that we will not be able to fund the modest goal of giving people $64/week. The past few weeks we have been paying out $700. We have now eaten all our balance and have only $350 coming in this week.
    The $5k goal is a guess at funding 6 people about ¼ time.

  • What have you all been working on lately as a result of this funding?
    Cathy: tips are for work already done, so… I'm not sure. Maybe it motivates future work, or planning to be able to do future work? Jen? Bojhan?
    What has this funding enabled you to do?