Three weeks ago, from 10 to 14 June, Drupal Dev Days 2019 took place, this year in Cluj-Napoca, Romania.
This edition welcomed around 240 participants.
Here is my feedback on this event.
Sprints
Entity share
Initialization of automated tests for the Entity share client sub-module (https://www.drupal.org/project/entity_share/issues/2909022) and refactoring for the creation of the other tests.
Coder
Added a rule so that the machine name of a block is prefixed by the machine name of the theme in which this block is positioned: https://www.drupal.org/project/coder/issues/3061184
Day 1
Day dedicated to sprints.
Chatting with people at the same table, I was able to get feedback from https://www.drupal.org/u/eiriksm on the fact that he was using Entity share on an E-commerce project.
Day 2
Keynote: The fourth wave of the content management system
This was a presentation of the article https://preston.so/writing/the-distributed-cms-how-the-decoupled-cms-endgame-will-impact-your-organization with additional information, and it mostly promoted GatsbyJS.
An overview of the uses of content on sites and how this has evolved since slightly before the 2000s.
Infrastructure costs can be significant on high-traffic "classic" Drupal sites: $1 million a year in hosting for a Drupal site.
Possibility of interchangeable services, CMSs evolve too quickly.
Security aspect: decoupled architectures make it possible to lock down CMS parts and prevent external access to certain services.
"A CMS renaissance is coming"
At the level of the Drupal community, it is no longer possible to "serve" PHP developers. Javascript is a must.
Now a CMS is more than a tool (examples with old interfaces for business solutions), you have to manage the user experience. Example of Calypso in WordPress.
Hence the existence of the Admin UI initiative to modernise the Drupal 8 interface.
Point on Headless competitors to Drupal:
- Contentful
- Prismic
- Sanity.io
With a Decoupled Drupal, there is the possibility of decoupling updates between Drupal and the front-end framework.
Full presentational decoupling: parts of pages that come from different external services. Search, forms, content, etc.
This is now referred to as Distributed CMS / Content Mesh.
Costs are reduced because each component can be used to the minimum of what is required.
Security aspect: it is more complicated to attack a site if lots of different, partitioned services are used.
Possibility of working on a Drupal site offline.
Deep dive into the dependency injection container in Drupal 8
English version of the presentation given at Drupalcamp Paris 2019 (I didn't attend this session at the camp): https://paris2019.drupal.fr/programme/sessions/le-container-dinjections-de-dependances-aux-petits-oignons
Very technical conference, the speaker masters his subject, but I don't see the day-to-day usefulness with Drupal 8.
The services.yml file and ServiceProvider parts for altering services dynamically spoke very well to me, but not the rest of the presentation.
A few points I noted:
- $container->get is bad.
In Drupal services are public to be able to load services in procedural parts.
- Autowiring is coming.
Progressively Decoupled Drupal: Lessons Learnt
Due to the short lunch break since there was no lunch scheduled, I missed the beginning of the presentation which was supposed to talk about the advantages... So here are mainly the disadvantages and problems encountered:
- no notion of behaviour for Javascript,
- no twig debug available,
- lazy loading: the Blazy module does not work, so it has to be done manually depending on the framework chosen,
- lots of custom code required:
- preparing data for the front end,
- cache metadata management,
- attention to maintenance, difficulty integrating people on the project.
Features and design need to be considered to assess whether decoupling is useful.
Content driven eCommerce with Drupal Commerce
Presentation on the usefulness of the CMS aspect in E-commerce.
Providing sufficient information for the visitor to buy, no more need for a physical shop or catalogue.
With a CMS, you can go beyond simply making catalogue sites:
- personalisation of content, images displayed, in relation, for example, to the user's preferred colour,
- articles about products to inspire their use.
State of Drupal 9
If you follow Drupal 8 news, between community blog posts and Driesnote content, this session is a reminder of it all.
Reminder of the adoption of semantic versioning for the core and scheduled releases with a new minor version every 6 months which allows external libraries to be updated.
Reminder of the implementation of the deprecation system enabling code to be removed with each major release.
Reminder of release dates for the move to Drupal 9: June 2020
Reminder of tools to facilitate the move to Drupal 9:
- Phpstan for static analysis of deprecated code,
- Drupal CI for testing code on drupal.org,
- indications on the modules page of what to do to make the module ready for Drupal 9
At the deprecated code management level:
- custom code on projects: remove deprecated code now,
- contributed module: stay up to date with supported core versions. Warning: what this implies is that you should not take the latest version of core, because the penultimate version is also supported; you should not remove deprecated code between the penultimate and latest version, because sites on the penultimate version of core would stop working.
Question from the audience: Will we have to create a 9.x branch in contributed modules, or will Drupal 9 accept 8.x-y.x branch versions seamlessly?
To allow this would require contributed modules to also switch to semantic versioning to remove the 8.x part from contributed module versions. The long-term aim is to have modules that are compatible with different major versions of Drupal.
Creating an enterprise level editorial experience for Drupal 8 using React
A review of interfaces for content editing.
Content now needs to be distributed across different channels, having just one site is no longer enough.
There is also a discussion about whether Twig is still relevant.
3 notions:
- Content management
- Content delivery
- Content presentation
No two cases are the same: listen to your publishers
Start small, for the progressive improvement of the interface.
At the moment in Drupal, there are:
- paragraphs
- the media library
- layout builder
With a very high level of expectation on accessibility as far as core is concerned.
Outside of Drupal:
- Elementor in WordPress: a live page builder
- Content planner
- Gutenberg: not good for accessibility. And the content isn't structured
- DX8: a custom paragraph-based Drupal (apparently not publicly accessible)
- Openstory.io
- (Gizmo? Not so sure about this one)
- Glazed builder
- Droopler
The difficult points when contributing:
- refreshing pages,
- time spent building (paragraph nesting example) instead of creating content.
Demonstration of a React interface, made for a client and anonymised, to contribute paragraphs.
Point indicating that for this kind of use, GraphQL is more suitable than the JSON:API.
Day 3
Keynote: Security, Drupal 9, and the Changing Web Landscape
Dependencies set the pace for new Drupal releases, and this presentation gives an overview of the complexity of the subject.
1/3 of Drupal 8 security updates are for dependency security updates.
1/2 of Drupal 8 updates are for dependency updates.
Coordinating version releases between components is difficult and this is also complicated by new versions of PHP.
There are PHP dependencies, but also Javascript dependencies, for example jQuery 3, which wasn't good at managing security vulnerabilities and which had to be urgently updated in core, resulting in backwards compatibility problems.
When there was talk of using React to overhaul Drupal 8's back office, React's version management and security policy were studied, which cast doubt on the framework's use in Drupal 8.
Focus on NodeJS, NPM and micro packages.
Example of the "leftpad" package (which by the way only deals with the left side of strings, not the right side...), unpublished by its maintainer, which broke thousands of projects whose builds were based on it. This was the only case where Github (or NPM, I can't remember) republished a repository without asking the repository owner for prior approval.
https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos
Another example of cascading dependencies: drupal-admin-ui, the Javascript library for Drupal's back office redesign, has 1732 dependencies.
It's complicated to limit dependencies, even if it's better to reduce the surface area of potential vulnerability.
On an organisational level for the Drupal security team, this involves checking dependencies of dependencies, etc.
Some useful commands:
- composer install --no-scripts: the --no-scripts option allows you not to trigger embedded scripts in the downloaded code and thus limit the triggering of malicious code,
- yarn audit / npm audit: to check for security updates to Javascript packages.
At application level, this dependency management is now the new norm.
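Before running composer install on an unfamiliar project, it helps to see which entries of its composer.json "scripts" section would run, since those are what --no-scripts skips. The following Python example is added here and is not code from the talk or from Composer; the composer.json content is constructed, and the event list is an assumption based on Composer's documented script event names.

```python
import json

# Script events that can fire during `composer install`; these are the hooks
# that `--no-scripts` suppresses for that command.
INSTALL_EVENTS = {
    "pre-install-cmd", "post-install-cmd",
    "pre-autoload-dump", "post-autoload-dump",
    "pre-operations-exec",
    "pre-package-install", "post-package-install",
    "pre-package-update", "post-package-update",
    "pre-package-uninstall", "post-package-uninstall",
}

# Constructed composer.json for illustration (not from a real project).
SAMPLE_COMPOSER_JSON = r"""
{
  "name": "example/site",
  "require": {"drupal/core": "^8.7"},
  "scripts": {
    "post-install-cmd": ["@build-assets", "Example\\Site\\Installer::postInstall"],
    "post-autoload-dump": "php scripts/warm-cache.php",
    "build-assets": ["npm ci", "@php scripts/compile.php"],
    "phpcs": "phpcs --standard=Drupal web/modules/custom"
  }
}
"""


def classify(handler):
    """Return how Composer would execute one script entry."""
    if handler.startswith("@php "):
        return "php-script"
    if handler.startswith("@composer "):
        return "composer-command"
    if handler.startswith("@putenv "):
        return "putenv"
    if handler.startswith("@"):
        return "script-reference"
    if "::" in handler and " " not in handler:
        return "php-callback"      # static method, e.g. Vendor\Class::method
    return "shell-command"


def install_time_scripts(composer_json_text):
    """List (event, kind, handler) for everything `composer install` would run."""
    scripts = json.loads(composer_json_text).get("scripts", {})

    def expand(name, seen):
        if name in seen:            # guard against reference cycles
            return
        seen = seen | {name}
        entries = scripts.get(name, [])
        if isinstance(entries, str):
            entries = [entries]
        for handler in entries:
            kind = classify(handler)
            if kind == "script-reference":
                # "@other-script" runs another entry of the scripts section
                yield from expand(handler[1:].split()[0], seen)
            else:
                yield kind, handler

    findings = []
    for event in sorted(INSTALL_EVENTS.intersection(scripts)):
        for kind, handler in expand(event, frozenset()):
            findings.append((event, kind, handler))
    return findings


if __name__ == "__main__":
    for event, kind, handler in install_time_scripts(SAMPLE_COMPOSER_JSON):
        print(f"{event:20} {kind:16} {handler}")
```

Entries such as "phpcs" in the sample are not reported because they only run when called explicitly, not during an install.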
The past, present, and future of Drupal Commerce
Promotional presentation on Drupal Commerce. This was a short version of the presentation given at each event.
- 40 first community modules around Drupal Commerce 1.x are now in Commerce 2.x.
- Release of a version every month.
- Healthy ecosystem of partner agencies that use the solution and contribute to it either by developing new features directly or by funding Centarro (ex-Commerce Guys)
- Use of core APIs to improve user experience
- Development of open source Centarro tools that benefit the entire Drupal community.
Comment from the audience: it would be nice if Drupal Commerce had configuration help steps after installation to make configuration easier especially when you're new to the solution.
Frontend Security is a Thing
Review of browser-side security issues:
- SQL injection
- XSS
- Javascript injected on site pages:
  - Reflected
  - Persistent
- CSRF: use of others' access
- attribute: target="_blank" allows redirects to malicious sites
Recommendations:
- use the sandbox attribute of the iframe tag,
- never trust browser data.
All sites have vulnerabilities, the question is when will they be exploited.
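The target="_blank" and iframe sandbox points above can be checked mechanically in rendered markup. The following Python example is added here and is not from the presentation; the sample page and its URLs are constructed, and two checks go beyond what the talk notes state: rel="noopener" (or "noreferrer") as the mitigation for target="_blank", and flagging a sandbox that grants both allow-scripts and allow-same-origin.

```python
from html.parser import HTMLParser

# Constructed sample markup; all hosts are placeholders.
SAMPLE_PAGE = """<main>
<a href="https://partner.example/offer" target="_blank">Offer</a>
<a href="https://docs.example/" target="_blank" rel="noopener noreferrer">Docs</a>
<iframe src="https://widgets.example/chat"></iframe>
<iframe src="https://widgets.example/map" sandbox></iframe>
<iframe src="https://widgets.example/form" sandbox="allow-scripts allow-same-origin"></iframe>
</main>"""


class FrontendAudit(HTMLParser):
    """Collect links and frames that the recommendations above would flag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)          # names arrive lower-cased; bare attributes map to None
        line = self.getpos()[0]      # 1-based line of the tag in the input
        if tag == "a" and (attrs.get("target") or "").lower() == "_blank":
            rel = (attrs.get("rel") or "").lower().split()
            # Without noopener/noreferrer the opened page receives window.opener
            # and can navigate the originating tab elsewhere.
            if "noopener" not in rel and "noreferrer" not in rel:
                self.findings.append(
                    (line, "blank-without-noopener", attrs.get("href")))
        elif tag == "iframe":
            if "sandbox" not in attrs:
                self.findings.append(
                    (line, "iframe-without-sandbox", attrs.get("src")))
            else:
                tokens = (attrs["sandbox"] or "").lower().split()
                # For same-origin content this pair lets the framed page
                # remove its own sandbox attribute.
                if "allow-scripts" in tokens and "allow-same-origin" in tokens:
                    self.findings.append(
                        (line, "sandbox-scripts-and-same-origin", attrs.get("src")))


def audit(html):
    """Return a list of (line, finding, url) tuples for the given markup."""
    parser = FrontendAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, finding, url in audit(SAMPLE_PAGE):
        print(f"line {line}: {finding}: {url}")
```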
The presentation was interesting, but in my opinion there were points of improvement to be made on the presentation:
- More slides to illustrate the examples, as there was too much time spent per slide giving examples without a written trace or illustration, this would also have made the presentation a little more dynamic,
- more dynamism in the presentation, certainly there is the difficulty of passing at the end of the day, but the presentation was very monotonous.
Day 4
Keynote: The greatest asset Drupal holds for growth is you...
Conference on how to communicate about Drupal and thus grow the community.
The Drupal Marketing Initiative has produced tools for communicating about Drupal.
https://www.drupal.org/community/agency-marketing
In particular, there's the Drupal brand book for talking about Drupal, which specifies the words to use, fonts, font sizes, colours, etc.
An initiative to translate the Drupal brand book and promotional videos is underway.
This allows us to contribute to the brand, to have a uniform brand image. To contribute to the brand image, always present the best of ourselves.
There are interview presentations from members of the community.
How to grow the community or help with communication:
- by adding superb photos to an image bank that can be reused by the community, please mention the authors of the photos at the very least,
- by introducing the project to new people,
- by helping other members to progress,
- by celebrating the community's successes,
- by translating marketing materials,
- by getting involved in a local Drupal association,
- ...
Passing over to the Drupal association desk:
- the association supports diversity and inclusion in the project,
- change of logo for pride month, but this is not enough,
- inclusion in the office of under-represented groups.
To have a section in /community and move the community forward, just ask Rachel Lawson.
Currently 2 board members are elected by the community, but this can go up to 4.
In conclusion, you all represent Drupal!
Announcement of Drupal Dev Days 2020.
As this was the last keynote of the event, there was a presentation of the figures on the event (including the 240 participants), and the announcement that the next Drupal Dev Days will take place in Belgium!
Dynamic migrations using templates
Session version of the article https://www.webomelette.com/dynamic-migrations-using-templates-drupal-8
Historical reminder about migrations in Drupal 8.
These are plugins based on YAML files.
There is a derived plugin system and as a result the ability to alter the configuration of templates in YAML dynamically depending on the language (typical use case).
Git repository for code examples : https://github.com/upchuk/advanced_migrations
Drupal Admin UI Modernization Initiative
Status report/presentation of the initiative.
The initiative consists of:
- Decoupled administration interface -> Javascript changes in core
- User search -> User experience changes in core
- Drupal design system -> Interface changes in core
The means used by the initiative to make choices:
- survey,
- card sorting: from cards representing pages or content, try to group cards that must go together,
- comparative studies,
- wireframe tests.
Solutions proposed:
- automatically saving pending revisions when editing,
- adding a new editor role,
- Drupal's design system: working on components,
- new administration theme: Claro.
In the works / long-term:
- complete redesign of layout and navigation,
- integration of UX changes,
- high contrast management,
- decoupled administration interface.
CMI 2.0 and you
Same presentation as given at Drupal Europe in 2018, with slight modifications.
The aims of the CMI 2.0 initiative:
- documentation:
  - for users on projects, best practices, define standards of use,
  - for developers to use the available API,
- allow specific configuration by environment: target D8.8
- enable cross-site configuration workflows: target D9
Since Drupal 8.6, it is possible to install a site from an existing configuration: drush site:install --existing-config
But does not work for profiles implementing a hook_install.
Other concepts that will be introduced to improve the API:
- Config export storage
- Config storage transform events / subscribers
- Config environment module (experimental): an active environment both in relation to config split that allows combinations of splits.
- Config directory in settings
The problem is that not all use cases have necessarily been evaluated.
In the meantime, use Config split, ideally with one active split per environment.
Drupal Debug: improve your developer experience
English version of the presentation given at Drupalcamp Paris 2019: https://paris2019.drupal.fr/programme/sessions/lexperience-developpeur-dans-drupal-ameliorez-la
Compared to the Drupalcamp Paris presentation, I also noted that the Webprofiler (Devel's sub-module) is 2 versions behind Symfony's and is not an integration of Symfony's Webprofiler into Drupal, but a layer of the latter.
Since these Drupal Dev Days, I've modified my Drupal project stack to use Drupal Debug, even though it would be better if some features were configurable.
I've also grouped the settings.php in one place so that beginners will be less confused and as a result the development settings part is greatly lightened with Drupal Debug.
The advantages of Drupal Debug that convinced me:
- lighter settings.php for development,
- no settings forgotten when switching to development mode,
- PHP errors in the form of exceptions,
- automatic cache validation for routing, services, .module.
Day 5
[Machine Learning] Creating more relevant search results with "Learn to Rank"
When machine learning is used, it is usually on result prediction issues, in this presentation we will be looking at result ranking issues.
The solution, for example embedded in the Search API module, of boosting words from certain fields is no longer relevant enough.
A more relevant customisation idea is to systematically include a criterion on the freshness of the content in queries made to Solr.
Be careful with the Layout Builder module as you are leaving structured content and this can have an impact on indexing and therefore the expected results.
Also be careful with metatags, which are exposed to Google indexing, but not to Search API.
Don't try to put the logic into PHP, let Solr do the work.
At the parameter level in Search API:
- for the Solr server:
  - check: retrieve result data from solr
  - check: highlight excerpt
- for processors:
  - use: Use highlighted field data, create excerpt
Demonstration of a ranking tool. Ranker performance, a tool that compares search results based on learning, previous learning, original data model.
Learning is done manually. For a given search, it is possible to tell whether a result is well ranked or not / important or not. This learning is then stored according to the search performed and by source data. If the index is emptied and re-indexed, the learning is not lost.
To integrate this functionality into Drupal, the Search API Learn To Rank module (https://www.drupal.org/project/search_api_ltr) exposes a view field for indicating in a search whether the result is relevant or not.
Miscellaneous note: Parse mode: edismax
Demonstration site: http://drupalsear.ch
Layout Builder is here!
Introduction to the Layout Builder module.
Alternatives:
- Panel
- Paragraphs
- Display Suite
Content blocks get a new meaning with Layout builder.
The ability to have default layouts by content type.
To have custom layout parameters, you need to go through PHP classes.
It's better to put custom layouts in a module so as not to be limited.
Use of the Layout Builder Restrictions module to limit the positionable elements in Layout Builder and thus avoid edge effects and overloading the interface.
There was a demonstration of customisations on layouts, but the module cited did not have a Git repository on drupal.org.
Sharing configuration in multi-site and multi-profile platforms: A Modern Oddysey
The current state of configuration management:
- with Drupal 8.6, ability to install a site from an existing configuration,
- no inheritance and hierarchy in installation profiles,
- contrib modules: config filter, config split, config override system, etc.
- possibility of creating "task alter" to alter the existing configuration with Drush options
For installation profile inheritance, it is possible to obtain functionality by applying 2 patches to core. This enables inheritance, but also exclusion so that you don't have a module enabled in a child profile if it isn't needed.
In the multi-site installation shown, the problem is that the configuration export folder was shared between the different profiles and that the information for a site's installation profile is located in the core.extension configuration.
The solution was to alter the import and export of the configuration to remove or inject this configuration on the fly when required per site.
During the installation of a new site, this caused validation problems, hence a patch to allow injection.
During the life of a site, ability to activate configuration under certain conditions with the Config split module:
- in the settings.php file enable or disable splits,
- in the settings.php file, enable or disable splits depending on the domain name requested,
- enable splits via configuration overload services.
This showed an architecture that worked on this project, but was very complex, and required a lot of attention to the splitting of functionality between the different profiles to ensure the sites worked.
Moreover, it required numerous patches, mainly on core, some of which will certainly not end up in core.
web push notifications campaigns management in Drupal
Service workers allow you to react to events emitted by the server.
Use cases are:
- downloading progressive files,
- client-side load balancing,
- optimised offline experience,
- advanced caching,
- tasks performed in the background.
The Push API provides a native application experience, emitting pushes even when not browsing.
The Notification API allows you to communicate with the OS in the background. It does, however, require the user's permission.
Presentation of libraries to use these APIs more easily. They need a VAPID private key stored in Drupal, usually in the settings.php file.
Conclusion
Favourite talks:
- [Machine Learning] Creating more relevant search results with "Learn to Rank",
- Dynamic migrations using templates,
- Keynote: Security, Drupal 9, and the Changing Web Landscape,
- Keynote: The greatest asset Drupal holds for growth is you...,
- Sharing configuration in multi-site and multi-profile platforms: A Modern Oddysey.
As I had already announced in previous feedback on an event, I need to reduce the number of sessions I attend because, since I follow the community news, I already knew the content of most sessions. This was again the case at these Drupal Dev Days.
The "low" number of participants (240) compared to the previous edition (400) was a bit of a shame. But conversely, it made it easier to approach some of the people in the community who were incessantly in demand.
Another consequence was that during the community evenings, it was easier to mingle with the groups of participants, so I was able to make contact, mainly with Romanian, Belgian, Czech, etc. participants and consolidate links, event after event, by seeing the same participants again.
At each discussion, I talk, among other topics, about the Drupal France association and the Entity Share module since I'm contributing to it during the event and I regularly come across people who are interested and I give them a demonstration which is great fun to make a useful module for Smile and for the community. As the call for sessions is closed for the next DrupalCon, I'm thinking of doing a BoF there to present Entity Share which isn't very well known yet.
A point also on the community evenings. Very good quality, excellent each time for meeting new people:
- Tuesday evening: a bar in a venue with a certain charm,
- Wednesday evening: board game night, a must-have at all events!
- Thursday evening:
  - tour of the city's historic quarter, very close to the event venue, by professional guides: to be had at all events!
  - traditional Romanian meal,
- Friday evening: evening organized spontaneously by the community.
A very good event, thanks to the organisers, thanks to the community for the participants and presentations, thanks to the sponsors and thanks to Smile for sending me there.
Photos: https://t.co/PAKnNj2VjU
Videos: https://t.co/CeY7eilt2r