This is a transcript. For the full video, see What you need to know about Drupal 9 - Core Confidential #2.

Preston So: [00:00:00] Hello, and welcome to Core Confidential.

The insider guide to Drupal core. I'm Preston So, editor in chief at Tag1, and it's the real big pleasure today to welcome all of you to the second episode of Core Confidential, our monthly series on what's happening in Drupal core and exactly what you need to know about Drupal today. Today, we're going to be talking with Drupal core committer Fabian Franz, VP of software engineering at Tag1.

And we're also joined by Michael Meyers, managing director at Tag1, about what's going on this month in Drupal Core. Today's a very special edition of our show today because we are going to be talking about today's release of Drupal 9. But I think it's important to note that Drupal 9 isn't the only release happening today.

I mean, there's actually four core releases happening today, including Drupal 7.71, part of the Drupal seven family with full PHP 7.4 support. It's an exciting day. And, you know, just to get the full kind of picture of what's going on outside of Drupal 9's release, we turn now to Fabian, who's going to talk a little bit about Drupal 7's latest release.

Fabian Franz: [00:01:02] Yeah. So Drupal 7, we are still in maintenance mode. But it's still supported together with the community, thank you community, who did a great job as usual. We managed to get full PHP 7.4 support in, which is a pretty big deal. That means all of those Drupal 7 sites, as soon as contrib is ready, obviously, can eventually upgrade to PHP 7.4 as well.

We also fixed that nitty-gritty bad Chromium bug. So, even though Chrome will be putting out a release later also to fix it. But, if you have trouble with file uploads not working, it's a good idea to upgrade to 7.71 because we fixed it here for you and that's cool. But now let's go to Drupal 9, I'm incredibly excited.

Preston So: [00:01:52] Sure. And one of the things I think we want to emphasize is that, you know, of course there's all sorts of wonderful excitement about Drupal 9, but that doesn't mean that you have to absolutely migrate to Drupal 9 or upgrade to Drupal 9. Drupal 7, obviously, as you mentioned, Fabian has a lot of great, kind of maintenance releases that are all going to be continuing the legacy of what Drupal 7 has offered until now.

But let's go ahead and turn to Drupal 9, because I think that's where a lot of the momentum is right now in the community. The big news of course, is that we're seeing today not only the release of Drupal 9 and Drupal 7.71, but also 8.9 as well. The kind of, next release in Drupal 8. So, you know, I want to congratulate the Drupal community and the entire Drupal ecosystem for accomplishing this major achievement in the history of Drupal.

And, obviously it's been a long time coming. It's been four and a half years. Since Drupal 8 was released, it's been 54 months to develop and release Drupal 9. What does the Drupal 9 release exactly mean? I mean, you know, I know that there's about 2000 contributed modules ready to go, but I'm kind of curious, you know, in terms of the larger picture of Drupal today, what implications does the Drupal 9 release provide and what does it actually mean for our community?

Fabian Franz: [00:03:06] So, for, for technical reasons, it means we are throwing away all the baggage. Let's assume we are in a balloon and we're throwing away all the baggage. So we can go way higher. Again, this is kind of like the mental picture you have to do. You need to have of Drupal 9, all the baggage that's away and we'll have the newest and shiniest Symfony, Twig. All of those things come with performance, stability improvements, bug fixes, new features. We are getting all of those now in, in Drupal 9, because for backwards compatibility reasons, we don't want you to break your site. Like, like every six months, that will be bad. We, within Drupal 8, we just could not upgrade Symfony or Twig or whatever like that. And so basically there's this, like all the old baggage is gone, all the new things coming in. So this kind of says that the freedom it gives us.

Preston So: [00:04:04] And I've heard, you mentioned Fabian a little bit about kind of Symfony and, and, you know, the fact that the Drupal 9 release is leveraging the latest and greatest in the Symfony ecosystem.

But you know, what I think is interesting is a lot of the other things that are, that are being introduced as well. You know, not just the amazing kind of, of, upgrades to the code and the ways in which the code evolved, but also the fact that we actually have a new front end theme as well named Olivero, in, in, in memory of a Drupal community member who was a very big proponent of accessible Drupal sites and, and all of that. Very, very happy to see this theme coming in. And so there's, there's a lot of richness coming into this release, but I'm kind of curious, you know, for those of us who have, who have had a sense of the fact that we now have Olivero, we have, you know, a lot of great new libraries that are up to their latest versions. Where does Drupal 9 go from here? What's next? You know, I know that all the deprecations were removed, but, you know, I guess that's just that, you know, it's not just about code management or code upkeep, and release upkeep.

What's kind of the, the next step for Drupal 9 from here?

Fabian Franz: [00:05:06] The next step for Drupal 9 is to be Drupal 8.

Preston So: [00:05:14] Explain

Fabian Franz: [00:05:14] Drupal 9 is now entering like of this space, where Drupal 8 was in the whole time. That means we will be again, adding new API layers, will be again, adding new things that will then be deprecated. And you cannot talk about Drupal 9 without talking about Drupal 10, basically, because there's already Symfony 5 old, but Drupal 9 is still on Symfony 4 LTS because we need the long time support for security releases. The Drupal 10 will then have the newer Symfony five or six or whatever the next LTS version, basically. And so, that's kind of, kind of the same. You're always, within the new model, you're basically thinking in three branches at once.

Always. It's a little bit confusing at all at first, but, but let me explain that real quick again, because it's, it's really important to grok it. Basically, the Drupal 8, there's no more core development officially today. There's only bug fixes, no more features and security. And so the end of life in 2021, basically.

And, then, basically, it's important that there will be a new Drupal 9 release in December already. So Drupal core development never stops. It's like Ubuntu like, there's a six month schedule and there's coming a new to 9.1 and that already will have new APIs, new things, new features, et cetera.

And so, now, again, the focus after this long time of getting Drupal 9 ready, you will be again on user-friendliness, accessibility, performance, security, privacy, diversity and chance, all of those nice things. So momentum starts basically again, in that, and that's very, very exciting.

Preston So: [00:06:59] That's really exciting to me because, you know, I think a lot of us in the community had been waiting for a, you know, kind of the next kind of, you know, threshold for innovation where that's going to happen.

And, and it's very clear that Drupal 9.1 is that prime opportunity for folks to get involved. Let's talk a little bit about, you know, first I want to mention of course that, you know, if it wasn't clear the last version of Drupal 8, Drupal 8.9, was also released today. And as Fabian mentioned, of course, these are bug fixes primarily about making sure that Drupal 8 remains the stable platform it continues to be. But I'm kinda curious to take a little bit of a different perspective here. You know, I think we've talked a lot about the roadmap for Drupal 9. What Drupal 9 means for the community. I want to get a little bit of an inside perspective. This is Core Confidential after all. And Fabian, what are some of the biggest obstacles that the core developer and core contributor team faced, when it came to, you know, what sorts of features or what aspects of Drupal 9 took the most wrangling or, or effort or thought or, or, or, or to use Angie Byron's phrase, cat herding?

Fabian Franz: [00:08:03] Basically, I'm just a quick disclaimer, I'm getting those, sometimes firsthand when I'm active in the Core community, obviously, but I'm also getting them a little bit second hand from my colleague, Nat Catchpole, who unfortunately couldn't make this date. But, so, basically with Drupal 8 we introduced a change, a change in philosophy. A change in development, all these deprecations, all those backwards compatibility. And sometimes there was, especially around data, we got wrong, basically. So a lot of these blockers for Drupal 9 were actually that the deprecation was not easy to really deprecate for Drupal 9 and to really remove. And so this is what's changing in Drupal 10. There's a whole new infrastructure, including PHP, Drupal CI, et cetera, that was built now. And that will make Drupal 9 development much more pleasant for the community and the core developers because this whole deprecation infrastructure is there. I mean, it's been 4.5 years, so there's a lot of experience now also with how does it work if I add a new API and deprecate another one? What do I need to think about? And we have this experience now, and that's great because that means hopefully from Drupal 9 to 10, there will be less release blockers. And, it would just be a smoother process overall.

Preston So: [00:09:31] That's amazing. And, and, you know, I think that's a, that really illustrates one of the challenges that was involved in, in, in, in kind of that, articulation of what Drupal 9 and Drupal 10 are gonna look like.

I'm curious, looking back at, you know, this deprecation infrastructure and the way that, the transition from Drupal 8 to Drupal 9 happened. Is there anything that, that, that, that you and Nat and, you know, the rest of the core team would have maybe changed a little bit about this approach?

Fabian Franz: [00:09:57] Yeah, I can even give my own perspective because I wish we had used this deprecation approach already there. Catch expressed that you would have liked to break branch to just be open to way later, like stabilize. Basically make the preparations within Drupal 7 and not like throw everything away and rewrite everything in Drupal 8. I did an abandoned approach, some years ago, to basically port some of Drupal 8 back to Drupal 7 and it went amazingly smooth. I can tell from that experience that the backwards compatibility way would have originally worked if we had started early enough, because in the end, I always like to joke that, they hadn't even changed so much from Drupal seven to eight.

You even have the same bugs still. So, a lot of things. One of the things, for example, Drupal had message, you could have just introduced a messenger server in Drupal 7 and it would have been possible, maybe not with whatever like that, but you could have just introduced it and then people could have started using it.

And then when Drupal 8 would have come out at the end, then it would have been already there. And people had been already a little bit more used to the optional object oriented approach as both starting 8 later, and preparing more things in Drupal 7, for that would have eased this transition a lot. I mean, hopefully fortunately now with Drupal 9 to 10, we will have all that. So that's a good, but enriched perspective would have been nice to have done that.

Preston So: [00:11:31] And we know that this kind of issue of, you know, obviously backwards compatibility and, you know, opening these, these, these new branches is it's a very, very tough issue because you know, sends a lot of signals to the larger community and ecosystem.

And so also I'm curious, you know, based on the things that you've learned from working with Drupal 7 and Drupal 8, what do you think we, as a community need to do to make sure, to kind of continue that legacy that you just described for Drupal 9 and Drupal 10?

Fabian Franz: [00:11:59] The biggest challenge we have right now.

I think the process overall worked pretty well. But, there's this pesky thing called data. Doesn't anyone just like to reinstall the site again and again. Now, unfortunately, fortunately we have to preserve all the data. So whenever we do changes, for example, in the entity subsystem that are sending schema and those schemas need to be applied, then we always need to write these upgrade paths. And this is still not smooth. Kind of like how do you deprecate an old data structure, introduce a new data structure and ensure doing all of that you are not like doubling the database size or have conflict because some old modules using the old data, some other modules using the new data and it's tricky.

Preston So: [00:12:49] And, you know, just to kind of take a little bit of an even further perspective. One of the things that I'm kind of curious to hear about is, you know, I think we've heard a lot about the fact that, you know, obviously Drupal 9 represents a huge change in the way that Drupal releases work and the way in which we innovate in Drupal.

What's your biggest concern? What worries you? What keeps you up at night, Fabian? I imagine lots of things keep you up at night, but what keeps you up at night in terms of the next 6 to 12 months in the Drupal roadmap and what sorts of things are, are, are kind of on your mind and stuff that you're thinking about in the coming year?

Fabian Franz: [00:13:21] It's probably not keeping me as much up as the core committers, but, basically, the thing is kill all the jQuery. So basically we need to, there's lots of legacy JavaScript in it. And even the most diehard fans of jQuery have moved to something like ---- , -----, even Preact. Preact is great. We've talked about that already a little bit. Can talk a little bit more about it, but basically, jQuery has served us really, really well, but the modern front end has evolved a little bit. And, it would be great to at least get jQuery UI out of that thing as a first step and then later, some other parts out.

And, also, we are still on CKEditor 4, we need a new modern editor, be it Gutenberg, CKEditor 5, personal route, whatever. I mean, we talked about it. If anyone wants to watch our Team Talk about it. Great overview. And, so Symfony 5 is out like that, we as a stable platform, but then also means at some parts we can be behind.

It can be compared to like, like Debian vs. Ubuntu. And I mean now it's rock solid, et cetera. And we're going to do one more getting the newest same thing, so. Once we have the Drupal 10 branch, basically, then we can also try that out, but obviously, this is all work for the community. We need to find a new editor, we can replace CKEditor 4 with. We have to see what changes does Symfony 5 bring, etc. So those are kinds of challenges. How do we keep up with the larger ecosystem that Drupal is a part of? And yeah, and, and I mean, we've just seen with the Drupal 7 Chromium bug that have been on an ancient version of jQuery forum can lead to really interesting, strange bugs because there's some optimization for Microsoft Internet Explorer 6. That maybe a Chrome 83 doesn't lag as much. So yeah, that's, that's all clashing. So there's a cost to that as well.

Preston So: [00:15:28] And that's of course, one of the challenges of Drupal was that, you know, obviously you have to keep abreast of not only the most ossified or fossilized browsers that are out there, but also the ones that are really pushing the envelope and maybe introducing syntax that doesn't work in both.

And it's, you know, I think it's really incredible. I think, you know, Drupal has always had a, had a, had a really great focus on enabling, as many of those browsers, as many of those vendors as possible, which is, which is great. So a good quick note here that I want to make sure that I pass on to the audience.

Please remember that, because Drupal 9 is out it's past time to be upgrading your modules and if you have any modules that the community's using, please make sure to have those available for Drupal 9. As Gabor Hojtsy, my former colleague at Acquia, mentioned previously, most of these modules that are out there in the contributed ecosystem only need a change to their .info.yml file to register that it's available for Drupal 9 as well. There's no other really, you know, rewriting of PHP or, or, you know, using some of these new features that are available in Symfony quite yet. By the way, Gabor is also offering a monetary contribution for every module upgrade.

And I'm not sure if that's still going on. But please check out his Twitter account for more information. There's also by the way, a bot that was created in the community, that is able to do a lot of the readiness checking for you out of the box. And, it's a very exciting development as well. Fabian, I just wanna, check with you.

You know, I know that you're a, somebody who has maintained a lot of modules. What have you done to upgrade your modules to Drupal 9? Have you looked at some of these tools that are available for some of the automation of these, upgrading tasks?

Fabian Franz: [00:17:04] Definitely. I mean, in general, the main thing you need to do to, to take your modules are already are basically, you need to know which deprecations have occurred, or maybe if you have a test suite for your module, then you just install your module on Drupal 9.

And you just run your test suite and if it passes, hey, you are ready for Drupal 9. So, yeah, Yea, you for testing, is what I'm saying here, basically. But on the other hand, if, if things are like, if you run into errors or like exceptions during testing or manual testing, then obviously, if you need to check those change logs and notices and see kind of like what we need to do to adhere to the new APIs, but overall I think that, unless you're using, I mean, some more common APIs have changed, but I think overall, it's pretty smooth upgrade process also.

Preston So: [00:18:02] Wonderful. Well, one of the things I do want to make sure also to mention and highlight here in this second episode of core confidential is we do have some security advisories about Drupal core out right now.

There's two moderately critical advisories that you should be aware of and make sure to address. Fabian, do you want to talk about these two that are happening right now? I know that there's an open redirect vulnerability as well as an XSS, cross-site scripting vulnerability as well. Do you have any insight into these two?

Fabian Franz: [00:18:31] I have, but I would need to do things that we won't do want I don't want to talk about it.

Preston So: [00:18:42] Understandable, understandable.

Fabian Franz: [00:18:45] Basically, just to give, I think I'll take the opportunity basically to talk about what is an open redirect. An open redirect basically means someone can trick you into clicking on a link that looks safe because it starts with Drupal.org or mysafesite.com or whatever.

And, it has an independent parameter and then it forwards you to a phishing site. So basically it's, it's it's it's two-step phishing approach. The approach is basically you give, send someone an email, you give somebody a specially crafted link. They click on that link. Then on the normal site, like they, they check the name, they copied into the browser, they see everything that's okay.

But they don't see that the destination parameter is containing something fishy and then they click on it and then they automatically get forwarded to, to this destination parameter. And then it basically says, for example, like, Hey, your luck has failed, try again, whatever. And then the user puts in that credential and they have basically hacked themselves. A cross-site scripting thing, this case was in jQuery. So, they've informed us upstream about it, basically. It means that some parameter that is output is not checked enough. The easiest way to, if you ever want to do security audits for your site, just take every text field on the site and put <script>alert('XSS')</script> in.

And if you learn kicks we'll sign and there's an alert check box, then you're now you're vulnerable. So yeah, that's probably the most simple way to test. It's also amazingly effective.

Preston So: [00:20:27] And that should illustrate for our listeners and for our viewers today, that it is extremely important to make sure to address these moderately critical, you know, I don't like the word moderately, you know, I think every critical vulnerability is critical.

Clearly we want to make sure that our sites remain secure and safe. So, thank you so much for that Fabian. And, I think we've learned a lot about Drupal 9 today, and of course the coming roadmap, as well as how Drupal 7 and Drupal 8 users should really start to prepare for this coming era of new innovation in Drupal.

Thanks for joining us on this second episode of Core Confidential. All the links that we mentioned today are going to be posted online with this video. And if you liked this episode of Core Confidential, please remember to upvote, subscribe and share it out and check out our past Core Confidential talks at tag1.com/core. We also have a sibling series about twice the length of these Core Confidential episodes called Tag1 Team Talks that's available at tag1.com/tagteamtalks. And as always, we would love to hear your feedback and any topic suggestions, either about Tag1 Team Talks, our 50 minutes series, or about Core Confidential, our 25 minutes series.

Please write to us for both of those shows at tagteamtalks@tag1consulting.com.

I want to thank our wonderful colleagues today. Michael Meyers, managing director of Tag1, as well as Fabian Franz, VP of software engineering at Tag1. Thanks for joining us on Core Confidential and see you next time.