Recently those of us who subscribe to the Drupal Security email list were bombarded with a series of notifications, indicating that sixteen projects (modules and themes) were no longer downloadable from drupal.org. The emails said:
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer.
Most of these projects were obscure and not widely used, but there were two in particular (Admin Views and Nodequeue) which are very popular.
What happens when a Drupal project is unsupported?
When a security issue is discovered in a Drupal module or theme, it is not logged in the main Drupal.org bugtracker. Instead, it is moved to the Drupal security bugtracker. At that point, only the bug reporter, the module’s maintainers, and the Drupal security team can view the issue. This prevents would-be attackers from exploiting a security issue before a patch is issued. The security team gives the maintainers two weeks to come up with a fix for the security issue. If the maintainers do not respond in that timeframe, the security team declares the module unsupported, hides all releases from viewers, and puts a big red notice at the top of the project page on drupal.org. Site maintainers who use drush make to keep contrib dependencies up-to-date will receive warnings that the project could not be downloaded.
At this point, there are three options:
- Uninstall the module or theme, and find or create a replacement solution for your site.
- Volunteer to become the new maintainer of the module; then you must patch the security issue yourself and manage releases going forward.
- Wait a couple weeks for someone else to step forward to maintain the module. (This may or may not happen.)
Building a non-trivial Drupal site without using contributed modules or themes is pretty much a non-starter. A large part of the site-building functionality you will need is found in contributed modules and themes, which are maintained by volunteers who are not paid by the Drupal community (though they may be financially supported by corporate sponsors).
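One way to catch an unsupported project before a failed download does is to audit the site's contrib list against release-history XML, shown here as an added example that is not from the original post or from drupal.org. The sample feeds are constructed, and the element names (`short_name`, `project_status`), the `published` status value and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample feeds (not real drupal.org responses), keyed by project.
# Statuses mirror what the post describes for these three projects.
SAMPLE_FEEDS = {
    "nodequeue": """<project>
  <title>Nodequeue</title><short_name>nodequeue</short_name>
  <api_version>7.x</api_version><project_status>unsupported</project_status>
</project>""",
    "admin_views": """<project>
  <title>Admin Views</title><short_name>admin_views</short_name>
  <api_version>7.x</api_version><project_status>unsupported</project_status>
</project>""",
    "entityqueue": """<project>
  <title>Entityqueue</title><short_name>entityqueue</short_name>
  <api_version>7.x</api_version><project_status>published</project_status>
</project>""",
}


def project_status(feed_xml):
    """Return (short_name, status) for one release-history document."""
    try:
        root = ET.fromstring(feed_xml)
    except ET.ParseError:
        return (None, "unparseable")
    if root.tag != "project":
        # Anything other than a <project> document (e.g. an error reply)
        # is not a usable feed.
        return (None, "not-found")
    name = root.findtext("short_name")
    # A missing status is reported as unknown, never silently as healthy.
    status = (root.findtext("project_status") or "unknown").strip().lower()
    return (name, status)


def audit(installed, feeds):
    """Map each installed project to 'ok' or the reason it needs attention."""
    findings = {}
    for project in installed:
        feed = feeds.get(project)
        if feed is None:
            findings[project] = "no-feed"
            continue
        _, status = project_status(feed)
        findings[project] = "ok" if status == "published" else status
    return findings


if __name__ == "__main__":
    for name, result in audit(sorted(SAMPLE_FEEDS), SAMPLE_FEEDS).items():
        print(f"{name}: {result}")
```

Any result other than `ok` means the project needs one of the three responses listed above.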
What does this have to do with upgrades to Drupal 8?
Drupal 8 is no longer new. The first Drupal 8 stable release made its appearance four years ago. Drupal 8 features a built-in object-oriented plugin architecture that is an absolute pleasure to code in. Many of the brightest minds in the Drupalverse have moved on from Drupal 7 and no longer feel any great motivation to maintain code in the clunky old Drupal 7 universe. Additionally, Drupal 7 will reach official end-of-life in November 2021.
In the case of Admin Views and Nodequeue, neither one has a Drupal 8 version. Admin Views provides functionality for Drupal 7 that is already baked into Drupal 8 core. Nodequeue has been made obsolete by the entirely redesigned Entityqueue, which is available for both Drupal 7 and 8.
As the release date of Drupal 9 draws closer, fewer and fewer maintainers will be interested in devoting resources to the losing proposition that Drupal 7 is becoming. This means that more and more contrib modules and themes will lie unmaintained, and any newly-discovered security holes will directly lead to withdrawal of downloadable releases of these projects.
Therefore, anyone running a Drupal 7 site should begin migration plans right now. If you need help managing such a migration project, contact us — we’ll be happy to help navigate the upgrade process.