20 years of Drupal: Founder Dries Buytaert on API first, the end of breaking compatibility, and JavaScript bloat

Commercial involvement in open source is essential, says CMS boss

Interview: Content management system Drupal is 20 years old, prompting its founder to talk about its evolving role, why it shifted from a policy of breaking compatibility with each release, and concerns about JavaScript bloat causing issues for those with poor connectivity.

"When I started Drupal 20 years ago I built it for myself, for me with my friends," Buytaert told us. That was at the University of Antwerp, Belgium, in 2000. He wrote a small message board. When he graduated he put it on the web, intending to call it dorp, which is Dutch for village. He mistyped it as drop, creating drop.org. Drupal is derived from the English pronunciation of druppel, Dutch for drop.

Buytaert is now project lead for Drupal and CTO of Acquia, a cloud platform for marketing sites.

What would he do differently if starting the project today? "I would lead with a strong user experience," he said. "When I released the first version of Drupal it attracted like-minded people, meaning other developers, and we got a bit of tunnel vision, it was for developers by developers. In the last 20 years the world has changed, the primary end user for a content management system like Drupal is no longer a developer but a marketer, typically a less technical person. Because of that Drupal is still considered as a bit harder to use than competing systems.

Buytaert spoke to The Reg via Zoom

"The second thing is less about the product but more about open source. In the early days it was a renegade movement, anti-establishment. They kind of frowned on commercial involvement, maybe it was confused with proprietary. Today we've learned that commercial involvement in open source can be a great thing. Almost two-thirds of the contributions to Drupal come from commercial organisations, over 1,200 companies last year. If starting today, I would embrace that commercial involvement from the get-go. It means finding models that encourage organisations to contribute even more aggressively.

"Open source has won. It results in higher quality software at lower cost, no vendor lock-in, but the final challenge, the end boss, is that it's still hard to scale and sustain open-source projects."

What about Drupal, does he have any anxieties about its financing? "Drupal is very healthy," he said. "We have one of the most vibrant open-source communities, and we're growing. But how do we double or triple our capacity as a project? How do we get to 5,000 organisations? Which in a way we have to do, because we're competing against technology giants, and they are growing in leaps and bounds."

What about the WordPress model, where hosting sites for the world delivers an income stream? "We are not considering that," said Buytaert. "In the WordPress model, you get a single beneficiary, which is Automattic [WordPress.com's owner]. We have a different view, that we try to give great benefits and incentives for thousands of different organisations that contribute."

API-driven Drupal and supporting JAMstack

Turning to Drupal itself, is it becoming more of an API than an end-to-end content management system (CMS), enabling other approaches like static websites calling Drupal services?

"That's part of the direction and we have a lot of users already using Drupal with a JAMstack," he said. "There are trends that push that strategy. There's the evolution of a simple CMS to what we call a visual experience platform. Organisations integrate Drupal with a bunch of different backend technologies, maybe a CRM [customer relationship management], marketing automation tools. And Drupal users don't just deliver a page of content any more, they want to deliver experiences that are personalised. That requires an API-based approach.

"Similarly on the front end we see an explosion of JavaScript frameworks and adoption, and that also requires an API-based approach. We made the decision six or seven years ago to evolve Drupal into an API platform.

Breakdown of Drupal contributions

"The third trend is that it's no longer sufficient to deliver content in the browser. It's still a primary channel, but we deliver content to digital kiosks, even email and push notifications and voice assistants. Lufthansa is using Drupal to power in-flight entertainment systems. It's a misconception that Drupal is just for websites. In New York, the screens in the Metro system that say when the next train is coming are all powered by Drupal."

Is there a problem with JavaScript frameworks leading to heavyweight pages and less clean HTML? "It is worrisome," said Buytaert. "The web is better when it's fast and simple. There are billions of people around the world where they still do not have fast internet. I see a lot of bloat. I know it's fun or sexy for web developers to build with all these frameworks, but people need to think critically, is it the right tool for performance and inclusiveness?

"We have spent 20 years optimising Drupal for SEO, accessibility, performance. A lot of these JavaScript websites lose those benefits because they literally start from scratch. A complex use case where things need to be more application-like is valid, but you have to weigh the pros and cons. It's wrong to say JavaScript-based applications are better in every scenario, a big mistake."

What's coming up in Drupal? Automatic updates is one thing. "People think about how your iPhone updates itself and it magically works. But in enterprise content management we have to cater for complex use cases, compliance needs etc." There will be out-of-the-box automatic updates, he said, but with options for things like running automated tests, deploying to a staging environment, and so on.

Why was the upgrade from Drupal 7 to 8 so difficult? "Historically Drupal had a policy of breaking backwards compatibility. We had a belief that to promote innovation it's OK to break APIs. That's why the upgrade from 7 to 8 is difficult, because if you had custom code it needed to be updated, because the old APIs would stop working.

"Going from 8 to 9 we changed that policy permanently. Now we make sure there are graceful upgrade paths. We deprecate old APIs but we don't remove them. The upgrade from 7 to 8 will be the last difficult upgrade."

The release cycle has also changed, no longer a big-bang release every four or five years, but a "continuous innovation release cycle," said Buytaert, with an updated release twice a year. "If the feature's ready it ships, if it is not ready it catches the next release. End users will see more innovation faster, and for contributors it's also a good thing."

Why is it so much easier to find a WordPress agency than a Drupal agency? "It's a matter of scale," said Buytaert. "Yes, it's probably easier to find WordPress developers, but Drupal is the second easiest. Compared to finding an Adobe developer, or a Sitecore developer. Having said that, there are things we can do, train or mentor more Drupal developers."

Drupal is written in PHP, is he happy with PHP's direction? "There's a PHP renaissance," he said. "PHP is still the number one language on the web, even though JavaScript is growing fast, if you look at the data. There's all sorts of innovation in the PHP project that wasn't there 10 years ago. They added a just-in-time compiler. That's big. People have opinions about PHP, some love it, some hate it – I think it's part of the reason why Drupal has been successful. Everybody can learn it, everybody can use it, everybody can host it. It may not be the most elegant language but it wins in terms of ease of use, adoption, availability. And it scales."

Buytaert insisted that Drupal no longer deserves its "reputation of being a little hard to use. Somehow we need to change the mindset of people. The Drupal that people looked at 10 years ago, even five years ago, is not the Drupal we have today. We don't have that marketing machine to educate everybody about it." ®

Biting the hand that feeds IT © 1998–2021