Opening the Gates For Drupal.org Code Contributions
Proposals to improve the Drupal contribution process have been heavily debated for the last few years.
Until now, the only thing everyone could agree on was that the current process was broken.
Currently, many submitted modules are hung out to dry, because very few people have time or energy to fight through the submission process. You are lucky if you get your module accepted within 6 months. Many developers have waited much longer.
We were astonished to learn that our theme, called Breeze, was the first theme project to complete the approval process in 2016. And it was published in September! There were no new theme contributors for the vast majority of 2016.
Fortunately, big changes have come to the approval process for code on Drupal.org.
What changes are happening?
Contrib modules will now be passed through an automated code review process such as pareview. If the module passes, then it will be promoted to a full project on Drupal.org. There will no longer be a long, drawn-out process before approval is granted.
Instead, the Drupal community will move towards relying more on code reviews after publication. There will be automated tests, and also incentives for providing peer code review. Project pages will carry clear indicators of code quality, including both automated signals and the results of manual code reviews. Code quality signals will impact where projects appear on listings and search results.
The role of the Security Team is also changing. All new projects can apply for Drupal Security Team coverage. Projects that do not have coverage will get a warning message on the project page and on the update status page for their sites. Here’s a current example of a module with security coverage:
And here’s an example of a module with no security coverage:
However, this security coverage will require some work by the contributor. There will be a user role on Drupal.org called “Opt into security team coverage”. To get accepted into this role, and to get your project covered by the Security Team, you will need to pass through a detailed approval process for your module.
You can click here to read the entire discussion on the changes.
Conclusion
The new method will allow for the quick publication of projects. The new emphasis will be on a strong follow-up process (involving the Security Team) instead of a strict approval process.
This shift in focus should help developers improve the modules they submit and move modules forward in a more encouraging manner.
An emphasis on security and stability will be needed to ensure that future modules are security vetted. The updated system for security coverage will show which modules are deemed released and ready. This will push developers to mark their modules as official releases. Why is this important? In Drupal 7, a module could often be tagged as “beta”, but still be in mass use.
Overall, these are positive changes, and they help move the development process from “fighting against the system” to “being encouraged and helped with your contributed module.” This is definitely a step in the right direction for Drupal contributions.