With the Commerce Recurring module, any Drupal Commerce website can create recurring orders that users can manage directly in Drupal. This is useful for donations, subscriptions, and memberships, especially for selling access to content. We created the module well before payment gateways like Stripe had robust recurring solutions in place with full webhook support.

However, the market has now evolved, partly because of the SaaS explosion. If you’re looking for a solution to recurring payments, you have many options to implement them reliably beyond Commerce Recurring.

While before we would always lean toward using a native Drupal solution for recurring billing, now the answer is more nuanced. How should you implement recurring payments in Drupal Commerce?

Start by ruling out what you don't need

Before diving into frameworks and modules, it's worth asking whether you actually need Drupal Commerce at all for your subscription use case.

If your requirements are straightforward, like selling access to a user role that unlocks gated content, you could implement that with nothing more than Stripe Checkout and a webhook listener. A customer hits Stripe's hosted checkout page, subscribes, and your Drupal site receives a webhook notification. You grant the role. When Stripe tells you the subscription was canceled or a payment failed, you revoke it. No shopping cart, no checkout flow, no Commerce module required.

Some use cases genuinely are that simple, and adding unnecessary complexity doesn't serve anyone.

This morning, Salesforce announced its plan to acquire Contentful.

Congratulations to Sascha Konietzke, Paolo Negri, and the whole Contentful team. They spent 13 years building Contentful into one of Europe's most visible enterprise software companies. Salesforce buying Contentful is real validation of the product, customers, and team they built.

The deal makes sense for both Salesforce and Contentful. Salesforce has long had a CMS-shaped hole in its product offering, and Contentful fills it with a mature, enterprise-ready SaaS product.

To me, the more important question isn't whether the acquisition makes strategic sense, but what it means for digital sovereignty. It's a textbook example of why "Buy European" isn't enough.

Before I go further, let me be clear about where I'm coming from. I founded Drupal and still lead the project, and I co-founded Acquia, the company built around Drupal, where I'm Executive Chair. So when I argue that this deal exposes a problem, you should factor in that Open Source is both my life's work and my livelihood.

Contentful is a German company, Contentful GmbH, registered in Berlin. For over a decade it has been a flagship European software company.

If the acquisition closes, it becomes part of Salesforce, a US corporation, and falls under US law.

For many of Contentful's customers, this acquisition will be a non-event. For governments, public institutions, and regulated industries, it exposes a harder truth: a vendor being European today is no guarantee it stays European tomorrow.

A practical example is the US CLOUD Act. Many people may not know about it, but it becomes relevant anytime a non-US vendor is acquired by a US company.

In plain English, the CLOUD Act means that US authorities can require any US company to disclose data it controls. That can apply even if its data is stored in Europe, managed by a European team, or running on European infrastructure.

This is not a hypothetical concern. The law came out of a dispute between Microsoft and the US government over emails stored in Ireland. US Congress changed the law while the case was pending, making clear that US providers can be required to produce data stored abroad.

That does not make Contentful a bad company. It does not make Salesforce a bad owner. And it does not take anything away from what the Contentful team built.

But it shows the limit of "Buy European". Contentful spent 13 years as a trusted European vendor, and one board meeting is enough to put it under US law.

An Open Source license changes that. Drupal customers running on Acquia, my own US-based company, are also exposed to US law. But because Drupal is Open Source, they can move to a European hosting partner, self-host, or fork the code. A Contentful customer cannot.

The Contentful team deserves credit for what they built. Few European software companies have reached its scale and size. But this is also a reminder for Europe. For software that governments, public institutions, and critical industries depend on, sovereignty must survive any acquisition.

That is the point of The Software Sovereignty Scale and The Sovereignty Prerequisite that I submitted to the European Commission as feedback on their Cloud Sovereignty Framework.

Open Source is the only way to guarantee long-term choice, control, and governance over your code, data, and infrastructure.

Special thanks to Tiffany Farriss for her review of this blog post.

Today we are talking about AI, How to stay up to date with it, and if it will really take our jobs with guests Angie Byron & Amber Matz. We'll also cover AI Best Practices for Drupal as our module of the week.

For show notes visit: https://www.talkingDrupal.com/555

• What Is AI Learners Club
• Amber Defines the Club
• Origin Story and DrupalCon
• AI Debate and Community Tensions
• Issue Queue Conduct and Moderation
• Thread Tone vs Substance
• AI Adoption Outside Drupal
• Conflict Mediation Playbook
• Maintainer Burnout and Flood
• Safe Space Learners Club
• How the Club Started
• Picking Topics and Demos
• AI Taking Our Jobs
• Future of Learners Club

• Context Control Center
• AI Learners Club
  • Initiative page
  • Event calendar
  • YouTube Playlist
  • Session Recaps
  • Next session (Claude Design)
  • Slack: #ai-learners
  • Most wanted topics
• What Angie's working on these days

Amber Matz - tugboatqa.com amber-himes-matz Angie Byron - ai_best_practices webchick

Nic Laflin - nLighteneddevelopment.com nicxvan John Picozzi - epam.com johnpicozzi Scott Falconer - managing-ai.com scott-falconer

Martin Anderson-Clutz - mandclu.com mandclu

• Brief description:
  • Do you want to start using AI tools for Drupal development, in the most efficient way possible? There's a composer plugin for that!
• Module name/project name:
  • AI Best Practices for Drupal
• Brief history
  • How old: created in Mar 2026 by Angie Byron (webchick), one, of today's guests, a long-time Drupalist, one-time Acquian, and a fellow Canadian
  • Versions available: dev version only, which doesn't seem directly opinionated about what version of Drupal you're using, though it does have minimum versions of PHP and Symfony libraries that suggest Drupal 10 is functionally your minimum
• Maintainership
  • It is officially seeking co-maintainers
  • Test coverage
  • Documentation - an in-depth README, or you can ask an AI model! (like I did for this segment)
  • 54 open "Work Items" on Gitlab, so lots of active discussion already
• Module features and usage
  • AI Best Practices for Drupal aims to be the opinionated starter experience for AI-assisted Drupal development
  • You can think of it as a single Composer install that makes any AI coding agent "speak Drupal": following community standards, preferring contrib over custom code, and avoiding framework-naive mistakes. It replaces scattered, tool-specific CLAUDE.md files and Cursor rules that some Drupal developers currently maintain individually, with one canonical, community-governed package that works across Claude Code, Cursor, Copilot, and more. With contributions by a variety of Drupal luminaries including Marcus Johansson, Christoph Briedert, and Scott Falconer, it's the Drupal equivalent of Laravel Boost: stop explaining Drupal to your AI every session and just get writing code.
  • After install or update, it will create an AGENTS.md file from a provided template if there isn't one already, or it will update a specifically marked "ai-best-practices" section of an existing file
  • You will also have a directory of provided skills, and guidance for creating new Drupal agent skills
  • Also included is a set of evals, meant to automatically identify when AI models go off course and provide feedback
  • AI Best Practices for Drupal is meant to provide guidance that will be particularly useful for AI agents, so it's ideal for Drupal developers getting started with AI tools, or for AI developers who want to get started with Drupal

Drupal 12 is still months away, but readiness work is already becoming visible in contributed projects. One recent example comes from Scheduled Transitions 2.9.0-beta4, which declares compatibility with Drupal ^11.3 || ^12. The release itself is modest, but it serves as an early reminder for teams beginning to review upgrade paths and dependency inventories ahead of the next major Drupal release.

Scheduled Transitions is an editorial workflow module that allows content revisions to move automatically between moderation states at scheduled times. While the module itself may not be widely discussed, it represents the kind of workflow dependency that organisations often rely on for day-to-day publishing operations.

That makes its Drupal 12 compatibility declaration noteworthy. Upgrade planning should not stop at Drupal core. Teams also need visibility into the contributed modules that support moderation, scheduling, revisions, translations, layout management, search, and editorial access. Early compatibility signals help identify which parts of a publishing stack are already preparing for the next release cycle.

According to the Drupal core release schedule, Drupal 12.0.0-beta1 is planned for the week of 14 September 2026, with Drupal 12.0.0 scheduled for the week of 7 December 2026. Drupal 10 is also expected to reach end of life on 9 December 2026, giving site owners a practical reason to begin evaluating dependencies before the final quarter of the year.

The takeaway is straightforward: start small, but start now. Check which contributed modules already declare Drupal 12 support, note any changes in PHP requirements, and identify workflow dependencies that have yet to publish a compatibility path. Scheduled Transitions is only one example, but it highlights the quiet preparatory work that often determines how smoothly a major upgrade goes.

With that context in mind, the major developments covered in last week’s edition of Editor's Pick newsletter are presented in the teaser blocks below.

Readers can follow The Drop Times on LinkedIn, Twitter, Bluesky, and Facebook for ongoing updates. The publication is also active on Drupal Slack in the #thedroptimes channel.

Kazima Abbas
Sub-editor
The Drop Times

Drupal is moving through one of the most exciting periods in its recent history.

We have Drupal CMS, Drupal AI, Recipes, and the upcoming Experience Builder all pushing Drupal toward a more approachable, modern, and ambitious future.

Drupal site building has changed a lot in the last few years.

You can still build a site the traditional way with blocks, templates and Layout Builder, but there are now two newer approaches worth knowing about: UI Suite with Display Builder, and Drupal Canvas in Drupal CMS.

In the above video, we walk through all three approaches to help you pick the right one for your Drupal site.

Climate data are shaping decisions everywhere, from infrastructure and public health to agriculture, insurance, emergency preparedness, and urban planning. Yet despite the growing importance of this information, climate data can still be surprisingly difficult to use.

The challenge is not a lack of science. In many cases, the problem is the opposite: there are an overwhelming amount of data available. What’s often missing is an experience that helps people explore and understand complex information in ways that feel approachable, intuitive, and useful.

Together with Luqia, we redesigned the ClimateData.ca platform around a simple but important idea: climate data become more accessible when people can explore them for themselves. Rather than treating information as something users simply download or read through, the new platform encourages interaction and discovery through maps, filtering tools, and guided exploration.

The goal was never to simplify science. It was to make navigating climate data feel clearer, more intuitive, and more connected to the real-world questions people are trying to answer.

What is ClimateData.ca?

ClimateData.ca is a free, bilingual platform that gives Canadians access to climate projections and historical data to support real-world decision-making.

At its core, it is a data visualization and download platform. You can browse interactive high-resolution maps, filter by sector or variable, explore graphs, and download raw datasets for your own analysis. The platform also includes educational materials and guidance on how to use climate information in decision-making.

Why it matters: Canada is warming fast

Canada is warming, on average, twice as much and twice as fast as the rest of the world. In Northern Canada, it’s happening even faster (Canada's Changing Climate Report, ECCC, 2019). Across the country, the effects are already measurable: more extreme heat, shorter snow and ice seasons, earlier spring peak streamflow, thinning glaciers, thawing permafrost, and rising sea levels. All sectors of society and the economy are at risk, and further warming is described as effectively irreversible. The case for better data infrastructure is built into the science itself.

Feature focus #1: The Learning Zone

A key feature on the Climate Data platform is its Learning Zone, a filterable library of resources designed for users at every level and across sectors. A planner, engineer, health professional, educator, or community organization may come to the platform with very different questions, levels of technical knowledge, and regional concerns. The redesigned Learning Zone gives users a more accessible entry point into the science before they move into maps, datasets, or projections.

Content types include videos, podcasts, interactive tools, articles, case studies, sector overviews, and regional profiles. Resources can be filtered by region (Atlantic, North, Ontario, Pacific, Prairies, Québec) and technical level.

Feature focus #2: Seasonal to Decadal forecasting

Climate data are most useful when they help people understand patterns rather than react to isolated events. Conditions naturally shift from season to season, year to year, and decade to decade, shaped by factors like ocean-atmosphere cycles, volcanic activity, and broader climate trends. El Niño and La Niña are familiar examples: these recurring patterns can influence temperature and precipitation in a given season or year, including during El Niño conditions like those forecast this year. That variability is part of what makes climate information complex: a single warm season or cool year can stand out, but it does not always tell the full story.

Historical reference periods give users a more stable baseline for interpreting what they are seeing, whether they are looking at recent conditions, short-term forecasts, or longer-term projections. In the Seasonal to Decadal (S2D) tool, forecasts are shown against the 1991–2020 historical reference period, helping users understand whether projected conditions are likely to fall above, below, or near a recent baseline rather than viewing them in isolation. 

The underlying data come from CanSIPSv3 (the Canadian Seasonal to Interannual Prediction System, version 3), developed by ECCC. It uses two coupled atmosphere-ocean-land climate models (CanESM5 and GEM5.2-NEMO) with an ensemble of 40 model simulations. This forecasting layer bridges the gap between short-term weather forecasts and the longer-horizon multi-decade projections the platform is better known for.

Feature focus #3: The Maps tool

We redesigned the platform's interactive maps tool to shift from a download-focused experience to an exploratory one. Rather than treating climate data as something users simply retrieve and interpret elsewhere, the interface is built to support comparison and discovery directly in the browser.

The maps tool covers more than 45 climate variables, including specific indicators such as Hottest Day, Frost-Free Season, Cooling Degree Days, and Freeze-Thaw Cycles. Users can compare emissions scenarios side by side, switch between projected change and absolute values, and navigate data through multiple geographic views (watersheds, health regions, census subdivisions, and grid cells) depending on the context of their work. The front end is built in React, designed to keep interaction smooth as users move between datasets and scenarios.

That geographic flexibility matters because different users approach climate impacts differently. Infrastructure planners, public health teams, researchers, and policy makers often need completely different spatial perspectives and levels of detail from the same underlying data.

The data behind the platform

The platform's projection datasets are built on rigorous scientific foundations. The primary future projection dataset, CanDCS-M6, shows how temperature and precipitation conditions may change across Canada under four possible emissions scenarios. It uses data from 26 climate models and maps results at a relatively local scale, with grid cells of about 6 by 10 kilometres. A companion dataset, CanDCS-U6, covers three emissions scenarios across the same 26-model suite.

The platform also includes more specialized datasets for climate-related risks, including drought, extreme heat and humidity, sea level rise, coastal infrastructure planning, and extreme rainfall. These help users move from broad climate projections to more specific questions, such as where drought stress may increase, how often heat may become dangerous, how coastal infrastructure may need to adapt by the end of the century, or how stormwater systems should be designed for heavier rainfall.

All datasets go through a formal evaluation process before being added to the portal. Every step involves representatives from all partner organizations, and respects strict data standards.

Who built ClimateData.ca?

ClimateData.ca is a collaborative product involving several of Canada's leading regional climate organizations: Ouranos (Québec), the Pacific Climate Impacts Consortium (PCIC), the Prairie Climate Centre, ClimateWest, CLIMAtlantic, and ORCAA-CRACO. Evolving Web built and maintains the platform alongside Luqia (formerly the Computer Research Institute of Montréal, CRIM), with overarching support from ECCC.

The bottom line

ClimateData.ca doesn't promise simple answers. Climate projections are probabilistic, scenario-dependent, and require careful interpretation. What the platform does offer is something genuinely valuable: a single, well-documented, freely accessible place where any Canadian can engage with the best available science on how their local climate is likely to change.

Given that Canada's own national climate report describes further warming as effectively irreversible, and that every sector of the economy faces risk, that kind of infrastructure matters, now more than ever.

Get in touch

If your organization is working with complex data and looking for ways to make it more accessible, interactive, and useful, we can help. From interactive maps and data-rich platforms to visualization tools and UX strategy, we work with organizations to create experiences that help people explore and understand information more effectively.

Get in touch to learn how we can help bring your data to life.

The Drupal AI Summit in New York City brought together developers, strategists, designers, and agencies for a full day of talks, demos, and conversations about where Drupal will go next in the age of AI. What struck me most wasn't any single talk or demo, it was the common belief that the Drupal community needs to come together to shape this future responsibly.

Here are the core themes, and the talks that stood out.

The Big Picture: Drupal as an "AI Harness"

Matthew Saunders kicked off the day with a framing that anchored everything that followed: "Drupal is becoming an AI harness." As organizations move AI from experimentation into practical operations, the focus should shift from which AI model is used to the system that orchestrates and governs those models.

An AI harness, as Saunders defined it, connects models to essential organizational requirements: structured data, governance, human oversight, and workflow automation. With 25 years of experience managing structured content, APIs, and permissions, Drupal is positioned to act as that operational layer.

Saunders also highlighted the Drupal AI Initiative — a community-led effort with 30+ partner organizations focused on coordinating responsible AI capabilities and avoiding vendor lock-in through community-driven innovation. A core value of the summit, repeated throughout the day, was the importance of a "human × AI partnership" — ensuring AI augments professional expertise rather than replacing it.

What the Industry Is Aligning On: Key Themes from the Drupal AI Summit

These were just a few of the ideas surfaced during the sessions:

Vibecoding for prototypes, Drupal for systems that last. Josh Koenig cautioned that while generative AI can rapidly build websites and democratize web creation by allowing users to assemble functional interfaces without traditional development hurdles, "vibe coding" often lacks long-term maintainability, governance, and structural integrity. The result is frequently "spaghetti code" that becomes difficult for teams to manage as projects grow in complexity. This is where Drupal can shine. The takeaway: use AI to prototype fast, but use Drupal to build systems that last — sustainable, reliable, and integrated into existing professional workflows.

Orchestrating autonomous agents. The future, according to Koenig, lies in turning AI into a teammate. Today's AI-driven web development is largely a "single-player" experience — just an individual talking to a computer. The next chapter is about building orchestrated workflows where multiple stakeholders collaborate within a controlled environment, ensuring consistency across a large ecosystem of websites. Drupal is well-positioned to be that orchestration layer — not just a platform with AI features, but an AI-friendly ecosystem that supports protocols like the Model Context Protocol (MCP), allowing it to act as a structured source of content and context for external AI agents.

Context-driven AI. Without structured context, AI outputs are off-brand, non-compliant, or just generic — what Kristen Pol memorably calls "AI slop." As Pol put it, context is the difference between "AI that guesses" and "AI that gets it." Her project, the Context Control Center (CCC), also known as the AI Context module, provides a centralized hub within Drupal to capture and manage an organization's rules, policies, and guidelines, then map them directly to AI features. Instead of relying on vague prompts or scattered style guides, CCC treats context as managed content — with familiar Drupal capabilities like revisioning, scheduling, and scoping by workflow, language, or site section. That means an organization can declare rules and have them applied consistently across every AI output.

From UX to AX (Agent Experience). Brands now need to design experiences not just for humans, but for the AI agents acting on their behalf. As more website traffic comes from AI agents and crawlers rather than human visitors, organizations have to think about how their content, components, and APIs are "consumed" by machines — and how to ensure brand voice, accuracy, and trust are preserved when an agent is the one mediating the experience.

Data sovereignty and trust. Particularly relevant for the public sector, Amazee's Jeroen Spitaels emphasized guarantees of no data retention and no training on user data as essential for public sector institutions. For governments, universities, and any organization handling sensitive information, it's not enough for AI to be powerful — it has to be trustworthy, transparent, and sovereign. That means knowing exactly where your data lives, who has access, and being certain it isn't quietly being used to train someone else's model.

Where It Got Specific: Sessions Worth a Closer Look

Every summit has sessions that move beyond the conceptual and get specific. These three stood out because they tackled the operational realities of actually deploying AI — and what it takes to do it well.

The Actual Playbook for Deploying AI without Breaking Trust

John Doyle's session on implementing AI teams and workflows was one of the day's standouts because it tackled the operational reality of AI — not just the tech.

His core idea: stop thinking about AI as isolated prompts and start building "digital teammates" — governed agents with defined owners, SLAs, and clear inputs and outputs. That's a profound reframing. A digital teammate isn't a tool you use; it's a team member you onboard, manage, and hold accountable.

Doyle made a strong case for Drupal as the ideal platform for AI orchestration thanks to its API-first architecture, structured content model, and workflow states. He demoed AI integrated directly into a Drupal interface, generating content drafts based on predefined project briefs and design systems.

His operational advice was refreshingly grounded:

• Give every AI agent a charter — clear scope, purpose, and boundaries.
• Always maintain a human-in-the-loop for final verification.
• Iterate slowly to ensure quality control.

This is exactly the playbook organizations need if they want to actually deploy AI without breaking trust. At the end of his talk, I was able to speak with him, and he mentioned they had piloted this approach at Digital Polygon, and it was very successful.

What a Real AI-Powered Website Experience Actually Looks Like in Practice

John Tran, CTO of Image X, delivered the kind of real-world example I wanted to see. His session detailed how Drupal can be transformed from a static content management system into a dynamic, AI-orchestrated experience platform using AG-UI (Agent-to-User Interaction).

The technical foundation is semantic search — using embedding models and vector databases to map relationships between content, focusing on intent, context, and meaning rather than keywords. That allows the system to retrieve highly relevant information even when the user's phrasing is conversational.

The proof-of-concept for an advanced implementation of an AI chatbot was great to see. The system:

• Triggers specific tools dynamically (such as directions or live weather APIs)
• Renders interactive SDC (Single Directory Components) directly within Drupal based on the agent's logic
• Lets users flag content as they navigate, which the AI then aggregates into a customized, downloadable brochure or notebook

Tran's future vision is for Drupal to handle the orchestration of these experiences natively — moving away from rigid, pre-built pages toward fully dynamic, component-based websites where the entire site experience is generated or assembled on-the-fly based on the user's specific goals, all while maintaining site governance and using standard Drupal form-handling workflows.

Just as importantly, because the AG-UI toolkit is agent-agnostic, it prevents vendor lock-in — allowing developers to switch between LLM providers or agent frameworks without rebuilding the front-end experience.

This is what "richer interactivity" looks like in practice. It's still a chatbot at its core, but with a level of engagement and contextual awareness that genuinely solves problems rather than just answering questions. This felt less like a novelty and more like a higher-order assistant doing meaningful work.

Three Capabilities Your Platform Needs for an AI-First Internet

The Acquia session from Martin Anderson-Clutz framed something every digital team needs to wrestle with: in the evolving role of websites and an AI-first internet, content has to go everywhere — not just to your website, but to AI crawlers, agents, and downstream experiences you don't directly control.

To meet that reality, Anderson-Clutz advocated for three keys to a modern DXP:

Agile Content Engine. Beyond traditional drafting and publishing, organizations need to use AI to accelerate planning and ideation, optimize content post-publication for conversion, and embrace structured content in formats like JSON and Markdown for true omnichannel delivery.

Robust Experience Layer. As users increasingly turn to websites to validate purchase decisions rather than for education, the site's role shifts toward frictionless brand onboarding (social proof, case studies, technical specs) and context-aware AI that keeps brand voice accurate, on-brand, and aligned with strategic objectives.

Agent-Friendly Architecture. With non-human traffic rising, websites must be built for AI agents as primary users. That means treating "APIs as the new UI" — standardizing on machine-readable formats, adopting emerging agent-to-agent protocols, and designing systems that offer packageable "skills" or recipes for modular, autonomous agent interaction.

His core argument: Drupal is uniquely positioned as a leading, AI-ready platform because of its emphasis on structured content, enterprise governance, and community-driven innovation.

The takeaway: in a world where your content is increasingly consumed by machines before it ever reaches a human, the platforms that win will be the ones that treat AI agents as primary users — and Drupal is already there.

A Community Embracing AI

If one line captured the spirit of the day, it was this: "Drupal has quietly become one of the most AI-ready platforms available."

While much of the AI conversation centers on flashy chatbots and proprietary tools, Drupal has been steadily building exactly what AI agents need to do real work. That's not marketing spin — it's the natural outcome of 25 years of disciplined engineering around content structure, governance, and openness. The very things that made Drupal a leader in the structured-content era are the things AI agents require to operate reliably, safely, and at scale.

The Drupal community isn't just adapting to AI. It's quietly becoming one of the most credible, agent-ready platforms on the open web — and the summit made it clear we're just getting started.

Bring practical, proven AI adoption strategies to your organization, let's start a conversation! We'd love to hear from you.

In Open Source software, competition works differently than in proprietary software.

Companies compete through their own products and services, but they all depend on the same commons: the software, the community, the project's reputation, and the shared work that helps people trust and adopt it.

That shared foundation creates a different kind of responsibility: sharing a commons means sharing the work of keeping it strong.

The Open Source companies I admire most show up in two ways. They compete on the merits of their own products: features, support, and price. And they help sustain the commons: through code, documentation, security, marketing, events, education, sponsorships, and more.

Judge companies by what they do

Over the past year, Pantheon, one of Acquia's competitors in the Drupal market, has focused much of its messaging on attacking Acquia, including making our private equity ownership part of its story.

I have no quarrel with Pantheon's products or the people who build them. Competition is healthy. My concern is with marketing that attacks another Drupal company, often with misleading or unwarranted messaging.

I've spent nearly twenty years building Acquia through different stages and ownership models. Acquia has grown from a startup into a company backed first by venture capital and later by private equity. Every ownership model creates different pressures, but ownership determines far from everything.

Customers don't choose a platform because of an ownership model. They choose it because it works, because they can get help, and because they trust it will keep getting better.

No one benefits from unwarranted vendor attacks. They benefit when companies build better products, contribute to Drupal, and help more people adopt it.

License permits, stewardship grows

For an Open Source company, the test is not only what they build for themselves. It is what they help build for everyone.

An Open Source license defines what companies are allowed to do. It sets the floor.

Above that floor is a social contract. No one enforces it, but every healthy Open Source ecosystem depends on it.

Stewardship is what companies choose to do beyond the license: contribute code, fund security work, support maintainers, improve documentation, sponsor events, promote adoption, and more.

Drupal thrives because people and organizations honor the social contract and choose to do more than the license requires.

Contribution is one measure of stewardship

Drupal.org credit is one public signal of that commitment. Acquia is the largest single corporate contributor to Drupal, but the wider community contributes far more than any one company.

In the past year, Acquia engineers earned 2,955 weighted credits on Drupal issues, plus 164 from the Drupal Security Team.

These contributions are good for Acquia, for Drupal, and for every organization that builds on Drupal, including our competitors.

In the same period, Pantheon earned 30 issue credits and 2 security credits. Credits don't capture every form of contribution, and Pantheon contributes in other ways too. Even so, the gap is substantial.

What we let pass becomes the social contract

I don't usually write publicly about competitors. It's not how I want to spend my voice.

Before writing this, I asked myself a simple question: if a major company contributing to Drupal were under sustained attack from another major Drupal company, would I feel a responsibility as Drupal's founder and project lead to speak up?

I would.

The fact that Acquia is the company being attacked made me slower to respond, but it doesn't change the answer.

When companies built on Drupal spend their energy attacking each other instead of growing the project, it bothers me. It's not good for Drupal.

I'm not writing this believing it will change anyone's marketing and sales tactics. I'm writing it because what we let pass now will shape what is acceptable in Drupal years from now.

Communities like ours evolve their social contract through moments like this, when we say in public what we expect of each other. If this post contributes to a healthier social contract taking hold, I'm happy.

Compete on merit, but grow the commons

Every company that builds on Drupal depends on the same commons. Every company has a choice about whether to help sustain it, and how much. Drupal gets stronger when more of us invest in it.

My invitation to every company that builds on Drupal is simple: let's compete on the merits of our products and services, not by attacking each other. Let's serve customers well, contribute where we can, and put our energy into helping more organizations choose Drupal in the first place.

That is the social contract I'd like all of us to live by. I want Acquia to be judged by that same standard: what we ship, how well we serve customers, how much we contribute, and whether Drupal is stronger because of our work.

Not by who owns us. Not by claims made about us. By whether we keep building, contributing, and helping the ecosystem grow.

I have said what I wanted to say, and I won't turn this into an ongoing debate or respond to social media comments on this. My focus is on building and contributing.

Cybersecurity remained a central concern across enterprise and open-source ecosystems this month as multiple high-profile incidents and critical vulnerability disclosures affected widely deployed platforms. Security teams continued to face pressure to patch faster, monitor exposed systems more closely, and respond to a growing volume of actively exploited vulnerabilities.

Verizon’s 2026 Data Breach Investigations Report found that the exploitation of vulnerabilities overtook stolen credentials as the leading initial access method in analysed breaches for the first time. Microsoft’s May Patch Tuesday also addressed roughly 120 vulnerabilities affecting Office, SharePoint Server, and Windows enterprise infrastructure.

The open-source sector saw renewed urgency around patch management after the Drupal Security Team released SA-CORE-2026-004, a highly critical SQL injection vulnerability affecting supported Drupal core versions using PostgreSQL databases. The advisory prompted emergency patching efforts across enterprise Drupal deployments.

Security agencies continued to warn about the growing number of actively exploited vulnerabilities tracked in CISA’s Known Exploited Vulnerabilities catalogue.

Elsewhere in the open-source ecosystem, discussion turned toward the widening gap between technological capability and public perception. In a recent post, Dries Buytaert argued that Drupal’s reputation has not kept pace with its technical evolution despite continued investment in structured content architecture, APIs, and AI-oriented tooling.

The discussion reflects a broader challenge facing mature open-source platforms competing for visibility against newer frameworks with stronger marketing momentum. Community perception increasingly shapes how projects are evaluated alongside technical capability, governance maturity, and long-term sustainability.

That said, let us now look at the major developments covered in Volume 4, Issue 21 of The Drop Times weekly newsletter, Editor’s Pick. Story listings are now permanently shifted to teaser blocks below, and we will no longer duplicate linked headlines within the Letter from the Editor.

Additional developments from across the Drupal ecosystem were published during the week. Readers can follow The Drop Times on LinkedIn, Twitter, Bluesky, and Facebook for ongoing updates. The publication is also active on Drupal Slack in the #thedroptimes channel.

Allen Jason
Junior Sub-editor
The Drop Times

Managing a patchwork of digital systems? Discover why 2026 is the year for membership bodies and charities to trade platform fragmentation for integration.

Managing a patchwork of digital systems? Discover why 2026 is the year for membership bodies and charities to trade platform fragmentation for integration.

Today we are talking about Web Education, Level up Tutorials, and life after Drupal with guest Scott Tolinski. We'll also cover Views Row SDC as our module of the week.

For show notes visit: https://www.talkingDrupal.com/554

• Scott Origin Story
• Level Up Tutorials Era
• Syntax Podcast Beginnings
• Growing The Audience
• Web Components Debate
• Leaving Drupal Behind
• What Drupal Still Nails
• Agency Project Highlights
• Booking Podcast Guests
• Scott Work Week Setup
• Running Syntax Team
• Canvas HTML Experiments
• Livestream Tools Challenges
• Funding Via Sentry
• Project Ideas Process
• Conference Speaking Journey
• Speaking Logistics Family
• Content Focus Passion
• Drupal Influence Today
• Mad CSS Tournament
• AI Coding Workflow
• What Excites Him Now

• Scott Tolinski's Website
• Levelup tutorials
• 1000th episode
• Web awesome
• Talk in Amsterdam - React summit
  • This component could have been a class
• Sigraph conference site
• Too fast too furious learning things quickly
• JSNation
• Scratch
• Css tricks
• MadCss Championship
• State of ai survey
• Jazz.tools
• 0sync
• Graffiti

Scott Tolinski - tolin.ski stolinski

Nic Laflin - nLighteneddevelopment.com nicxvan John Picozzi - epam.com johnpicozzi Bernardo Martinez - bernardm28

Martin Anderson-Clutz - mandclu.com mandclu

• Brief description:
  • Have you ever wanted to use a Single Directory Component to format the output of a view on your Drupal website? There's a module for that
• Module name/project name:
  • Views Row SDC
• Brief history
  • How old: created in Apr 2026 by James Shields (lostcarpark), a friend of the podcast
  • Versions available: 1.0.0, which works with Drupal 11.3 and 12
• Maintainership
  • Actively maintained
  • Security coverage
  • Number of open issues: 9 open issues, 3 of which are bugs, though two are marked as fixed in the latest release
• Usage stats:
  • 4 sites
• Module features and usage
  • With this module installed, when you select "Show" in the Format modal for any views display, you'll see a new option for "Single Directory Component", in addition to standard options like "Content view mode" or "Fields"
  • You can then select which of the site's available SDCs you want to use to format each result, and then you can map fields defined in the view to the properties and slots defined for the selected component
  • You can also place a view using this format into a Drupal Canvas layout by having a block display
  • SDCs and Canvas are the new hotness in Drupal theming, so this module gives you some additional ways to incorporate theme into your own Drupal site

If your Drupal website spoke in acronyms, it might sound like this: “DNS hands the request to the CDN, TLS encrypts the connection, and the CTA waits patiently at the end.” 

These clusters of capital letters can feel like jargon and confuse non-technical users. Yet acronyms, words formed from the first letters of longer phrases, are everywhere because they make complex concepts quicker to say and easier to remember.

A problem I've been struggling with for a while now is managing my bookmarks. Every time I come across an interesting article I want to read, a good resource I want to keep, or a neat tool I want to try I create a bookmark.

Over time I have collected a large collection of bookmarks so when I add a new one to the list it gets lots in the pile. I've tried to create directories to keep "new" bookmarks or organise them into sections, but I always end up scrabbling to find them.

The problem is that web browsers don't allow you to categorise or search bookmarks so I can never find them again. Also when I swap browsers (which I have done twice this year) I end up having to migrate them over and set up synchronising between computers. This always removes the favicons of the sites so I have even more trouble finding the right link.

After losing yet another bookmark again recently I decided to do something about it. I realised that #! code was the best place for it as I'm always logged into the site, so I set about creating a link directory on the site. I didn't just want a big list of links though. In my mind a good link directory takes a screenshot of the site when the link is created so that it is easy to see what links are there from the screenshot of the original site.

In this article I will go through how I set up the link directory, how links are added, and how the site is able to take screenshots of the links as they are added to the directory. 

Creating The Link Content Type

To store the links I created a content type called "Link" and added a few fields to it.

Read more