I just learned that http://spreadfirefox.com is running on Drupal as well as:
http://gnomedesktop.org/ http://kerneltrap.org/
I also found videos (ogg in torrent) from Drupal conference:
http://drupal.org/drupalcon-2005-media
-- Thomas Chung FedoraNEWS.ORG (http://fedoranews.org) "..where you can free your knowledge for your free community!"
Thomas Chung wrote:
I just learned that http://spreadfirefox.com is running on Drupal as well as:
http://gnomedesktop.org/ http://kerneltrap.org/
I also found videos (ogg in torrent) from Drupal conference:
http://drupal.org/drupalcon-2005-media
-- Thomas Chung FedoraNEWS.ORG (http://fedoranews.org) "..where you can free your knowledge for your free community!"
So, would that be the same spreadfirefox.com that has been compromised three times in the last few months? The same one that required users to keep changing their might-have-been-compromised information? Kind of leaves me curious...
Do we have any information on Drupal's security track record? PHP has had its fair share of problems.
I'm not meaning to bash on Drupal or PHP, but these are important concerns. I'm not going to pretend that Python and the Python software currently in use are perfect, but security was one of the considerations in their selection. It would be helpful to know how spreadfirefox.com was compromised. If their failures were problems with Drupal or PHP, or if they were problems elsewhere would be nice to know. Assuming we'll not learn that, we need to at least thoroughly investigate the security records of any software we consider.
So, would that be the same spreadfirefox.com that has been compromised three times in the last few months? The same one that required users to keep changing their might-have-been-compromised information? Kind of leaves me curious...
Do we have any information on Drupal's security track record? PHP has had its fair share of problems.
Drupal has had a fair share of issues. The xml-rpc issues hit it hard and b/c there are an ever-growing set of modules for drupal, which, of course, we'd want to use ALL of - then we'll have to audit more and more code that is OUTSIDE of the base package. Audits that we have no one to conduct or focus on, in fact.
DANGEROUS behavior is what that is.
I'm not meaning to bash on Drupal or PHP, but these are important concerns. I'm not going to pretend that Python and the Python software currently in use are perfect, but security was one of the considerations in their selection. It would be helpful to know how spreadfirefox.com was compromised. If their failures were problems with Drupal or PHP, or if they were problems elsewhere would be nice to know. Assuming we'll not learn that, we need to at least thoroughly investigate the security records of any software we consider.
http://blog.sethdot.org/index.cgi/263.html
The ubuntu people have had a good deal of success focusing their efforts on a single dynamic typed and web-interfacing language.
for proof of this look at launchpad.net, ubuntulinux.org, their wiki, etc etc etc
-sv
On Sat, 12 Nov 2005 16:16:38 -0500, seth vidal wrote
http://blog.sethdot.org/index.cgi/263.html
The ubuntu people have had a good deal of success focusing their efforts on a single dynamic typed and web-interfacing language.
for proof of this look at launchpad.net, ubuntulinux.org, their wiki, etc etc etc
Speaking of ubuntu, their community site called "Fridge" is also running on Drupal.
-- Thomas Chung FedoraNEWS.ORG (http://fedoranews.org) "..where you can free your knowledge for your free community!"
for proof of this look at launchpad.net, ubuntulinux.org, their wiki, etc etc etc
Speaking of ubuntu, their community site called "Fridge" is also running on Drupal.
At the risk of sounding like I'm measuring dicks:
Thomas, how long have you been a system and/or security administrator?
Are you willing to watch drupal, maintain the package, and audit ALL of the modules that we decide to use?
Are you a php programmer, even?
In other words - who is expecting to do the work here? B/c if the drupal site is going to run on fedoraproject.org and you're expecting me to monitor and watch the drupal devel process for problems or security alerts you have another thing coming.
-sv
Hi
At the risk of sounding like I'm measuring dicks:
Thomas, how long have you been a system and/or security administrator?
Are you willing to watch drupal, maintain the package, and audit ALL of the modules that we decide to use?
Are you a php programmer, even?
In other words - who is expecting to do the work here? B/c if the drupal site is going to run on fedoraproject.org and you're expecting me to monitor and watch the drupal devel process for problems or security alerts you have another thing coming.
Peace everyone. I am going to repeat the same suggestion. If the cms needs to be run within fedoraproject.org it has already been made clear that Seth doesn't want a PHP based solution due to security concerns from an administrative point of view. Python is generally what Fedora prefers too. So we can look at the python based CMS and check which one fits our needs or just set a redirect from news.fedoraproject.org to fedoranews.org and let Thomas Chung continue to administrate and setup Drupal or anything else that he prefers.
Any other suggestions?
regards Rahul
Peace everyone. I am going to repeat the same suggestion. If the cms needs to be run within fedoraproject.org it has already been made clear that Seth doesn't want a PHP based solution due to security concerns from an administrative point of view. Python is generally what Fedora prefers too. So we can look at the python based CMS and check which one fits our needs or just set a redirect from news.fedoraproject.org to fedoranews.org and let Thomas Chung continue to administrate and setup Drupal or anything else that he prefers.
I will quote here what I said to Elliot(sopwith) off list a few weeks ago:
Begin Quote:
However, if drupal is the "final decision" and you wish to insist on using it then at the very least I want to see:
- a drupal and drupal-module packages show up in fedora extras LONG before we implement it.
No matter what system is chosen I want to see:
- all modules we write for it MUST live in fedora cvs and the developers will NOT have direct write access to the web server running the website and from where the system runs. This is for the system's protection and to enforce rigor among the people maintaining the site.
- Programming standards like the process we have implemented for extras packages. So no one person can push through some crack onto the live system.
I think we're making a mistake by developing our website using a language which is not the primary development language for applications and utilities we write for the distribution we work on. We're dividing our programming resources and we're sending a mixed message on language use. Not to mention encouraging poor programming practices.
End Quote
-sv
As long as there is multi-lingual support for news.fedoraproject.org, I am very happy. I have been translating fedoranews.org to Japanese, but because of administrating cost of CMS, I have been using static web site. So there was very little contribution from Japanese community members.
It seems drupal's multi-language support needs "quite a bit of extra maintenance".
From http://fridge.ubuntu.com/about
"We really wanted to have deep internationalisation support for The Fridge as soon as it launched, but unfortunately it will have to wait. The i18n support for Drupal requires quite a bit of extra maintenance, but hopefully we can demonstrate a good use case to the Drupal community, and work with them to get it into an upcoming release."
-Yoshihiro
Rahul Sundaram wrote:
Hi
At the risk of sounding like I'm measuring dicks:
Thomas, how long have you been a system and/or security administrator? Are you willing to watch drupal, maintain the package, and audit ALL of the modules that we decide to use?
Are you a php programmer, even?
In other words - who is expecting to do the work here? B/c if the drupal site is going to run on fedoraproject.org and you're expecting me to monitor and watch the drupal devel process for problems or security alerts you have another thing coming.
Peace everyone. I am going to repeat the same suggestion. If the cms needs to be run within fedoraproject.org it has already been made clear that Seth doesn't want a PHP based solution due to security concerns from an administrative point of view. Python is generally what Fedora prefers too. So we can look at the python based CMS and check which one fits our needs or just set a redirect from news.fedoraproject.org to fedoranews.org and let Thomas Chung continue to administrate and setup Drupal or anything else that he prefers.
Any other suggestions?
regards Rahul
On Sat, 12 Nov 2005 16:35:47 -0500, seth vidal wrote
Thomas, how long have you been a system and/or security administrator?
Are you willing to watch drupal, maintain the package, and audit ALL of the modules that we decide to use?
Are you a php programmer, even?
In other words - who is expecting to do the work here? B/c if the drupal site is going to run on fedoraproject.org and you're expecting me to monitor and watch the drupal devel process for problems or security alerts you have another thing coming.
-sv
It's not just me and you who will make the decision. I'm just throwing my ideas and recommendation. We should consider *all* recommendations from *all* of us then put it to a vote as we are living in a democratic world. I don't want to see a *single* individual make all the decisions for *all* of us.
As for my website, I'm going with Drupal for next CMS. Yes, I'm going to maintain the package and audit the modules on my server.
No, I'm not a PHP programmer and I probably don't have as much experience as you do.
(breathing a moment)
Perhaps, we started on the wrong foot. All I wanted and the primary reason to join Fedora WebGroup was to help develop/maintain Fedora Community Website. I'm not really interested in *system administration* of fedoraproject.org
I'll step aside for now so *real* system administrators can make the decision. I'll accept whatever CMS as a WebGroup decides.
-- Thomas Chung FedoraNEWS.ORG (http://fedoranews.org) "..where you can free your knowledge for your free community!"
It's not just me and you who will make the decision. I'm just throwing my ideas and recommendation. We should consider *all* recommendations from *all* of us then put it to a vote as we are living in a democratic world. I don't want to see a *single* individual make all the decisions for *all* of us.
We're not a democracy. We never have been one. Anyone who thinks fedora has been democratic hasn't been paying attention. Moreover it SHOULD NOT be democratic. It should focus on the merits of the items involved.
So let's stop talking about voting on things. That way lies madness.
As for my website, I'm going with Drupal for next CMS. Yes, I'm going to maintain the package and audit the modules on my server.
No, I'm not a PHP programmer and I probably don't have as much experience as you do.
I'm not a php programmer and don't have any desire to learn. After years of php exploits affecting hundreds of programs I did everything I could to disable php everywhere I encountered it.
Perhaps, we started on the wrong foot. All I wanted and the primary reason to join Fedora WebGroup was to help develop/maintain Fedora Community Website. I'm not really interested in *system administration* of fedoraproject.org
Right and that's ALL I'm interested in. The maintenance and the security of the website.
I'll step aside for now so *real* system administrators can make the decision. I'll accept whatever CMS as a WebGroup decides.
I'm not asking anyone to step aside - but I am asking that we try to focus on languages and packages that have:
1. programmers who use and develop on in the project.
2. some history of a security infrastructure
3. the package in fedora core or extras with an active maintainer.
-sv
Hi
Perhaps, we started on the wrong foot. All I wanted and the primary reason to join Fedora WebGroup was to help develop/maintain Fedora Community Website. I'm not really interested in *system administration* of fedoraproject.org
I'll step aside for now so *real* system administrators can make the decision. I'll accept whatever CMS as a WebGroup decides.
Would it be possible for you to evaluate any python based CMS systems? If anyone has good ideas or recommendations on this, speak up.
regards Rahul
On Sat, 2005-11-12 at 16:16 -0500, seth vidal wrote:
As one of the people who has been the 'person' in this conversation, please allow me to publicly back your position. You are perfectly correct.
But ...
We have been laboring for months without needed functionality on fedoraproject.org
_If_ there is an end in sight, then great. But I want to know that our RFEs are not going to sink into a blackhole.
Obviously, you have been a one-person show, which explains much of this.
So, I'm going to pledge my efforts to find you more resources, probably from within Red Hat. They can work in Python, put up a Python-based CMS, add functionality to Moin Moin, and support whatever packages into FE that we need.
If I can do that, can you, Seth, as the fp.o Chief SA, and to everyone else on this list, make this pledge: to make these additional functions a high priority? Provide status updates on when they can be completed? Give us some chances to work with beta versions? Etc.
Here is a quick list:
* Two-way editing of XML in CVS using the Wiki.
* CMS back-end to allow us to have:
  - More writers and editors of content using a workflow that forces approval before content can be posted.
  - More Web-based functionality to attract contributors, without compromising on the extreme value of having all in XML
* The ability to do more automagic with aggregation and building of content on the fly (RSS feeding into XML templates, or whatever)
Anyone else have anything to add here?
I think we need a separate thread to discuss the functionality of our CMS, separate from a discussion of specific solutions and languages. This topic may already be going, but I can't tell because all the messages seem to be about "[Fedora-websites-list] Re:..." and I haven't read through them yet. :)
- Karsten
On Mon, 2005-11-14 at 05:08 -0800, Karsten Wade wrote:
On Sat, 2005-11-12 at 16:16 -0500, seth vidal wrote:
As one of the people who has been the 'person' in this conversation, please allow me to publicly back your position. You are perfectly correct.
But ...
We have been laboring for months without needed functionality on fedoraproject.org
_If_ there is an end in sight, then great. But I want to know that our RFEs are not going to sink into a blackhole.
Obviously, you have been a one-person show, which explains much of this.
So, I'm going to pledge my efforts to find you more resources, probably from within Red Hat. They can work in Python, put up a Python-based CMS, add functionality to Moin Moin, and support whatever packages into FE that we need.
If I can do that, can you, Seth, as the fp.o Chief SA, and to everyone else on this list, make this pledge: to make these additional functions a high priority? Provide status updates on when they can be completed? Give us some chances to work with beta versions? Etc.
Yes. And as we did with the buildsystem systems those people who are willing to be security-minded and consistent with their application of that should and will have access to all aspects of the system.
Here is a quick list:
- Two-way editing of XML in CVS using the Wiki.
- CMS back-end to allow us to have:
  - More writers and editors of content using a workflow that forces approval before content can be posted.
  - More Web-based functionality to attract contributors, without compromising on the extreme value of having all in XML
- The ability to do more automagic with aggregation and building of content on the fly (RSS feeding into XML templates, or whatever)
I was contacted by the lead of the django project (djangoproject.com) as a result of my rant in my blog. He's a fedora user and he says he's interested in helping out. Django is one of the python web toolkits that is rapidly advancing up the stack of things. I responded to him to join this list and let's start figuring out what to implement.
-sv
(sorry if you're getting a duplicate message)
On Sat, 12 Nov 2005 14:59:02 -0600, Patrick Barnes wrote
Do we have any information on Drupal's security track record? PHP has had its fair share of problems.
I'm not meaning to bash on Drupal or PHP, but these are important concerns. I'm not going to pretend that Python and the Python software currently in use are perfect, but security was one of the considerations in their selection. It would be helpful to know how spreadfirefox.com was compromised. If their failures were problems with Drupal or PHP, or if they were problems elsewhere would be nice to know. Assuming we'll not learn that, we need to at least thoroughly investigate the security records of any software we consider.
Here is a list of security track records for Drupal 4.x from secunia.
http://secunia.com/product/342/
Basically there were 1 security advisory in 2002, 2003 then 5 security advisories in 2005.
Also I would suggest to check out the video with title "100% availability, scalability and security with Drupal" from Drupal conference:
http://drupal.org/drupalcon-2005-media
-- Thomas Chung FedoraNEWS.ORG (http://fedoranews.org) "..where you can free your knowledge for your free community!"
On Sat, 2005-11-12 at 14:18 -0800, Thomas Chung wrote:
(sorry if you're getting a duplicate message)
On Sat, 12 Nov 2005 14:59:02 -0600, Patrick Barnes wrote
Do we have any information on Drupal's security track record? PHP has had its fair share of problems.
I'm not meaning to bash on Drupal or PHP, but these are important concerns. I'm not going to pretend that Python and the Python software currently in use are perfect, but security was one of the considerations in their selection. It would be helpful to know how spreadfirefox.com was compromised. If their failures were problems with Drupal or PHP, or if they were problems elsewhere would be nice to know. Assuming we'll not learn that, we need to at least thoroughly investigate the security records of any software we consider.
Here is a list of security track records for Drupal 4.x from secunia.
http://secunia.com/product/342/
Basically there were 1 security advisory in 2002, 2003 then 5 security advisories in 2005.
Thomas, it'd be more interesting to look on the defacement sites and find out how many sites were defaced running drupal - as that metric gives us the more worrisome result.
moreover - you need to count every remotely-exploitable issue in php in a module that drupal uses.
php-xml-rpc, specifically, should be fun to watch.
-sv
websites@lists.fedoraproject.org