Thursday, October 23rd, 2014, 8:45 pm

Our Drupal Interview With Jeffrey A. “jam” McGuire, Open Source Evangelist at Acquia

Tux Machines has run on Drupal for nearly a decade (the site itself is older than a decade) and we recently had the pleasure of speaking with Jeffrey A. “jam” McGuire, Open Source Evangelist at Acquia, the key company behind Drupal (which the founder of Drupal is a part of). The questions and answers below are relevant to many whose Web sites depend on Drupal.

1) What is the expected delivery date for Drupal 8 (to developers) and what will be a good point for Drupal 6 and 7 sites to advance to it?

Drupal 8.0.0 beta 1 came out on October 1, 2014, during DrupalCon Amsterdam. It’s a little early for designers to port their themes, good documentation to be written, or translators to finalise the Drupal interface in their language – some things are still too fluid. For coders and site builders, however, it’s a great time to familiarise yourself with the new system and start porting your contributed modules. Read this post by Drupal Project Lead, Dries Buytaert; it more thoroughly describes who and what the beta releases are and aren’t good for: “Betas are good testing targets for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch when necessary. Beta releases are not recommended for non-technical users, nor for production websites.”

With a full Release Candidate or 8.0.0 release on the cards for some time in 2015, now is the perfect time to start planning and preparing your sites for the upgrade to Drupal 8. Prolific Drupal contributor Dave Reid gave an excellent session at DrupalCon Amsterdam, “Future-proof your Drupal 7 Site”, in which he outlines a number of well-established best practices in Drupal 7 that will help you have a smooth migration when it is time – as well as a number of deprecated modules and practices to avoid.

2) What is the importance of maintaining API and module compatibility in future versions of Drupal and how does Acquia balance that with innovation that may necessitate new/alternative hooks and functions?

The Drupal community, which is not maintained or directed by Acquia or any company, has always chosen innovation over backward compatibility. Modules and APIs of one version have never had to be compatible with other versions. The new point-release system that will be used from Drupal 8.0.0 onwards – along with new thinking among core contributors and the broader community – may change this in future. There has been discussion, for example, of having APIs valid over two releases, guaranteeing that a Drupal 8 module would still work in Drupal 9 and that a Drupal 9 module would work in Drupal 10. Another possibility is that this all may be obviated in the future as moves toward broad intercompatibility in PHP lead to the creation of PHP libraries with Drupal implementations rather than purely Drupal modules.

3) Which Free/libre software project do you consider to be the biggest competitor of Drupal?

The “big three” FOSS CMSs – Drupal, WordPress, and Joomla! – seem to have settled into roughly defined niches. There is no hard and fast rule to this, but WordPress runs many smaller blogs and simpler sites; Joomla! projects fall into the small to medium range; and Drupal projects are generally medium to large to huge and complex. Many tech people with vested interests in one camp or another may identify another project as “frenemies” and compete with these technologies when bidding for clients, but the overall climate between the various PHP and open source projects is friendly and open. Drupal is one of the largest free/libre projects out there and doesn’t compete with other major projects like Apache, Linux, Gnome, KDE, or MySQL. Drupal runs most commonly on the LAMP stack and couldn’t exist or work at all without these supporting free and open source technologies.

NB – I use the term “open source” as synonymous shorthand for “FOSS, Free and Open Source Software, and/or Free/libre software”.

4) Which program — proprietary or Free/libre software — is deemed the biggest growth opportunity for Drupal?

Frankly, all things PHP. Drupal’s biggest growth opportunity at present is its role as an innovator and “meta-project” in the current “PHP Renaissance”. While fragmented at times in the past, the broader PHP community is now rallying around common goals and standards that allow for extensive compatibility and interoperability between projects. For the upcoming Drupal 8 release, the project has adopted object-oriented coding, several components from the Symfony2 framework, a more up-to-date minimum version of PHP (5.4 as of October 2014), and an extensive selection of external libraries.

On the one hand, Drupal being at the heart of the action in PHP-Land allows it and its community of innovators to make a more direct impact and spread its influence. On the other hand, it is now also able to attract even more developers from a variety of backgrounds to use and further develop Drupal. A Symfony developer (who has had a client website running on Drupal 8 since summer 2014) told me that looking under the hood in Drupal 8, “felt very familiar, like looking at a dialect of Symfony code.”

5) To what degree did Drupal succeed owing to the fact that Drupal and all contributed files are licensed under the GNU GPL (version 2 or 3)?

“Building on the shoulders of giants” is a common thread in free and open source software. The GPL licenses clearly promote a culture of mutual sharing. This certainly applies to Drupal, where I can count on huge advantages thanks to benefitting from more than twelve years of development, 100k+ active users, running something like 2% of the Web for thousands of businesses, and millions of hours of coding and best practices by tens of thousands of active developers. Our code being GPL-licensed and collected in a central repository on Drupal.org has allowed us to build upon the strengths of each other’s work in a Darwinian environment (“bad code dies or gets fixed” – Jeff Eaton) where the best code rises to the top and becomes even better thanks to the attention of thousands of site owners and developers. The same repository has contributed to a reputation economy where bad actors and dubious or dangerous code have little chance of survival.

The GPL 2 is business friendly in that the license specifically allows for commercial activity and has been court tested. As a result, there is very little legal ambiguity in adopting GPL-licensed code. It also makes clear cases for when code needs to be shared as open source and when it doesn’t (allowing for sites to use Drupal but still have “proprietary” code). The so-called “Web Services Loophole” caused some controversy and discussion, but also opened the way to SaaS products being built on free/libre GPL code. Drupal Project Lead Dries Buytaert explained this back in 2006 (read the full post here):

“The General Public License 2 (GPL 2), mandates that all modifications also be distributed under the GPL. But when you are providing a service through the web using GPL’ed software like Drupal, you are not actually distributing the software. You are providing access to the software. Thus, a way to make money with Drupal is to sell access to a web service built on top of Drupal. This is commonly referred to as the web services loophole.”

Business models remain challenging in a GPL world; nothing is stopping me from selling you GPL code, but nothing is stopping you from passing it on to anyone else either. App stores, for example, are next to impossible to realise under these conditions. Most Drupal businesses are focused on value add services like site building, auditing and consulting of various kinds, hosting, and so on, with a few creating SaaS or PaaS offerings of one kind or another.

6) What role do companies that build, maintain and support Drupal sites play in Acquia’s growth and in Drupal’s growth?

Acquia was the first company to offer SLA-based commercial support for Drupal (a Service Level Agreement essentially says, “In return for your subscription, Acquia promises to respond to your problems within a certain time and in a certain manner”). The specifics of response time and action vary according to the level of subscription, but these allowed a new category of customer to adopt Drupal: The Enterprise.

Enterprise adoption – think Whitehouse.gov, Warner Music, NBC Universal, Johnson & Johnson – of Drupal resulted in increased awareness and therefore even further increased adoption (and improvement) of the platform over time. Everyone who delivers a successful Drupal project for happy clients improves Drupal for everyone else involved. The more innovative projects there are, the more innovation flows back into our codebase. The more happy customers there are, the more likely their peers are to adopt Drupal, too. Finally, the open source advantage also comes into play: it behooves Drupal service providers to give the best possible service and deliver the highest-quality sites and results. If they don’t, there is no vendor lock-in and being open source at scale also means you can find another qualified Drupal business to work with if it becomes necessary. Acquia and the whole, large Drupal vendor ecosystem simultaneously compete, cooperatively grow the project (in code and happy customer advocates), and act as each other’s safety net and guarantors.

7) How does Acquia manage and coordinate the disclosure of security vulnerabilities, such as the one disclosed on October 15th?

Acquia as an organisation is an active, contributing member of the Drupal community and it adheres strictly to the Drupal project’s security practices and guidelines, including the Drupal project’s strict procedure for reporting security issues. Many of Acquia’s technical employees are themselves active Drupal contributors; as of October 2014, ten expert Acquians also belong to the Drupal Security Team. Acquia also works closely with other service providers, whether competitors or partners, in the best interests of all of us who use and work with Drupal. This blog post, “Shields Up!”, by Moshe Weitzman explains how Acquia, in cooperation with the Drupal Security Team and some other Drupal hosting companies, dealt with the recent “Drupalgeddon” security vulnerability.

Thursday, October 23rd, 2014, 7:33 pm

Currys/PC World (UK) Voids Warranty on Hardware If Buyer Installs GNU/Linux


TODAY I learned something somewhat shocking. A policy which I believed was some kind of controversial fringe policy from way back in the days of Vista is still in place, and it’s in place right here in the UK. Currys/PC World is totally overzealous with its GNU/Linux-hostile policy, which is almost definitely dictated by non-technical management, maybe in collusion with Microsoft.

To start this story from the very beginning, an old desktop of mine died on me and I sought a replacement immediately (within the hour). My wife and I quickly grabbed our stuff and rushed to a nearby computer store. There are not many such stores anymore because Currys pretty much devoured the competition, including Dixons.

So over 3 hours later we were back home and there was still no replacement. We were eager to pay as much as it takes for what we needed, but Currys has an unacceptable policy. Not only does it put Windows (Vista 8) on virtually every machine that’s not “Apple”-branded (there are barebone boxes only for desktop and they’re available online only) but it has an outrageous policy regarding warranty.

As it turns out — and this was confirmed to us by multiple people (in multiple PC World stores) after arguing for more than half an hour — once you install GNU/Linux (even if it’s dual boot with Windows) no damage to hardware would be covered by the warranty (keyboard, screen, and so on). One of the sellers, who follows the Linux Action Show, regretted this but also defended this policy because it’s imposed from above. No matter how ridiculous a policy it is, changes to zeroes and ones on the hard-drive (to remove spyware), according to Currys, would void the warranty on what clearly is not connected to software.

After many chats with colourful language and even car analogies or other such arguments about the separability of hardware and software we decided we just couldn’t do business at PC World. The company is inherently GNU/Linux-hostile. Avoid Currys.

Friday, October 10th, 2014, 4:27 pm

Health Club Awards 2014


The Midland Hotel’s health club, the club I have been going to since my teenage years, has won the Health Club Awards 2014 for the north west and ranked 3rd overall nationally. This is the second year running that our club has won this award and today the staff took this photo of Rianne and me with the awards for this year. The staff there are wonderful.

Friday, August 29th, 2014, 8:29 pm

How to Patch Drupal Sites

My experience patching Drupal sites is years old and my general ‘policy’ (habit) is to not upgrade unless or until there is a severe security issue. It’s the same with WordPress, which I’ve been patching on several sites for over a decade. Issues like role escalation are not serious if you trust fellow users (authors) or if you are the sole user. In the case of some agencies that use Drupal, it might be safe to say that the risk introduced by changing code outweighs the safety gained, because as far as one can tell, visitors of such sites do not even register for a username. All users are generally quite trusted and they work closely together (one must check the complete list of users to be absolutely sure). There is also a ‘paper trail’ of who does what, so if someone were to exploit a bug internally, e.g. to do something s/he is not authorised to do, it would be recorded, which in itself acts as a deterrent.

If the security issue is trivial to fix with a trivial patch, then I typically apply it manually. When the SQL injection bug surfaced some months back, that’s what many people did for the most part. For larger releases (not bug fixes) the same applies, until there is no alternative. What one needs to worry about more are module updates, especially those that are security updates. One should make a list of all modules used and keep track of news or new releases (watching general FOSS news is usually not enough until it’s too late). Thankfully, detailed information on what the flaws are becomes available, along with the associated risks, both for core and for additional/peripheral modules.
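The habit described above (keep a list of the modules a site uses and watch for security releases) can be automated. The following is an added example written for this post, not code from the post or from the Drupal project: it reads the `project` and `version` keys of a module’s `.info` file and compares the installed version with a release list shaped like the release-history XML that Drupal’s own Update Status module fetches from updates.drupal.org. Both inputs are constructed samples; the version numbers and release types are invented for illustration.

```python
"""Flag installed Drupal modules that have a newer security release.

Added example for this post, not the post's or the Drupal project's code.
Inputs are constructed samples shaped like a Drupal 7 module .info file and
like the release-history XML that the Update Status module fetches from
updates.drupal.org/release-history/<project>/<core>."""
import re
import xml.etree.ElementTree as ET

# Constructed sample .info file (values invented).
SAMPLE_INFO = '''
name = Views
description = Create customized lists and queries from your database.
core = 7.x
project = "views"
version = "7.x-3.5"
'''

# Constructed sample release feed: element names follow the real feed,
# version numbers and release types are invented.
SAMPLE_RELEASE_XML = '''<?xml version="1.0"?>
<project>
  <short_name>views</short_name>
  <releases>
    <release><version>7.x-3.7</version>
      <terms><term><name>Release type</name><value>Security update</value></term>
             <term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
    <release><version>7.x-3.6</version>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
    <release><version>7.x-3.5</version>
      <terms><term><name>Release type</name><value>New features</value></term></terms>
    </release>
    <release><version>7.x-3.x-dev</version><terms/></release>
  </releases>
</project>
'''


def parse_info(text):
    """Return {key: value} for the simple 'key = value' lines of a .info file
    (quotes stripped; array keys such as files[] are ignored)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([\w.]+)\s*=\s*"?([^"]*?)"?\s*$', line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out


def version_key(version):
    """Sort key for '7.x-3.5', '7.x-3.0-beta1' or '7.x-3.x-dev':
    (branch, patch, is_stable), so dev < beta < stable within a branch."""
    m = re.match(r'^\d+\.x-(\d+)\.(\d+|x)(?:-(\w+))?$', version)
    if not m:
        raise ValueError('unrecognised Drupal version: %r' % version)
    patch = -1 if m.group(2) == 'x' else int(m.group(2))
    return (int(m.group(1)), patch, m.group(3) is None)


def parse_releases(xml_text):
    """Return [(version, {release types})] in feed order (newest first)."""
    releases = []
    for rel in ET.fromstring(xml_text).iter('release'):
        types = {t.findtext('value') for t in rel.iter('term')
                 if t.findtext('name') == 'Release type'}
        releases.append((rel.findtext('version'), types))
    return releases


def pending_security_updates(installed, releases):
    """Versions newer than the installed one that are flagged as security updates."""
    current = version_key(installed)
    return [v for v, types in releases
            if 'Security update' in types and version_key(v) > current]


def check_module(info_text, release_xml):
    """Tie both parsers together: (project, installed version, [security versions])."""
    info = parse_info(info_text)
    if 'version' not in info:  # git checkouts ship no version line
        return info.get('project'), None, []
    pending = pending_security_updates(info['version'], parse_releases(release_xml))
    return info['project'], info['version'], pending


if __name__ == '__main__':
    project, installed, pending = check_module(SAMPLE_INFO, SAMPLE_RELEASE_XML)
    status = 'SECURITY UPDATE PENDING: ' + ', '.join(pending) if pending else 'ok'
    print('%s %s: %s' % (project, installed, status))
```

Run against a real site, the loop would read every `sites/all/modules/*/*.info` and fetch the matching feed per project; a module whose `.info` carries no version (a git checkout) is reported with `None` rather than guessed at, since such a checkout has to be compared by commit, not by release number.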

Then there’s testing, which I guess one needs to do for any changes that are made, assuming time permits. The last major Drupal flaw had a 7-hour window between publication and exploitation in vast numbers (maybe millions). It means one cannot always follow the formal procedure of testing, although testing in an ad hoc way or minimising the risk by applying a patch ought to work well. This leads me to suggest that developers don’t need one uniform workflow/process for changing Drupal but a multi-faceted one. Proposal:

If the flaw is

1. severe
2. not back-end (i.e. not related to role management)

consider the complexity of the patch, test immediately on an existing copy of the site, then deploy to ‘live’.

If the patch is a core patch, no alternatives exist. If the patch is to be applied to a module, study the effect of disabling the module (assuming nothing depends on it) and consider temporarily keeping it out of reach on public sites.

For less severe flaws:

1) merge into git on a dedicated branch
2) test on a local vagrant installation
3) schedule for deployment to “development” for testing
4) schedule for deployment to “staging”
5) run regressions (one needs to define these)
6) client to do any required acceptance testing
7) schedule for deployment to production.

Suffice it to say, changes should be made through git (never directly on the server), and a database dump (or snapshot) should also be taken, both for quick fixes and for longer testing, because even if changes are reverted (git rollback) the database can be left in an inadequate state.

Regressions of interest for Drupal are not just site-specific. There are some nice templates for these and one needs to consider which modules are used in the site. Intuition and general familiarity with the CMS loop/hooks help one predict what impact a change would have on modules, if any. Drupal has good documentation of functions (by name), so these too can be studied before changes are made. To avoid some modules ‘silently’ breaking, following any change to core (or even modules) one may need to go through a list of tests, specified in advance, that help verify no module spits out PHP errors or behaves oddly. It is common to test critical pages first, e.g. finding an authority, research reports, etc. Sometimes it should be possible to also automate the testing by basically making a local snapshot of pages of interest and then diffing them after changes are made, using sophisticated tools like Versionista or a manual side-by-side comparison by a human operator. There are browser extensions that further facilitate this, but caching such as Cloudflare, varnish cache etc. can impede this process (even though changes to underlying code may invoke an override, at least for varnish).
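The snapshot-and-diff regression check described above, as an added example that is neither the post’s own code nor a Drupal project tool: it stores a normalised copy of each critical page before the patch, fetches again afterwards, masks request-specific noise (form tokens, aggregation query strings, rendered dates) so that such values do not show up as changes, and reports pages that rendered differently or now emit PHP errors. The page bodies and the module path in the sample Notice line are constructed; the list of volatile patterns is an assumption about typical Drupal 7 markup, not an exhaustive one.

```python
"""Snapshot critical pages before a patch, re-fetch afterwards, and report
pages whose rendered output changed or that now contain PHP errors.

Added example, not the post's own code.  The fetcher is injectable, so the
demo below runs against constructed HTML instead of a live site."""
import difflib
import hashlib
import re

# Fragments Drupal renders differently on every request; they are masked so
# that only real rendering changes remain.  Assumed typical Drupal 7 markup.
VOLATILE = [
    (re.compile(r'name="form_build_id" value="[^"]*"'), 'name="form_build_id" value="X"'),
    (re.compile(r'name="form_token" value="[^"]*"'), 'name="form_token" value="X"'),
    (re.compile(r'\?[a-z0-9]{5,}"'), '?CACHEBUST"'),          # css/js aggregation suffix
    (re.compile(r'\d{1,2} \w{3} \d{4} - \d{2}:\d{2}'), 'DATE'),  # default date format
]

# Lines PHP emits when display_errors is on, in both HTML and plain form.
PHP_ERROR = re.compile(r'<b>(Fatal error|Warning|Notice|Parse error)</b>:|'
                       r'\b(Fatal error|Warning|Notice|Parse error): .+ on line \d+')


def normalise(html):
    """Mask request-specific noise so that two fetches of an unchanged page agree."""
    for pattern, replacement in VOLATILE:
        html = pattern.sub(replacement, html)
    return html


def php_errors(html):
    """Return the PHP error lines a module may have 'silently' started emitting."""
    return [line.strip() for line in html.splitlines() if PHP_ERROR.search(line)]


def snapshot(paths, fetch):
    """Map each path to (sha256 of the normalised body, normalised body)."""
    result = {}
    for path in paths:
        body = normalise(fetch(path))
        result[path] = (hashlib.sha256(body.encode()).hexdigest(), body)
    return result


def regress(before, after):
    """Compare two snapshots; return {path: {'diff': [...], 'php_errors': [...]}}
    for the pages that changed or that now carry PHP errors."""
    report = {}
    for path, (old_hash, old_body) in before.items():
        new_hash, new_body = after[path]
        errors = php_errors(new_body)
        if old_hash == new_hash and not errors:
            continue
        diff = list(difflib.unified_diff(old_body.splitlines(), new_body.splitlines(),
                                         'before', 'after', lineterm='', n=0))
        report[path] = {'diff': diff, 'php_errors': errors}
    return report


# Constructed sample: what a fetcher would have returned before and after a patch.
PAGES_BEFORE = {
    '/': '<form><input name="form_build_id" value="form-abc123"></form>\n<p>Welcome</p>',
    '/research-reports': '<h1>Research reports</h1>\n<ul><li>Report 1</li></ul>',
    '/find-an-authority': '<h1>Find an authority</h1>\n<div class="view">...</div>',
}
PAGES_AFTER = {
    '/': '<form><input name="form_build_id" value="form-zzz999"></form>\n<p>Welcome</p>',
    '/research-reports': '<h1>Research reports</h1>\n<ul></ul>',
    '/find-an-authority': ('<b>Notice</b>: Undefined index: field in '
                           'sites/all/modules/example/example.module on line 42\n'
                           '<h1>Find an authority</h1>\n<div class="view">...</div>'),
}


def demo():
    """Run the whole before/patch/after cycle against the constructed pages."""
    paths = list(PAGES_BEFORE)
    before = snapshot(paths, lambda p: PAGES_BEFORE[p])
    after = snapshot(paths, lambda p: PAGES_AFTER[p])
    return regress(before, after)


if __name__ == '__main__':
    for path, finding in demo().items():
        print(path, 'PHP errors:', finding['php_errors'])
        print('\n'.join(finding['diff']))
```

On a real site the fetch function would perform the HTTP request against the origin server rather than through Cloudflare or varnish, otherwise the cache the post mentions can hand back the pre-patch page and hide a regression. The front page drops out of the report because only its form build id changed, while the emptied list and the new PHP Notice are both flagged.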

Regressions are nice, but in many cases developers don’t have time to run them and a simpler set of manual checks can help gain confidence that changes made have no detrimental effects.

I cannot recall ever having major issues patching (as opposed to upgrading) the core of WordPress and Drupal, and I have done this hundreds of times. The quality of testing when it comes to core (not external/additional modules) is quite high, but another worthy step is, before making any changes, to look around the forums to see what experience other people have had. There were cases where patches were problematic and this quickly became public knowledge; sometimes workarounds or patches for the patches are circulated within hours.

Background reading

Tuesday, July 15th, 2014, 8:30 am

Lawyers Who Don’t Use Encryption When Suing Government Entities With Access to Intercepted Material (Mass Surveillance)

And why every law school should teach everyone about encryption before any other “IT skills”


THERE IS a disturbing trend which is shared among pretty much all lawyers and other ‘legal’ professionals. I know because I checked. I also know because I saw how my friend, Pamela Jones (the paralegal behind Groklaw), got spooked by the spooks and stopped writing online after she had rejected my offer to use encryption about 8 years ago (saying it would only attract more attention). These are smart people who seem to be ignoring the threat of surveillance even when the threat is out there in the open, thanks to people like Edward Snowden. A lot of what Snowden showed had been known to me for years, but now there is undeniable truth which even the NSA’s chronic lies cannot cover up and shed uncertainty on. Ignorance is no longer a valid excuse.

I currently have a very strong case against a decision from the British government. I am sure I’ll win, the only question is when and at what cost (I have already spent thousands of pounds on it). I am not going to elaborate on it until the case is over, whereupon I will also release sensibly redacted papers (removing personal information) and explain the abuses which I have become aware of and personally suffered from. These abuses have impacted at least 4 people that my solicitor alone (an activist against torture) is working with. Nationwide, therefore, there may be thousands of such victims. It’s hard to say for sure how widespread this type of abuse has become, but one can estimate by extrapolation. In the future I will also file a formal complaint about it, then pressure my Member of Parliament to take action (not just yet).

Now, let’s deal with the key issue — or ‘beef’ — of this post. As in any legal case, papers are being sent back and forth, often electronically. It’s a practical thing to do because of speed (instantaneous for images and text). The stuff which the solicitor and I have already exchanged over E-mail is known about to the respondent, which has copies (this includes a request for appeal). Some stuff does not necessarily need to stay under the table, especially when it is accessible to both sides. Just as one requires no anonymity when purchasing a flight ticket (because the ticket itself already eliminates any chances of anonymity), for some documents it is fine to be visible to the opponent. There is not much to lose there.

But then there’s more sensitive stuff, like strategy.

Lawyers and barristers should always send sensitive material encrypted and over secure channels (to preserve client-solicitor privacy/privilege). E-mail is one of the least secure methods of transferring data. It’s almost as though it was designed for surveillance and profiling/linking people, but in reality it just got exploited by spooks and the protocols never adapted to counter these inherent deficiencies (encrypted mail still exposes the identity of the sender and recipient/s). Face-to-face or snail mail are better because bugging is hard and in the latter case it’s hard to achieve unobtrusively, e.g. opening envelopes and re-sealing them. Since GCHQ and some government departments (e.g. Home Office) work together on increasing surveillance, right now under the guise of ‘emergency’ as if we’re in wartime, we can assume — pessimistically — that they may be studying the cases against them based on interception and preparing themselves based on this prior knowledge, or increased awareness. This is of course not acceptable, but then again, we already know that obeying the law is not our government’s best strength. That’s a debate for another day. In another circumstance one could probably chat or write about these issues (I know that my solicitor too advocates human rights in some capacity), but this is not the subject of this post.

As one who writes prolifically on issues of national security, I have good reasons to suspect I have no privacy, unless technical measures are taken to protect it. I encrypt mail where possible. But I depend on others doing the same. Encryption is not a one-end preference; it needs to be agreed on and embraced by both ends.

People don’t want to jeopardise a case by unnecessarily giving away strategic arguments to the opposing side; I have seen people (usually in the US, some of whom I know online) on whom subversive means were used (illegal actions by those in power) to intimidate, harass, libel, etc. Completely bogus charges can be made up and hyped up in the media, framing of a person is very common (digitally too), and drainage of one’s resources through legal fees is also a common tactic of vendetta.

Any solicitor who wants to take on the government of his/her country absolutely must learn to encrypt. But this should not be limited to cases like these. Several months ago it turned out that the US government had spied on a US law firm which was working to advise a foreign nation on trade negotiations (this is a corporate matter). We know these types of abuses do happen in the West, so lawyers must learn to protect themselves. Unless they can sue to stop these practices (illegal actions by their government), they will need to adopt technical means of overcoming these dangers.

Perhaps I have become too cynical or too pessimistic when it comes to my government obeying the rule of law, but based on some recent revelations, the record supports me. We are living at times of lawlessness for the rich and powerful and oppression (through tyrannical laws and overreach) for the rest.

Sunday, June 29th, 2014, 8:34 am

The Darker Side of the Three Towers and RMG


USUALLY, the Three Towers are a good place to be. The residents are quiet, the place is relatively clean, but RMG tends to neglect it, leaving the gates, for example, unfixed for years.

It is also very hard to communicate with RMG, which refuses to provide basic information and impressively enough offers zero cooperation in case of serious incidents.

RMG is ruining what could otherwise be decent. The utility company (with a monopoly on the service) is apparently connected to the building’s operator (an incestuous relationship), so a form of corruption is likely, too.

Today I wish to deal with more serious matters and put them out there for our own safety, as well as to warn others.

Crime in our building recently took place, but RMG seems apathetic and unresponsive about it. I don’t believe we were personally targeted, but just in case something happens, I believe RMG should be held partly accountable or at least liable. No company should follow the example of RMG.

I am hereby, with some hesitation, writing regarding a very serious matter which seemed more serious after the police had reported gunshots near our apartment in Christabel (this was confirmed by the police in a letter).

The gunshots happened a short while after my wife was assaulted inside our building, Christabel. Two young boys stalked her in the elevator and then followed her into the bin room. When she entered they locked her inside and propped the door locked with a broom. She yelled for help and a nearby neighbour came to the ground floor and scared the boys away, after they had admitted (to him) they did not even live in the building. How did these boys get inside?

My wife was horrified, but this was never investigated. RMG did not even bother looking at the CCTV footage that it had captured. What is CCTV good for if one can’t be bothered to even use it? The individuals probably cannot be identified, but the way in which they infiltrated the building matters. RMG does not seem to care. Yes, they let it slide.

A couple of hours later we both saw two dodgy-looking people in their 40s or 50s hanging about in a nearby apartment building (marionette) that is still waiting to be demolished. Their behaviour could be described as odd and we thought about calling the police, though saying two people are “up to no good” is a spurious complaint (the police would not appreciate it). I have had other menacing incidents like this in the past, but never a gunshot (domestic violence across the hall, an intruder in my house, and the nearby building routinely had ambulances and police vans next to it).

At 11PM a gunshot was fired at a window (the police confirm this) and the following morning the road below us was closed by the police with two vans, including the TAU (a special police unit in Manchester), parked at both ends. One of the guys we had seen the night before (one of the two dodgy-looking ones) was carried to a police van in a wheelchair. The police do not say much about the incident except the gunshots. This is far from reassuring. We now feel unsafe even inside our house.

I demanded that RMG should investigate all these incidents and inform residents what exactly was happening. They failed to do so, so in my view they are now liable and I decided to spread the word about what happened in this area, holding accountable those who are not doing enough to protect the residents (we pay RMG a lot of money to do so every year). There is a risk to life here and since intruders assaulted my wife inside the building we cannot tolerate this.

Cooperation with the police has proved useless in the past (in fact it put me at risk because the criminals then perceived me as their enemy), so I was approaching RMG first. RMG should have extensive CCTV footage inside the building and around it. Given the separation of just 4 hours between these events there is a likelihood that they are related, and one took place right inside Christabel. Why did RMG never investigate or even respond? Total neglect. Even criminal neglect.

I asked RMG not to share my identity with the police (it would most likely not help as much as a testimony to RMG).

I recently thought about buying a property here, but after these incidents I have other, less favourable plans.

People’s safety seems to be at stake, not just RMG’s reputation. For what it’s worth, avoid RMG, wherever they are. All they’re good at is collecting money annually.

Update: three hours after I published this post (on a Sunday even) RMG contacted me and said they had forwarded the case, well over a week after the CCTV footage got taken (the rotation of footage may mean that relevant footage might already be erased). It would not be unreasonable to suggest that this post had something to do with their late reactions.

Update #2 (30/6/2014): Today I was issued the following face-saving response:

Dear Dr Schestowitz,

Thank you for contacting RMG recently.

Unfortunately, our CCTV expires after 14 days and we are unable to access footage after this point. We are now unable to access any CCTV from 16th June or before.

Having spoken to the Property Manager, she has made us aware that was onsite, and visited apartment [redacted] the day after the reported assault, but was not at that point made aware of any allegations. At that point, Claire would’ve been able to access any CCTV footage required.

Additionally, if there are any future queries of this nature, we would strongly recommend that you contact us over the telephone rather than via email. Over the phone, we will be able to assist instantly.

Most importantly, if there are any further crimes at the property, you would need to contact the police as the first matter of course, especially considering the nature of the reported crime.

If you have any further queries, please don’t hesitate to contact us.

Thanks, and kind regards

It is regrettable that the CCTV footage was left to expire and the response over E-mail was so slow, probably due to bureaucracy. I will keep this in mind in the future.

Thursday, June 12th, 2014, 9:55 am

EasyJet Turns Away People With Tickets


EASYJET is an airline that should be blacklisted. It’s not just overpriced and does not allocate seats; today it shocked my family when it turned down pre-booked tickets, saying that the flight was “overbooked”. Yes, apparently even when you book a flight with EasyJet (whose broken Web site makes it virtually impossible to check in) the airline can refuse to let the passengers board the plane. Even bus services don’t do such stuff!

EasyJet might be the crappiest airline ever to exist. How can they legally turn back passengers with tickets they purchased for a flight? Way to ruin one’s vacation.

Original styles created by Ian Main (all acknowledgements) • PHP scripts and styles later modified by Roy Schestowitz • Help yourself to a GPL'd copy