Slashdot Mirror
White House Website Switches To Open Source
Falc0n writes "WhiteHouse.gov has gone Drupal. After months of planning, says an Obama Administration source, the White House has ditched the proprietary content management system that had been in place since the days of the Bush Administration in favor of the latest version of the open-source Drupal software. Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
Are you a troll, naive or stupid?
A CMS is required if you want content to be updatable by non-programmers, which is almost always a very requirement on larger corporates pages.
A CMS will also allow versioning of content, making it easy to publish new content at specific points in time.
No reinventing of the wheel.
All kinds of stuff that can be used as is, or modified.
Features, features, features.
Easy separation of presentation / Data.
Workflow.
Yeah, and since you are at it, instead of generating webpages with a database for, say, 10,000 products, let builds each of them individually. A database always limits what you can do or how you should do it... Great logic.
Both of those things can be accomplished on your own code too, so thats not really a reason. Maybe you / your coders don't have to do as much work, but then it will limit you to that CMS's features, limitations and ways to do things.
Just a few reasons:
* You want to automatically use templates and not replicate formatting code
* You want different people that are not programmers to be able to update different parts of the website; you want to let them do it from their browser in a wysiwyg editor; you want to let them to easily first publish their articles on a staging host and then authorize somebody else to go online with it
* You want to allow commenting, feedback forms, registered users etc.
* You easily want to keep track of versions and revisions of published pages
* You want to automatically index the pages for searches
* You want to easily include dynamic(computed) data into your web pages
Now they're locked in to PHP.
Error: password can't contain reverse spelling of ancient Chinese emperor
A better question is why so many practically static web sites use online content management systems. Is it just for convenience? Lack of thought? A life content management system on the server is a serious security liability. Many web sites could just as well use an offline CMS and push the data to the server when an update is made. A typical web server can handle orders of magnitude more visitors when there is only static content. Even if you aggressively cache the CMS output, that still leaves the security aspect. I guess it takes a Slashdotting / Digg effect before most authors realize that having a web site which can't handle 10 concurrent visitors is rather pointless.
Why reinvent the wheel?
Sure, you can program everything from scratch and that might even appeal to you if you're the CEO of a company that sells programming services, but in many cases it makes more sense to use off-the-shelf software (which drupal is - well, off an imaginery shelf where everything is free as long as you give back).
For one, the weight a CMS adds is compensated by all of the code that is already present, all of the plugins that can be added without any trouble, the possibility for non-coders to easily modify website content ...
Especially for large websites, this can dramatically improve how fast you can update and improve your site.
Also, if you don't want to use a CMS, a framework like Django or Ruby on Rails is the way to go. These allow you to program everything yourself, but already have a lot of functionality built-in, to avoid reinventing the wheel.
Join the anonymous, help develop the network: http://www.i2p2.de
The problem with using Drupal for the White House is that it's a popular CMS and has lots of people looking for exploits and vulnerabilities. The second a proof of concept piece of code or an easy exploit is discovered, a few thousand script kiddies will decend to get their 15 minutes of fame.
I'm not sure how Drupal fares with bugs and patching speed (I know Wordpress seems to get some high profile holes discovered) but even if all vulns are patched before someone takes advantage of it, you're still going to need an admin who's going to be constantly alert to patching it.
I'm not arguing against closed source vs open, more about popular vs obscure.
Businesses have come to accept the limitations of software, and will often adjust the way they do things to fit in with whatever the software requires, sad but true.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
do you write you own operating system?
Forget the OS - do you reckon he designs and fabricates his own CPUs?
Ok, Netcraft's history seems to be screwed up, but I can tell you this:
Right after BO was inagurated, I checked the site. It had just switched over from Bush's site to BO's. Netcraft reported that Bush's site had been Apache on Linux, and BO's new site was IIS on MS.
OK, guys, now everyone should shut up about anything the government does, because it went open-source, right?
*crickets*
Does the Obama administration really think they can buy us off that easily? It's a significant step forward, but I don't think we should bother to praise them in any way.
Huh. Now to me, this is a clear sign that they hired a new web guy who happens to have experience with and a preference for Drupal. I don't think there's a necessarily a political statement here.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
I just wish they'd pull through in their promises of being open as in transparent. I don't give a fuck what they do with their web site but what lobbyists are showing up for the meetings is important to me.
I guess it's hard to be openly honest when it will prove that you're a liar. Obama had the chance to change the way his office works from the ground up and fumbled the ball. Now we're getting the same old same old.
I wish they used something Python based:
def askPresidentQuestion(q):
if president == "Bush":
misSpeak()
elif president == "Obama":
pass
Yes, but I don't want Whitehouse.gov doing that. Allowing feedback on the high profile website is STUPID and ignorant.
They should have a static website with automatic refreshes from a dynamic back end where uses can edit and publish whatever they like.
They will be hacked, it is just a matter of time.
Just out of curiosity, what were they using before?
"...and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
All located in countries hostile to the west.
theres alot of good reasons people use cms... and let me try and use your own words... say you wanted a website that looked like cisco's.
In a CMS, (such as drupal)... heres who does what:
1) designer writes a theme for the website (to give it the look)
2) content producers write the pages
3) codes do the bits the cms doesn't already do.
The point is, the CMS gives you alot to begin with without limiting you, sure you could code a website from scratch but something as powerfull as drupal is going to take a long time. You may not need everything drupal does so you can cut that down a bit. But ultimately you'll end up with something that allows people to do their jobs (i.e. content producers to write pages). Drupal CMS is also especially good at being extended (and there are virtually no limits that I can think of). So rather then writing a whole heap of code to do your website, your coders just write what they need to extend the CMS - "dang, drupal doesnt do rsa based two factor auth, we're going to have to code it in" as apposed to "ok, lets get started on coding a website - quick grab 15 people who know architecture".
I make my own fucking ELECTRONS!
So when you write your own code, you've written a CMS. But you just passed one up because it was too heavy-weight...
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
My first reaction to seeing this article was how long it will take for Fox News and friends to declare open source software as socialist and how comrade Obama has taken jobs away from hard working capitalist programmers. It's really not a stretch given their track record.
Yes, I do.
And no drupal is not a solution. Most CMS products are insecure pieces of shit. I would not use a CMS for a high profile target like that. They should be publishing static files with a custom system. Only pages that must be dynamic should be. It's just dumb. Did you guys forget how the web worked before CMSs came around?
Yet, even as the White House becomes more efficient and the website costs less to build and operate, this is one more step towards a post-scarcity future that the White House is not otherwise directly engaging, like by promoting a "basic income" for all regardless of whether someone "works":
"Why limited demand means joblessness"
http://www.beyondajoblessrecovery.org/2009/10/03/why-limited-demand-means-joblessness/
"Summary: Mainstream economics assumes demand for almost anything is infinite. Thus, the theory goes, when human workers get replaced by robots, or better design means less human labor is needed, then there will soon be new jobs making new things; the only issue might be retraining. But, if demand is limited (because the best things in life are free or cheap, and everything you own also owns you), then when people get laid off, the jobs are gone for good, because there is nothing more that anybody wants then is already produced. And people having more time outside of compulsory work would be a good thing, if we more evenly shared the wealth from automation and better design, but we don't -- yet."
http://en.wikipedia.org/wiki/Basic_income
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
You are one dumb motherfucker sopssa. Never forget that.
If some of the people who post here were as smart as they think they are, they'd figure out:
* Whitehouse.gov is not running Drupal on a ten-dollar shared server at GoDaddy.com.
* Building and maintaining a large, continuously updated website is not something you do in a weekend with Notepad, a giant bag of Cheetos, and a case of diet Coke.
* Any Drupal project of this scale involves layers of extremely high-performance caching and multiple firewalls.
* The site's administrative tools aren't available from the outside. (This is not difficult to implement.)
* Life does not begin and end with your personal favorite programming language, database server, etc., or with the boundaries of your parents' basement.
* Security reports are reports of vulnerabilities that have been fixed, not vulnerabilities that lie in wait to ambush your site. A properly run open-source project has a documented process for handling security issues.
I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish, but that's just a guess. The HTTP headers identify the server technology as "White House."
Will the White House hold a press conference if Obama switches to Firefox from IE?
Hopefully this will drive a push to utilize open source in other aspects of government. Specifically secondary education. School districts across the country are locked in symbiotic dependency to profit driven computing / IT services and systems. Linux offers a robust full service option but gets NO (very little) attention from the department of education. DOE, Please support those of us who are trying to save money with open source in the schools!
As of now, there are 471 pending bugs on the Drupal project. It is your patriotic duty as a geek to go fix some bugs.
"Both of those things can be accomplished on your own code too"
Yes, of course. And do you know how the internal app you developed so to allow non-programmers to update content, so PHBs can review the content prior to go public, so you can version contents and pre stablish the date it will go alive, etc. will be called? It will be called a "Content Management System".
So in the end you won't avoid the CMS you'll just develop your own internal one: reinventing the wheel, at a cost, and probably worse.
Pretty sure noone in the world wants a website that looks like Cisco's. It's the worst site by a major technology company I've ever used. To get to anything I normally have to login 3-4 times because it randomly forgets your logged in, only to find out that what I was trying to get to was just a link back to where I started. And forget trying to download the software my account privileges say I should be entitled to, I always wind up using someone else's account because despite several attempts on Cisco's part to fix it it STILL won't let me. Honestly for the company that practically runs the internet, their website is just shameful.
Are there many static-CMSes (for want of a better term) like that available?
"Did you guys forget how the web worked before CMSs came around?"
Yes: it did work slower, more expensive and less functional. I even remember why first intranet efforts used to fail: because content stagnated due to the fact that only programers that didn't produce the information in first place were the only ones allowed and/or with the knowledge to modify contents.
"Most CMS products are insecure pieces of shit. I would not use a CMS for a high profile target like that. They should be publishing static files with a custom system. Only pages that must be dynamic should be. It's just dumb?"
You do know you can have your CMS administrative backend opened only to your internal networks so from the Internet all you have access to is an static, pre-cached, read-only version, do you?
Because if I change it, I have to have a service request, check it into svn, build, file a request for change, deploy during a change window, etc. If the users can change content in a CMS, no paperwork required.
First off, most leaders of the left wing imagine a future where scarcity is the norm, largely because they see the consumption of natural resources by the West as unethical in a larger world view. In their eyes, Americans already have "too much" and therefor should have to make due with less. This faux-conservatism, coupled with the right wing's stupid devotion to "free trade", is the underlying cause of this current economic crisis. It is that people want more stuff, resources are capped by environmental and ideological considerations, so, prices of goods are shooting up and people have less. Demand falls off, and unemployment shoots up. You add in free trade, and take away America's advantage in energy prices and expose our disadvantage in labor, and the country is totally fucked up.
It's pretty simple, actually.
Let's just think this through for a minute. Let's say that instead of having to borrow or raise taxes to have national health care, the USA simply turned around and issued permits to drill in ANWR and off the coasts. Instead of scraping to come up with 900B to pay for it, we would have that money coming in from ANWR alone, without a tax increase. Let's say for a minute that we build nuclear power plants everywhere, and lowered the price of energy to something like the 2 cents per kwh it is to operate a nuclear plant. Everyone would have effectively a 20% raise because of the energy savings not only for themselves but in the cost of every product or service that they buy, and that in turn would lower the price of medicine. If gasoline were a dollar a gallon, and electric bills not more than $20 a month, and food was cheap as well, everyone would feel pretty darned rich. Consumers would spend, tax revenues to the government would go up, and you could have an administration that throws national health care on the table coupled with a modest tax cut.
Bottom line is, regardless of whether you want to have the government doling out the goodies, or get yourself a tax cut, or even a combination of both, the most effective thing the government could do to do that would be to say screw the environmentalists and get cheap energy, no matter what. Energy -is- wealth, and the more wealth you have, the more stuff you can swing.
If everyone felt rich, than putting a national health care plan would be no big deal.
This is my sig.
Seriously, when the government starts talking about hosting, they can just throw hardware at it. When you are able to print money, the capital costs of anything are pretty much irrelevant.
This is my sig.
It's not necessarily a bad thing. Yes, sometimes it cuts off new and creative ideas. Often, those are bad ideas, and everybody else is doing it the regular way for a reason.
This is especially true when a business is getting outside of its domain. If you're the best bottle-maker or book-binder on the block, do that. But your accounting and web site is almost certain to be identical to any other businesses, and crafting roll-your-own accounting or web management software specialized to your thing is quite likely the wrong thing.
Not always, but I've found too many businesses err on the Not Invented Here side.
You must be new here!
Sent from my ASR33 using ASCII
did they hold a press conference when they switched to Drupal? No, then why would they for a browser change. This news was reported by the AP and picked up by other third party sources: no press conference.
I'd like to know what commercial CMS the white house dropped... Tridion, Interwoven, Fatwire, Windows Notepad? It's kind of weird that's not being mentioned.
That's your opinion and just because you have one doesn't make it the correct choice.
In fact, I do remember how the web was before CMS came around. I remember people handing me MS Word documents saved as 150KB+ HTML files. Or having to clean up sections of the corporate site where someone cut-and-pasted from MS Word into the site.
Heck, people made a living off writing software just to clean up the mess. Eliminate clutter in Microsoft Word generated HTML files with the Office 2000 HTML Filter
And to Sopssa, He fails to realize that Drupal can be hardened and has the benefit of several years of testing and user feedback unlike a custom system.
I clearly remember the days before CMS and it looked like this.
<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40" > <head > <meta name=Title content="This is normal unformatted text" > <meta name=Keywords content="" > <meta http-equiv=Content-Type content="text/html; charset=utf-8" > <meta name=ProgId content=Word.Document > <meta name=Generator content="Microsoft Word 10" > <meta name=Originator content="Microsoft Word 10" > <link rel=File-List href="WordtoHTML_files/filelist.xml" > <title >This is normal unformatted text </title > <!--[if gte mso 9] > <xml > <o:DocumentProperties > <o:Author >Elizabeth Pyatt </o:Author > <o:Template >Normal </o:Template > <o:LastAuthor >Elizabeth Pyatt </o:LastAuthor > <o:Revision >1 </o:Revision > <o:TotalTime >1 </o:TotalTime > <o:Created >2003-10-22T19:05:00Z </o:Created > <o:LastSaved >2003-10-22T19:06:00Z </o:LastSaved > <o:Pages >1 </o:Pages > <o:Company >ETS </o:Company > <o:Lines >1 </o:Lines > <o:Paragraphs >1 </o:Paragraphs > <o:Version >10.2418 </o:Version > </o:DocumentProperties > </xml > <![endif]-- > <!--[if gte mso 9] > <xml > <w:WordDocument > <w:DisplayHorizontalDrawingGridEvery >0 </w:DisplayHorizontalDrawingGridEvery > <w:DisplayVerticalDrawingGridEvery >0 </w:DisplayVerticalDrawingGridEvery > <w:UseMarginsForDrawingGridOrigin/ > <w:Compatibility > <w:SpaceForUL/ > <w:BalanceSingleByteDoubleByteWidth/ > <w:DoNotLeaveBackslashAlone/ > <w:ULTrailSpace/ > <w:DoNotExpandShiftReturn/ > <w:AdjustLineHeightInTable/ > </w:Compatibility > </w:WordDocument > </xml > <![endif]-- > <style > <!-- /* Font Definitions */
@font-face
{font-family:"Times New Roman";
panose-1:0 2 2 6 3 5 4 5 2 3;
mso-font-charset:0;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:50331648 0 0 0 1 0;}
@font-face
{font-family:Arial;
panose-1:0 2 11 6 4 2 2 2 2 2;
mso-font-charset:0;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:50331648 0 0 0 1 0;}
@font-face
{font-family:Palatino;
panose-1:0 2 0 5 0 0 0 0 0 0;
mso-font-charset:0;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:50331648 0 0 0 1 0;} /* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:Palatino;}
h3
{mso-style-next:Normal;
margin-top:12.0pt;
margin-right:0in;
margin-bottom:3.0pt;
margin-left:0in;
mso-pagination:widow-orphan;
page-break-after:avoid;
mso-outline-level:3;
font-size:13.0pt;
font-family:Helvetica;}
p.MsoBodyText, li.M
I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
Building and maintaining a large, continuously updated website is not something you do in a weekend with Notepad, a giant bag of Cheetos, and a case of diet Coke.
NONSENSE! Everyone knows that there's no software project so complex that it can't be done in 3 days by an 8-year old kid, who'll do it for the Cheetos and Coke alone. And we've got any number of big-name sites and systems that demonstrate that that's exactly what must have happened.
Netscape 4.x came with something like that. It's latest descendant, SeaMonkey, has it too.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Not only that, but using Drupal means you have a built-in security/programming team, constantly updating, improving, looking for bugs, etc. If you write your own software, YOU have to maintain it, by yourself. Are you as good as the Drupal devs? (I know I'm not)
You do know you can have your CMS administrative backend opened only to your internal networks so from the Internet all you have access to is an static, pre-cached, read-only version, do you?
Ever heard of Akamai?? ;; QUESTION SECTION: ;www.whitehouse.gov. IN A ;; ANSWER SECTION:
www.whitehouse.gov. 2034 IN CNAME www.whitehouse.gov.edgekey.net.
www.whitehouse.gov.edgekey.net. 16434 IN CNAME e2561.g.akamaiedge.net.
Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
Or, more likely, the PHB in charge is running with Drupal because it's popular and CMS's are faddish right now, or worse yet maybe Drupal is the favorite one-size-fits-all solution of the head techie at the White House.
lol
>/dev/null 2>&1
I think it's great that the White House and The Onion have even more in common!
does this even offset a Administration which takes all the bad habits of the last and compounds them with super sized bills that no one gets to review and a good dose of intimidation against any who speak up?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Insightful post. Completely off-topic but, still, you make some damned good points.
This space for rent!
Insightful post. Completely off-topic but, still, you make some damned good points.
Yeah, totally off topic, but inspired somewhat by the commentary that inevitably follows an FOSS product adoption decision made by a major enterprise..., it's like "the movement" won. Maybe the gov't just picked the better product?
This is my sig.
With all due respect, are you a web developer?
For starters, a well-developed CMS and some competent IT people can produce a site every bit as quick as a static HTML site, because that's exactly what they'll be serving up with good server-side caching. Any "weight" in the backend is more than offset by the increased ease with which content can be updated.
Moreover, a CMS allows non-technical people to be involved in the process. Most likely, people from the press and communications offices are going to be the ones in charge of the content on this website, and it's not at all unreasonable to assume that most of them aren't going to be any good with HTML.
And why should they be? CMS is exactly what it says it is -- a content management system, letting people focus on content by hiding away the markup and technical nonsense they're not concerned with anyway. Sometimes it's fully inappopriate; sometimes a custom one is better than off-the-shelf. But you really can't see why anybody would want to use one? Ever?
They're using the Akamai CDN, has been for many years. That's probably why it's so bloody fast
This is Awesome, now all the Drupal vulnerabilities will be highlighted on a daily basis!
I like Drupal, but security isn't really their strong point, nor is proper testing of their modules.
Oh well.
Do any of you have a recommendation on what to use instead? Preferably PHP-based, so it has a realistic shot of being supported on most hosting plans?
Yes there are.
It's done in two ways.
1. Firstly, it can be built-into the CMS at two levels:
A. Firstly, the CMS can output HTML. When the server comes to serving the page, it can just look for HTML. There are quite a few products that do this, but you lose some flexibilty because you can't include 'live' content: things that are changing all the time.
B. Or it can be baked into the CMS at cache level - so a page is constructed on-the-fly, but from fragments which are drawn from cache and which are straight HTML. Any serious CMS has some variation on doing this.
2. Or final delivery can be handed to a caching front-end or proxy, like Varnish, which is often used with Drupal for high-end sites. Varnish can delive pages from files, but is also smart enough that you can cache some things, but not others. You can also deconstruct a page, caching elements for different times. This can be valuable if your CMS does not have sophisticated caching strategies for personalised content. Varnish has other benefits - for instance it can be used to balance load.
Most CMS's have plugins that generate the static content or serve it directly from memory. Drupal has a bunch of such modules. Boost, memcache, cacherouter, etc.
The security team also looks for security holes in the modules, as well as in Drupal core.
-Myke
You must be new here!
Yeah everybody knows, programmers drink Jolt.
-Myke
I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish, but that's just a guess. The HTTP headers identify the server technology as "White House."
I don't know where you came up with Varnish . . . there are lots of ways to get performance that's just as snappy. A CDN is a good start. And it's pretty easy to tell that that's exactly what's being used here:
$ dig +short www.whitehouse.gov
www.whitehouse.gov.edgekey.net.
e2561.g.akamaiedge.net.
96.16.18.135
They're using Akamai for most of their content, it seems. I get 35ms ping to www.whitehouse.gov from machines in New York, Denver, Holland, and Washington (the state). My Washington machine gets 2 ms ping, actually, so I'm guessing Akamai has a machine in the same data center. Varnish alone isn't going to get you anywhere close to that kind of performance – it can't beat light speed.
MediaWiki developer, Total War Center sysadmin
Those who haven't had a hand or two blown off by Obama's cluster bombs, that is...
UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
Actually most people have been praising Drupal for its excellent security. You aren't going to find a CMS with a much better track record than Drupal.
What they were mainly saying is that Drupal is extremely popular with lots of people looking to exploit it, so it might theoretically be a high risk. A less well known CMS would not have many people looking (well, that would definitely change overnight if whitehouse.gov chose it :) and is therfore a lower risk, but also has tons of exploits not found yet.
Stick with Drupal if you want a tested, secure, and reliable CMS.
I clearly remember the days before CMS and it looked like this
Ha! The planetarium scheduler for the the school I work at has an HTML file she edits in Word to create the current month's calendar. This file has been used for some 2-3 years. Pulling it up right now, it is 682 KB in size and has over 6,000 lines of CSS at the top of the document. Here's a snippet:
The actual body of the document is about 400 lines of the most awful HTML table markup the universe has ever seen.
To see this file in its entirety is a most humbling experience.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
Absolutely. Cicso's web site is in dire need of a CMS like Drupal. Just trying to use the website for solving technical problems is a good reason to seriously consider another network product.
Every mans' island needs an ocean; choose your ocean carefully.
e107.
Of course the flip-side is that your off-the-shelf software also has off-the-shelf exploits, sometimes in functionality you don't use or even know existed. That's more a reason to upgrade such software frequently though, than reason to avoid it entirely.
But your accounting and web site is almost certain to be identical to any other businesses
Is that why I can't find any accounting software to deal with non-taxable stock dividend distributions from investment activities?
You don't know what you're talking about.
After all, I am strangely colored.
Communist Management System?
Supported on most hosting plans? I'm pretty sure the Federal Government's hosting plan includes whatever they want. For a high enough price, they could get a TCP over Carrier Pigeon server and run a mirror off that.
Security is most certainly not an afterthought for Drupal. ... The upcoming Drupal 7 has SSL login support in core.
Equating SSL with security is emblematic of the Drupal code base. It is, in my experience, the least secure CMS available. Just look at how regular and often Drupal vulnerabilities are announced. Even the Apache configuration requires you to enable FollowSymLinks!. The website says this was a security workaround but it is also as big a hole as the one it fixed. RewriteEngine also cannot be disabled. And the database load is far, far greater than any well designed CMSs. Pile PHP on top of that and you have, well, a pretty insecure webapp (to be diplomatic). I'm sure the Feds will do all sorts of extra stuff to monitor and patch this particular site, and I hope they contribute patches back, but I would not recommend Drupal to anyone who does not have a relatively extensive background in system monitoring, PHP, MySQL or Postgres, and Apache.
Yes, whitehouse.gov is a very attacked site, for all sorts of reasons, and I bet it will be the very first place to try out any new Drupal vulnerability, and at least one of those will succeed sometime in the next couple of years.
But, um...who cares if it does? It's not a mission critical web site. It's stupid fluff pieces about the president and his initiatives. If something goes wrong it gets flipped offline, restored from backup, patched, and brought back online.
It's interesting to see the government try OSS, and that might be an interesting discussion, but way too many people(1) here instantly leapt to the non-existence security implications, acting like important government computers were going to be exposed via any security issues in Drupal.
1) And half the remaining people appear to be morons talking about how CMS are useless. They haven't realized that stating 'people don't need CMSes' doesn't, like they think, show that they're some elite HTML coder, it just reveals them as someone who's never been hired to make a web site for someone else who then can add and remove content.
If corporations are people, aren't stockholders guilty of slavery?
I love Drupal and I think it is a good choice. Outside the concept of it being a in a three tier system, drupal's strengths lie it in it's scalability, high availability. and the very easy plug-in architecture. CCK is one of the best designed plug-ins ever written.
One of the worse I have ever had the misfortune to come across, and I have been forced to work with drupal in a few jobs. Granted is has a fantastic plug in system, it easily extendible, and has great scalability features. Read: crap, very crap, granny's blog.
It would appear that your experience doesn't stretch terribly far; off the top of my head I can name several much less secure systems. Finding, fixing and announcing vulnerabilities is a good thing: by your measure a hugely exploited CMS with no fixes would be better!
Regarding you assertion that the rewrite engine cannot be disabled; this is just plain wrong. The Apache rewrite engine can be disabled without any problem. If you do this, then you won't enjoy clean URLs, instead you'll have URLs like www.somesite.com/index.php?q=some/path instead of www.somesite.com/some/path. Internally Drupal always works with the first form. However, the rewrite engine is a widely used Apache module - with perhaps millions(?) of sites using it. It may very well have exploits - just as any software may - but it is trusted by lots of users.
Followsymlinks can be disabled too. It's required for rewriting and for one form of upload. Drupal works without problems without it. However, there's nothing inherently insecure in symlinks, and the default Drupal directory layout does not symlink to outside of the install tree.
Database load. I note that your assertion about load is without any reference to figures. I'm not certain which CMS you think is well written. However I'll note that there is a general problem with CMSs which are designed to be easily extensible: tightly integrated system usually use a single SQL statement to retrieve data - the designer knows all the constraints at design-time. A loosely coupled system is usually not able to do this: the designer has little idea of what will be present at run time. So it's in the nature of most loosely coupled system to run one query or more for each additional module. Drupal uses a loosely coupled callback orientated architecture. This means its very easy to extend. However the downside is that each module will usually include extra tables. Drupal is fairly smart about loading this extra data, but beyond that, to counteract the tendency for growth in queries, Drupal has a caching subsystem that is active in several layers. For anonymous users, Drupal only runs a few queries which determine where in the cache the data sits, and returns it.
Perhaps you'd like to elaborate with some firm figures and an example of a CMS that in your opinion does it right.
Regarding PHP security. Again - have you any firm facts to show that PHP is inherently less secure than any other language? The consensus in security circles is that openness is better for security. *You* are able to download the PHP source code and contribute patches. If you know of a security issue, I'd urge you to help fix it. Or is this opinion without facts to back it up?
Again, I'd be interested to know which CMS you do recommend to the person in the street. I would not at the moment recommend Drupal for most brochureware sites, though it is capable of brochureware, however for sites in excess of about 100 pages, for sites where there is a heavy community aspect, and for sites which hope to change and grow, Drupal is an excellent choice.
Are you complaining that the security team takes time to go through the 2000+ components, find problems and notify you?
You can unsubscribe from the list, and rely only upon the status subsystem, which if you have not switched it off, will notify you on a regular basis about upgrades and security fixes for the only modules you are using.
In contrast to your assertion: Drupal has an _excellent_ security history, and the fact that you are alerted about updates serves to highlight this.
You may wish to switch to a CMS which has no security warnings, but I would not feel comforted by lack of warnings.
"Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software"
Uh... Not it's not. It's not like there is classified data on the whitehouse.gov CMS. What's the worst that's going to happen? Some right wing nut hacker like Eric Raymond is going to have in and replace Obama's picture with one of Joseph Stalin?
This will harden Drupal. Worth while.
Inventor, Artist http://www.Rubber-Power.com
I'm sorry, but Plone kills drupal when it comes to design expandability and security. I like Drupal a lot but unless you have a huge in house PHP team already or you're not interested in ever utilizing any enterprise level features on your CMS, it is a mistake to use Drupal over Plone or an enterprise level CMS. It's all about the right tool for the right job...
So, let me get this straight. They've decided to go for open source so that they aren't locked in to a proprietary solution provider. Just to be clear: you live in a country that has no problem over-throwing their own government every 4 years, and in fact insists that it happen every 8 years, but refuses to rebuild their web-site ever again?
How about this. How about every 4 years, when there's a new president, who proceeds to fire everybody, bring in his entire team, and spend six months appointing all sorts of other positions from scratch, how about he then, and only then, rebuilds the web-site -- you know, with new technologies and new ideas -- instead of leaving the 8-year-old web-site from the last administration to sit and grow dust.
There are great reasons to benefit from an open source web-site. But I guarantee the following super ideas won't actually be put forward by anyone but me:
- academic (school) assignments to improve a page of the country's web-site
- national challenges to build interesting and useful public features
- the olympics, for web developers -- you know, a task that actually has some value, unlike figure skating. Really, I think we've pushed ice-skate technology far enough. Even NASA can't find enough ice.
- every government employee to build 1 web page
- in order to apply for a government position, you must improve an existing web-page
- national web-page development day! everybody program.
- $100 of your annual income tax if you build a web page
But, in the end, you know as well as I do:
- fewer than 15 people will ever touch a single line of code for this thing
- fewer than 50 people will ever generate any content for this thing -- CMS or not
- it won't last 8 years
- it won't last 4 years
- it won't launch on-time
- it won't launch complete
- it won't ever reach initial completion
- it'll suck. (that's a period my friends)
- it won't help anyone with anything
- it'll be marginally better than a computerized telephone answering machine
- it'll be a waste of a lot of time
- somehow it'll manage to cost tax payers way too much money
- it won't create jobs. it won't save jobs. it won't improve the economy. it won't feed people. it won't save the auto industry. it won't save the oil industry.
- it won't solve a single current actual problem
Amazing how much easier it was to write that second list as compared to the first.
November 1999, Slashdot interview with "the Queen's webmaster".
What happened since? The consultants moved in. Just in case you missed it, an Open solution doesn't bring in half as much money and customer lock in as proprietary solutions, so the door was thrown wide open to Microsoft based IT. "Come in, all is forgiven, we've relegated those nasty sandal wearing people to some unimportant jobs. Now, what were you saying about a nice position after I retire again? What? Naah, we don't need to to save money, it's TAXpayer's money. As long as we can sell a halfway plausible reason which it's not Open we'll be OK. Something like "not ready for industrial use" or something will do, I'm sure you can cook up some feasibility studies that "prove" that. We'll be nice to each other, won't we? Got any retiring people we can stick in the audit commission?
I'm glad the administration is showing signs of intelligence here, but it's a mighty strong lobby..
Insert
"you're admitting that you're not as good of a developer..."
logic says he doesn't, failtroll.
When Obama's inauguration speech was published using Silverlight I thought that the Whitehouse IT had succumbed to Microsoft lobbying. So this actually good news for once. Lobbyists will have to be more careful in their rhetorics when arguing against free and open source software.
Now lets hope they start publishing their videos from Adobe Flash to HTML5 VIDEO tag based on User-Agent strings. Looking forward to watch some Theora content from whitehouse.gov.
404 Not Found
Plone's security is much higher than Drupal's and most other PHP frameworks. For some stats and analysis see here:
http://plonemetrics.blogspot.com/2009/04/plone-security.html
Whilst the analysis will be a bit biased as it is by someone who uses Plone, the stats there are all independent.
Alos both cia.gov and fbi.gov are Plone sites. Nuff said.
-Matt
heh, I can see all the windows-1252 curved quotes showing up as garbage text even now...
I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
Did you mean "throw"? It looks like that's what you meant but I'm not sure.
Free Martian Whores!
Let me relate a recent situation that happened to me. I was asked to come in and look at a proof-of-concept website that someone was designing for a customer. It was a reasonably impressive website that he showed us. He told us this POC took him about 100 hours to implement. The customer asked how long it would take to add certain features, particularly the ability for his staff to create pages on the fly without having to download files, modify them, and FTP them into place, and was told several hundred more hours.
I suggested the site could be created using an existing CMS in significantly less time and with all the functionality they were looking for. I was asked to develop a POC as well using Drupal. I returned 48 hours later with a site that had everything the customer wanted, including the ability to easily add an ecommerce store at a later date.
Who do you think has the contract now to build the site? Let me give you a hint... it isn't the guy who put 100 hours in.
Oh, I was thinking of Varnish because:
1. It's currently quite hot in the Drupal world.
2. It's part of the secret Norwegian plan for world domination by proxy. Oh God, did I really say that?