White House Website Switches To Open Source

Falc0n writes "WhiteHouse.gov has gone Drupal. After months of planning, says an Obama Administration source, the White House has ditched the proprietary content management system that had been in place since the days of the Bush Administration in favor of the latest version of the open-source Drupal software. Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"

Re:Why CMS

[jopet]

Just a few reasons:
* You want to automatically use templates and not replicate formatting code
* You want different people that are not programmers to be able to update different parts of the website; you want to let them do it from their browser in a wysiwyg editor; you want to let them to easily first publish their articles on a staging host and then authorize somebody else to go online with it
* You want to allow commenting, feedback forms, registered users etc.
* You easily want to keep track of versions and revisions of published pages
* You want to automatically index the pages for searches
* You want to easily include dynamic(computed) data into your web pages

Re:Why CMS

[Mathiasdm]

For one, the weight a CMS adds is compensated by all of the code that is already present, all of the plugins that can be added without any trouble, the possibility for non-coders to easily modify website content ...
Especially for large websites, this can dramatically improve how fast you can update and improve your site.
Also, if you don't want to use a CMS, a framework like Django or Ruby on Rails is the way to go. These allow you to program everything yourself, but already have a lot of functionality built-in, to avoid reinventing the wheel.

Re:High profile target and popular CMS'

[kamelkev]

I run a fairly high profile drupal site - and this has always been a large concern for us.

Our solution was basically to disable user logins completely. An overwhelming number of the exploits require you to login, so by removing this prerequisite, we basically avoided the problem.

Security isn't exactly a priority for drupal either, it's almost added as an afterthought. To put things in perspective, their login page doesn't even support SSL by default in either drupal 5 or drupal 6. To me that's verging on pathetic.

We were lucky because user logins weren't a core part of our site concept when we implemented the site, but I am now thinking that it might be a good way to go in the future, but I'm mostly petrified of this problem.

On the bright side of things they include a large number of extensions, and things mostly work as advertised, so we found this to be our best option out of all the open source CMSes we tried.

Re:High profile target and popular CMS'

[Bozovision]

I think you are misinformed. Morpheus seemed to be targeted at a range of software, including Joomla, but not Drupal: as far as I can see, none of the URL's it scanned are Drupal-based. See http://zeroq.kulando.de/post/2008/08/20/morfeus-fucking-scanner for example, but there are others out there.

In fact, Drupal has an excellent history of security. We find holes, fix them and issue patches. There is a security mailing list that anyone can sign up to. You will receive mail on the latest security fixes. Your Drupal installation will tell you when components are out of date, and when there are security updates. It will also email you on a regular basis if you don't care to look at your status, or ignore the status message at the top of the page when you log in as an administrator. Drupal will not download and install components without human intervention: components require manual installation.

Just like any software, I'm certain that Drupal has as yet undiscovered exploits. What's important is whether they are found and fixed, and we have a good track record of doing this.

Re:Why CMS

[turbidostato]

"Did you guys forget how the web worked before CMSs came around?"

Yes: it did work slower, more expensive and less functional. I even remember why first intranet efforts used to fail: because content stagnated due to the fact that only programers that didn't produce the information in first place were the only ones allowed and/or with the knowledge to modify contents.

"Most CMS products are insecure pieces of shit. I would not use a CMS for a high profile target like that. They should be publishing static files with a custom system. Only pages that must be dynamic should be. It's just dumb?"

You do know you can have your CMS administrative backend opened only to your internal networks so from the Internet all you have access to is an static, pre-cached, read-only version, do you?

Re:Why CMS

[jbezorg]

That's your opinion and just because you have one doesn't make it the correct choice.

In fact, I do remember how the web was before CMS came around. I remember people handing me MS Word documents saved as 150KB+ HTML files. Or having to clean up sections of the corporate site where someone cut-and-pasted from MS Word into the site.

Heck, people made a living off writing software just to clean up the mess. Eliminate clutter in Microsoft Word generated HTML files with the Office 2000 HTML Filter

And to Sopssa, He fails to realize that Drupal can be hardened and has the benefit of several years of testing and user feedback unlike a custom system.

I clearly remember the days before CMS and it looked like this.

<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40" > <head > <meta name=Title content="This is normal unformatted text" > <meta name=Keywords content="" > <meta http-equiv=Content-Type content="text/html; charset=utf-8" > <meta name=ProgId content=Word.Document > <meta name=Generator content="Microsoft Word 10" > <meta name=Originator content="Microsoft Word 10" > <link rel=File-List href="WordtoHTML_files/filelist.xml" > <title >This is normal unformatted text </title > <!--[if gte mso 9] > <xml > <o:DocumentProperties > <o:Author >Elizabeth Pyatt </o:Author > <o:Template >Normal </o:Template > <o:LastAuthor >Elizabeth Pyatt </o:LastAuthor > <o:Revision >1 </o:Revision > <o:TotalTime >1 </o:TotalTime > <o:Created >2003-10-22T19:05:00Z </o:Created > <o:LastSaved >2003-10-22T19:06:00Z </o:LastSaved > <o:Pages >1 </o:Pages > <o:Company >ETS </o:Company > <o:Lines >1 </o:Lines > <o:Paragraphs >1 </o:Paragraphs > <o:Version >10.2418 </o:Version > </o:DocumentProperties > </xml > <![endif]-- > <!--[if gte mso 9] > <xml > <w:WordDocument > <w:DisplayHorizontalDrawingGridEvery >0 </w:DisplayHorizontalDrawingGridEvery > <w:DisplayVerticalDrawingGridEvery >0 </w:DisplayVerticalDrawingGridEvery > <w:UseMarginsForDrawingGridOrigin/ > <w:Compatibility > <w:SpaceForUL/ > <w:BalanceSingleByteDoubleByteWidth/ > <w:DoNotLeaveBackslashAlone/ > <w:ULTrailSpace/ > <w:DoNotExpandShiftReturn/ > <w:AdjustLineHeightInTable/ > </w:Compatibility > </w:WordDocument > </xml > <![endif]-- > <style > <!-- /* Font Definitions */ @font-face {font-family:"Times New Roman"; panose-1:0 2 2 6 3 5 4 5 2 3; mso-font-charset:0; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:50331648 0 0 0 1 0;} @font-face {font-family:Arial; panose-1:0 2 11 6 4 2 2 2 2 2; mso-font-charset:0; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:50331648 0 0 0 1 0;} @font-face {font-family:Palatino; panose-1:0 2 0 5 0 0 0 0 0 0; mso-font-charset:0; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:50331648 0 0 0 1 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-parent:""; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:Palatino;} h3 {mso-style-next:Normal; margin-top:12.0pt; margin-right:0in; margin-bottom:3.0pt; margin-left:0in; mso-pagination:widow-orphan; page-break-after:avoid; mso-outline-level:3; font-size:13.0pt; font-family:Helvetica;} p.MsoBodyText, li.M

Re:High profile target and popular CMS'

[blakhol]

Security is most certainly not an afterthought for Drupal.

Up though version 6 you needed to turn on a module like Securepages module to enable SSL logins.

The upcoming Drupal 7 has SSL login support in core.

See http://crackingdrupal.com/blog/greggles/drupal-and-ssl-multiple-recipes-possible-solutions