White House Website Switches To Open Source
Falc0n writes "WhiteHouse.gov has gone Drupal. After months of planning, says an Obama Administration source, the White House has ditched the proprietary content management system that had been in place since the days of the Bush Administration in favor of the latest version of the open-source Drupal software. Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
I've never understood the need to use some kind of CMS behind websites. It just adds unnecessary weight and complicates things, and always limits what you can do or how you should do it. Why not just code the website completely to begin with?
It's a lot better way to go, even more so for large websites.
Now they're locked in to PHP.
Error: password can't contain reverse spelling of ancient Chinese emperor
The problem with using Drupal for the White House is that it's a popular CMS and has lots of people looking for exploits and vulnerabilities. The second a proof of concept piece of code or an easy exploit is discovered, a few thousand script kiddies will descend to get their 15 minutes of fame.
I'm not sure how Drupal fares with bugs and patching speed (I know Wordpress seems to get some high profile holes discovered) but even if all vulns are patched before someone takes advantage of it, you're still going to need an admin who's going to be constantly alert to patching it.
I'm not arguing against closed source vs open, more about popular vs obscure.
Ok, Netcraft's history seems to be screwed up, but I can tell you this:
Right after BO was inaugurated, I checked the site. It had just switched over from Bush's site to BO's. Netcraft reported that Bush's site had been Apache on Linux, and BO's new site was IIS on MS.
OK, guys, now everyone should shut up about anything the government does, because it went open-source, right?
*crickets*
Does the Obama administration really think they can buy us off that easily? It's a significant step forward, but I don't think we should bother to praise them in any way.
Huh. Now to me, this is a clear sign that they hired a new web guy who happens to have experience with and a preference for Drupal. I don't think there's necessarily a political statement here.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
I just wish they'd pull through in their promises of being open as in transparent. I don't give a fuck what they do with their web site but what lobbyists are showing up for the meetings is important to me.
I guess it's hard to be openly honest when it will prove that you're a liar. Obama had the chance to change the way his office works from the ground up and fumbled the ball. Now we're getting the same old same old.
I wish they used something Python based:
def askPresidentQuestion(q):
    if president == "Bush":
        misSpeak()
    elif president == "Obama":
        pass
Yes, but I don't want Whitehouse.gov doing that. Allowing feedback on the high profile website is STUPID and ignorant.
They should have a static website with automatic refreshes from a dynamic back end where users can edit and publish whatever they like.
They will be hacked, it is just a matter of time.
Just out of curiosity, what were they using before?
"...and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
All located in countries hostile to the west.
I make my own fucking ELECTRONS!
My first reaction to seeing this article was how long it will take for Fox News and friends to declare open source software as socialist and how comrade Obama has taken jobs away from hard working capitalist programmers. It's really not a stretch given their track record.
Yet, even as the White House becomes more efficient and the website costs less to build and operate, this is one more step towards a post-scarcity future that the White House is not otherwise directly engaging, like by promoting a "basic income" for all regardless of whether someone "works":
"Why limited demand means joblessness"
http://www.beyondajoblessrecovery.org/2009/10/03/why-limited-demand-means-joblessness/
"Summary: Mainstream economics assumes demand for almost anything is infinite. Thus, the theory goes, when human workers get replaced by robots, or better design means less human labor is needed, then there will soon be new jobs making new things; the only issue might be retraining. But, if demand is limited (because the best things in life are free or cheap, and everything you own also owns you), then when people get laid off, the jobs are gone for good, because there is nothing more that anybody wants than is already produced. And people having more time outside of compulsory work would be a good thing, if we more evenly shared the wealth from automation and better design, but we don't -- yet."
http://en.wikipedia.org/wiki/Basic_income
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
And then there was light ... this is fucking great! Maybe there is Hope after all. Being a committed pessimist, I feel the need for some restraint, but goddamit!
If some of the people who post here were as smart as they think they are, they'd figure out:
* Whitehouse.gov is not running Drupal on a ten-dollar shared server at GoDaddy.com.
* Building and maintaining a large, continuously updated website is not something you do in a weekend with Notepad, a giant bag of Cheetos, and a case of diet Coke.
* Any Drupal project of this scale involves layers of extremely high-performance caching and multiple firewalls.
* The site's administrative tools aren't available from the outside. (This is not difficult to implement.)
* Life does not begin and end with your personal favorite programming language, database server, etc., or with the boundaries of your parents' basement.
* Security reports are reports of vulnerabilities that have been fixed, not vulnerabilities that lie in wait to ambush your site. A properly run open-source project has a documented process for handling security issues.
I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish, but that's just a guess. The HTTP headers identify the server technology as "White House."
Will the White House hold a press conference if Obama switches to Firefox from IE?
Hopefully this will drive a push to utilize open source in other aspects of government. Specifically secondary education. School districts across the country are locked in symbiotic dependency to profit driven computing / IT services and systems. Linux offers a robust full service option but gets NO (very little) attention from the department of education. DOE, Please support those of us who are trying to save money with open source in the schools!
As of now, there are 471 pending bugs on the Drupal project. It is your patriotic duty as a geek to go fix some bugs.
First off, most leaders of the left wing imagine a future where scarcity is the norm, largely because they see the consumption of natural resources by the West as unethical in a larger world view. In their eyes, Americans already have "too much" and therefore should have to make do with less. This faux-conservatism, coupled with the right wing's stupid devotion to "free trade", is the underlying cause of this current economic crisis. It is that people want more stuff, resources are capped by environmental and ideological considerations, so, prices of goods are shooting up and people have less. Demand falls off, and unemployment shoots up. You add in free trade, and take away America's advantage in energy prices and expose our disadvantage in labor, and the country is totally fucked up.
It's pretty simple, actually.
Let's just think this through for a minute. Let's say that instead of having to borrow or raise taxes to have national health care, the USA simply turned around and issued permits to drill in ANWR and off the coasts. Instead of scraping to come up with 900B to pay for it, we would have that money coming in from ANWR alone, without a tax increase. Let's say for a minute that we build nuclear power plants everywhere, and lowered the price of energy to something like the 2 cents per kwh it is to operate a nuclear plant. Everyone would have effectively a 20% raise because of the energy savings not only for themselves but in the cost of every product or service that they buy, and that in turn would lower the price of medicine. If gasoline were a dollar a gallon, and electric bills not more than $20 a month, and food was cheap as well, everyone would feel pretty darned rich. Consumers would spend, tax revenues to the government would go up, and you could have an administration that throws national health care on the table coupled with a modest tax cut.
Bottom line is, regardless of whether you want to have the government doling out the goodies, or get yourself a tax cut, or even a combination of both, the most effective thing the government could do to do that would be to say screw the environmentalists and get cheap energy, no matter what. Energy -is- wealth, and the more wealth you have, the more stuff you can swing.
If everyone felt rich, then putting a national health care plan would be no big deal.
This is my sig.
Seriously, when the government starts talking about hosting, they can just throw hardware at it. When you are able to print money, the capital costs of anything are pretty much irrelevant.
This is my sig.
You must be new here!
Sent from my ASR33 using ASCII
Did they hold a press conference when they switched to Drupal? No, then why would they for a browser change? This news was reported by the AP and picked up by other third party sources: no press conference.
I have a center right wing site. It turns on ASP.NET. I am rewriting it for a Linux hosted roll out because it is better. My reasons are thus.
Windows 7 is a better desktop OS, for sure, but, for programmers, Linux is hands down better.
a) You can transplant Linux, but not Windows. I ripped a hard drive out of an Opteron, put it in a Xeon, and booted my Linux right away. All I had to do was google a bit and comment out sbp2 from /etc/modules because my new motherboard did not have firewire support, and any instability was solved. Microsoft can take its TCO numbers and shove it up their ass, as I'm looking at hours of labor to get Windows up and rolling, versus being done for Linux. Meanwhile, the best answer Microsoft has is to do a Windows 7 REINSTALL, meaning that, my data and applications are completely f--- up, and I still have to come up with a goddamned license key for Windows.
b) Linux has built in support for ISOs and DVD burning and every other file system that there is. I do not have to google for 80 different spyware tools to get a utility. I can type sudo apt-get install and be done with it.
c) Linux comes with every tool imaginable, and has no baked in limits. With Windows, you develop on a desktop and deploy to a server, and the two are different. Linux -is- the server, so it's simpler. There are more languages for linux, more evil things you can do to Apache, more off the wall out of the box ways to get things done. Visual Studio is a great product, but it's really all there is. It's like a Versailles, a beautiful building for sure, amazing wonder, but no place to take a shit, because the designers thought shitting was bad. Meanwhile, Linux is the land of trailer parks and porta-potties. Might not smell so good, but at least you aren't shitting your pants.
d) bash is still better than powershell. On paper, powershell is better, but only MS could come up with a shell that requires so much fricking typing and looks so ugly.
e) Linux feels faster.
f) And, Linux yes, is cheaper. I paid 0.0000 dollars for an operating system that works to be transplanted and gives me lots of great tools. I have to lay out almost $1000 for Windows + Visual Studio.
It's like, I can be working on my web site on my new computer now, with an OS that's free and asked me to do little to migrate from one machine to another, or I can pay down a bunch more money to get at the data I already had, just because I'm using a new computer with it. I'm not a big socialist. I don't care about the ideology of FOSS, but Windows, you fucking suck!
Seriously, if Linux gets its act together enough to have a vision where your hard drive is transplantable from computer to computer, like it doesn't matter, with tools, data, operating system, preferences, everything, Windows is dead meat. And Linux now, is getting very close to that.
This is my sig.
I'd like to know what commercial CMS the white house dropped... Tridion, Interwoven, Fatwire, Windows Notepad? It's kind of weird that's not being mentioned.
Building and maintaining a large, continuously updated website is not something you do in a weekend with Notepad, a giant bag of Cheetos, and a case of diet Coke.
NONSENSE! Everyone knows that there's no software project so complex that it can't be done in 3 days by an 8-year old kid, who'll do it for the Cheetos and Coke alone. And we've got any number of big-name sites and systems that demonstrate that that's exactly what must have happened.
Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
Or, more likely, the PHB in charge is running with Drupal because it's popular and CMS's are faddish right now, or worse yet maybe Drupal is the favorite one-size-fits-all solution of the head techie at the White House.
lol
>/dev/null 2>&1
I think it's great that the White House and The Onion have even more in common!
Does this even offset an Administration which takes all the bad habits of the last and compounds them with super sized bills that no one gets to review and a good dose of intimidation against any who speak up?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
They're using the Akamai CDN, have been for many years. That's probably why it's so bloody fast.
This is Awesome, now all the Drupal vulnerabilities will be highlighted on a daily basis!
I like Drupal, but security isn't really their strong point, nor is proper testing of their modules.
Oh well.
Do any of you have a recommendation on what to use instead? Preferably PHP-based, so it has a realistic shot of being supported on most hosting plans?
Yes there are.
It's done in two ways.
1. Firstly, it can be built-into the CMS at two levels:
A. Firstly, the CMS can output HTML. When the server comes to serving the page, it can just look for HTML. There are quite a few products that do this, but you lose some flexibility because you can't include 'live' content: things that are changing all the time.
B. Or it can be baked into the CMS at cache level - so a page is constructed on-the-fly, but from fragments which are drawn from cache and which are straight HTML. Any serious CMS has some variation on doing this.
2. Or final delivery can be handed to a caching front-end or proxy, like Varnish, which is often used with Drupal for high-end sites. Varnish can deliver pages from files, but is also smart enough that you can cache some things, but not others. You can also deconstruct a page, caching elements for different times. This can be valuable if your CMS does not have sophisticated caching strategies for personalised content. Varnish has other benefits - for instance it can be used to balance load.
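Added example, not part of the comment above and not code from Drupal or Varnish: a Python model of the cache-or-pass decision a caching front-end makes in front of a CMS, showing why requests that carry a session cookie must bypass the cache so personalised pages are never stored or served to anonymous visitors. The `SESS<hex>` cookie pattern, the pass-through path list and the `demo_backend` stand-in are assumptions made for illustration.

```python
import re

# Assumption: Drupal session cookies are named SESS<hex> (SSESS<hex> over HTTPS).
SESSION_COOKIE = re.compile(r"^S?SESS[0-9a-f]+$")
# Assumption: paths that must always reach the CMS and never the cache.
PASS_PATHS = ("/admin", "/user", "/cron.php", "/update.php")


def parse_cookies(header):
    """Turn a Cookie header value into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def is_pass_path(path):
    """True for /admin, /admin/..., /user/... and the maintenance scripts."""
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p + "/") for p in PASS_PATHS)


def recv(method, path, cookie_header=""):
    """Decide 'pass' (go to the CMS) or 'lookup' (may be served from cache)."""
    if method != "GET":
        return "pass"          # state-changing requests are never cached
    if is_pass_path(path):
        return "pass"
    if any(SESSION_COOKIE.match(n) for n in parse_cookies(cookie_header)):
        return "pass"          # logged-in user: the page is personalised
    return "lookup"            # anonymous; analytics cookies are ignored


def storable(status, headers):
    """Only store responses that carry nothing user-specific."""
    if status != 200 or "Set-Cookie" in headers:
        return False
    cc = headers.get("Cache-Control", "").lower()
    return not any(tok in cc for tok in ("private", "no-store", "no-cache"))


class FrontEnd:
    """In-memory stand-in for the caching proxy in front of the CMS."""

    def __init__(self, backend):
        # backend: callable(method, path, cookies) -> (status, headers, body)
        self.backend = backend
        self.store = {}

    def handle(self, method, path, cookie_header=""):
        if recv(method, path, cookie_header) == "pass":
            cookies = parse_cookies(cookie_header)
            return self.backend(method, path, cookies)[2], "PASS"
        if path in self.store:
            return self.store[path], "HIT"
        # Cookies are dropped on the way to the backend, so the stored page
        # is the anonymous one whatever the client sent.
        status, headers, body = self.backend(method, path, {})
        if storable(status, headers):
            self.store[path] = body
        return body, "MISS"


def demo_backend(method, path, cookies):
    """Constructed CMS stand-in: personalises the page for a session."""
    session = next(
        (v for n, v in cookies.items() if SESSION_COOKIE.match(n)), None)
    if session:
        return 200, {"Cache-Control": "private"}, f"{path} for session {session}"
    return 200, {"Cache-Control": "public, max-age=300"}, f"{path} anonymous"


if __name__ == "__main__":
    fe = FrontEnd(demo_backend)
    # Constructed requests: logged-in, anonymous with analytics cookie, anonymous.
    for cookie in ("SESSabc123=u1", "__utma=1.2.3", ""):
        print(repr(cookie), fe.handle("GET", "/briefing", cookie))
```
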
You must be new here!
Yeah everybody knows, programmers drink Jolt.
-Myke
I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish, but that's just a guess. The HTTP headers identify the server technology as "White House."
I don't know where you came up with Varnish . . . there are lots of ways to get performance that's just as snappy. A CDN is a good start. And it's pretty easy to tell that that's exactly what's being used here:
$ dig +short www.whitehouse.gov
www.whitehouse.gov.edgekey.net.
e2561.g.akamaiedge.net.
96.16.18.135
They're using Akamai for most of their content, it seems. I get 35ms ping to www.whitehouse.gov from machines in New York, Denver, Holland, and Washington (the state). My Washington machine gets 2 ms ping, actually, so I'm guessing Akamai has a machine in the same data center. Varnish alone isn't going to get you anywhere close to that kind of performance – it can't beat light speed.
MediaWiki developer, Total War Center sysadmin
Those who haven't had a hand or two blown off by Obama's cluster bombs, that is...
UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
Actually most people have been praising Drupal for its excellent security. You aren't going to find a CMS with a much better track record than Drupal.
What they were mainly saying is that Drupal is extremely popular with lots of people looking to exploit it, so it might theoretically be a high risk. A less well known CMS would not have many people looking (well, that would definitely change overnight if whitehouse.gov chose it :) and is therefore a lower risk, but also has tons of exploits not found yet.
Stick with Drupal if you want a tested, secure, and reliable CMS.
e107.
Communist Management System?
Supported on most hosting plans? I'm pretty sure the Federal Government's hosting plan includes whatever they want. For a high enough price, they could get a TCP over Carrier Pigeon server and run a mirror off that.
Security is most certainly not an afterthought for Drupal. ... The upcoming Drupal 7 has SSL login support in core.
Equating SSL with security is emblematic of the Drupal code base. It is, in my experience, the least secure CMS available. Just look at how regular and often Drupal vulnerabilities are announced. Even the Apache configuration requires you to enable FollowSymLinks! The website says this was a security workaround but it is also as big a hole as the one it fixed. RewriteEngine also cannot be disabled. And the database load is far, far greater than any well designed CMSs. Pile PHP on top of that and you have, well, a pretty insecure webapp (to be diplomatic). I'm sure the Feds will do all sorts of extra stuff to monitor and patch this particular site, and I hope they contribute patches back, but I would not recommend Drupal to anyone who does not have a relatively extensive background in system monitoring, PHP, MySQL or Postgres, and Apache.
Yes, whitehouse.gov is a very attacked site, for all sorts of reasons, and I bet it will be the very first place to try out any new Drupal vulnerability, and at least one of those will succeed sometime in the next couple of years.
But, um...who cares if it does? It's not a mission critical web site. It's stupid fluff pieces about the president and his initiatives. If something goes wrong it gets flipped offline, restored from backup, patched, and brought back online.
It's interesting to see the government try OSS, and that might be an interesting discussion, but way too many people(1) here instantly leapt to the non-existent security implications, acting like important government computers were going to be exposed via any security issues in Drupal.
1) And half the remaining people appear to be morons talking about how CMS are useless. They haven't realized that stating 'people don't need CMSes' doesn't, like they think, show that they're some elite HTML coder, it just reveals them as someone who's never been hired to make a web site for someone else who then can add and remove content.
If corporations are people, aren't stockholders guilty of slavery?
I love Drupal and I think it is a good choice. Outside the concept of it being in a three tier system, Drupal's strengths lie in its scalability, high availability, and the very easy plug-in architecture. CCK is one of the best designed plug-ins ever written.
One of the worst I have ever had the misfortune to come across, and I have been forced to work with drupal in a few jobs. Granted it has a fantastic plug in system, it is easily extendible, and has great scalability features. Read: crap, very crap, granny's blog.
It would appear that your experience doesn't stretch terribly far; off the top of my head I can name several much less secure systems. Finding, fixing and announcing vulnerabilities is a good thing: by your measure a hugely exploited CMS with no fixes would be better!
Regarding your assertion that the rewrite engine cannot be disabled; this is just plain wrong. The Apache rewrite engine can be disabled without any problem. If you do this, then you won't enjoy clean URLs, instead you'll have URLs like www.somesite.com/index.php?q=some/path instead of www.somesite.com/some/path. Internally Drupal always works with the first form. However, the rewrite engine is a widely used Apache module - with perhaps millions(?) of sites using it. It may very well have exploits - just as any software may - but it is trusted by lots of users.
FollowSymLinks can be disabled too. It's required for rewriting and for one form of upload. Drupal works without problems without it. However, there's nothing inherently insecure in symlinks, and the default Drupal directory layout does not symlink to outside of the install tree.
Database load. I note that your assertion about load is without any reference to figures. I'm not certain which CMS you think is well written. However I'll note that there is a general problem with CMSs which are designed to be easily extensible: tightly integrated systems usually use a single SQL statement to retrieve data - the designer knows all the constraints at design-time. A loosely coupled system is usually not able to do this: the designer has little idea of what will be present at run time. So it's in the nature of most loosely coupled systems to run one query or more for each additional module. Drupal uses a loosely coupled callback orientated architecture. This means it's very easy to extend. However the downside is that each module will usually include extra tables. Drupal is fairly smart about loading this extra data, but beyond that, to counteract the tendency for growth in queries, Drupal has a caching subsystem that is active in several layers. For anonymous users, Drupal only runs a few queries which determine where in the cache the data sits, and returns it.
Perhaps you'd like to elaborate with some firm figures and an example of a CMS that in your opinion does it right.
Regarding PHP security. Again - have you any firm facts to show that PHP is inherently less secure than any other language? The consensus in security circles is that openness is better for security. *You* are able to download the PHP source code and contribute patches. If you know of a security issue, I'd urge you to help fix it. Or is this opinion without facts to back it up?
Again, I'd be interested to know which CMS you do recommend to the person in the street. I would not at the moment recommend Drupal for most brochureware sites, though it is capable of brochureware, however for sites in excess of about 100 pages, for sites where there is a heavy community aspect, and for sites which hope to change and grow, Drupal is an excellent choice.
Are you complaining that the security team takes time to go through the 2000+ components, find problems and notify you?
You can unsubscribe from the list, and rely only upon the status subsystem, which if you have not switched it off, will notify you on a regular basis about upgrades and security fixes only for the modules you are using.
In contrast to your assertion: Drupal has an _excellent_ security history, and the fact that you are alerted about updates serves to highlight this.
You may wish to switch to a CMS which has no security warnings, but I would not feel comforted by lack of warnings.
"Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software"
Uh... No it's not. It's not like there is classified data on the whitehouse.gov CMS. What's the worst that's going to happen? Some right wing nut hacker like Eric Raymond is going to have in and replace Obama's picture with one of Joseph Stalin?
This will harden Drupal. Worth while.
Inventor, Artist http://www.Rubber-Power.com
I'm sorry, but Plone kills drupal when it comes to design expandability and security. I like Drupal a lot but unless you have a huge in house PHP team already or you're not interested in ever utilizing any enterprise level features on your CMS, it is a mistake to use Drupal over Plone or an enterprise level CMS. It's all about the right tool for the right job...
So, let me get this straight. They've decided to go for open source so that they aren't locked in to a proprietary solution provider. Just to be clear: you live in a country that has no problem over-throwing their own government every 4 years, and in fact insists that it happen every 8 years, but refuses to rebuild their web-site ever again?
How about this. How about every 4 years, when there's a new president, who proceeds to fire everybody, bring in his entire team, and spend six months appointing all sorts of other positions from scratch, how about he then, and only then, rebuilds the web-site -- you know, with new technologies and new ideas -- instead of leaving the 8-year-old web-site from the last administration to sit and grow dust.
There are great reasons to benefit from an open source web-site. But I guarantee the following super ideas won't actually be put forward by anyone but me:
- academic (school) assignments to improve a page of the country's web-site
- national challenges to build interesting and useful public features
- the olympics, for web developers -- you know, a task that actually has some value, unlike figure skating. Really, I think we've pushed ice-skate technology far enough. Even NASA can't find enough ice.
- every government employee to build 1 web page
- in order to apply for a government position, you must improve an existing web-page
- national web-page development day! everybody program.
- $100 of your annual income tax if you build a web page
But, in the end, you know as well as I do:
- fewer than 15 people will ever touch a single line of code for this thing
- fewer than 50 people will ever generate any content for this thing -- CMS or not
- it won't last 8 years
- it won't last 4 years
- it won't launch on-time
- it won't launch complete
- it won't ever reach initial completion
- it'll suck. (that's a period my friends)
- it won't help anyone with anything
- it'll be marginally better than a computerized telephone answering machine
- it'll be a waste of a lot of time
- somehow it'll manage to cost tax payers way too much money
- it won't create jobs. it won't save jobs. it won't improve the economy. it won't feed people. it won't save the auto industry. it won't save the oil industry.
- it won't solve a single current actual problem
Amazing how much easier it was to write that second list as compared to the first.
November 1999, Slashdot interview with "the Queen's webmaster".
What happened since? The consultants moved in. Just in case you missed it, an Open solution doesn't bring in half as much money and customer lock in as proprietary solutions, so the door was thrown wide open to Microsoft based IT. "Come in, all is forgiven, we've relegated those nasty sandal wearing people to some unimportant jobs. Now, what were you saying about a nice position after I retire again? What? Naah, we don't need to save money, it's TAXpayer's money. As long as we can sell a halfway plausible reason which it's not Open we'll be OK. Something like "not ready for industrial use" or something will do, I'm sure you can cook up some feasibility studies that "prove" that. We'll be nice to each other, won't we? Got any retiring people we can stick in the audit commission?
I'm glad the administration is showing signs of intelligence here, but it's a mighty strong lobby..
Insert
When Obama's inauguration speech was published using Silverlight I thought that the Whitehouse IT had succumbed to Microsoft lobbying. So this is actually good news for once. Lobbyists will have to be more careful in their rhetorics when arguing against free and open source software.
Now let's hope they start publishing their videos from Adobe Flash to HTML5 VIDEO tag based on User-Agent strings. Looking forward to watch some Theora content from whitehouse.gov.
404 Not Found
Plone's security is much higher than Drupal's and most other PHP frameworks. For some stats and analysis see here:
http://plonemetrics.blogspot.com/2009/04/plone-security.html
Whilst the analysis will be a bit biased as it is by someone who uses Plone, the stats there are all independent.
Also both cia.gov and fbi.gov are Plone sites. Nuff said.
-Matt
Did you mean "throw"? It looks like that's what you meant but I'm not sure.
Free Martian Whores!
Oh, I was thinking of Varnish because:
1. It's currently quite hot in the Drupal world.
2. It's part of the secret Norwegian plan for world domination by proxy. Oh God, did I really say that?