White House Website Switches To Open Source
Falc0n writes "WhiteHouse.gov has gone Drupal. After months of planning, says an Obama Administration source, the White House has ditched the proprietary content management system that had been in place since the days of the Bush Administration in favor of the latest version of the open-source Drupal software. Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
Are you a troll, naive or stupid?
A CMS is required if you want content to be updatable by non-programmers, which is almost always a requirement on larger corporate pages.
A CMS will also allow versioning of content, making it easy to publish new content at specific points in time.
No reinventing of the wheel.
All kinds of stuff that can be used as is, or modified.
Features, features, features.
Easy separation of presentation / Data.
Workflow.
Yeah, and since you are at it, instead of generating webpages with a database for, say, 10,000 products, let's build each of them individually. A database always limits what you can do or how you should do it... Great logic.
Just a few reasons:
* You want to automatically use templates and not replicate formatting code
* You want different people that are not programmers to be able to update different parts of the website; you want to let them do it from their browser in a wysiwyg editor; you want to let them easily first publish their articles on a staging host and then authorize somebody else to go online with it
* You want to allow commenting, feedback forms, registered users etc.
* You want to easily keep track of versions and revisions of published pages
* You want to automatically index the pages for searches
* You want to easily include dynamic(computed) data into your web pages
A better question is why so many practically static web sites use online content management systems. Is it just for convenience? Lack of thought? A live content management system on the server is a serious security liability. Many web sites could just as well use an offline CMS and push the data to the server when an update is made. A typical web server can handle orders of magnitude more visitors when there is only static content. Even if you aggressively cache the CMS output, that still leaves the security aspect. I guess it takes a Slashdotting / Digg effect before most authors realize that having a web site which can't handle 10 concurrent visitors is rather pointless.
Why reinvent the wheel?
Sure, you can program everything from scratch and that might even appeal to you if you're the CEO of a company that sells programming services, but in many cases it makes more sense to use off-the-shelf software (which drupal is - well, off an imaginary shelf where everything is free as long as you give back).
For one, the weight a CMS adds is compensated by all of the code that is already present, all of the plugins that can be added without any trouble, the possibility for non-coders to easily modify website content ...
Especially for large websites, this can dramatically improve how fast you can update and improve your site.
Also, if you don't want to use a CMS, a framework like Django or Ruby on Rails is the way to go. These allow you to program everything yourself, but already have a lot of functionality built-in, to avoid reinventing the wheel.
Join the anonymous, help develop the network: http://www.i2p2.de
The problem with using Drupal for the White House is that it's a popular CMS and has lots of people looking for exploits and vulnerabilities. The second a proof of concept piece of code or an easy exploit is discovered, a few thousand script kiddies will descend to get their 15 minutes of fame.
I'm not sure how Drupal fares with bugs and patching speed (I know Wordpress seems to get some high profile holes discovered) but even if all vulns are patched before someone takes advantage of it, you're still going to need an admin who's going to be constantly alert to patching it.
I'm not arguing against closed source vs open, more about popular vs obscure.
Businesses have come to accept the limitations of software, and will often adjust the way they do things to fit in with whatever the software requires, sad but true.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
do you write your own operating system?
Forget the OS - do you reckon he designs and fabricates his own CPUs?
Ok, Netcraft's history seems to be screwed up, but I can tell you this:
Right after BO was inaugurated, I checked the site. It had just switched over from Bush's site to BO's. Netcraft reported that Bush's site had been Apache on Linux, and BO's new site was IIS on MS.
Huh. Now to me, this is a clear sign that they hired a new web guy who happens to have experience with and a preference for Drupal. I don't think there's necessarily a political statement here.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Now they're locked in to PHP.
It's part of Obama's economic recovery program. Just think how many IT jobs this will create: maintenance, debugging, modifications, and security. Maybe we could have a Slashdot poll on who will pwn the website first. I think it'll be the Chinese as payback for the tariffs on tires.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
It's a significant step forward
It's quite a sad state of affairs when moving to one of the most common and widely used back-ends for a website is considered "a significant step forward".
Pretty good is actually pretty bad.
I wish they used something Python based:
president = "Obama"  # assumed value so the function has something to check

def misSpeak():
    pass  # stub so the snippet runs as posted

def askPresidentQuestion(q):
    if president == "Bush":
        misSpeak()
    elif president == "Obama":
        pass
Hey, at least it's open source, so it must be a good thing!
As stated in the article, this wasn't done to earn your praise.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
What do you mean "buy us off"? Do you honestly think this is going to get them any real favor? People around here have a way of overestimating the value of open source to the man on the streets or even the geek on the streets for that matter.
Dedicated Cthulhu Cultist since 4523 BC.
Just out of curiosity, what were they using before?
"It's quite a sad state of affairs when moving to one of the most common and widely used back-ends for a website is considered "a significant step forward"."
Bullshit - it's not a "step" anywhere.
This is ONE part of the government changing ONE system over to open source. That's it. The whole "since the Bush Administration" comment is a red herring:
a) Drupal only went Open Source in 2001. "Hey, it's time to update the Whitehouse.gov back end, and there's this new cool thing that just got released. It's maintained by a bunch of enthusiasts, and has no support, but I think it's a great idea!" "Perkins, go back to trolling for porn."
b) Does anyone really think the president in ANY administration gives a rats ass about the back-end of the website? Remember, Bush was ridiculed for not even using email, but somehow it's his policy that only proprietary software be used for invisible parts of the website? Likewise, Obama was a lawyer, "community activist", professor, and politician. Which one of those would make him care about this?
I'm more than happy another Open Source effort has been used for a high profile installation. But please - this isn't "Change", or even a policy change, or even an operations change from the White House point of view. This is changing from "Tide" to "Bold" to wash the Presidential underwear.
"As God is my witness, I thought turkeys could fly." A. Carlson
There's a lot of good reasons people use CMS... and let me try and use your own words... say you wanted a website that looked like Cisco's.
In a CMS (such as drupal)... here's who does what:
1) designer writes a theme for the website (to give it the look)
2) content producers write the pages
3) coders do the bits the cms doesn't already do.
The point is, the CMS gives you a lot to begin with without limiting you, sure you could code a website from scratch but something as powerful as drupal is going to take a long time. You may not need everything drupal does so you can cut that down a bit. But ultimately you'll end up with something that allows people to do their jobs (i.e. content producers to write pages). Drupal CMS is also especially good at being extended (and there are virtually no limits that I can think of). So rather than writing a whole heap of code to do your website, your coders just write what they need to extend the CMS - "dang, drupal doesn't do rsa based two factor auth, we're going to have to code it in" as opposed to "ok, lets get started on coding a website - quick grab 15 people who know architecture".
I make my own fucking ELECTRONS!
So when you write your own code, you've written a CMS. But you just passed one up because it was too heavy-weight...
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
You are one dumb motherfucker sopssa. Never forget that.
My first reaction to seeing this article was how long it will take for Fox News and friends to declare open source software as socialist and how comrade Obama has taken jobs away from hard working capitalist programmers. It's really not a stretch given their track record.
Take a look at the drupal logo. I think this calls for a big investigation to confirm that Obama is an alien!
If some of the people who post here were as smart as they think they are, they'd figure out:
* Whitehouse.gov is not running Drupal on a ten-dollar shared server at GoDaddy.com.
* Building and maintaining a large, continuously updated website is not something you do in a weekend with Notepad, a giant bag of Cheetos, and a case of diet Coke.
* Any Drupal project of this scale involves layers of extremely high-performance caching and multiple firewalls.
* The site's administrative tools aren't available from the outside. (This is not difficult to implement.)
* Life does not begin and end with your personal favorite programming language, database server, etc., or with the boundaries of your parents' basement.
* Security reports are reports of vulnerabilities that have been fixed, not vulnerabilities that lie in wait to ambush your site. A properly run open-source project has a documented process for handling security issues.
I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish, but that's just a guess. The HTTP headers identify the server technology as "White House."
Will the White House hold a press conference if Obama switches to Firefox from IE?
Yes, but I don't want Whitehouse.gov doing that. Allowing feedback on the high profile website is STUPID and ignorant.
Apparently, allowing feedback attracts the stupid and ignorant.
Hopefully this will drive a push to utilize open source in other aspects of government. Specifically secondary education. School districts across the country are locked in symbiotic dependency to profit driven computing / IT services and systems. Linux offers a robust full service option but gets NO (very little) attention from the department of education. DOE, Please support those of us who are trying to save money with open source in the schools!
"Both of those things can be accomplished on your own code too"
Yes, of course. And do you know what the internal app you developed to allow non-programmers to update content, so PHBs can review the content prior to going public, so you can version contents and pre-establish the date it will go live, etc. will be called? It will be called a "Content Management System".
So in the end you won't avoid the CMS you'll just develop your own internal one: reinventing the wheel, at a cost, and probably worse.
Pretty sure no one in the world wants a website that looks like Cisco's. It's the worst site by a major technology company I've ever used. To get to anything I normally have to login 3-4 times because it randomly forgets you're logged in, only to find out that what I was trying to get to was just a link back to where I started. And forget trying to download the software my account privileges say I should be entitled to, I always wind up using someone else's account because despite several attempts on Cisco's part to fix it it STILL won't let me. Honestly for the company that practically runs the internet, their website is just shameful.
Are there many static-CMSes (for want of a better term) like that available?
"Did you guys forget how the web worked before CMSs came around?"
Yes: it did work slower, more expensive and less functional. I even remember why first intranet efforts used to fail: because content stagnated due to the fact that only programmers that didn't produce the information in the first place were the only ones allowed and/or with the knowledge to modify contents.
"Most CMS products are insecure pieces of shit. I would not use a CMS for a high profile target like that. They should be publishing static files with a custom system. Only pages that must be dynamic should be. It's just dumb?"
You do know you can have your CMS administrative backend opened only to your internal networks so from the Internet all you have access to is a static, pre-cached, read-only version, don't you?
Because if I change it, I have to have a service request, check it into svn, build, file a request for change, deploy during a change window, etc. If the users can change content in a CMS, no paperwork required.
First off, most leaders of the left wing imagine a future where scarcity is the norm, largely because they see the consumption of natural resources by the West as unethical in a larger world view. In their eyes, Americans already have "too much" and therefore should have to make do with less. This faux-conservatism, coupled with the right wing's stupid devotion to "free trade", is the underlying cause of this current economic crisis. It is that people want more stuff, resources are capped by environmental and ideological considerations, so, prices of goods are shooting up and people have less. Demand falls off, and unemployment shoots up. You add in free trade, and take away America's advantage in energy prices and expose our disadvantage in labor, and the country is totally fucked up.
It's pretty simple, actually.
Let's just think this through for a minute. Let's say that instead of having to borrow or raise taxes to have national health care, the USA simply turned around and issued permits to drill in ANWR and off the coasts. Instead of scraping to come up with 900B to pay for it, we would have that money coming in from ANWR alone, without a tax increase. Let's say for a minute that we build nuclear power plants everywhere, and lowered the price of energy to something like the 2 cents per kwh it is to operate a nuclear plant. Everyone would have effectively a 20% raise because of the energy savings not only for themselves but in the cost of every product or service that they buy, and that in turn would lower the price of medicine. If gasoline were a dollar a gallon, and electric bills not more than $20 a month, and food was cheap as well, everyone would feel pretty darned rich. Consumers would spend, tax revenues to the government would go up, and you could have an administration that throws national health care on the table coupled with a modest tax cut.
Bottom line is, regardless of whether you want to have the government doling out the goodies, or get yourself a tax cut, or even a combination of both, the most effective thing the government could do to do that would be to say screw the environmentalists and get cheap energy, no matter what. Energy -is- wealth, and the more wealth you have, the more stuff you can swing.
If everyone felt rich, then putting a national health care plan would be no big deal.
This is my sig.
It's not necessarily a bad thing. Yes, sometimes it cuts off new and creative ideas. Often, those are bad ideas, and everybody else is doing it the regular way for a reason.
This is especially true when a business is getting outside of its domain. If you're the best bottle-maker or book-binder on the block, do that. But your accounting and web site is almost certain to be identical to any other business's, and crafting roll-your-own accounting or web management software specialized to your thing is quite likely the wrong thing.
Not always, but I've found too many businesses err on the Not Invented Here side.
You must be new here!
Sent from my ASR33 using ASCII
It will be interesting to see the first bug report from the White House. With all the layers of security they need, they are undoubtedly going to push Drupal's envelope in some novel ways.
Or maybe we will see evidence of a White House bug stomping party, or contributed code, first. I'm sure that the tech guys at whitehouse.gov will give back to the community somehow.
Is there a way to monitor drupal.org for White House activity? Can we see some "First sighting!" competitions? Or should we look for press releases: "White House fixes 37 bugs; reports 17 new ones"
This could change some things.
Will
Giving praise does not mean you're no longer critical of the government. Governments are like dogs, give praise when they do little things right so they will do bigger things right. Correct them when they do things wrong so they will do them right. This is a small step that could lead to more open source in government, why not tell them you like it and ask for more?
This is a good first step, but I doubt any of us have forgotten/forgiven who is 2 and 3 and the DoJ.
I'd like to know what commercial CMS the white house dropped... Tridion, Interwoven, Fatwire, Windows Notepad? It's kind of weird that's not being mentioned.
I work for the government, and uh, bullshit.
// This is not a sig.
That's your opinion and just because you have one doesn't make it the correct choice.
In fact, I do remember how the web was before CMS came around. I remember people handing me MS Word documents saved as 150KB+ HTML files. Or having to clean up sections of the corporate site where someone cut-and-pasted from MS Word into the site.
Heck, people made a living off writing software just to clean up the mess. Eliminate clutter in Microsoft Word generated HTML files with the Office 2000 HTML Filter
And to Sopssa: he fails to realize that Drupal can be hardened and has the benefit of several years of testing and user feedback unlike a custom system.
I clearly remember the days before CMS and it looked like this.
I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
Netscape 4.x came with something like that. Its latest descendant, SeaMonkey, has it too.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Not only that, but using Drupal means you have a built-in security/programming team, constantly updating, improving, looking for bugs, etc. If you write your own software, YOU have to maintain it, by yourself. Are you as good as the Drupal devs? (I know I'm not)
You do know you can have your CMS administrative backend opened only to your internal networks so from the Internet all you have access to is a static, pre-cached, read-only version, don't you?
Ever heard of Akamai??
;; QUESTION SECTION:
;www.whitehouse.gov. IN A
;; ANSWER SECTION:
www.whitehouse.gov. 2034 IN CNAME www.whitehouse.gov.edgekey.net.
www.whitehouse.gov.edgekey.net. 16434 IN CNAME e2561.g.akamaiedge.net.
Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
Or, more likely, the PHB in charge is running with Drupal because it's popular and CMS's are faddish right now, or worse yet maybe Drupal is the favorite one-size-fits-all solution of the head techie at the White House.
lol
>/dev/null 2>&1
I think it's great that the White House and The Onion have even more in common!
does this even offset a Administration which takes all the bad habits of the last and compounds them with super sized bills that no one gets to review and a good dose of intimidation against any who speak up?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Insightful post. Completely off-topic but, still, you make some damned good points.
This space for rent!
Insightful post. Completely off-topic but, still, you make some damned good points.
Yeah, totally off topic, but inspired somewhat by the commentary that inevitably follows an FOSS product adoption decision made by a major enterprise..., it's like "the movement" won. Maybe the gov't just picked the better product?
This is my sig.
With all due respect, are you a web developer?
For starters, a well-developed CMS and some competent IT people can produce a site every bit as quick as a static HTML site, because that's exactly what they'll be serving up with good server-side caching. Any "weight" in the backend is more than offset by the increased ease with which content can be updated.
Moreover, a CMS allows non-technical people to be involved in the process. Most likely, people from the press and communications offices are going to be the ones in charge of the content on this website, and it's not at all unreasonable to assume that most of them aren't going to be any good with HTML.
And why should they be? CMS is exactly what it says it is -- a content management system, letting people focus on content by hiding away the markup and technical nonsense they're not concerned with anyway. Sometimes it's fully inappropriate; sometimes a custom one is better than off-the-shelf. But you really can't see why anybody would want to use one? Ever?
This is Awesome, now all the Drupal vulnerabilities will be highlighted on a daily basis!
I like Drupal, but security isn't really their strong point, nor is proper testing of their modules.
Oh well.
Why do you assume they're not doing that? I would expect that given the high traffic whitehouse.gov receives all pages will be heavily cached.
Do any of you have a recommendation on what to use instead? Preferably PHP-based, so it has a realistic shot of being supported on most hosting plans?
Most CMS's have plugins that generate the static content or serve it directly from memory. Drupal has a bunch of such modules. Boost, memcache, cacherouter, etc.
The security team also looks for security holes in the modules, as well as in Drupal core.
-Myke
You must be new here!
Yeah everybody knows, programmers drink Jolt.
-Myke
I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish, but that's just a guess. The HTTP headers identify the server technology as "White House."
I don't know where you came up with Varnish . . . there are lots of ways to get performance that's just as snappy. A CDN is a good start. And it's pretty easy to tell that that's exactly what's being used here:
$ dig +short www.whitehouse.gov
www.whitehouse.gov.edgekey.net.
e2561.g.akamaiedge.net.
96.16.18.135
They're using Akamai for most of their content, it seems. I get 35ms ping to www.whitehouse.gov from machines in New York, Denver, Holland, and Washington (the state). My Washington machine gets 2 ms ping, actually, so I'm guessing Akamai has a machine in the same data center. Varnish alone isn't going to get you anywhere close to that kind of performance – it can't beat light speed.
MediaWiki developer, Total War Center sysadmin
Actually most people have been praising Drupal for its excellent security. You aren't going to find a CMS with a much better track record than Drupal.
What they were mainly saying is that Drupal is extremely popular with lots of people looking to exploit it, so it might theoretically be a high risk. A less well known CMS would not have many people looking (well, that would definitely change overnight if whitehouse.gov chose it :) and is therefore a lower risk, but also has tons of exploits not found yet.
Stick with Drupal if you want a tested, secure, and reliable CMS.
I clearly remember the days before CMS and it looked like this
Ha! The planetarium scheduler for the school I work at has an HTML file she edits in Word to create the current month's calendar. This file has been used for some 2-3 years. Pulling it up right now, it is 682 KB in size and has over 6,000 lines of CSS at the top of the document. Here's a snippet:
The actual body of the document is about 400 lines of the most awful HTML table markup the universe has ever seen.
To see this file in its entirety is a most humbling experience.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
Absolutely. Cisco's web site is in dire need of a CMS like Drupal. Just trying to use the website for solving technical problems is a good reason to seriously consider another network product.
Every mans' island needs an ocean; choose your ocean carefully.
e107.
Of course the flip-side is that your off-the-shelf software also has off-the-shelf exploits, sometimes in functionality you don't use or even know existed. That's more a reason to upgrade such software frequently though, than reason to avoid it entirely.
But your accounting and web site is almost certain to be identical to any other business's
Is that why I can't find any accounting software to deal with non-taxable stock dividend distributions from investment activities?
You don't know what you're talking about.
After all, I am strangely colored.
Why do you assume they're not doing that?
Because he's a moron who doesn't understand how CMSes are actually used in the real world, and thinks the only point of them is for 'dynamic' content.
When in actual fact something like half of all CMS sites are mostly 'static', with maybe a forum and an RSS feed block being their sole 'automatically changing' area, and then rest is so that people who don't know a hell of a lot about web sites can fricking manage the site, or at least their area of it, and add and remove content.
If corporations are people, aren't stockholders guilty of slavery?
Supported on most hosting plans? I'm pretty sure the Federal Government's hosting plan includes whatever they want. For a high enough price, they could get a TCP over Carrier Pigeon server and run a mirror off that.
My first reaction to seeing this article was how long it will take for Fox News and friends to declare open source software as socialist and how comrade Obama has taken jobs away from hard working capitalist programmers. It's really not a stretch given their track record.
foxnews.com's server runs on Linux according to Netcraft.
The Gospel according to lolcat
Security is most certainly not an afterthought for Drupal. ... The upcoming Drupal 7 has SSL login support in core.
Equating SSL with security is emblematic of the Drupal code base. It is, in my experience, the least secure CMS available. Just look at how regularly and often Drupal vulnerabilities are announced. Even the Apache configuration requires you to enable FollowSymLinks! The website says this was a security workaround but it is also as big a hole as the one it fixed. RewriteEngine also cannot be disabled. And the database load is far, far greater than any well designed CMSs. Pile PHP on top of that and you have, well, a pretty insecure webapp (to be diplomatic). I'm sure the Feds will do all sorts of extra stuff to monitor and patch this particular site, and I hope they contribute patches back, but I would not recommend Drupal to anyone who does not have a relatively extensive background in system monitoring, PHP, MySQL or Postgres, and Apache.
Yes, whitehouse.gov is a very attacked site, for all sorts of reasons, and I bet it will be the very first place to try out any new Drupal vulnerability, and at least one of those will succeed sometime in the next couple of years.
But, um...who cares if it does? It's not a mission critical web site. It's stupid fluff pieces about the president and his initiatives. If something goes wrong it gets flipped offline, restored from backup, patched, and brought back online.
It's interesting to see the government try OSS, and that might be an interesting discussion, but way too many people (1) here instantly leapt to the non-existent security implications, acting like important government computers were going to be exposed via any security issues in Drupal.
1) And half the remaining people appear to be morons talking about how CMS are useless. They haven't realized that stating 'people don't need CMSes' doesn't, like they think, show that they're some elite HTML coder, it just reveals them as someone who's never been hired to make a web site for someone else who then can add and remove content.
If corporations are people, aren't stockholders guilty of slavery?
It would appear that your experience doesn't stretch terribly far; off the top of my head I can name several much less secure systems. Finding, fixing and announcing vulnerabilities is a good thing: by your measure a hugely exploited CMS with no fixes would be better!
Regarding your assertion that the rewrite engine cannot be disabled; this is just plain wrong. The Apache rewrite engine can be disabled without any problem. If you do this, then you won't enjoy clean URLs; instead you'll have URLs like www.somesite.com/index.php?q=some/path instead of www.somesite.com/some/path. Internally Drupal always works with the first form. However, the rewrite engine is a widely used Apache module - with perhaps millions(?) of sites using it. It may very well have exploits - just as any software may - but it is trusted by lots of users.
FollowSymLinks can be disabled too. It's required for rewriting and for one form of upload. Drupal works without problems without it. However, there's nothing inherently insecure in symlinks, and the default Drupal directory layout does not symlink to outside of the install tree.
Database load. I note that your assertion about load is without any reference to figures. I'm not certain which CMS you think is well written. However, I'll note that there is a general problem with CMSs which are designed to be easily extensible: tightly integrated systems usually use a single SQL statement to retrieve data - the designer knows all the constraints at design time. A loosely coupled system is usually not able to do this: the designer has little idea of what will be present at run time. So it's in the nature of most loosely coupled systems to run one query or more for each additional module. Drupal uses a loosely coupled, callback-orientated architecture. This means it's very easy to extend. However, the downside is that each module will usually include extra tables. Drupal is fairly smart about loading this extra data, but beyond that, to counteract the tendency for growth in queries, Drupal has a caching subsystem that is active in several layers. For anonymous users, Drupal only runs a few queries which determine where in the cache the data sits, and returns it.
Perhaps you'd like to elaborate with some firm figures and an example of a CMS that in your opinion does it right.
Regarding PHP security. Again - have you any firm facts to show that PHP is inherently less secure than any other language? The consensus in security circles is that openness is better for security. *You* are able to download the PHP source code and contribute patches. If you know of a security issue, I'd urge you to help fix it. Or is this opinion without facts to back it up?
Again, I'd be interested to know which CMS you do recommend to the person in the street. I would not at the moment recommend Drupal for most brochureware sites, though it is capable of brochureware, however for sites in excess of about 100 pages, for sites where there is a heavy community aspect, and for sites which hope to change and grow, Drupal is an excellent choice.
Are you complaining that the security team takes time to go through the 2000+ components, find problems and notify you?
You can unsubscribe from the list, and rely only upon the status subsystem, which, if you have not switched it off, will notify you on a regular basis about upgrades and security fixes for only the modules you are using.
In contrast to your assertion: Drupal has an _excellent_ security history, and the fact that you are alerted about updates serves to highlight this.
You may wish to switch to a CMS which has no security warnings, but I would not feel comforted by lack of warnings.
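The reply above makes two checkable claims about the Apache side of a Drupal deployment: that FollowSymLinks is only needed for mod_rewrite and one upload path, and that the default layout never symlinks outside the install tree. The script below is an added example, not code from the comment or from the Drupal project, that audits the second claim on a real or constructed web root: it lists every symlink under the root whose resolved target lies outside that root, which is exactly what an attacker-controlled link would need to reach files such as /etc/passwd when FollowSymLinks is on. The demo tree it builds (a site directory, one internal link, one escaping link) is constructed for illustration; the directory names are assumptions, not Drupal's actual layout.

```shell
#!/bin/sh
# Added example (not Drupal's own code): audit a web root for symlinks that
# resolve to a location outside it. Requires GNU readlink -f.

# Print "link -> target" for each symlink under $1 whose canonical target
# is not inside the canonical path of $1. Prints nothing when the tree is clean.
escaping_symlinks() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    find "$root" -type l | while IFS= read -r link; do
        # Canonicalise the target; skip dangling links, they cannot be served.
        target=$(readlink -f "$link" 2>/dev/null) || continue
        case "$target" in
            "$root"/*) ;;   # resolves inside the web root: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Build a constructed demo tree and echo its path. Hypothetical layout:
#   site/files -> site/sites/default/files      (internal, harmless)
#   site/sites/default/files/passwd -> /etc/passwd (escapes the root)
build_demo_tree() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/site/sites/default/files"
    ln -s "$tmp/site/sites/default/files" "$tmp/site/files"
    ln -s /etc/passwd "$tmp/site/sites/default/files/passwd"
    printf '%s\n' "$tmp/site"
}

# Convenience wrapper: number of escaping symlinks under $1 (0 means clean).
count_escaping() {
    n=$(escaping_symlinks "$1" | wc -l)
    printf '%s\n' "$n" | tr -d ' '
}

demo_root=$(build_demo_tree)
echo "Auditing $demo_root"
escaping_symlinks "$demo_root"      # prints only the /etc/passwd link
echo "escaping symlinks: $(count_escaping "$demo_root")"
```

On a production host you would run `escaping_symlinks /var/www/html` (path assumed) from cron and alert on any output. If mod_rewrite must stay enabled, Apache's `SymLinksIfOwnerMatch` option is the narrower alternative to `FollowSymLinks`: it follows a link only when link and target share an owner, which defeats links planted through a writable upload directory owned by the web server user.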
This will harden Drupal. Worthwhile.
Inventor, Artist http://www.Rubber-Power.com
I'm sorry, but Plone kills drupal when it comes to design expandability and security. I like Drupal a lot but unless you have a huge in house PHP team already or you're not interested in ever utilizing any enterprise level features on your CMS, it is a mistake to use Drupal over Plone or an enterprise level CMS. It's all about the right tool for the right job...
So, let me get this straight. They've decided to go for open source so that they aren't locked in to a proprietary solution provider. Just to be clear: you live in a country that has no problem overthrowing their own government every 4 years, and in fact insists that it happen every 8 years, but refuses to rebuild their web-site ever again?
How about this. How about every 4 years, when there's a new president, who proceeds to fire everybody, bring in his entire team, and spend six months appointing all sorts of other positions from scratch, how about he then, and only then, rebuilds the web-site -- you know, with new technologies and new ideas -- instead of leaving the 8-year-old web-site from the last administration to sit and grow dust.
There are great reasons to benefit from an open source web-site. But I guarantee the following super ideas won't actually be put forward by anyone but me:
- academic (school) assignments to improve a page of the country's web-site
- national challenges to build interesting and useful public features
- the olympics, for web developers -- you know, a task that actually has some value, unlike figure skating. Really, I think we've pushed ice-skate technology far enough. Even NASA can't find enough ice.
- every government employee to build 1 web page
- in order to apply for a government position, you must improve an existing web-page
- national web-page development day! everybody program.
- $100 of your annual income tax if you build a web page
But, in the end, you know as well as I do:
- fewer than 15 people will ever touch a single line of code for this thing
- fewer than 50 people will ever generate any content for this thing -- CMS or not
- it won't last 8 years
- it won't last 4 years
- it won't launch on-time
- it won't launch complete
- it won't ever reach initial completion
- it'll suck. (that's a period my friends)
- it won't help anyone with anything
- it'll be marginally better than a computerized telephone answering machine
- it'll be a waste of a lot of time
- somehow it'll manage to cost tax payers way too much money
- it won't create jobs. it won't save jobs. it won't improve the economy. it won't feed people. it won't save the auto industry. it won't save the oil industry.
- it won't solve a single current actual problem
Amazing how much easier it was to write that second list as compared to the first.
November 1999, Slashdot interview with "the Queen's webmaster".
What happened since? The consultants moved in. Just in case you missed it, an Open solution doesn't bring in half as much money and customer lock-in as proprietary solutions, so the door was thrown wide open to Microsoft-based IT. "Come in, all is forgiven, we've relegated those nasty sandal-wearing people to some unimportant jobs. Now, what were you saying about a nice position after I retire again? What? Naah, we don't need to save money, it's TAXpayer's money. As long as we can sell a halfway plausible reason why it's not Open we'll be OK. Something like "not ready for industrial use" or something will do, I'm sure you can cook up some feasibility studies that "prove" that. We'll be nice to each other, won't we? Got any retiring people we can stick in the audit commission?"
I'm glad the administration is showing signs of intelligence here, but it's a mighty strong lobby..
When Obama's inauguration speech was published using Silverlight I thought that the Whitehouse IT had succumbed to Microsoft lobbying. So this is actually good news for once. Lobbyists will have to be more careful in their rhetoric when arguing against free and open source software.
Now let's hope they start publishing their videos from Adobe Flash to the HTML5 VIDEO tag based on User-Agent strings. Looking forward to watching some Theora content from whitehouse.gov.
404 Not Found
Yeah, they should write it in a generic all-purpose language that can be translated to any programming language, proprietary or open. I guess reading the brainwaves and converting it to a website could do.
Plone's security is much higher than Drupal's and most other PHP frameworks. For some stats and analysis see here:
http://plonemetrics.blogspot.com/2009/04/plone-security.html
Whilst the analysis will be a bit biased as it is by someone who uses Plone, the stats there are all independent.
Also both cia.gov and fbi.gov are Plone sites. Nuff said.
-Matt
heh, I can see all the windows-1252 curved quotes showing up as garbage text even now...
I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
Yes, but I don't want Whitehouse.gov doing that. Allowing feedback on the high profile website is STUPID and ignorant.
Apparently, allowing feedback attracts the stupid and ignorant.
Here's some feedback for yah, ... oh wait?!?
Did you mean "throw"? It looks like that's what you meant but I'm not sure.
Free Martian Whores!
Oh, I was thinking of Varnish because:
1. It's currently quite hot in the Drupal world.
2. It's part of the secret Norwegian plan for world domination by proxy. Oh God, did I really say that?
"Bush WAS pro-Microsoft, he backed their side in the antitrust trial, and very soon after the election, almost all their punishment was dropped. I have no doubt that he went proprietary, or hired the advisors who would guarantee that."
Of course, that had nothing to do with the first judge shooting his mouth off, or the appellate court voiding the penalties, or the second judge (a Clinton appointee, btw) agreeing to a lesser penalty, OR the appellate court confirming the settlement, OR the government's lead prosecutor running like hell from his "success" in the MS case to lead such efforts as Bush v. Gore and the SCO lawsuit.
No, it had to be that Bush could only pause fellating Gates long enough to call the Justice Department and have the case spiked because of his personal reservations about the GPL.
Or you are an idiot. I'm not sure which one is more likely.
"As God is my witness, I thought turkeys could fly." A. Carlson
Considering Obama's stated love for his Blackberry and his understanding of technology, I wouldn't be too surprised if he actually knew what open source was or heard about Drupal or CMSes... ...but that's not really the point. We're talking about the Executive Branch here, not Obama himself. The whole point is that the IT people Obama brought in with him have no problem embracing open source. Compare with previous administrations that were ideologically opposed to open source, and you'll see why it's significant. I think this story is highly indicative of the cabinet Obama brought in. Look at what's happening in the FCC regarding net neutrality, EPA actually starting to do their job again, etc.
SWM seeks new sig for a brief fling
You are still thinking too low level. "The IT people Obama brought in with him?" Do you really think he has his own Geek Squad? He brought in the WH Chief of Staff, and that was the end of that (for him at least).
Yes, Obama definitely has a different ideology than Bush did. But I don't know how that applied to Open Source. For instance, you say that "previous administrations ... were ideologically opposed to open source." Really? I can't remember it being mentioned in any official context AT ALL, much less negatively.
And drawing a direct equivalence along the lines of "liberal:Open Source::conservative:proprietary" is not necessarily valid. There's only a small, small set of people that make an ideological distinction between Libre software and Free Beer software - a lot of them just happen to hang out on /.. But for the vast majority, software is a tool. Some aspects of the tool may have ideological ramifications - for instance, when I went to buy a new floor jack to work on my car, I tried to buy one made in America. But in the end, whatever I bought, its most important trait is its usefulness as a tool.
The Obama Administration is certainly ideologically different than the Bush Administration (although I believe less so than his supporters think). But that doesn't mean it applies to all aspects of everything the Administration touches. I'm glad Drupal scored a win - let's just not read too much into it, shall we?