Slashdot Mirror
White House Website Switches To Open Source
Falc0n writes "WhiteHouse.gov has gone Drupal. After months of planning, says an Obama Administration source, the White House has ditched the proprietary content management system that had been in place since the days of the Bush Administration in favor of the latest version of the open-source Drupal software. Dries Buytaert reflected on this, adding: 'this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software, and furthermore, that by moving away from proprietary software, they are not being locked into a particular technology, and that they can benefit from the innovation that is the result of thousands of developers collaborating on Drupal.'"
Are you a troll, naive or stupid?
A CMS is required if you want content to be updatable by non-programmers, which is almost always a very requirement on larger corporates pages.
A CMS will also allow versioning of content, making it easy to publish new content at specific points in time.
Just a few reasons:
* You want to automatically use templates and not replicate formatting code
* You want different people that are not programmers to be able to update different parts of the website; you want to let them do it from their browser in a wysiwyg editor; you want to let them to easily first publish their articles on a staging host and then authorize somebody else to go online with it
* You want to allow commenting, feedback forms, registered users etc.
* You easily want to keep track of versions and revisions of published pages
* You want to automatically index the pages for searches
* You want to easily include dynamic(computed) data into your web pages
A better question is why so many practically static web sites use online content management systems. Is it just for convenience? Lack of thought? A life content management system on the server is a serious security liability. Many web sites could just as well use an offline CMS and push the data to the server when an update is made. A typical web server can handle orders of magnitude more visitors when there is only static content. Even if you aggressively cache the CMS output, that still leaves the security aspect. I guess it takes a Slashdotting / Digg effect before most authors realize that having a web site which can't handle 10 concurrent visitors is rather pointless.
Why reinvent the wheel?
Sure, you can program everything from scratch and that might even appeal to you if you're the CEO of a company that sells programming services, but in many cases it makes more sense to use off-the-shelf software (which drupal is - well, off an imaginery shelf where everything is free as long as you give back).
For one, the weight a CMS adds is compensated by all of the code that is already present, all of the plugins that can be added without any trouble, the possibility for non-coders to easily modify website content ...
Especially for large websites, this can dramatically improve how fast you can update and improve your site.
Also, if you don't want to use a CMS, a framework like Django or Ruby on Rails is the way to go. These allow you to program everything yourself, but already have a lot of functionality built-in, to avoid reinventing the wheel.
Join the anonymous, help develop the network: http://www.i2p2.de
The problem with using Drupal for the White House is that it's a popular CMS and has lots of people looking for exploits and vulnerabilities. The second a proof of concept piece of code or an easy exploit is discovered, a few thousand script kiddies will decend to get their 15 minutes of fame.
I'm not sure how Drupal fares with bugs and patching speed (I know Wordpress seems to get some high profile holes discovered) but even if all vulns are patched before someone takes advantage of it, you're still going to need an admin who's going to be constantly alert to patching it.
I'm not arguing against closed source vs open, more about popular vs obscure.
Businesses have come to accept the limitations of software, and will often adjust the way they do things to fit in with whatever the software requires, sad but true.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
do you write you own operating system?
Huh. Now to me, this is a clear sign that they hired a new web guy who happens to have experience with and a preference for Drupal. I don't think there's a necessarily a political statement here.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Now they're locked in to PHP.
It's part of Obama's economic recovery program. Just think how many IT jobs this will create: maintenance, debugging, modifications, and security. Maybe we could have a Slashdot poll on who will pwn the website first. I think it'll be the Chinese as payback for the tariffs on tires.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
I wish they used something Python based:
def askPresidentQuestion(q):
if president == "Bush":
misSpeak()
elif president == "Obama":
pass
As stated in the article, this wasn't done to earn your praise.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
Just out of curiosity, what were they using before?
In other words, what did they switch from.
They switched from capitalism to communism, silly.
"His name was James Damore."
"It's quite a sad state of affairs when moving to one of the most common and widely used back-ends for a website is considered "a significant step forward"."
Bullshit - it's not a "step" anywhere.
This is ONE part of the government changing ONE system over to open source. That's it. The whole "since the Bush Administration" comment is a red herring:
a) Drupal only went Open Source in 2001. "Hey, it's time to update the Whitehouse.gov back end, and there's this new cool thing that just got released. It's maintained by a bunch of enthusiasts, and has no support, but I think it's a great idea!" "Perkins, go back to trolling for porn."
b) Does anyone really think the president in ANY administration gives a rats ass about the back-end of the website? Remember, Bush was ridiculed for not even using email, but somehow it's his policy that only proprietary software be used for invisible parts of the website? Likewise, Obama was a lawyer, "community activist", professor, and politician. Which one of those would make him care about this?
I'm more than happy another Open Source effort has been used for a high profile installation. But please - this isn't "Change", or even a policy change, or even an operations change from the White House point of view. This is changing from "Tide" to "Bold" to wash the Presidential underwear.
"As God is my witness, I thought turkeys could fly." A. Carlson
theres alot of good reasons people use cms... and let me try and use your own words... say you wanted a website that looked like cisco's.
In a CMS, (such as drupal)... heres who does what:
1) designer writes a theme for the website (to give it the look)
2) content producers write the pages
3) codes do the bits the cms doesn't already do.
The point is, the CMS gives you alot to begin with without limiting you, sure you could code a website from scratch but something as powerfull as drupal is going to take a long time. You may not need everything drupal does so you can cut that down a bit. But ultimately you'll end up with something that allows people to do their jobs (i.e. content producers to write pages). Drupal CMS is also especially good at being extended (and there are virtually no limits that I can think of). So rather then writing a whole heap of code to do your website, your coders just write what they need to extend the CMS - "dang, drupal doesnt do rsa based two factor auth, we're going to have to code it in" as apposed to "ok, lets get started on coding a website - quick grab 15 people who know architecture".
I make my own fucking ELECTRONS!
So when you write your own code, you've written a CMS. But you just passed one up because it was too heavy-weight...
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
Maybe the parent wished to be modded as funny. What happened along the years is that CMS products have been turned into commodities. The White House recognized that and switched the investment into the service of updating the contents. Optimizing the way one spends money looks a basic precept of capitalism to me, very American.
If some of the people who post here were as smart as they think they are, they'd figure out:
* Whitehouse.gov is not running Drupal on a ten-dollar shared server at GoDaddy.com.
* Building and maintaining a large, continuously updated website is not something you do in a weekend with Notepad, a giant bag of Cheetos, and a case of diet Coke.
* Any Drupal project of this scale involves layers of extremely high-performance caching and multiple firewalls.
* The site's administrative tools aren't available from the outside. (This is not difficult to implement.)
* Life does not begin and end with your personal favorite programming language, database server, etc., or with the boundaries of your parents' basement.
* Security reports are reports of vulnerabilities that have been fixed, not vulnerabilities that lie in wait to ambush your site. A properly run open-source project has a documented process for handling security issues.
I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish, but that's just a guess. The HTTP headers identify the server technology as "White House."
Yes, but I don't want Whitehouse.gov doing that. Allowing feedback on the high profile website is STUPID and ignorant.
Apparently, allowing feedback attracts the stupid and ignorant.
Hopefully this will drive a push to utilize open source in other aspects of government. Specifically secondary education. School districts across the country are locked in symbiotic dependency to profit driven computing / IT services and systems. Linux offers a robust full service option but gets NO (very little) attention from the department of education. DOE, Please support those of us who are trying to save money with open source in the schools!
"Both of those things can be accomplished on your own code too"
Yes, of course. And do you know how the internal app you developed so to allow non-programmers to update content, so PHBs can review the content prior to go public, so you can version contents and pre stablish the date it will go alive, etc. will be called? It will be called a "Content Management System".
So in the end you won't avoid the CMS you'll just develop your own internal one: reinventing the wheel, at a cost, and probably worse.
"Did you guys forget how the web worked before CMSs came around?"
Yes: it did work slower, more expensive and less functional. I even remember why first intranet efforts used to fail: because content stagnated due to the fact that only programers that didn't produce the information in first place were the only ones allowed and/or with the knowledge to modify contents.
"Most CMS products are insecure pieces of shit. I would not use a CMS for a high profile target like that. They should be publishing static files with a custom system. Only pages that must be dynamic should be. It's just dumb?"
You do know you can have your CMS administrative backend opened only to your internal networks so from the Internet all you have access to is an static, pre-cached, read-only version, do you?
Parent was not trying to be modded funny. I am genuinely trying to understand what the previous proprietary CMS was: Vignette? FileNet? Documentum? Stellent?
If libertarians are so opposed to effective government, why don't they all move to Somalia?
Because if I change it, I have to have a service request, check it into svn, build, file a request for change, deploy during a change window, etc. If the users can change content in a CMS, no paperwork required.
First off, most leaders of the left wing imagine a future where scarcity is the norm, largely because they see the consumption of natural resources by the West as unethical in a larger world view. In their eyes, Americans already have "too much" and therefor should have to make due with less. This faux-conservatism, coupled with the right wing's stupid devotion to "free trade", is the underlying cause of this current economic crisis. It is that people want more stuff, resources are capped by environmental and ideological considerations, so, prices of goods are shooting up and people have less. Demand falls off, and unemployment shoots up. You add in free trade, and take away America's advantage in energy prices and expose our disadvantage in labor, and the country is totally fucked up.
It's pretty simple, actually.
Let's just think this through for a minute. Let's say that instead of having to borrow or raise taxes to have national health care, the USA simply turned around and issued permits to drill in ANWR and off the coasts. Instead of scraping to come up with 900B to pay for it, we would have that money coming in from ANWR alone, without a tax increase. Let's say for a minute that we build nuclear power plants everywhere, and lowered the price of energy to something like the 2 cents per kwh it is to operate a nuclear plant. Everyone would have effectively a 20% raise because of the energy savings not only for themselves but in the cost of every product or service that they buy, and that in turn would lower the price of medicine. If gasoline were a dollar a gallon, and electric bills not more than $20 a month, and food was cheap as well, everyone would feel pretty darned rich. Consumers would spend, tax revenues to the government would go up, and you could have an administration that throws national health care on the table coupled with a modest tax cut.
Bottom line is, regardless of whether you want to have the government doling out the goodies, or get yourself a tax cut, or even a combination of both, the most effective thing the government could do to do that would be to say screw the environmentalists and get cheap energy, no matter what. Energy -is- wealth, and the more wealth you have, the more stuff you can swing.
If everyone felt rich, than putting a national health care plan would be no big deal.
This is my sig.
It's not necessarily a bad thing. Yes, sometimes it cuts off new and creative ideas. Often, those are bad ideas, and everybody else is doing it the regular way for a reason.
This is especially true when a business is getting outside of its domain. If you're the best bottle-maker or book-binder on the block, do that. But your accounting and web site is almost certain to be identical to any other businesses, and crafting roll-your-own accounting or web management software specialized to your thing is quite likely the wrong thing.
Not always, but I've found too many businesses err on the Not Invented Here side.
I work for the government, and uh, bullshit.
// This is not a sig.
That's your opinion and just because you have one doesn't make it the correct choice.
In fact, I do remember how the web was before CMS came around. I remember people handing me MS Word documents saved as 150KB+ HTML files. Or having to clean up sections of the corporate site where someone cut-and-pasted from MS Word into the site.
Heck, people made a living off writing software just to clean up the mess. Eliminate clutter in Microsoft Word generated HTML files with the Office 2000 HTML Filter
And to Sopssa, He fails to realize that Drupal can be hardened and has the benefit of several years of testing and user feedback unlike a custom system.
I clearly remember the days before CMS and it looked like this.
<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40" > <head > <meta name=Title content="This is normal unformatted text" > <meta name=Keywords content="" > <meta http-equiv=Content-Type content="text/html; charset=utf-8" > <meta name=ProgId content=Word.Document > <meta name=Generator content="Microsoft Word 10" > <meta name=Originator content="Microsoft Word 10" > <link rel=File-List href="WordtoHTML_files/filelist.xml" > <title >This is normal unformatted text </title > <!--[if gte mso 9] > <xml > <o:DocumentProperties > <o:Author >Elizabeth Pyatt </o:Author > <o:Template >Normal </o:Template > <o:LastAuthor >Elizabeth Pyatt </o:LastAuthor > <o:Revision >1 </o:Revision > <o:TotalTime >1 </o:TotalTime > <o:Created >2003-10-22T19:05:00Z </o:Created > <o:LastSaved >2003-10-22T19:06:00Z </o:LastSaved > <o:Pages >1 </o:Pages > <o:Company >ETS </o:Company > <o:Lines >1 </o:Lines > <o:Paragraphs >1 </o:Paragraphs > <o:Version >10.2418 </o:Version > </o:DocumentProperties > </xml > <![endif]-- > <!--[if gte mso 9] > <xml > <w:WordDocument > <w:DisplayHorizontalDrawingGridEvery >0 </w:DisplayHorizontalDrawingGridEvery > <w:DisplayVerticalDrawingGridEvery >0 </w:DisplayVerticalDrawingGridEvery > <w:UseMarginsForDrawingGridOrigin/ > <w:Compatibility > <w:SpaceForUL/ > <w:BalanceSingleByteDoubleByteWidth/ > <w:DoNotLeaveBackslashAlone/ > <w:ULTrailSpace/ > <w:DoNotExpandShiftReturn/ > <w:AdjustLineHeightInTable/ > </w:Compatibility > </w:WordDocument > </xml > <![endif]-- > <style > <!-- /* Font Definitions */
@font-face
{font-family:"Times New Roman";
panose-1:0 2 2 6 3 5 4 5 2 3;
mso-font-charset:0;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:50331648 0 0 0 1 0;}
@font-face
{font-family:Arial;
panose-1:0 2 11 6 4 2 2 2 2 2;
mso-font-charset:0;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:50331648 0 0 0 1 0;}
@font-face
{font-family:Palatino;
panose-1:0 2 0 5 0 0 0 0 0 0;
mso-font-charset:0;
mso-generic-font-family:auto;
mso-font-pitch:variable;
mso-font-signature:50331648 0 0 0 1 0;} /* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:Palatino;}
h3
{mso-style-next:Normal;
margin-top:12.0pt;
margin-right:0in;
margin-bottom:3.0pt;
margin-left:0in;
mso-pagination:widow-orphan;
page-break-after:avoid;
mso-outline-level:3;
font-size:13.0pt;
font-family:Helvetica;}
p.MsoBodyText, li.M
I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
Not only that, but using Drupal means you have a built-in security/programming team, constantly updating, improving, looking for bugs, etc. If you write your own software, YOU have to maintain it, by yourself. Are you as good as the Drupal devs? (I know I'm not)
does this even offset a Administration which takes all the bad habits of the last and compounds them with super sized bills that no one gets to review and a good dose of intimidation against any who speak up?
* Winners compare their achievements to their goals, losers compare theirs to that of others.
With all due respect, are you a web developer?
For starters, a well-developed CMS and some competent IT people can produce a site every bit as quick as a static HTML site, because that's exactly what they'll be serving up with good server-side caching. Any "weight" in the backend is more than offset by the increased ease with which content can be updated.
Moreover, a CMS allows non-technical people to be involved in the process. Most likely, people from the press and communications offices are going to be the ones in charge of the content on this website, and it's not at all unreasonable to assume that most of them aren't going to be any good with HTML.
And why should they be? CMS is exactly what it says it is -- a content management system, letting people focus on content by hiding away the markup and technical nonsense they're not concerned with anyway. Sometimes it's fully inappopriate; sometimes a custom one is better than off-the-shelf. But you really can't see why anybody would want to use one? Ever?
I don't know any details of the site's technical architecture beyond the obvious, but it's blazingly fast. My bet is that when you hit the site, you're pulling completed pages out of RAM on a customized and hardened Varnish, but that's just a guess. The HTTP headers identify the server technology as "White House."
I don't know where you came up with Varnish . . . there are lots of ways to get performance that's just as snappy. A CDN is a good start. And it's pretty easy to tell that that's exactly what's being used here:
$ dig +short www.whitehouse.gov
www.whitehouse.gov.edgekey.net.
e2561.g.akamaiedge.net.
96.16.18.135
They're using Akamai for most of their content, it seems. I get 35ms ping to www.whitehouse.gov from machines in New York, Denver, Holland, and Washington (the state). My Washington machine gets 2 ms ping, actually, so I'm guessing Akamai has a machine in the same data center. Varnish alone isn't going to get you anywhere close to that kind of performance – it can't beat light speed.
MediaWiki developer, Total War Center sysadmin
Actually most people have been praising Drupal for its excellent security. You aren't going to find a CMS with a much better track record than Drupal.
What they were mainly saying is that Drupal is extremely popular with lots of people looking to exploit it, so it might theoretically be a high risk. A less well known CMS would not have many people looking (well, that would definitely change overnight if whitehouse.gov chose it :) and is therfore a lower risk, but also has tons of exploits not found yet.
Stick with Drupal if you want a tested, secure, and reliable CMS.
I clearly remember the days before CMS and it looked like this
Ha! The planetarium scheduler for the the school I work at has an HTML file she edits in Word to create the current month's calendar. This file has been used for some 2-3 years. Pulling it up right now, it is 682 KB in size and has over 6,000 lines of CSS at the top of the document. Here's a snippet:
The actual body of the document is about 400 lines of the most awful HTML table markup the universe has ever seen.
To see this file in its entirety is a most humbling experience.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
But your accounting and web site is almost certain to be identical to any other businesses
Is that why I can't find any accounting software to deal with non-taxable stock dividend distributions from investment activities?
You don't know what you're talking about.
After all, I am strangely colored.
Why do you assume they're not doing that?
Because he's a moron who doesn't understand how CMSes are actually used in the real world, and thinks the only point of them is for 'dynamic' content.
When in actual fact something like half of all CMS sites are mostly 'static', with maybe a forum and an RSS feed block being their sole 'automatically changing' area, and then rest is so that people who don't know a hell of a lot about web sites can fricking manage the site, or at least their area of it, and add and remove content.
If corporations are people, aren't stockholders guilty of slavery?
My first reaction to seeing this article was how long it will take for Fox News and friends to declare open source software as socialist and how comrade Obama has taken jobs away from hard working capitalist programmers. It's really not a stretch given their track record.
foxnews.com's server runs on Linux according to Netcraft.
The Gospel according to lolcat
Yes, whitehouse.gov is a very attacked site, for all sorts of reasons, and I bet it will be the very first place to try out any new Drupal vulnerability, and at least one of those will succeed sometime in the next couple of years.
But, um...who cares if it does? It's not a mission critical web site. It's stupid fluff pieces about the president and his initiatives. If something goes wrong it gets flipped offline, restored from backup, patched, and brought back online.
It's interesting to see the government try OSS, and that might be an interesting discussion, but way too many people(1) here instantly leapt to the non-existence security implications, acting like important government computers were going to be exposed via any security issues in Drupal.
1) And half the remaining people appear to be morons talking about how CMS are useless. They haven't realized that stating 'people don't need CMSes' doesn't, like they think, show that they're some elite HTML coder, it just reveals them as someone who's never been hired to make a web site for someone else who then can add and remove content.
If corporations are people, aren't stockholders guilty of slavery?
It would appear that your experience doesn't stretch terribly far; off the top of my head I can name several much less secure systems. Finding, fixing and announcing vulnerabilities is a good thing: by your measure a hugely exploited CMS with no fixes would be better!
Regarding you assertion that the rewrite engine cannot be disabled; this is just plain wrong. The Apache rewrite engine can be disabled without any problem. If you do this, then you won't enjoy clean URLs, instead you'll have URLs like www.somesite.com/index.php?q=some/path instead of www.somesite.com/some/path. Internally Drupal always works with the first form. However, the rewrite engine is a widely used Apache module - with perhaps millions(?) of sites using it. It may very well have exploits - just as any software may - but it is trusted by lots of users.
Followsymlinks can be disabled too. It's required for rewriting and for one form of upload. Drupal works without problems without it. However, there's nothing inherently insecure in symlinks, and the default Drupal directory layout does not symlink to outside of the install tree.
Database load. I note that your assertion about load is without any reference to figures. I'm not certain which CMS you think is well written. However I'll note that there is a general problem with CMSs which are designed to be easily extensible: tightly integrated system usually use a single SQL statement to retrieve data - the designer knows all the constraints at design-time. A loosely coupled system is usually not able to do this: the designer has little idea of what will be present at run time. So it's in the nature of most loosely coupled system to run one query or more for each additional module. Drupal uses a loosely coupled callback orientated architecture. This means its very easy to extend. However the downside is that each module will usually include extra tables. Drupal is fairly smart about loading this extra data, but beyond that, to counteract the tendency for growth in queries, Drupal has a caching subsystem that is active in several layers. For anonymous users, Drupal only runs a few queries which determine where in the cache the data sits, and returns it.
Perhaps you'd like to elaborate with some firm figures and an example of a CMS that in your opinion does it right.
Regarding PHP security. Again - have you any firm facts to show that PHP is inherently less secure than any other language? The consensus in security circles is that openness is better for security. *You* are able to download the PHP source code and contribute patches. If you know of a security issue, I'd urge you to help fix it. Or is this opinion without facts to back it up?
Again, I'd be interested to know which CMS you do recommend to the person in the street. I would not at the moment recommend Drupal for most brochureware sites, though it is capable of brochureware, however for sites in excess of about 100 pages, for sites where there is a heavy community aspect, and for sites which hope to change and grow, Drupal is an excellent choice.