Australian Government To Standardise On Drupal
angry tapir (1463043) writes "The Australian government is eyeing the introduction of a government-wide content-management system, with the preferred choice almost certain to be Drupal. Government documents indicate that part of the appeal is that Drupal modules can be easily shared between government agencies and with the public."
Because a drachma won't get you much!
Working with drupal is a nightmare. Drupal 8 is looking much better but all below are just terrible to work with.
As opposed to what? WordPress? Joomla? Drupal does have a steeper learning curve than some of the other open source CMS's but it has more flexibility, and if you're going to standardize on one, that flexibility is important. I'm curious to know if you have a specific alternative in mind.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Hopefully the Personal Home Page (PHP) software will be up to the task of running mission critical government CMSs! It would be a real shame if the govt has chosen years of security problems for themselves.
Easy to learn (as long as you know programming) and ridiculously flexible and simple compared to Drupal, with the ability to scale up to more complex frameworks with apps. Pretty sure the Australian government is targeting this for more complex frameworks, instead of just blogs.
Django itself is more of an app development environment, although using it for blogging and such would be as simple as adding one of the existing blogging apps to it, or you could roll your own with a few lines of code.
The Django tutorial is great... so glad I found it after looking at Wordpress, Joomla, Drupal, and other less popular ones.
Disclaimer: Website developer that has used Drupal, Joomla and Wordpress, not liking any of them.
I find Silverstripe to be a pretty neat CMS for developers and clients. Find it much easier to work with than the other major players like you listed.
The New Zealand Government actually use Silverstripe themselves and they seem to be pretty happy.
Seriously though, it is actually enjoyable to work with for the variety of projects I have used it for. In time like the others, it might reach a point that it is no longer fantastic to work with and at that point, I will find the next system to adopt.
Probably should have added that I don't actually work for Silverstripe, it just is what I use currently to build websites.
Coding a custom CMS is a start. Programming web-based systems isn't that hard. I do it for a living, but I use Wordpress or Joomla when the customer wants it. Generally a custom CMS offers better flexibility - if you have a competent web staff that knows how to code, you can get something slick finished pretty quickly.
There's a lot of fear mongering when it comes to picking CMSes in the first place. Generally you will see people that aren't qualified to make decisions force technical staff members into a corner to "standardize" things, pissing everyone off equally. These types of decisions, in my opinion, should be left to the individual web teams that serve these separate units of government throughout the country. They have to use it every day - let them decide.
It doesn't sound like the Australian Government even knows what it needs a CMS for. At the end of the day, KISS is the best practice to follow. They're just webpages after all. You don't need a CMS that has 26,000 modules (point was made in the article) to plop up a website with a slideshow, a bunch of PDF files, an event listing, different pages full of text. You only need to determine what you want your website to do and let the technical staff make the best choice. One CMS to rule them all is quite stupid in this case, because they think they're solving a problem that doesn't really exist. They also think there will be some kind of magical collaboration that will save everyone money.
http://agov.com.au/features - Half of the features on this page are purely fluff, pointless, or outright misleading:
1.) Responsive design - Responsive design is tied to the template and CSS - not the fucking CMS.
2.) Event management - every CMS out there features some kind of event management plugin, or you can just code one yourself. This isn't a good reason to "standardize" on. Again, let the web team working on the site pick the best option.
3.) Feature carousel - They're ... image sliders. Really now? This is a reason? Every Australian Government website must have this eh?
4.) Rich content editing - Good, finally they found one reason to standardize their CMS onto every agency - because this is such a huge problem with CMSes - wait, what? No, it's not.
You know, there's more to this than the stuff I managed to quickly slap together at 3:30 AM.
My viewpoint is the following:
Making blanket assumptions on how things are used and forcing decisions across an entire Government will only lead to unhappy workers, stifling of innovation, and harm to other great CMSes and developers out there.
That said, if every agency felt that Drupal was their best option... so be it.
3.) Feature carousel - They're ... image sliders. Really now? This is a reason? Every Australian Government website must have this eh?
Yeah, I know what you mean.
Should I use a carousel?
It doesn't sound like the Australian Government even knows what it needs a CMS for.
To be fair, neither do 90% of companies providing Drupal-related services, including the Dark Lord of the Enslaved Community.
What's wrong with Drupal? It's modular, very flexible, free, secure, and has been demonstrated to be good enough by other major organisations (ie, the Whitehouse, and Australia is essentially America's lapdog these days).
It's not easy to set up, but, that doesn't make it a poor choice, and what other alternative can you suggest which is proven to be secure, is flexible, modular and has a huge community base?
I hate our government for so many things, but, it's very easy to implement a powerful search engine in Drupal, and there are so many modules available that it's a good choice for projects designed to last well into the future.
Also, one of my mates found a serious backdoor in a CMS system used often in Europe (and it was open source). So, since the Whitehouse has likely done some auditing of the Drupal code, it makes sense for the AU government to build on top of their work/testing.
Only requirements were:-
1) Free, since this government thinks they should get everything free while screwing over anyone in need...
2) Server must run off a 15Mb/1Mb internet connection since that's what the rest of us are doomed to...
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
As a sysadmin who's likely to maintain a lot of hosting environments that host these sites, I can't say it's a terrible choice. I reckon they could do worse.
I've certainly seen drupal done right more frequently than, say, wordpress.
Working with drupal is a nightmare.
Yeah? I was a web admin for a part of the Northern Territory government a few years ago and we used some really ugly thing, built in house with ColdFusion. Anything would be better than that. Drupal's a bit of a pain in the arse, but I'm sure it's an improvement on a lot of government CMSs.
I've been developing public and corporate web sites large and small since 1996 and I've not been able to work out why any major organisation would employ a developer who isn't
1) instantly repulsed by PHP, a play language whose increasing popularity says a lot about the change in quality of developers and little about the change in quality of the language;
2) capable of using the same old patterns for knocking out a decent, scalable framework for any web site requiring basic services (session management, authentication, article submission+publishing) in a weekend;
3) capable of writing better quality documentation to go along with it than any 3rd party open source project, which invariably omits the hundreds of gotchas one comes across.
At some point in the last decade it became fashionable to decide that not doing any work yourself, but restricting yourself to what others do for you, was a sign of competence. The third party stuff is tried, tested and secure, they said. You can rely on the third parties, they said. Nobody ever got fired from delegating to someone else. Well, this may be true if you're in no hurry to be productive, and if you enjoy homogenous ecosystems which are the target for every zero-day effort. But no enterprise should compromise on quality when it has the necessary resources to decide otherwise.
You use Linux on the servers because there's no way you could do better than the maturity, security and stability of Linux. You use Microsoft Office on the desktops because a couple hundred dollars is worth the best featured and the most familiar product. But any competent team can write a decent web framework.
Never used drupal nor wordpress
Proven to be secure? Number of user up == number of vulnerabilities found up. Just because it's "proven" secure now, if you add a massive incentive to find more vulnerabilities (standardized governmental roll out sounds like a tasty hacker target to me) and increase the user base significantly then let's see how long it remains so proven. How proven is the security of the modules that are available that you tout as a boon for the CMS? They're mostly third party aren't they? Just like all the other OS web CMS's. Not a cat in hell's chance that all those modules are as secure as the core CMS, so how is having those modules available a good thing when they'll have to write their own if they want them secure?
I love how you think that the US government may have shared their experience with Australia about a web CMS too. Governments barely manage to communicate between internal departments, let alone internationally.
Let's not forget that the preferred operating system for governments is still Windows. If you're thinking security is a major factor in governmental software decision making then this fact ought to indicate either just how little they care, how little they know, or how much they've been lobbied.
May I remind you of the HBGary Federal break-in by Anonymous?
Part of the break-in was classical social engineering, but if I remember correctly another important part was played by their roll-your-own CMS that had a classical vulnerability.
Rolling your own CMS seems easy enough for the core functionality of slapping up and managing a web site, but security is not trivial and it's a, by definition, net facing program.
From a security and general bug perspective of at least the core system, going with a widely used open source package with active bug fixing is probably the smarter move for a large organization, never mind a government.
As someone that has seen several of the drupal sites developed by the Aus government I can assure you they AREN'T being done right. They are a mess of vulnerabilities and poor configuration and most of them seem to be run by pods of developers themselves rather than the IT departments which probably explains the atrocious security practises on a lot of them.
I stopped using CMS's a couple of years ago for anything important. A good python framework like Web2Py or Django, or even Rails (anything but PHP ffs), is easier to maintain than Drupal, Wordpress or any other CMS. And any back end development (even just templating) with a framework is miles ahead. It's amazing so many Drupal and CMS loyalists don't yet know what a proper framework is, or the power it can offer them! Web2Py is by far the easiest of the bunch. I challenge any CMS developer give it a go, and then go back to Drupal.
4.) Rich content editing - Good, finally they found one reason to standardize their CMS onto every agency - because this is such a huge problem with CMSes - wait, what? No, it's not.
As far as I'm aware, all available editors are based on contenteditable functionality, which has been bug-ridden for years and simply was not designed to offer a rich content editing experience to the end user of a CMS. Yes, this is a huge problem with CMSes, including Drupal. For this reason, this is not fluff, pointless or misleading, it is an outright lie.
0x or or snor perron?!
If they're genuinely only going to use it as a CMS then Drupal might serve. But what I see with Drupal is that someone wrote a CMS and then tried to build a general web framework on top of it. It would make more sense to take a general web framework, such as Symfony, and then build a CMS on top. That way you have a platform which is suitable for websites which go beyond being a CMS. As an added bonus, Symfony is built around a type system rather than associative arrays nested like Russian dolls.
May I remind you of Heartbleed?
Security is fundamentally a social problem, and the solutions are primarily social, involving the cooperation of everyone in the relevant community.
You can't "pick secure software" - you can only build a secure environment. This doesn't start by plugging in a black box which other people have assured is okay.
A lot of them currently use HP TRIM, hell I'd prefer Drupal 0.1 alpha over TRIM.
All CMSs I've had the pleasure to work with are a nightmare. It's usually a lot harder to get the CMS to do what you want than to just slap together the pages and headers yourself.
As for Drupal specifically, it's written in PHP. I have found through extensive experience that sooner or later you need to dive into the code of the CMS itself, and if you want to change or extend functionality, you also tend to need to code in whatever language the CMS was coded in. So for your own sanity, pick one that's written in something else.
Django, Magnolia, Umbraco, Hippo, ... There's plenty choice, so you don't need to inflict PHP upon yourself.
(If you're unfamiliar with PHP you're probably wondering why I'd consider this the most important requirement. Go read these:
PHP: a fractal of bad design
PHP turtles
There are plenty more sites documenting PHP's failings. I've done a lot of professional development in PHP and I can testify that it's the absolute worst programming language that's still in common use.)
Drupal 8 is built on Symfony.
Drupal is written by amateurs. Whoever thought it was a good idea to have code run from the database is a pure idiot.
How come?
"Terrible to work with"? Because you are not able to read the easily available documentation or can't be bothered to?
I've been working with Drupal for about as long as it has existed. My company have based its core business on Drupal. But truth be told, we do not deliver "simple CMS" pages. We seldom touch projects with budgets around or lower than 20' USD and most projects are in the 100' USD++ range and even some reaching the million mark during the project lifespan. For such projects Drupal is a great "toolbox" / framework. I have yet to see any comparable system.
I hate to tell you this but there are several commercial websites that serve tens of thousands per day that run on PHP based content management systems. I know, I've helped build some.
The Drupal project is one of the largest open source projects in the world. It's architected to be a flexible, secure, and very customizable platform which consists of thousands of different modules. It's more than a CMS... it's a platform for building your own custom CMS.
>php
I thought they didn't want insecure sites
It is also a huge bucket of SHIT. They tried to make it a tool to do everything and in the end all they got was a god-awful mess. Also Secure is NOT one of its shining points, nearly every drupal site I have had to review was riddled with vulnerabilities, cross site scripting and awful coding practises which seem to be fostered by the terrible development environment that is Drupal.
Secure?? you have got to be fucking joking. https://drupal.org/security that is not the record of a product with good security practises. The vulnerabilities in the core alone are bad enough, but add in all the vulnerabilities from common modules and you have a pigs breakfast.
From this - "GovCMS is intended to support more effective web channel delivery functions " it looks like they are talking about web sites - intranet and internet.
In Australian government the major CMS products in use are Sharepoint, Documentum, Drupal and Confluence.
Coding a custom CMS is a start.
Why does everyone want everyone to reinvent the wheel? It's cheaper to do it this way. Drupal mostly works. If you can get 99% of the functionality you need out of the box, why not use it?
It doesn't sound like the Australian Government even knows what it needs a CMS for.
Presumably, to make it easier for departments to maintain content. That's the usual reason. It's a pretty good one.
That said, if every agency felt that Drupal was their best option... so be it.
Right, let every agency decide, and/or wait for consensus. What could possibly go wrong?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Wasn't Facebook originally on PHP..?
-Myke
Who wants PHP version 1?!? It's been PHP:Hypertext Preprocessor since version 2 or so.. =)
-Myke
Generally a custom CMS offers better flexibility - if you have a competent web staff that knows how to code, you can get something slick finished pretty quickly.
True. But where I work, we plan for everything. Like upper management firing most of our "competent web staff". Who's going to support your custom code then? If you're using an industry standard, it may not be as flexible but if the shit hits the fan at least you can pull in contractors and not have to rely on what would basically amount to the top tier of web developers out there as your only hiring resource. Use Joomla (or whatever) and you have an immediate pool of talent to hire from.
PHP input filter is disabled by default from Drupal 7 on... really it's only good for prototyping.
-Myke
Anything would be better than ColdFusion, eh?
Let me introduce you to ExpressionEngine. Learn about its parsing order then go in the corner to cry. It's pure madness that a real coder cannot accept.
Get free satoshi (Bitcoin) and Dogecoins
which consists of thousands of different modules
Fabulous! what every project wants - nay, needs - is to import THOUSANDS of different modules.
Yeah, and that's exactly how many modules are used in a typical Drupal site... why are people who truly know nothing about Drupal posting bad things about it..?
-Myke
Whitehouse.gov is Drupal. Along with many many more USA and other country gov sites
https://groups.drupal.org/government-sites#USA
Cheap hosting providers won't be serving anything important.
But why would the government of Australia use cheap shared hosting? The web server process on any VPS should be able to speak FastCGI or SCGI to your Python application server. Or is the problem that the vast majority of potential candidates for web developer positions have PHP experience because they learned web development while maintaining a portfolio of web applications on cheap shared hosting?
Should I use a carousel?
They're OKAY, as long as they are merely things like feature ads for your product, as opposed to essential interface elements. It's a display, like a rotating billboard. There should be no requirement to interact with it.
And they should be relatively small, the delay should be no more than 6-8 seconds max, and they should be based on JS, not Flash. And one more thing:
For f*s sake, people, get the tags and CSS for your sliders right. If someone uses a script blocker, they should see the first panel of your slider clearly, not the entire set stacked on top of each other. I've seen major websites get this wrong.
What's wrong with Drupal? It's modular, very flexible, free, secure, and has been demonstrated to be good enough by other major organisations (ie, the Whitehouse, and Australia is essentially America's lapdog these days).
The problem is that it's based on PHP, which is more than just showing its age.
There are better, more stable, and more consistent languages to build your web framework around today. Why anybody would start a new project today and build it in PHP is totally beyond me. In fact I have made quite a bit of money taking sites that were built in PHP and rebuilding them in something more modern.
Making things up is fun and all, but PHP is the most popular language on the internet, and shows no signs of decreased usage whatsoever.
So in the light of actual data, your "strong opinion" that it's like COBOL and "on the way out", is fucking moronic.
There's plenty of valid reasons to criticize PHP, but this isn't one of them.
Silverstripe is IMHO currently the CMS to build sites on. After dealing with drupal, wordpress, modX and a few others I find Silverstripe the easiest and the most "civilized" way to build custom things. If someone wants something that works out of the box on the other hand it might be not the very best choice.
So in order of people who hate their jobs and life...
1) Exchange mail managers
2) Backup server managers
3) Drupal admins
That sound about right ?
Yeah I used my own hand-written framework too. Like a decade ago.
Every hand-rolled CMS/framework my company (and previous companies) has taken over has been a complete fucking nightmare. Every single one.
Your dismissal of the benefits of a standardized platform that you can actually hire experienced developers for is astounding.
There's plenty of PHP, ASP.NET, Django, Java, etc. developers out there. I would argue that there would be fewer developers for something like Joomla than its parent programming language - PHP. This is because a Joomla developer needs to understand the idiosyncrasies of the CMS itself. They also need to understand how PHP works. So at the very least, they need to be able to code in PHP, otherwise you've just hired a crappy Joomla developer that probably Googles everything and copy and pastes stuff.
Coding a custom CMS or "reinventing the wheel" does have benefits. It provides security benefits by having less code, less eyeballs looking at the code, and alternative ways of configuration that may lead to better security (how it works with different server modules and such). It also allows for more rapid bug fixes for problems that arise, rather than waiting for a fix for 3 months after submitting it to a bug tracker.
You also have to think about how important the website is. Does this website provide a basic press release listing, PDF files, and a couple of pages? It probably doesn't need a massive CMS.
Let the web team decide what they would like to work with.
"Australia Gov: It was a bad move to standardize on drupal." Let's see how long it takes.
Ah, another newbie to PHP who blames the tool instead of the person using the tool.
why are people who truly know nothing about Drupal posting bad things about it..?
Because A.) it's the popular kid in class, B.) it's the kid in class that gets all the chicks, and C.) they just don't get it and never will.
People fear what they can't understand--so in many cases, they worry about their job security.
But there are so many features that customers eventually want that you end up reinventing lots of wheels hand-adding them along the way, eventually ending up with a Big Ball of Mud.
It may be good job security for the original coder, but for the organization it can be a bear to write up contracts and pay for new coding for various features that are add-ons with packaged CMS.
Maybe if OSS community offered kits that allowed easier add-ons to semi-customized CMS, we could approach the best of both. For example, settle on a generic data model so that add-ons can hook directly onto the data model. Custom programming can still be done using that data model.
Table-ized A.I.
Ah, another newbie to PHP who blames the tool instead of the person using the tool.
Sorry to have to disabuse you of your fantasy, but I've worked with PHP for more than 8 years. And I am glad to be free of it, thank you very much.
But there are so many features that customers eventually want that you end up reinventing lots of wheels hand-adding them along the way, eventually ending up with a Big Ball of Mud.
If you plan the structure properly first, this doesn't happen. You also imply that a CMS must do all sorts of things, it really doesn't. They're web pages. This is not a "toast your bread, clean your dishes, do your laundry" system.
It may be good job security for the original coder, but for the organization it can be a bear to write up contracts and pay for new coding for various features that are add-ons with packaged CMS.
It's perfectly possible to code features for a CMS as a team effort very quickly.
Maybe if OSS community offered kits that allowed easier add-ons to semi-customized CMS, we could approach the best of both. For example, settle on a generic data model so that add-ons can hook directly onto the data model. Custom programming can still be done using that data model.
These are called plugins. Most CMSes have them. Even custom-designed CMSes can have plugins without spending much time.
You have to change nearly everything about how Drupal works to make it work well on a large site, or a large number of sites. So where is the "standard"? What it does with MySQL DB by default, as one example, is an absolute travesty. Then you run into, oh I can't build my massive site using nodes, it will blow up, so let's use templates, but now we have to manage templates, let's build something for that, oh now caching, how well does it deal with a big server farm, oh need patches and work on that too. Oh it isn't OOP so I have to do a lot of extra work and process to keep the maintenance programmers from blowing everything up on multiple sites because they just know a little PHP and want to work in that all of the time vs the system you built. It is like so many other things, people spend tens of thousands of man hours on making it work, then say, Drupal is great! Just fucking amazes me. Of course Drupal isn't unique in that.
Yep, there is the "standard" Heh.. It is so flexible.... :p
You know, this could be a really good thing. Hire local firms to make modules for each department.
Tie everything to the user account or property record
Water/sewer department
Power/lights department
Phone / Internet / Cable department
Building department
Schools
Library
Public Works
Police/fire
Tax department
In one place, using one account, the user can log in, pay their bills, check kids' homework, renew a library book. It's a powerful idea. Build the local economy, make life easier for the citizens, I think it's a great idea.
You do it first.
The majority of Facebook is still PHP.
A lot of it no longer runs on the official PHP software but on their own called HipHop (uses a Just in Time compiler) but the code their programmers write is PHP.
What are you using instead?
Far from being a standard, but consistently selected for technical capabilities, and for attending accessibility requirements among other criteria, Brazil federal and several other government branches have selected Plone, as one can see in nationwide portals such as "http://brasil.gov.br"
Hi,
Can you share an e-mail address? I am interested in putting together a site using Silverstripe and it'd be nice to see if you're available to help.
Coding a custom CMS is a start. Programming web-based systems isn't that hard. I do it for a living, but I use Wordpress or Joomla when the customer wants it.
I'm a consultant, and you're not thinking this through. You shouldn't start writing a new CMS from scratch whenever you start a new project. When I start a new project, say for a moderately complex web site, I go back to the beginning and design a new CPU. The new system that the CPU will fit into has to be designed, built and tested, and then a new OS written and debugged. Next a new communications protocol has to be designed, written and tested. Finally, a new set of applications written for the new OS, and then, finally, a web site.
This approach is the only reasonable way to turn a three month contract into a 15-year failed project. You've grasped the basic consulting creed of re-inventing the wheel at every opportunity, but you're not going far enough.
Work like no one is watching. Dance like you've never been hurt. Make love like you don't need the money.
+pypy, nginx and/or wsgi, postgresql, zurb foundation (or bootstrap 3 if they really know/prefer it), jquery, D3, maybe something like angular.js down the road (go for easy as opposed to powerful).
Maybe some haskell or racket for backend stuff. All you need is a few good programmers for this. Stick to functional style. Worship the state.
The future will be more functional I think, however. In order to maximize utility the computer and its master both need to understand the difference between state and function. And data types. And better development tools. Perhaps something more like nodebox / lighttable / sublime. But web2py built-in IDE and API interface are pretty bad ass though. Try it out.
This selection of tools is all about maximization of utility.
Silverstripe is great, I've used it quite a bit and it does stand head & shoulders above the competition. But, possibly this is because it's written in PHP, it's dog-slow. Odd that the four comments above are all AC...
Drupal sites I run don't use thousands of modules. But they do use dozens, and I'm nervous as shit because there is really no way for me to evaluate the security of all that module code that's originated in god-knows-where.
SpyDock: Scientific Python in a Docker container
I think some of them are serving millions, some 10s of millions per day. I'm not sure if you can count Facebook, since they are running their own engine, but I believe the 'pages' still look like PHP. Whitehouse.gov, data.gov are both Drupal. So are all of the Ivy League schools, soon if not already. Of course, Whitehouse.gov has more than 80 people working on their website but that's not all coding. I would think most of that is content development and other stuff.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
Ah, the good old days. I started with PHP 1.9s - one step past shell scripting. :) Things have come a long way. Nowadays of course I don't do it for my real job, just some side stuff I do to keep my hand in. One of those is manhandling Drupal - not a fun thing for newbies, but having tried WordPress (the other biggie), I would say Drupal is much more robust, more adaptable to real enterprise applications, more secure, and has a more involved community.
Which reminds me - I'm going to my first Drupal Con June 2-6 in Austin! Shameless plug: my employer Bright Plaza, Inc. is going public at the conference with its Drupal module for Picture Passwords for the Web! We are going to have a cool special offer for websites that install the module and sign up.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
IDK anything about Silverstripe, this is the first I've heard of it. But if you are having slowness it could be a lot of things besides PHP per se. In my experience many if not most PHP and other applications are actually database-limited, so it could be that. I've had PHP scripts that spent 95% of their time in the database, both in elapsed microtime when wrapping the database calls, and in CPU load. I only occasionally have seen Apache/PHP at the top of the list in "top".
Failing that, there are almost always particular functions that seem to be the ones that take up most of the time, which can be recoded, split up, etc. Anything involving creation of large arrays of objects is a candidate, especially if you are memory limited.
If you have access, try dropping microtime calls into the code, for instance at the top of each class or even each function, and log the results somewhere to see where the time goes. I like to just keep the difference between each step, which shows the elapsed time for each function. But you can also keep the start time and print the total elapsed time at the end of the page.
In my experience slowness is almost always due to these few pathological points in the code. Sometimes it's as simple as some piece of code that needs to do a DNS request (for a curl fetch), or a bunch of NFS file accesses that take a long time.
Once you know it's not just one or two pathological functions, then there are multiple strategies. For database, consider using the MEM-whatever database engine if you have enough memory. I haven't used PHP caching, the Zend speedups, nor the HipHop tools but I assume they are pretty useful.
Finally, one thing that all these CMS systems have in common is that they do a lot of work compared to a simple web page - I am guessing that every single web page requires the CMS to open, read and parse as many as 100 files. It's rather amazing to me that they work as fast as they do.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
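The microtime approach described in the comment above, sketched as an added example that is not part of the original post. The class name `StepTimer`, the step labels and the `usleep` delays are hypothetical stand-ins for real page code.

```php
<?php
// Added example: records the delta between marks and the total since start.
final class StepTimer
{
    private float $start;
    private float $last;
    private array $steps = [];

    public function __construct()
    {
        $this->start = $this->last = microtime(true);
    }

    // Store the time elapsed since the previous mark under a label.
    public function mark(string $label): void
    {
        $now = microtime(true);
        $this->steps[] = [$label, $now - $this->last];
        $this->last = $now;
    }

    // One line per step, slowest first, then the total for the page.
    public function report(): string
    {
        $total = $this->last - $this->start;
        $steps = $this->steps;
        usort($steps, fn($a, $b) => $b[1] <=> $a[1]);
        $lines = [];
        foreach ($steps as [$label, $delta]) {
            $pct = $total > 0 ? 100 * $delta / $total : 0;
            $lines[] = sprintf('%-12s %8.2f ms %5.1f%%', $label, $delta * 1000, $pct);
        }
        $lines[] = sprintf('%-12s %8.2f ms', 'total', $total * 1000);
        return implode("\n", $lines);
    }
}

$t = new StepTimer();
usleep(2000);  $t->mark('bootstrap'); // constructed stand-in for framework startup
usleep(20000); $t->mark('db_query');  // constructed stand-in for a database call
usleep(1000);  $t->mark('render');    // constructed stand-in for templating
error_log($t->report());              // goes to the PHP error log, not the page
```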
That's the thing - it's been in use by a number of *big* government sites (whitehouse.gov, data.gov), and enterprise and academic sites for quite a while so there's been a lot of work on the security for quite some time. From what I've seen Drupal has been much less prone to security problems than, for example, WordPress, not to mention roll-your-own.
A big security advantage of using a well-vetted CMS is that the framework has abstracted much of the vulnerability. If you use the built-in input functions, they are built to prevent most of the classic problems such as XSS, SQL injection, etc. So your newbie programmers are not as likely to leave the front door of your website open by coding a naive input function.
This applies to the various modules as well. They *should* be using those same input functions. There are now at least two Drupal module certification groups, Top Shelf Modules and another I forget. I think CommerceGuys also does this for modules they support. Part of the certification includes code review. This is a level of inspection that few companies can afford to do to their own roll-your-own code (and also an advantage of open source BTW).
Drupal does have a steep learning curve, and especially now with big transitions in the way things are done, it's easy to get lost in the module sea. But it, and the other CMS, provide an amazing amount of functionality without having to write a single line of code. And for a government with dozens or hundreds of departments, having a single CMS standard means a lot of synergy, it allows the central government to establish and *maintain* a common policy for all departments, and it means that IT people can move from one department to another with almost no learning curve.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
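The difference between a naive input function and an abstracted one, as an added example that is not part of the original post and is not Drupal's own code. It uses plain PDO with in-memory SQLite and `htmlspecialchars` as stand-ins for a CMS's database and output layers; the table, function names and inputs are constructed.

```php
<?php
// Added example: constructed table and inputs, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, mail TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Naive: request data is pasted into the SQL text, so quote characters in
// the value become part of the query and can change what it selects.
function find_naive(PDO $db, string $name): array
{
    return $db->query("SELECT name FROM users WHERE name = '$name'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Abstracted: the SQL text is fixed and the value travels as a bound
// parameter, so it is only ever compared as a literal string.
function find_bound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output side: encode for the HTML context at the point of rendering,
// so markup in stored or submitted text is shown as text, not executed.
function render_greeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

$input = "nobody' OR '1'='1";   // constructed hostile form value
var_dump(find_naive($db, $input));
var_dump(find_bound($db, $input));
echo render_greeting('<script>x</script>'), "\n";
```

Comparing the two `var_dump` results shows why modules are expected to go through the framework's query and output helpers rather than building strings themselves.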
There is a burgeoning (maybe that's too strong) module certification effort now happening. Top Shelf Modules is one group; I think CommerceGuys does it for things in their catalog, there's another that I always forget. So, progress occurs.
Realize that there are still lots of vulnerabilities in core C libraries - not to mention that C is inherently unsafe and must be handled with care. Many of the vulnerabilities in Drupal, PHP and other tools are really just exposing the failings of C. But not to start a flame war... :)
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
You're not a programmer. You're not thinking this through. ;)
CMSes don't take 15 years to create. They take about 3 months for a fairly complex one.
Beyond the mess of semi-maintained modules (not to mention the reluctance of many "maintainers" to admit design flaws as bugs), Drupal has one serious shortcoming for serious website development - the database. Without bringing up the performance issues you get when you've got 20 modules, each having to join in its own set of tables to a basic Node query, it's still the weak spot for using Drupal for serious work.
Nearly everything, from content to configuration, is stored in the database. Migrating changes from development, through staging/testing instances and finally onto production servers is an error-prone nightmare. It doesn't matter if you're trying to do it by hand or using home-grown scripts to suck changes out of the DB and push them onto a new server, there are just too many places for something to get missed or for some reference to an auto-generated node ID to not mesh up between systems.
It's difficult to predict the future. I work for Type A managers who flitter all over the place on a whim.
They also ask for mobile-friendly, Atom feeds, ADA-compliant, image resizers, CRUD-like features, etc. because they can and they want it. Oh, and it has to be super-duper simple for users because they don't want to spend money on training.
Table-ized A.I.
Drupal is total crap - it really is. The code behind it is of the poorest quality, they will definitely regret the decision. I know it has a module for *everything* - but that is also its hugest problem. I've worked on Drupal sites with hundreds of modules... such a nightmare. It really isn't that hard to write a good web application - they should hire a couple of engineers and choose a solid framework like Zend to build software that does what they need it to do, make that open source and cultivate it over time into something good.
not really a good comparison, almost every site I've ever worked on [numbering in the hundreds now] has requested some custom development that fits their business practices - sometimes writing a new system [based on a solid framework] is FAR more effective than kludging together functionality from some lousy CMS modx/drupal/etc.