Category: Professional

Here’s a list, in order from my PNW Drupal Summit notes, of some things I’d like to do/learn/try:

answer 1 support request a day (in install support forum?).

make progress on one issue per day. (views or another module you know well) mark duplicate, answer support request, etc.

when you learn something new, document it as you go.

/contribute – places to jump in. but she prefers /community-initiatives. highlights things that are important.

irc

git

try D7, possibly for the feedreader pet project

documentation patches, “novice” tag

look into D7 multigroup issues

themekey: re-read code of the alternate themes, also just try reinstalling at next update.

review ALL the tips in the server optimization notes.

try yslow

idea: create map/app of walking tour brochure. experiment with map of recreation facilities (see maps notes, also http://github.com/tylor/quickmaps)

create a personal/site issue queue: view ads ctr counting, quickrates loan issue, ecard

write blog post about drupal/enterprise and/or “year with drupal” (see JK keynote notes)

upgrade to webforms 3 [notes]; write bolt-on module to connect with campaign monitor. if ENA goes to Drupal use webform for membership signup.

drush.

try login_security

look at role_delegation for intranet?

“scrum” meetings in our department: what you did, what you will do, what’s blocking you – under 15 mins total meeting

features & context, for real this time.

web widget for rates?

about.opengardenproj.org

research tools that they would like to make

putting technological & non-tech people.

alphabet as organizing projects

alphabet garden: a real garden, someone who works for civic actions. blogging about the garden by letter, then starting over after Z, facilitating community storytelling – aha! give people prompts to get themselves going.

command line = chef knife (I would love to be able to take a command line 101 class)

codelandstorytimecollective.org

she’s a museum person! background in explaining science – how can that be done with technology?

explaining memory links & garbage collection using bunnies. inspired by commoncraft videos

resource sharing technologies

mapping!

vozmob

fun games with git, “cubby holes” – “nobody wants to waste their time learning something useless”

human internet game – using real people to act out aspects of the internet. “what’s going on behind the beachball” (oh, freegeek chicago)

web-based irc – and using chat, skype, etc to talk about what was going on with irc.

chach is very enthusiastic, but this is a little drifty.

“spot-check” on individual learning projects.

jing – free cross-platform for making screencasts – free is 5 mins/200mb only, but that’s actually a plus, makes you condense. takes 1-2 hrs to make a really good 2-5 mins vid.

“lab hours”

she just jumped past the concept of “neutral space” – wonder what’s that about.

I wonder if we should have “scrum” meetings in our department: what you did, what you will do, what’s blocking you – under 15 mins total meeting.

to be honest, I think I got more out of the conversation we had hanging out in the lobby.

web widgets module – embed drupal content on another site – gives you a script to use on wordpress, etc, tho not facebook

http://garden.localbiology.org/

about 50 people involved – 10 learners – plus mentors, etc. just about the right size for a single main teacher.

where from here:

she’s delightful but rambly!

http://www.drumbeat.org/festival

http://github.com/chachasikes/opengarden

evil robots, scripts.

wow, unfiltered xss put site in maint mode, changed password, locked out of site.

48% of security advisories for drupal are XSS (core & contrib)

[note to self for webform/campaign monitor integration: suggestion from prev presenter to create submodule based on webformphp]

71% of sites tested by whitehat have xss vulnerabilities.

a month of bugs…only 1 was really severe, about half were xss, more moderate.

changing the default input format. (done. actually, I think my default is a plain text version.) better formats module, which I’m using, and like a lot. html purifier module for use w/wysiwyg.

unsafe: script, object, embed, style, iframe, img (maybe: can be used as a vector for other attacks; don’t use for anon users) – but other tags can run into problems, whitelist is better.

dangerous permissions: administer… filters, users, permissions, content types, site configuration, views. “least privilege” side benefit: makes the interface much simpler for those users.

devel module – anon permission to execute php. (an actual live .edu site. jeez.) “I swear it was that way when I found it”

same criteria you’d use to evaluate the quality of a module can be used to evaluate security of the module. indirect & subjective, but a good starting place.

University of Pennsylvania “drupal approved modules” – staff who have audited the code, no guarantees, but has been reviewed.

coder module will give information about use of coding standards, another way of judging attention to detail. someone’s working on an add-on “secure code review”

xsrf – request forgery – anytime where visiting a page does something…potential flaw – if you see big crazy number (token) at the end, that’s good. (same sort of thing happens in ob.)

test for access bypass, with a variety of roles and permissions: what features still work if logged out? a flaw in code may allow inappropriate access: node access control + filefield – private node files could still be accessed as if public.

securepages – oh, our apache config is already set up for that (redirect to ssl version) – but has some maintenance issues

password_policy or password_strength

role_delegation – moderator can give moderator access to others, w/out full admin users permission

video_filter – safe way to post youtube, etc. w/out allowing script. difference from mfield?

adminrole – which I’m using and really like. (I turn the admin user off most of the time.)

always test updates before going live. drush pm-update. all updates w/single command – time-saver! read the advisories: not all issues apply to everybody.

crackingdrupal.com, owasp.org

discussion of password security, expiration, enforcing strong passwords. greggles talked about false sense of security about strong passwords, better to work on detecting brute force attacks. (there’s a module for the latter, login_security)

webform 3

“now more abusable than ever!”

oh, he’s one of the using drupal co-authors. (get book signed? 🙂 )

pnwsummit coupon code thru next week. (might have to talk to matt abt that)

doesn’t use entities in D7 – database tables issue. nor fields (ie CCK)

trying to remember what my really weird webforms use-case was. chat survey?

was looking bleak about a year ago: more than 650 open issues, but all better now! scaled back the scope of webform 3. still lots of people on webform 2.

conditional fields! yay. “choose your own adventure”

save draft of form and resume later. (works for anon, but that disables caching for that user; interesting discussion of edge/use cases)

can multiple have webform-enabled content types

“basic” views support – eg, listing of submissions – but not yet listings of submitted data, patch has it working. (I think the latter is what I had trouble with, and had to write some custom php for.)

better data integrity, harder to break by end users. oh, like the problem with changing values of locations for holidays.

form builder integration did NOT happen, there’s a project – visual interface – too much work, but may include backwards (????)

lots of API stuff. include ability to create dynamic select lists.

was it webform that I wrote custom stuff for to talk to campaign monitor?

options moved to step 2, so as to not stuff everything into regular node form.

email config is in its own tab – who gets the email. includes template options for the actual email text. handy. template option not yet fully developed.

and then a separate tab for all those options.

(what about upgrading existing forms?)

CSV doesn’t support UTF-8? huh. nice: Excel format is just TSV with .xls extension. 🙂

separate receipt template for multiple recipients

mimemail module – can send html email & attachments. oh, so then webform can email attachments!

webform will automatically use date popup module if it’s turned on. lots of other modules that if you turn them on, more options automatically appear in webform.

page breaks. conditional logic. and conditional logic WITH page breaks. whee!

“select or other” module – that works too. (all this stuff is listed on the module page)

integration between pay module and webform – example of a donation form. very cool. way easier than doing something with ubercart.

ah, someone else who ran into “oh, hey, canada is a different country!” problem.

what’s up with the “losing your hair” theme?

the theme also of “playing together”

graph of technology adoption.

“the enterprise” – long terms, have tech staff, have existing tech that they’re committed to keeping. risk-averse. concerned with downtime, bugs, security. and all the enterprise sites he just showed are all drupal.

case study, but can’t tell some specifics…including the name of the company. 22 content types, 16 modules, etc., etc. (we have 29 content types, altho a couple aren’t actually used.)

have a plan! (imagine that.) views, blocks, menus, etc. – being consistent with what to use where. pick naming conventions, do it consistently. (damn straight.) export as much as possible – features, core exportables. config in code, which gets into maintainability. have to use version control. hudson/selenium (testing tools? lost track for a sec) aegir, drush. need to figure out drush.

“make the robots do the f’ng work” using code instead of ui.

scaling. no longer a crazy unknown thing.

project mgmt, biggest challenge.

able to fund drupal improvements via enterprise client. panels inplace editor. interesting. hmmmm. (actually, that’s EXACTLY what C has been talking about wanting to do with a site.)

hurdles: sales, and interestingly acquia is helping with this because they have a sales staff; scope creep, esp because may not know what’s easy & what’s hard; multiple stakeholders, don’t know who’s the boss, dealing with issues that have nothing to do with you/the project. Platform requirements, moving outside your comfort zone, esp mentions MS issues. “The Pager” – uptime requirements, someone avail as emergency contact.

“this is already a big thing for them” minimize other newness.

human challenges > technical challenges. (all problems are social.)

tool: hudson, automated testing (java), selenium for browsing testing, coder.module. (also goes with one of my other pet theories: let the computers do the part they’re good at.)

aegirproject.org – automated building.

his new thing: pantheon, platform, high performance, best practice git – “trying to build the robots” http://getpantheon.com/ (I’m wondering if I should use something like this or Drupal Gardens to build out my test intranet. Way easier than what I’ve been trying to do!)

I think I have a blog post in me about this stuff, being in a (smallish) enterprise.

warning about only talking to the people that you know “uid ain’t nothin’ but a number” – most intelligent creative people may have just walked into the room; continue to be welcoming.

bring our ideals into the enterprise.

oh, or I might do a post about a year with Drupal. (not unlike my “year with Xtracycle” post!)

Q&A

“going to agile is as big a change as going with drupal” – “do one new thing at a time on a project” – but doing agile (or whatever) internally, with him as the interface with the customer in their process.

affinity bridge

more open data! how to make maps beautiful. (neat)

dude is reading his f’ng slides. boo. tuning out a bit. this is the part I know: what is open data, why is it awesome. localized, yay! ah, cross-mention w/ckan & datadotgc.ca project. disadvantages: privacy concerns, cost. (random thought: he looks like the kid from Arrested Development, esp with the askew tie. [updated: he was in the big dinner gang on Sunday, sat across from me. Really nice guy.])

map in 10 minutes: drinking fountains data, csv file. create content type: location, add fields: lat/long. choosing just a text field for simplicity. wouldn’t want to do with a large database, tho. set up gmap, api, bigger size, autozoom. using node import to bring in csv file. create view. interesting: using gmap view w/out using location module. 7 minutes flat. snazzy. (oh, this is the one mentioned in this morning’s presentation)

in 2 minutes: with install profile!

storage: cck, geo module, location (can be heavy), geotaxonomy – adds fields to a taxonomy term: tag content with a city and then pull lat/long from elsewhere, openlayers wkt. (“well-known text”?)

display: google maps, openlayers. (have wanted to play with openlayers. I wonder if it would be usable w/out security issue on branches page)

overlays/markers: heatmaps for non-point data?

tilesets: google, bing, mapbox, open street map. or generate your own! holy mackerel. big list. quantum gis – widely used open source mapping tool. mapnik. cascadenik a bit like css for ??? – missed something here.

ah, got distracted.

sleepy. dammit.

now I want data to play with! data.gov to try thing? (start w/http://www.data.gov/raw/1517?) github.com/tylor/quickmaps

got distracted looking at data. 🙂

oh, hey: http://data.wa.gov/

geocode module for taking db of address and translating to lat/long.

shape files are input to quantum gis. hard to interact w/shape file polygons? not 100% sure I understood that. polygons are a heavy server load?

“because I have crashed servers that weren’t optimized” indeed.

suggestion from Adam (at lunch) to look at the actual theme(s) that were used with themekey, see if those have any squirrelly sql-type stuff in them. (also, I wonder about the recent memory upgrade. maybe I should just *try* it and see what happens.)

shared hosting (ie this site), virtual private server (no personal experience), dedicated server (ie, work)

apache: RAM hog. 20mb+ usage? list of items: keepalivetimeout – time waiting to kill process. 1-3 seconds for drupal. maxclients – simultaneous connections. maxrequestsperchild – don’t want to force unnec restarts. no caching for authenticated users! big issue for an intranet. advanced caching module? static & dynamic content on different apache servers. intriguing. image sprites may be more useful than zlib. ramdisk for most commonly used files. memcached daemon. loadmodule.conf file, remove unused (apache) modules.

mysql – pick good option file. my-huge.conf. log slow queries. (set for abt 5 secs) need to fix all to get improved performanced. query caching, in config file for mysql, 124mb (?). innodb tables, supposed to be good for writing a lot.

php – php cache option, accelerators (like Zend, APC) apc apparently to become standard w/php6. 2 confi options in php.ini: max_execution_time (30 secs, but test!), memory_limit, usually turns to 124/148mb.

load testing. ab = apache benchmark. ab -n 50 -c 2 http://example.com gives a command-line report.

performance monitoring – uptime, free -m. if all memory is in swap, you don’t have enough ram.

top -d: how to see what processes are using how much.

vmstat: input/output speed.

wtf is this app, for performance monitoring? nagios? yes: http://www.nagios.org/

based on a question: nginex – for the static stuff, then apache only does the dynamic. or I think I hear someone saying they use it for the whole thing instead of apache.

what’s causing overload, apachetop or top to see what process. apachetop sounds really useful. also a mysqltop. cacti.

better to use performance-related modules or do stuff on the server? getting a balance between overcaching & undercaching. don’t want to double-compress.

reduce css calls. I’ve got to dig back into that.

gtmetrics (gpmetrics?)

far-future expiration headers. yslow was really helpful, and almost all front-end.

pressflow – install profile? fork. http://pressflow.org/