Friday, November 5, 2010

The sales pitch to developers …

Last night I attended the local Linux Group meeting, which featured a presentation on moving from MS Access/OO.Base to Drupal, described as:

 

“Most people think of drupal as a website framework system. However, it can also serve effectively as a replacement to the forms/reports/tables system utilized by access and base. (as well as many other things, but we won't discuss that formally tonight) No prior knowledge of Drupal is required, and for those who do understand drupal, we will go through using cck and views, as well as a few other modules to develop a replacement for a small access database.”

Since this is a Windows blog, this may appear to be off target; however, it is an emotionally detached example that illustrates what is also seen with Windows products. As an FYI, I grew up on CP/M and ran Mark Williams Coherent (a Unix clone) in the mid 1980s, and we have three Linux boxes in the house.

 

The first thing that struck me during the talk was that the speaker was laying smoke (as in a destroyer laying smoke to hide the ships behind it) and had not researched the fundamentals. Some quotes:

  • “Base/Access are a flat file system” – wrong: both are relational databases. A CSV file is a flat file.
  • “Access can only handle 65K rows” – also wrong:
    • Access can handle as many rows as will fit into its 2 GB database file limit.
    • The 65,536-row limit is Excel 2003's worksheet limit; Excel 2007 raised it to 1,048,576 rows.

This always raises concerns, because it means the presenter is clearly not knowledgeable (and thus gives a one-sided perception and a recited justification against the other product). Always ask detailed questions and press for hard answers. If you present, do not wing it; do solid research, with URLs from the official authoritative sources, to back up your claims.

 

For example, I asked if Drupal supported RBAC. The prompt answer was that it does. Fortunately we live in the age of the Internet, so I googled “Drupal RBAC”; the first hit was on the drupal.org site, and the question there was still unanswered… The speaker appeared to be uninformed (or did not know what RBAC is; people often think MAC or DAC is RBAC, and it is not). The National Institute of Standards and Technology [NIST.gov] has a clear statement of what RBAC is: users are assigned to roles, permissions are assigned to roles, and access is decided only through those role memberships, never through an object's owner (DAC) or a sensitivity label (MAC). I would love the speaker to point me to the RBAC implementation that Drupal has. As an FYI, Linux has RBAC available at the operating system level; see SELinux.
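To make the NIST distinction concrete, here is an added example (not code from this post, from NIST, or from Drupal) of the NIST RBAC reference model in a few dozen lines: Core RBAC (users, roles, permissions as operation/object pairs, sessions that activate a subset of a user's roles), Hierarchical RBAC (senior roles inherit junior roles' permissions) and Constrained RBAC (a static separation-of-duty rule checked at assignment time). The class and method names (`Rbac`, `check_access`, `add_ssd`) and the invoice roles used as sample data are assumptions for illustration only.

```python
"""NIST-style RBAC core (added example; constructed sample data)."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (operation, object), e.g. ("approve", "invoice")


class SoDViolation(Exception):
    """Raised when a user-role assignment would break a static separation-of-duty rule."""


class Rbac:
    """Core + Hierarchical + Constrained (static SoD) RBAC in the NIST sense.

    Access is decided only through roles: users hold roles, roles hold
    permissions, and a session activates a subset of the user's roles.
    Nothing here looks at an object's owner (DAC) or a label (MAC).
    """

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = defaultdict(set)
        self.juniors: Dict[str, Set[str]] = defaultdict(set)   # senior -> roles it inherits
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)
        self.ssd_rules: List[Tuple[Set[str], int]] = []         # (role set, cardinality)

    # --- administrative functions (NIST GrantPermission, AddInheritance, AssignUser ...)
    def grant(self, role: str, operation: str, obj: str) -> None:
        self.role_perms[role].add((operation, obj))

    def add_inheritance(self, senior: str, junior: str) -> None:
        """senior inherits every permission of junior (and of junior's juniors)."""
        if senior in self.authorized_roles(junior):
            raise ValueError(f"cycle: {junior} already inherits from {senior}")
        self.juniors[senior].add(junior)

    def add_ssd(self, roles: Set[str], n: int) -> None:
        """Static SoD: no user may be authorized for n or more of the given roles."""
        self.ssd_rules.append((set(roles), n))

    def assign(self, user: str, role: str) -> None:
        proposed = self.user_roles[user] | {role}
        authorized: Set[str] = set()            # SSD counts inherited roles too
        for r in proposed:
            authorized |= self.authorized_roles(r)
        for rule_roles, n in self.ssd_rules:
            if len(rule_roles & authorized) >= n:
                raise SoDViolation(f"{user}: {role} conflicts with {sorted(rule_roles & authorized)}")
        self.user_roles[user].add(role)

    # --- review and decision functions
    def authorized_roles(self, role: str) -> Set[str]:
        """Transitive closure of the hierarchy: the role plus everything it inherits."""
        seen: Set[str] = set()
        stack = [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors[r])
        return seen

    def permissions_of(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for role in self.user_roles[user]:
            for r in self.authorized_roles(role):
                perms |= self.role_perms[r]
        return perms

    def check_access(self, user: str, operation: str, obj: str,
                     active_roles: Optional[Set[str]] = None) -> bool:
        """NIST CheckAccess: true iff some *active* role, directly or by inheritance,
        holds (operation, obj). By default every assigned role is active."""
        active = self.user_roles[user] if active_roles is None else active_roles & self.user_roles[user]
        return any((operation, obj) in self.role_perms[r]
                   for role in active for r in self.authorized_roles(role))


def build_demo() -> Rbac:
    """Constructed sample: an invoice workflow with a clerk/approver SoD rule."""
    rbac = Rbac()
    rbac.grant("viewer", "view", "invoice")
    rbac.grant("clerk", "create", "invoice")
    rbac.grant("approver", "approve", "invoice")
    rbac.add_inheritance("clerk", "viewer")      # clerks can also view
    rbac.add_inheritance("approver", "viewer")   # approvers can also view
    rbac.add_ssd({"clerk", "approver"}, 2)       # nobody may both create and approve
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "approver")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print("bob may view:", r.check_access("bob", "view", "invoice"))        # True, inherited
    print("alice may approve:", r.check_access("alice", "approve", "invoice"))  # False
    try:
        r.assign("bob", "clerk")
    except SoDViolation as e:
        print("SoD blocked:", e)
```

The test of whether a product "has RBAC" in this sense is whether it offers these pieces: a permission is attached to a role rather than to a user or an object, roles can inherit, a session can activate fewer roles than the user holds (least privilege), and conflicting roles can be declared mutually exclusive. A permission list per user, or an ACL on each record, is not it.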

 

The speaker also claimed that it was “secure” to the highest level. Again, the Internet is there to verify information. Well, the Drupal site has FIVE pages of security advisories. I then checked the authoritative source, the National Vulnerability Database [NVD], another NIST.gov site, which listed 364 software flaws for the search “Drupal”. Results from other searches:

  • “OpenOffice Base” – 24
  • “Excel” – 161
  • “Microsoft Access” -- 218

Now, the speaker recommended doing an install from Acquia, which bundles Drupal with a bunch of other software; two items I checked on NVD:

  • “PHP” – 18,512 known software flaws
  • “Apache” – 446

I always use NVD to get an objective evaluation of how secure a software product is; it's your taxpayer dollars doing good work. Bottom line, it is far less secure.

 

Part of the same sales pitch was that the Obama White House used it. I googled “drupal whitehouse” and the first hit was a Feb 2009 announcement that pointed to http://recovery.gov. Well, when I went to the site, I saw that it currently delivers pages with “.aspx” extensions: ASP.NET, not Drupal. Evidently Drupal was yanked. I did find a White House announcement about Drupal from April 2010. There were also claims that the DOD used Drupal in its line of business; I was unable to find any significant Google results confirming this, only an announcement of a pilot study for social networking. The speaker hinted that it was being used for DOD secure information projects….

 

Bottom line, I would not port from Base or Access to Drupal: there is nothing clearly gained and a lot of clear losses:

  • Loss of a relational database structure (native Drupal storage is not an RDBMS)
  • Steeper learning curve – increased cost of business
    • It is easier to find general (cheap) office staff who know how to use Access or Base; the two are very similar, so if you know one you know the other. This is not the case with Drupal.
  • You need a lot more IT expertise to be secure:
    • Drupal uses Apache; if the PC is connected to the Internet and you do not have all of the firewalls and gateways properly configured, you may be hacked.
      • Classic issue: not changing default passwords, or using weak passwords.
    • A lot of software flaws.

To me, for most “alternative” approaches there are three dimensions of concern:

  • Security – protecting corporate data
  • Cost to maintain – ongoing expense
    • Learning curve
    • Availability of up-to-speed individuals today and in 7 years. Business systems should last at least 7 years without needing a refactor.
    • Often orders of magnitude above the original licensing cost (if any).
  • Degree of lock-in – upgrade path
    • How easy is it to move to upscale platforms? Access –> SQL Server Express; Base –> MySQL
    • Products die, even very, very good ones. What happens if this happens? Drupal could be hit with an IP infringement claim and the open source project ordered removed from the web. Microsoft kills stuff; I still have copies of Microsoft FORTRAN, Borland Turbo Prolog, and Microsoft PASCAL around. What is the recovery plan?

6 comments:

  1. Thanks for attending. It's good to have some people not 'drinking the Kool-Aid' attend. It keeps us on our toes.

    Secondly, many of the things you've talked about were not in scope for this talk. What the talk was mainly about concerned implementing small-scale applications with Drupal instead of Access/Excel, etc. This assumes that people are building these apps internally (Apache/MySQL hosted on site, behind a firewall). However, a benefit of using Drupal is the ability to expand past the simplicity of a single, on-site install. With that come other implications that are past the scope of this talk. The difference is, it's possible, which isn't the case with Access.

    Lastly, and to my fault: Drupal is a framework to build data-driven applications, not a database management tool (like phpMyAdmin or SQL Manager). While in essence it replaces the need to manage the database, the main point of the talk was building applications on a platform. And most people don't care about databases or storage, just that they can effectively manage their data and have it portable so they can get it from one app to another.

    Some responses to your points above:
    1) RBAC: Drupal's main permissions system is role based and gives granular control out of the box. Each module has its own set of permissions, which allows the administrator to grant particular access control to users. Additionally, with the LDAP auth module, you can integrate Drupal with AD, eDir, OpenLDAP, etc. to recognize the roles already established by an organization.
    http://drupal.org/handbook/modules/user
    http://drupal.org/project/nodeaccess
    http://drupal.org/project/ldap_integration


    2) Drupal has had security issues pop up, just like all other applications. But its response time is second to none. Just like any other software application, maintaining updates is key to keeping secure. Like other F/OSS applications, security is obtained with more eyes on the code. http://www.wired.com/software/coolapps/news/2004/12/66022
    http://drupal.org/security
    As well as a framework that encourages developers to write secure code.
    http://drupal.org/writing-secure-code

    Because of its security record, many large governments around the world are moving to drupal:
    http://buytaert.net/tag/government

  2. Continued..

    But moving back to small-scale rollouts, people should (and would) be running the stack (MySQL, Apache, PHP, Drupal) only listening on localhost. It wouldn't be available to the Internet.

    Recovery.gov is an interesting example of lack of execution. When it went out to bid for phase two, a .net company won the bid. I'd say this reflects less on drupal and more on the original company implementing it. Which can be poor no matter what technology you're using.

    While Drupal's storage system is not a strict RDBMS, its API layer gives the same functionality. Again, the typical small IT shop should not be worrying about the storage underneath.
    http://fourkitchens.com/blog/2009/07/05/how-schema-got-bad-name

    There is somewhat of a learning curve to drupal from a development standpoint, but I'd argue that its similar to access or base. The advantage is that you're now working with enterprise grade software, instead of small business software. There is a reason why people aren't using access to manage data in a fortune 500 company. But they do use drupal.

    Which leads to the survivability of Drupal. This year it will be turning 10 years old. It's arguably the largest CMS out there, free or not.
    It's built on MySQL, and has a fairly database storage schema, something a DBA could ramp up on in little time. It's portable, meaning you can export data to almost any format you wish; and lastly it's built on PHP, which has been around even longer and is even more widely used.

    You mention upscale platforms; however, Drupal already is considered an upscale platform. It's handling millions of hits per day (MTV, Lifetime, RadarOnline, Playboy) and millions of rows of data. The nice thing about Drupal is you can start small, and then when the budget is available, you can ramp up the other things needed to make it scale. You're not stuck in a dead-end application like Access.

    Microsoft 'kills' stuff is very true, and a reason not to be tied into Access. But this is open source. You can't 'kill it'; the code is out there and the community is out there. A good example is OpenOffice. Oracle is trying its best to kill it, but people are revolting and splintering off to make LibreOffice.

    Drupal is here to stay; it's one of the largest growing developer segments compared to other CMSs: http://buytaert.net/drupal-can-help-pay-for-your-rent
    (indeed.com: .Net nuke: 63 jobs, Drupal : 3000+ jobs, Microsoft Access developer: 5000 jobs)

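Both the post's warning that an Internet-connected Apache box "may be hacked" and the presenter's reply that a small install should listen only on localhost come down to one check: is anything in the stack bound to a non-loopback address? The following is an added example (not code from the post, the presenter, or Drupal) that parses Linux `ss -ltn` output and reports every listener reachable from outside the host. The sample output is constructed, not captured from a real machine, and the function names are assumptions.

```python
"""Flag TCP listeners not bound to a loopback address (added example)."""
import ipaddress
from typing import List, Tuple

# Constructed `ss -ltn` output: MySQL correctly on loopback, Apache on every
# IPv4 address, an IPv6 loopback listener, and sshd on the wildcard.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     [::1]:80             [::]:*
LISTEN  0       128     *:22                 *:*
"""

LOOPBACK_NAMES = {"localhost"}


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'addr:port' or '[v6addr]:port' into (addr, port); the port follows the last colon."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the name 'localhost'; wildcards ('*', 0.0.0.0, ::) are not."""
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or another non-literal bind means every interface


def exposed_listeners(ss_output: str) -> List[Tuple[str, str]]:
    """Return (address, port) for each LISTEN socket that is not on loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_endpoint(fields[3])   # Local Address:Port column
        if not is_loopback(addr):
            exposed.append((addr, port))
    return exposed


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed: {addr} port {port}")
```

On a real host, feed it `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`. For the sample above it reports port 80 on 0.0.0.0 and port 22 on `*`; the stack-side fixes are `Listen 127.0.0.1:80` in the Apache configuration and `bind-address = 127.0.0.1` in my.cnf, after which only sshd remains and the firewall question is reduced to one port. Checking the actual bound sockets is the point: a "behind a firewall" assumption is not verified by reading the firewall rules alone.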
  3. Comment received by email: "One myth about open source is that it is magically more secure/ less security risks. Last night I heard a talk on Drupal and then did a...
    You compared Drupal, a web application, to Excel, a desktop application? That's like comparing Apples to Washing Machines.

    All source code has bugs. Drupal's are going to be more public and more easily found."


    Agreed that it's wash tubs and washing machines, but one of the bugs that I saw was an incorrect implementation of some standard encryption algorithms. A "closed" shop is more likely to deeply test for correctness; open source code (especially contributed add-ons) tends to go for apparent sufficiency.

    In the case of the encryption/decryption issue it creates a nasty problem -- the encrypted data can be handled within the component -- but if there is a need to pass it encrypted elsewhere for some other component (correctly done) to decrypt it breaks.

    Worse yet, if there is much data saved into a database and then they fix it, the old data may become inaccessible.

    There's an important difference between open source originating from and managed by hard-core professionals (funding sufficient testing) and community-generated open source (which tends to do surface testing and not deep testing...).

    An unfortunate situation that is not always apparent or discussed. In short, 10% of open source code has reasonable quality assurance, 90+% does not. (There are bragging rights to saying "I contributed a module"; those rights are not there for "I wrote 100 unit tests for this module and found 15 bugs.")

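The failure mode described in the comment above (an encryption routine is wrong, it is fixed, and records written by the old code either break interoperability or become unreadable) is avoided by versioning ciphertexts: every stored blob carries a format byte, the reader dispatches on it, and a migration rewrites legacy blobs in the corrected format. The following is an added example of that pattern and is not code from the post, the commenter, or Drupal; the comment does not say what the actual bug was, so the "v1" legacy scheme here (keystream reused across messages, no integrity tag) is an assumed, illustrative defect. Both schemes are hash-based stream ciphers built only from the standard library so the example runs anywhere; in production the "v2" slot would hold a vetted AEAD such as AES-GCM.

```python
"""Versioned ciphertexts with a legacy reader and a migration (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Iterable, List

V1, V2 = b"\x01", b"\x02"          # format byte at the front of every stored blob
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: block i = SHA256(key || nonce || i)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# v1: the assumed legacy format the old component wrote. Every message reuses
# one keystream (no nonce) and nothing authenticates the ciphertext.
def encrypt_v1(key: bytes, plaintext: bytes) -> bytes:
    return V1 + _xor(plaintext, _keystream(key, b"", len(plaintext)))


def decrypt_v1(key: bytes, blob: bytes) -> bytes:
    if blob[:1] != V1:
        raise ValueError("not a v1 blob")
    body = blob[1:]
    return _xor(body, _keystream(key, b"", len(body)))


# v2: the corrected format. Fresh random nonce per message, encrypt-then-MAC
# over version || nonce || ciphertext so tampering is detected before decryption.
def encrypt_v2(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, V2 + nonce + ct, hashlib.sha256).digest()
    return V2 + nonce + ct + tag


def decrypt_v2(key: bytes, blob: bytes) -> bytes:
    if blob[:1] != V2 or len(blob) < 1 + NONCE_LEN + TAG_LEN:
        raise ValueError("not a v2 blob")
    nonce, ct, tag = blob[1:1 + NONCE_LEN], blob[1 + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, V2 + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def decrypt_any(key: bytes, blob: bytes) -> bytes:
    """The reader keeps the legacy path alive instead of dropping it with the fix."""
    version = blob[:1]
    if version == V1:
        return decrypt_v1(key, blob)
    if version == V2:
        return decrypt_v2(key, blob)
    raise ValueError(f"unknown ciphertext version {version!r}")


def migrate(key: bytes, blobs: Iterable[bytes]) -> List[bytes]:
    """Rewrite stored blobs in the current format; v2 blobs pass through unchanged."""
    return [blob if blob[:1] == V2 else encrypt_v2(key, decrypt_any(key, blob)) for blob in blobs]


if __name__ == "__main__":
    key = os.urandom(32)
    old = encrypt_v1(key, b"invoice 42 approved")
    try:
        decrypt_v2(key, old)            # a reader that only knows the fix rejects old rows
    except ValueError as e:
        print("fixed-only reader:", e)
    print("migrated:", [decrypt_any(key, b) for b in migrate(key, [old])])
```

Two things follow from the version byte. A component that only implements the corrected scheme can still tell a legacy blob apart from a corrupted one and report it instead of returning garbage, and the migration can be run once, offline, with the legacy decryptor deleted afterwards. Without the byte, the operator cannot know which rows were written by the broken code, which is exactly the "old data may become inaccessible" outcome in the comment.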
  4. Jakob,
    You are clearly a Drupal evangelist. You are trying to build a business focused on Drupal, which is good. My role for many years has been in the areas of Development Manager, Senior Software Architect, etc., and that means "Ken does not suffer a-promise-too-far evangelists or fools".

    IMHO, you are overstating things. One example from your supply -- I cited the reference NIST/RBAC implementation and you responded with LDAPs and 3 URLs. I checked each of the three pages and RBAC is not cited on any of those pages.

    This implies that you are not listening to the customer (giving them what you think is good for them and not what they are asking for) or do not understand what RBAC is about. I note that you have a B.S. in Computer Science, so unless standards have dropped a lot further than when I was teaching 3rd and 4th Computer Science courses for various universities, I must suspect the former explanation.

    You will do your customers and yourself better service by knowing the true boundaries of Drupal and giving up your belief that it (and open source) is a true panacea. There are spots where it is clearly white, areas where it is clearly black, and rather long expanses where it is various shades of gray. In the gray zone, there are many, many islands of whiteness that are other products.

    Put your customers on the best white islands for their current and near-term (5 yr) future. You need to recognize that they are white islands and not coral reefs to terrorize the customers away from.

    IMHO

  5. There seems to be a lot of hostility coming from Ken here. Flatly stating things like:

    " A "closed" shop is more likely to deeply test for correctness, open source coding(especially contributed add-on) tend to go for apparent sufficiency. "

    That are simply not true and just the opinion of the author.

    The comments left imply that open source software is more buggy based on looking at a security report searching for Drupal...? I'm not a Drupal fan; actually I don't really like Drupal at all, but to state that Drupal is insecure because the "National Vulnerability Database [NVD], another Nist.Gov, site which listed 364 software flaws security advisories for the search “Drupal”" is not very intelligent at all....

    Of course it does; the software is "open source", so the bugs get found. As a matter of fact, if you looked a bit deeper at those results you would see that most of those are related to older versions of Drupal.

    Closed source systems don't reveal their source code; as a result the only people who can debug the source code are some of those who work in the company. The debugging process depends on the policy of the company and how much the company is ready to pay, both time and money, for debugging. The budget for debugging is almost always limited.

    This thread just gets uglier as you continue on and question the presenter's intelligence (totally unnecessary), and after requesting URLs to back things up you quickly shut him down, saying the URLs did not mention RBAC when he was obviously implying RBAC through AD and LDAP.

    I, for one, would take my business elsewhere just to not have to deal with someone who is on such a high-horse island, as I would feel I can't relate to you as a customer.
