Last night I attended the local Linux Group meeting, which featured an MS Access/OO.Base to Drupal presentation described as:
“Most people think of Drupal as a website framework system. However, it can also serve effectively as a replacement for the forms/reports/tables system utilized by Access and Base. (As well as many other things, but we won't discuss that formally tonight.) No prior knowledge of Drupal is required, and for those who do understand Drupal, we will go through using CCK and Views, as well as a few other modules to develop a replacement for a small Access database.”
Since this is a Windows blog, this appears to be off target – however, it’s an emotionally detached example that illustrates what is also seen with Windows stuff. As an FYI, I grew up on CP/M and ran Mark Williams Unix (Coherent) in the mid-1980s; we have three Linux boxes in the house.
The first thing that struck me during the talk was that the speaker was laying smoke (as in a destroyer laying smoke to hide ships behind it) and did not know/research fundamentals. Some quotes:
- “Base/Access are a flat file system” – wrong, both are databases. A CSV file is a flat file system.
- “Access can only handle 65K rows”:
  - Access can handle as many rows as will fit into 2GB of storage.
  - Excel 2007 can handle up to 1,000,000 rows.
This always raises concerns because it means that the presenter is clearly not knowledgeable (and thus gives a one-sided perception and recitation of justifications against the other product). Always ask detailed questions and press for hard answers. If you present, do not wing it – do solid research with URLs from the official, authoritative sources to back up claims.
For example, I asked if Drupal supported RBAC. The prompt answer was that it does. Fortunately we live in the age of the Internet, so I googled “Drupal RBAC”; the first hit was on the drupal.org site, and it was still unanswered… The speaker appeared to be uninformed (or did not know what RBAC is – people often think MAC or DAC is RBAC; it’s not). The National Institute of Standards and Technology [NIST.gov] has a clear statement of what RBAC is. I would love the speaker to point me to the RBAC implementation that Drupal has. As an FYI, Linux has RBAC available at the operating system level: see SELinux.
The speaker also claimed that it was “Secure” to the highest level. Again, the Internet is there to verify information. Well, the Drupal site has FIVE pages of Security Advisories. I then checked the authoritative source, the National Vulnerability Database [NVD], another NIST.gov site, which listed 364 software flaw security advisories for the search “Drupal”. Results from other searches:
- “OpenOffice Base” – 24
- “Excel” – 161
- “Microsoft Access” – 218
Now, the speaker recommended doing an install from Acquia, which bundles it with a bunch of other software. I checked two of those items on NVD:
- “PHP” – 18512 software flaws known
- “Apache” – 446
I always use NVD to get an objective evaluation of how secure a software product is. It’s your taxpayer dollars doing good work. Bottom line, it is far less secure.
Part of the same sales pitch was that the Obama White House used it. I googled “drupal whitehouse” and the first hit was a Feb 2009 announcement that pointed to http://recovery.gov. Well, when I went to the site, I saw that the site currently delivers pages with “.aspx” – AspNet, not Drupal. Evidently Drupal was yanked. I did find a White House announcement about Drupal from April 2010. There were also claims that the DOD used Drupal in its line of business – I was unable to find any significant Google items confirming this is happening; there is an announcement of a pilot study for social networking. The speaker hinted that it was being used for DOD secure information projects….
Bottom line, I would not port from Base or Access to Drupal: There is nothing clearly gained and a lot of clear losses:
- Loss of a relational database structure (native Drupal storage is not an RDBMS)
- Steeper learning curves – increased cost of business
- Easier to find general (cheap) office staff that know how to use Access or Base – the two are very similar so if you know one, you know the other – this is not the case with Drupal.
- You need a lot more IT expertise to be secure:
  - Drupal uses Apache – if the PC is connected to the internet and you don’t have all of the firewalls and gateways properly configured, you may be hacked.
  - Classic issue is not changing default passwords… or using weak passwords
  - A lot of software flaws
To me, for most “alternative” approaches there are three dimensions of concern:
- Security – protecting corporate data
- Cost to maintain – ongoing expense
  - Learning curve
  - Availability of up-to-speed individuals today and in 7 years… Business systems should last at least 7 years without needing a refactor.
  - Often magnitudes above original licensing cost (if any).
- Lock-in Degree – upgrade path
  - How easy is it to move to upscale platforms? Access –> SQL Server Express; BASE –> MySQL
  - Products die – even very very good ones. What happens if this happens? Drupal could be hit with an IP infringement and the open source project ordered removed from the web. Microsoft kills stuff; I still have copies of Microsoft FORTRAN, Borland Turbo Prolog, and Microsoft PASCAL around. What is the recovery plan?