Comments on Project 31-A: The sales pitch to developers …

Feed author: Wayne Walter Berry

There seems to be a lot of hostility coming from Ken here. Flatly stating things like:

" A "closed" shop is more likely to deeply test for correctness, open source coding (especially contributed add-on) tend to go for apparent sufficiency. "

That are simply not true and just the opinion of the author.

The comments left imply that open source software is more buggy based on looking at a security report searching for Drupal....? I'm not a drupal fan, actually I don't really like Drupal at all, but to state that because it has "National Vulnerability Database [NVD], another Nist.Gov, site which listed 364 software flaws security advisories for the search “Drupal”." That drupal is insecure is not very intelligent at all....

Of course it does, the software is "open source" the bugs get found. As a matter of fact if you looked a bit deeper at those results you would see that most of those are related to older versions of drupal.

Closed Source Systems don't reveal their source code; as a result the only people who can debug the source code are some of those who work in the company. The debugging process depends on the policy of the company and how much the company is ready to pay - both time and money - for debugging.
The budget for the debugging is almost always limited.

This thread just gets uglier as you continue on and question the presenter's intelligence (totally unnecessary) and after requesting URLs to back things up you quickly shut him down saying the URLs did not mention RBAC when he was obviously implying RBAC through AD and LDAP.

I for one would take my business elsewhere just to not have to deal with someone who is on such a high-horse-island as I would feel I can't relate to you as a customer.

Posted by silverstartrading, 2010-11-09 16:03 -08:00

Jakob,

You are clearly a Drupal evangelist. You are trying to build a business focused on Drupal which is good. My role for many years has been in the areas of Development Manager, Senior Software Architect etc and that means "Ken does not suffer a-promise-too-far-evangelists or fools".

IMHO, you are overstating things. One example from your supply -- I cited the reference NIST/RBAC implementation and you responded with LDAPs and 3 URLs. I checked each of the three pages and RBAC is not cited on any of those pages.

This implies that you are not listening to the customer (giving them what you think is good for them and not what they are asking for) or do not understand what RBAC is about. I note that you have a B.S. in Computer Science --- so unless standards have dropped a lot further than when I was teaching 3rd and 4th Computer Science courses for various universities, I must suspect the former explanation.

You will do your customers and yourself, better service by knowing the true boundaries of drupal and give up your belief that it (and open source) is a true panacea. There are spots where it is clearly white, areas where it is clearly black and rather long expansions where it is various shades of gray. In the gray-zone, there are many many islands of whiteness that are other products.

Put your customers on the best white islands for their current and near-term (5 yr) future.
You need to recognize that they are white islands and not coral reefs to terrorize the customers away from.

IMHO

Posted by Ken Lassesen, Dr.Gui (MSDN) retired, 2010-11-06 10:52 -07:00

Comment received by email: "One myth about open source is that it is magically more secure/ less security risks. Last night I heard a talk on Drupal and then did a...
You compared Drupal, a web application, to Excel, a desktop application? That's like comparing Apples to Washing Machines.

All source code has bugs. Drupal's are going to be more public and more easily found."

Agreed that it's wash tubs and washing machines -- but one of the bugs that I saw was incorrect implementation of some standard encryption algorithms. A "closed" shop is more likely to deeply test for correctness, open source coding (especially contributed add-on) tend to go for apparent sufficiency.

In the case of the encryption/decryption issue it creates a nasty problem -- the encrypted data can be handled within the component -- but if there is a need to pass it encrypted elsewhere for some other component (correctly done) to decrypt it breaks.

Worse yet, if there is much data saved into a database and then they fix it, the old data may become inaccessible.

There's an important difference between open-source originating and managed by hard-core professional (funding sufficient testing) and community-generated open-source (which tend to do surface testing and not deep testing...)

An unfortunate situation that is not always apparent or discussed.
In short 10-% of open source code has reasonable quality assurance, 90+% does not (There's bragging rights to saying "I contributed a module" those rights are not there for "I wrote 100 unit tests for this module and found 15 bugs")

Posted by Ken Lassesen, Dr.Gui (MSDN) retired, 2010-11-06 10:06 -07:00

Continued..

But moving back to small-scale rollouts, people should (and would) be running the stack (mysql, apache, php, drupal) only listening on localhost. It wouldn't be available for the internet.

Recovery.gov is an interesting example of lack of execution. When it went out to bid for phase two, a .net company won the bid. I'd say this reflects less on drupal and more on the original company implementing it. Which can be poor no matter what technology you're using.

While Drupal's storage system is not a strict RDBMS, its api layer gives the same functionality. Again, the typical small IT shop should be not worrying about the storage underneath.
http://fourkitchens.com/blog/2009/07/05/how-schema-got-bad-name

There is somewhat of a learning curve to drupal from a development standpoint, but I'd argue that it's similar to access or base. The advantage is that you're now working with enterprise grade software, instead of small business software. There is a reason why people aren't using access to manage data in a fortune 500 company. But they do use drupal.

Which leads to the survivability of drupal. This year it will be turning 10 years old. It's arguably the largest CMS out there, free or not.
It's built on MySQL, and has a fairly database storage schema, something a dba could ramp up on in little time. It's portable, meaning you can export data to almost any format you wish; and lastly it's built on php, which has been around even longer and is even more widely used.

You mention upscale platforms, however drupal already is considered an upscale platform. It's handling millions of hits per day (mtv, lifetime, radaronline, playboy) and millions of rows of data. The nice thing about drupal is you can start small, and then when the budget is available, you can ramp up the other things needed to make it scale.
You're not stuck in a dead-end application like access.

Microsoft 'kills' stuff is very true, and a reason not to be tied into Access. But this is open source. You can't 'kill it', the code is out there and the community is out there. A good example is OpenOffice. Oracle is trying its best to kill it, but people are revolting and splintering off to make LibreOffice.

Drupal is here to stay, it's one of the largest growing developer segments compared to other CMS's: http://buytaert.net/drupal-can-help-pay-for-your-rent
(indeed.com: .Net nuke: 63 jobs, Drupal : 3000+ jobs, Microsoft Access developer: 5000 jobs)

Posted by Jakob, 2010-11-05 11:46:53 -07:00

Thanks for attending. It's good to have some people not 'drinking the Kool-Aid' attend. It keeps us on our toes.

Secondly, many of the things you've talked about were not in scope for this talk. What the talk was mainly about concerned implementing small scale applications with drupal instead of access/excel, etc. This assumes that people are building these apps internally (apache/mysql hosted onsite, behind a firewall). However, a benefit of using drupal is the ability to expand past the simplicity of a single, on-site install. With that comes other implications that are past the scope of this talk. The difference is, it's possible. Which isn't with Access.

Lastly, and to my fault, that drupal is a framework to build data driven applications, not a database management tool (like phpMyAdmin or sql manager). While in essence it replaces the need to manage the database, the main point of the talk was building applications on a platform.
And for most people, they don't care about databases or storage, just that they can effectively manage their data and have it portable so they can get it from one app to another.

Some responses to your points above:

1) RBAC: Drupal's main permissions system is role based, and gives granular control out of the box. Each module has its own set of permissions which allows the administrator to grant particular access control to users. Additionally, with the LDAP auth module, you can integrate drupal in the AD, eDir, OpenLDAP, etc to recognize the roles already established by an organization.
http://drupal.org/handbook/modules/user
http://drupal.org/project/nodeaccess
http://drupal.org/project/ldap_integration

2) Drupal has had security issues pop up, just like all other applications. But its response time is second to none. Just like any other software application, maintaining updates is key to keeping secure. Like other F/OSS applications, security is obtained with more eyes on the code.
http://www.wired.com/software/coolapps/news/2004/12/66022
http://drupal.org/security
As well as a framework that encourages developers to write secure code.
http://drupal.org/writing-secure-code

Because of its security record, many large governments around the world are moving to drupal:
http://buytaert.net/tag/government

Posted by Jakob, 2010-11-05 11:46:23 -07:00