GVS is now part of Acquia.

Recent Blog Posts

Posted by Greg

Drupal Security Report: Connect with Fans, Reason to Sponsor

Recently our company worked with partners and sponsors to create a thoroughly researched, high-quality document about the state of security in the open source Drupal project. You can download the report from DrupalSecurityReport.org, but right now I want to talk about the motivations, the audience, and the funding model behind the report, because we feel that we've solved a tricky problem: funding expensive work in an easily copied medium (PDF downloads). We decided to try a variation on Techdirt's strategy to "Connect with Fans and give them a Reason to Buy".

This report was something that my colleague Ben Jeavons and I had wanted to do for a long time, but we couldn't fund it entirely from our own company resources. The target audience for the report is people who are considering Drupal and we didn't feel that they would be willing to spend money purchasing the report.

Connect with Fans

Fortunately, we have built up an audience among people interested in Drupal security. Last fall I did a security webinar for a few hundred folks leveraging Acquia's webinars. Our blogs are directly read by a few thousand people interested in Drupal and are syndicated to over 20,000 readers interested in the topic. We've also done several presentations on Drupal security.

So, with a purpose and some fans in tow, we turned to business contacts we've made over the years to see if they could help with funding.

Reason to Sponsor

Based on our discussions with them, our sponsors were motivated to sponsor the report by three major ideas (and one sub-idea).

  1. They sell Drupal in the enterprise space and are often confronted with questions about security and don't have a good answer. They wanted something they could point to.
Posted by Greg

What content is HOT on my site? Drupal's Radioactivity module to the rescue

Earlier this year we supported the IxDA in launching a new version of their IxDA.org site. One of the many interesting new features of this site is the ability to sort content by "hotness". The goal of this tool is to create a list of interesting content on the site. Their analytics show them that most people who are involved in the site visit it at least twice a month. So, they wanted a system to highlight content over the last two to three weeks. Enter the radioactivity module.

Radioactivity Module for Drupal

The Radioactivity module works on the concept of adding energy to a piece of content which then "decays" (or diminishes) with a particular half-life. The exact behavior is up to the site administrator, but on IxDA.org we originally set it up with values roughly similar to:

  • Posting content adds a lot of energy, so that the hotness favors recent items.
  • Commenting on a post adds some energy.
  • Voting up adds a bit of energy; voting down subtracts some energy.
  • Favoriting a post adds some energy as well.

We've got a few other elements that affect energy to help offset any potential gaming.

We set the half-life for decay to 15 days. So, if a piece of content gets posted and receives 3 comments, 2 up votes, 1 favorite and 100 views on the first day, it will have about 500 units of energy. If it gets no new energy, it decays down to 250 units after 15 days, then down to 125 after 30 days, and so on. Eventually the energy and the decay are both really small, and for efficiency the module simply deletes all records with less than 2 units of energy.
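As an added example (not code from the Radioactivity module or the original post), here is the half-life model above worked through in shell with awk. The 15-day half-life and the 2-unit prune threshold are the values quoted above; the event lines fed to the ranking function are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Radioactivity module or the original post.
# It models the energy/half-life scheme described above with awk:
#   energy(t) = energy(0) * 0.5 ^ (t / half_life)
# Half-life and prune threshold are parameters; 15 days and 2 units are the
# values the post quotes for IxDA.org.

# Energy left after DAYS days, starting from ENERGY, with half-life HALF_LIFE.
#   decayed_energy 500 15 15  -> 250.00
decayed_energy() {
  awk -v e="$1" -v days="$2" -v hl="$3" \
    'BEGIN { printf "%.2f\n", e * 0.5 ^ (days / hl) }'
}

# Hotness ranking at day NOW. Reads constructed event lines "day item energy"
# on stdin (one per post, comment, vote, favorite or view batch), decays each
# event from the day it happened, sums per item, drops items below PRUNE
# (the module deletes such records) and prints "item energy", hottest first.
# Decaying each event separately gives the same total as decaying a running
# sum, because the decay factor is the same for every unit of energy.
hotness_at() {
  awk -v now="$1" -v hl="$2" -v prune="$3" '
    { energy[$2] += $3 * 0.5 ^ ((now - $1) / hl) }
    END {
      for (item in energy)
        if (energy[item] >= prune)
          printf "%s %.2f\n", item, energy[item]
    }' | sort -k2,2 -nr
}

# Demo with constructed events: the 120-day-old post has decayed to under
# 2 units (500 / 2^8 = 1.95) and is pruned; the two newer ones are ranked.
demo_hotness() {
  printf '%s\n' '0 post-a 500' '90 post-b 100' '105 post-c 40' | hotness_at 120 15 2
}

demo_hotness
```

Because decay is multiplicative, an item's energy only ever reaches zero by pruning; the threshold is what keeps the table from filling with stale, near-zero rows.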

Posted by Ben

Security training and sessions at Drupalcon Copenhagen

Carl, Ezra, Lisa, and I will be at DrupalCon Copenhagen later this month. We're giving a handful of sessions and running a training. So, if you're in Copenhagen on August 23rd and interested in security training on identifying and fixing common security risks on your site, join us! Check out Security: Process, code & hands-on training to sign up.

Our Sessions at Drupalcon

Drupal Security Paper update

Last week we published a minor update to the Drupal Security Paper, a report on the state of Drupal security and how it addresses security risks and concerns. We expanded some of the Security Advisory analysis data and made a few minor corrections. If you have not read it, now is a great time to take a few minutes and give it a read.

Posted by Greg

Ubuntu cron Isn't Running? Some things to check:

I had some issues where cron wasn't running the scripts that I had placed into /etc/cron.hourly or /etc/cron.daily, and I spent a bit of time trying out different things to figure out how to fix it. Here are some of the things I fixed. I think the problems were, in fact, not all present, but several were, which meant that every time I thought I had it fixed I would come back later and see it still wasn't running.

An Extension on Your Program Name in /etc/cron.*/

Cron has very specific rules about file names. In fact, those rules are:

same naming convention as used by run-parts(8): they must consist solely of upper- and lower-case letters, digits, underscores, and hyphens.

So, don't put a period or a file "extension" in the names of those files.

Cron Scripts Inherit A Limited Environment

Unless you've added information to the top of your /etc/crontab, the environment for the user that runs cron jobs will be very limited. All commands and shell scripts should be given with their full path (e.g. "/usr/bin/mysqldump" instead of "mysqldump"). Explicitly state the shell on the first line of each script.

Make Sure The Jobs are in /etc/crontab and Cron/Anacron are installed

Just because you're using "Ubuntu" doesn't mean it's the same Ubuntu that you're used to. Make sure that appropriate jobs have been added to the /etc/crontab file. It's possible that cron/anacron won't be installed on the system. If not, try:

sudo apt-get install cron anacron

Make a Basic Script and Check the Cron Log

Depending on your system the cron log may be in different places, but for me it was in /var/log/syslog. If that isn't helpful, try adding debugging statements to different scripts to make sure they are running, and test different assumptions along the way. You can also try creating a script that will get executed first ("aaa_test_script" is my favorite) and make it do something really trivial like

echo $PATH > /tmp/cron_path.txt
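The checks above, scripted as shell functions. This is an added example and not part of the original post: the directory and script paths are arguments so the checks can be pointed at a test copy, the keyword list in unqualified_commands is a crude heuristic of this example rather than anything cron itself provides, and write_probe_job writes the aaa_test_script idea from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the checks above as shell
# functions. DIR and SCRIPT are arguments so the checks can be pointed at
# /etc/cron.daily, /etc/cron.hourly or a test copy.

# run-parts(8) only runs files whose names consist solely of letters, digits,
# underscores and hyphens, so "backup.sh" in /etc/cron.daily is silently
# skipped. Print every name in DIR that run-parts would ignore.
bad_cron_names() {
  for f in "$1"/*; do
    [ -e "$f" ] || continue
    name=${f##*/}
    case "$name" in
      *[!A-Za-z0-9_-]*) printf '%s\n' "$name" ;;
    esac
  done
}

# Cron jobs inherit a minimal environment (no user profile, a short PATH), so
# commands should be written with their full path. This is a crude heuristic
# of this example, not anything cron provides: print the first word of each
# command line in SCRIPT that is neither an absolute path, a variable
# assignment, nor a common shell keyword or builtin. Only the first command
# of a pipeline is examined.
unqualified_commands() {
  while IFS= read -r line; do
    line=${line#"${line%%[![:space:]]*}"}      # strip leading whitespace
    case "$line" in ''|'#'*) continue ;; esac  # skip blanks and comments
    cmd=${line%%[[:space:]]*}                  # first word of the line
    case "$cmd" in
      /*|*=*) ;;                                        # full path or assignment
      if|then|else|elif|fi|for|while|until|do|done) ;;  # shell keywords
      'case'|'esac'|echo|cd|export|exit|set|test|'['|'{'|'}') ;;
      *) printf '%s\n' "$cmd" ;;
    esac
  done < "$1"
}

# The probe job from the post: a trivially named script, run first by
# run-parts, that records the PATH cron actually gives it. The interpreter is
# stated explicitly on the first line.
write_probe_job() {
  printf '%s\n' '#!/bin/sh' 'echo "$PATH" > /tmp/cron_path.txt' > "$1/aaa_test_script"
  chmod 0755 "$1/aaa_test_script"
}
```

Run bad_cron_names against each /etc/cron.* directory first; a silently skipped file name is the cheapest of these problems to rule out, and unlike a PATH issue it leaves nothing in the log.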

Posted by Ben

Drupal Security Report

Last week at DrupalCon SF we released the Drupal Security White Paper on drupalsecurityreport.org. The paper has been under development for the last several months and we worked hard to complete it in time for DrupalCon.

Addressing ongoing questions about Drupal security, the paper analyzes the Security Team's Security Advisories and discusses how Drupal 6 and 7 address common and critical security risks, including those of the OWASP Top Ten.

We couldn't have done it without the help of our sponsors, including Cydeck and Examiner.com among others, and without the help of our reviewers. Thank you!

If you're evaluating Drupal for use on your site, this report is for you. Or, if you're just curious to know more about Drupal and how it addresses security risks please give it a read.

Posted by Greg

Get a Druplicon Hat: CertifiedToRock score of 6 and tweet about it

We've got a few exciting announcements here at Drupalcon. Two of those are related to a new site we launched yesterday, CertifiedToRock.com.

Woven Druplicon Hats

We got some beautiful hand-made, wool Druplicon hats from Peru with the help of my good friend Fernando Garcia (develcuy) and the artisans that his lovely wife Nancy works with. Now we're ready to give these hats away - for free - but of course there's a catch ;)

Webchick and Vauxia in Druplicon hats

Certification for Drupal with CertifiedToRock.com

We've built a super simple (and yet, we think, still valid) certification for Drupal users based on their involvement with the Drupal project. It's located at CertifiedtoRock.com where you can enter a drupal.org username and see the corresponding certification level of that individual. Learn more about CertifiedToRock.

certified to rock screenshot for webchick

If you want a hat, tweet a link to your score with @certifiedtorock and we'll hook you up if your score is 6 or higher. After noon on Wednesday we'll be giving out hats to anyone with a score of 5 or higher.

Files from my DrupalCon San Francisco session on theme preprocess functions

Attached to this post at the bottom is an archive of the theme I was using including my theme files that I used today in my session on theme preprocess functions.

Don't forget to get the devel module in order to use the function dpm().

For those of you who witnessed the problems I was having today, the reason I couldn't load the right data was because I was getting a MySQL error because I was trying to push too much information using dpm().

Warning: Got a packet bigger than 'max_allowed_packet' bytes query: ...

This is because I was pushing data into $messages with dpm() in mytheme_preprocess_page() on subsequent page requests, which means $vars['messages'] was recursing. Eventually, I exceeded the PHP memory limit and PHP would die in the theme layer, which is output buffered, so $_SESSION wasn't being refreshed. Anyway, live debugging at its finest.

To avoid this problem yourself, make sure you aren't using dpm() in preprocess_page() on too many successive requests. Do it once, refresh twice, then comment it out next time.

If you attended the talk and didn't take the survey, please visit the survey page to do so.

Thanks!

Posted by Greg

Example Sprint Burn Down Chart: Excel, Google Spreadsheet, OpenOffice.org

I've written about the Burn Down Art site before. One unexpected result of the site is that people are visiting it based on a variety of different search terms and a few aren't getting the data they really need.

Template Burn Down Chart - Excel, Google Spreadsheet, OpenOffice.org

One thing that a lot of people have been looking for is an example or template version of a burn down chart that they can use for themselves. I won't claim that this is the best chart, but it's simple and it works pretty well.

A couple of suggestions:

  • It counts your stories and uses that count as the number of stories to burn down.
  • It counts the days in your sprint and decrements the expected-stories-remaining row by that amount.
  • There is a row showing how to add a story midway through the sprint.
  • Some people like to add more columns to the raw data showing the priority and the status.
  • Some people like to add formatting to the 0/1 cells to show when a cell became 0, as a more visual indicator on the data sheet.

Regarding the Google Spreadsheet - I created both of these documents using Google Spreadsheets and then exported them. But there's no way for me to share the current burn down spreadsheet from Google Docs to the rest of the world to use as a template. Bummer! However, you can import either of the attached documents and it will work just fine. Enjoy!

Posted by Ben

Drupal 7 multistep forms using variable functions

I like building forms. So much so that I've even been teased about it. Despite that I want to share how multistep forms have changed for Drupal 7 and to expand on how you can use variable functions to achieve cleaner and easier form step logic, including easily moving backwards in forms. Understanding multistep in Drupal 7 was prompted by my need to create easy forms for an internal GVS project that will hopefully launch soon.

Multistep in Drupal 7

In Drupal 6, to carry data back to your form builder, you set the 'storage' key of $form_state in your submit handler. In Drupal 7, you carry data over by keeping the Form API from pulling the form array out of the cache* when it returns to your builder after submission. You do so by setting $form_state['rebuild'] to TRUE in your validate or submit handlers. Another change is that the first argument of your builder must be $form, because of changes to drupal_get_form(); &$form_state is now the second argument to your form builder.

Update: 'rebuild' existed in Drupal 6 (thanks Wim) but now seems to be required for multistep to work in Drupal 7.

Drupal 7:

<?php
// Form builder definition.
function my_form($form, &$form_state) {...}

// Form submit handler. The Form API looks it up by name: {form_id}_submit,
// so it must be called my_form_submit() to match the builder my_form().
function my_form_submit($form, &$form_state) {
  // Trigger multistep: keep the Form API from pulling the form array out of cache.
  $form_state['rebuild'] = TRUE;
  // Store the submitted values so they are available when we return to the definition.
  $form_state['storage']['values'] = $form_state['values'];
}
?>

Let's look at an example:
<?php
// multistep_simple, our form builder function.
function multistep_simple($form, &$form_state) {
  // Check if storage contains a value. A value is set only after the form is
  // submitted and 'rebuild' is set to TRUE.
  if (!empty($form_state['storage']['myvalue'])) {
    // Display a message with the submitted value.
Posted by Greg

April 4th D7CX Sprint: Upgrade contrib to Drupal 7 at GVS Office

The D7CX movement is based around the idea that while it's really important that we launch Drupal 7 by finishing off the critical issue queue it's also enormously important that we have our many contributed modules ready to go the day that Drupal 7 is launched.

Drupal core is an amazing piece of software, but Drupal core without the many wonders of contributed modules and themes is nowhere near as much fun.

GVS Hosts D7CX Sprint Day

So, April 4th we are hosting a D7CX Sprint Day here at our office. We will provide power strips, internet, coffee and camaraderie. You should bring your laptop and some skills in testing out and upgrading Drupal's contributed modules. The sprint will run from 9:30 AM until about 6:00 PM, but you are welcome to show up for any part of that time.

Some possible tasks:

  • Rewriting documentation for Drupal 7.
  • Helping to write SimpleTests so that contributed modules can benefit from a test-driven development cycle much like core has.
  • Creating patches for modules and themes to work with the new API.

Folks will be available to help provide instruction in checking out code with CVS, rolling patches, and posting responses in the issue queue.

Some people on hand with specific module experience


GVS projects

The Hyperlocal News installation profile is an "internal project" for some of the folks at GVS. Profiles are ways to bundle together Drupal, some contributed modules, and the configuration necessary to make the site actually do something cool. Users are presented with a wizard that sets up...


Contact Acquia if you are interested in Drupal support or help with any of the products GVS offered, such as the Conference Organizing Distribution (COD).

We Wrote the Book On Drupal Security:

Cracking Drupal Book Cover