System Overlord

A blog about security engineering, research, and general hacking.

Drupalcon 2011: Keynote by Dries

08 Mar 2011 in Drupal (Reading time: 2 minute)

[NB: Video of Dries' keynote has been posted here: http://chicago2011.drupal.org/live] Dries opened Drupalcon with an inspiring keynote, discussing the successes and failures of the Drupal 7 development cycle, and the proposed changes for the Drupal 8 development cycle.  (Yes, we're already talking Drupal 8.) He started off with some statistics:

  • This Drupalcon has 3000 attendees.
  • The attendees will consume $100,000 in coffee.
  • Every major government uses Drupal in some fashion.
  • 1.7% of websites run on Drupal.
  • Drupal.org has 551,392 community members

He noted that he would open the Drupal 8 branch today, as soon as one of the git masters shows him how to: "I'm not quite sure how to do branches yet in git." In Drupal 8, we will see a cap in the number of outstanding critical bugs at a time at 15 (any more than that and new features will not be accepted).  We will see feature maintainers as different aspects are developed, adopting a Linux-kernel like development model, and there will be several quality checks on each feature before it is committed into the D8 mainline. Check out the video of Dries's keynote if you want to hear more, and ask yourself: "What have you done today to make you feel proud?"

Drupalcon 2011: Code-Driven Development: Using Features Effectively

07 Mar 2011 in Drupal (Reading time: 7 minutes)
Summary
One of the biggest barriers to using Drupal effectively is managing the Dev->Test->Production->Update lifecycle.  Most problematic is making structural changes to a site already in production.  You don't want to break/modify production while live, you don't want to blow away data by copying data from Dev to Prod, and you don't want to try to make the changes in two places.  Based on my readings, I had decided that Features would play a major role in solving this problem.  The training class presented by Nuvole today showed that Features can make life-cycle management much, much, easier.  In fact, as best as I can tell, code-driven development is the way to produce, manage, and deploy enterprise-quality sites.
Nuvole has posted slides on SlideShare.  (These may not be the exact slides used at Drupalcon, as they seem to be a few weeks old, but look very similar to what I'm seeing on the screen.)
Thanks to Antonio and Andrea for a great presentation -- it was really content-rich, and they managed to work through the technical glitches of student laptops quite smoothly.

Read More...

Drupalcon 2011

07 Mar 2011 in Drupal (Reading time: 1 minute)

Tom (my boss) and I arrived in Chicago last night for Drupalcon 2011.  I will be blogging my notes from training classes & sessions, but I will not be placing them in the "planet" category, so they will not be syndicated on Planet Ubuntu & Planet Georgia, unless there is content significantly relevant to the Ubuntu community.  (If you're interested in my Drupalcon 2011 coverage, please check my site or subscribe to its feed.)

Many of the notes will be intended for my later consumption, but I'm hoping they may also help others address the same issues.  Let me know if there are confusing parts you'd like me to expand upon.

Memo to Self when Moving Databases

05 Mar 2011 in Linux (Reading time: 1 minute)

As a memo to myself, and in case others aren't aware of this:

If you move the entirety of a mysql server (e.g., all databases, especially the "mysql" database) to a new Debian-based (Debian, Ubuntu, etc.) server, you need to make sure the debian-sys-maint user is created or updated.

If moving from a non-Debian-ish environment, try: 

GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY '--password--' WITH GRANT OPTION;

where "--password--" comes from /etc/mysql/debian.cnf.

If moving from another Debian-ish environment, copy the password from /etc/mysql/debian.cnf on the old server to the same file on the new server.

HTH.

Password Generating Webpages

02 Mar 2011 in Security (Reading time: 4 minutes)

First off, let me say that I commend Steve Gibson's attempts to bring information security to the masses.  I think it's important to educate the user base, and most of the time, he does a great job of it.  Unfortunately, a lot of his advice also seems to be filled with either "marketing speak", or (worse) just plain incorrect information.

In February, the Atlanta Linux Enthusiasts mailing list had a long discussion about the merits of "CLOSED" vs "STEALTHED" ports as advocated by Steve Gibson of grc.com.  I, for one, love spirited discussion, and thought it was good to discuss a variety of viewpoints and issues.  I believe that >90% of the discussion was very professional and mature discussion, which is something I attribute largely to the membership of the ALE mailing list.  Many other mailing lists would have resulted in a very quick flame war.  During that discussion, I stated that I felt that much of his advice (though overall sound advice) was misleading to users, and I still believe that.  Even if the end result is users taking corrective action, misleading them is not helpful in the long run.

Today, I saw a link to Steve's page password generation page.  Looking at it, I had several concerns about the page.

Read More...