Drupal

Simple Strategies to Pick a Drupal Theme

I often get asked for advice about picking a Drupal theme. Themes are extensions of the Drupal content management system which allow a site admin to quickly change the look and feel of their site. You just download the theme you like, install it, select it, and your whole site has a new design.

However, as with finding high-quality Drupal modules, there are some good rules of thumb to follow in your theme search.

Strategy 1: Find a Drupal Theme Close to What You Want

Drupal Introduction at CLUE Denver Meeting (Colorado Linux Users and Enthusiasts)

Drupal Introduction for Denver Linux Group

Tuesday night the folks at CLUE South (in the Denver Tech Center) had a "CMS Panel" that ended up collapsing into a Drupal and Mambo/Joomla! discussion. As I was writing my presentation I happened upon Gabor Hojtsy's request for new maintainers for modules including the S5 module. It seemed like a nice coincidence and since I found the S5 module to be useful in preparing my presentation I'm now the maintainer.

So, you can now see the slides that I used last night as a Drupal book or as an s5 presentation - including Drupal style theming.

Drupal as Presentation Maker - s5 Module

This is, in my opinion, a real boon for conferences and organizations that host presentations. You no longer need to worry about "which slideshow technology do we use" or "where do participants go to download the slides". Now everyone can use html or markdown syntax to make bulleted lists in Drupal book pages and then click the "export to s5" button and your presentation is all set to go.

Once I figure out a few details to make the system easier to use and the theme a little stronger I'll be committing the changes, releasing an improved version of that Drupal s5 theme, and branching s5 for Drupal5. If you want to try out the s5 module for Drupal5 now, the HEAD in CVS is currently compatible with Drupal5.

Future of Drupal Presentations

Drupal Sighting: jQuery gets Proper Plugin Repository

I had heard weeks ago from chatting with Mike Hostetler that he was working on a code repository for jQuery plugins, which got me quite excited. Historically, getting specific versions of jQuery plugins has been a little difficult. Now there's a great jQuery Plugin Repository that replaces the Wiki. The recent jQuery Blog post discusses the new system:

The new repository comes with a few features that are sure to help users to find what they’re looking for and determine which plugins will best suit their needs. There’s the (jQuery-based) ratings widget to let you know how highly others value each plugin. The ratings are viewable by all, and you can rate them yourself by simply registering on the site with a user name and email address. You’ll also have easier access to change logs, demos, and documentation, as well as bug reporting and feature requests.

Of course the site has tell-tale signs that it's running Drupal and other signs show that it's running the well regarded project module to manage the releases, issues, feature requests, and module listings.

Congrats to Mike and the jQuery web team on an important job well done and congrats to Drupal and Derek Wright (dww) for being selected as the platform behind yet another plugin repository. Now, if we can only see about getting those fivestar ratings available on the Drupal.org module download page ;)

Drupal Download Statistics for April 2007

Background on the Numbers

The lowest level that registered in Analog this month was 113. So, if your project or release was downloaded fewer than 113 times it won't register. I say project OR release because it's possible that the 5.x-1.20 release of your module was quickly followed by the 5.x-1.21 release - the 5.x-1.20 version may not register even if the module is fairly popular. So, 1) the numbers are inherently flawed a little bit, and 2) project maintainers should only create new releases when there has been a significant enough change to warrant it. Doing so on every new commit to the project is a waste of your time, your users' time, and reduces the quality of these metrics.

That said, on with the report...

RFC - Security Bounties in Open Source

The other day I broached the idea of a security bounty in the Drupal project. I had first heard about this concept from the Mozilla Foundation's Security Bug Bounty which appears to be the most famous of these.

Why Security Bug Bounties are a good idea

This is pretty simple:

  1. It provides at least some motivation for folks to actually look at the code and find security bugs making the software more secure.
  2. More folks looking at the code is always a good thing.
  3. Just the concept and the existence of the program reminds people that we take security seriously, and informs them of the proper way to report a bug.
  4. In the case of the Drupal Association - which can't make decisions about the code based about the statutes (en pdf) (more formats/languages).

Generalized Security Bug Bounty System

This concept seems to me like it could be generalized for any software project. Here are the rules I came up with, based upon the Mozilla Foundation's rules.

  • Security bug must be original and previously unreported.
  • Security bug must be a remote exploit.
  • Security bug is present in the most recent version of the Mozilla Suite, Firefox, and/or Thunderbird, as released by the Mozilla Foundation.
  • Security bugs in or caused by additional 3rd-party software (e.g. Java, plugins, extensions) are excluded from the Bug Bounty program.
  • Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the project (such as by providing check-in reviews).
  • Employees of the project (if applicable) are ineligible.
  • If multiple people report the bug the reward will be split among them equally.

Pathauto Development Update - And a Call to Use Tokens

I feel very happy today and I think you should feel happy too. Pathauto is a great module that has served millions of visitors to thousands of sites very well over the years. But Pathauto, along with all of Drupal, is getting a little bit better!

Enter Token Module

At the very end of 2006 Jeff Eaton started work on a token module which took the pattern logic out of Pathauto into its own module (and extended it a bit further). All those little strings of text like [title] and [cat] and [user] which Pathauto uses were all placed into a separate API. This provides two great benefits - first, it makes them available to other modules such as the custom breadcrumb, autonodetitle and other modules. Second, I instantly recognized the personal benefits from this decision because the token parsing part of Pathauto was the source of most of the bugs. I thought that if I outsourced the patterns I'd also outsource the bugfixing! In the end I'm now a co-maintainer of the token.module providing some bug fixes, features, and design reviews for the module. At least I have a partner in crime on the issue and at least the work can benefit all of Drupal instead of just Pathauto users.

Call to module developers

This call is twofold:

First, to modules that implement Pathauto hooks: now's the time to start implementing the token hooks. This will open up your module to interaction with a much broader set of modules and is a much better long term solution than the Pathauto hooks. To learn more about token or discuss its use, join the tokens group on groups.drupal.org.

Great quotes from Drupalcon day 1

So, I'm writing from Drupalcon, from "Is Drupal an Enterprise Solution?", which is an interesting and awesome presentation.

Web application security

Secondly, Rasmus had some great quotes this morning. Jeff captured one that I really liked:

When I'm surfing around to find hackable sites, I love to find hand-rolled CMS systems. I know I can hack them in a heartbeat. If I see a site is running on Drupal, or Joomla!, or another CMS? I know there may be a hole, but as soon as they fix that hole, everyone using them is safe.

But there was another fun one from Rasmus. He was talking about his XSS XSRF scanner and how about half of the major banks that he scanned with it had major security problems. He wanted to release his tool as an open source tool, but was concerned about the frequency of the bugs it found and how many companies would be exposed overnight with problems that would ruin their banks/customers. That would be sad. So, as he discussed this he was like "yeah it would be nice to release to the world because it works pretty well but..."

"I didn't want to be the guy that released the tool that broke the whole web."

Yeah. I think we all agree that we don't want to be "that guy."

Open Source in the "enterprise"

Someone from the audience (who works for the US government) dropped this quote:

"build" vs. "buy" vs "assemble and extend"

That's really valid and I hadn't heard it before. "build vs. buy" we're all familiar with. But where does open source fit into that equation?

Getting More Folks to Adopt Drupal

Final quote I just heard was in response to the question of how do we get everyone to drink the Drupal "Kool-Aid"?

Chant! Chant! Drink! Die!
