Weblog
Lightning talks Friday
Lightning talks on Friday at Plone conference 2023, Eibar, Basque Country.
Jakob Kahl: Beethoven Sprint
We will again host the Beethoven Sprint in Bonn, 13-17 May 2024.
Lukas: PloneGov-BR
Plone portal from Brazil. https://github.com/plonegovbr
1.2 billion page views per year, 28 sites, 800k+ content items.
Plone conference Brasilia 18-24th November 2024.
Victor Fernandez de Alba: Volto PLIPs
Plone Improvement Proposals for Volto. See on GitHub.
Mikel Larreategi: Version inspection
What to do when Maurits tells you to update five packages with security fixes? We made a product for this. DigitalOcean API to get all the project lists, scp to get the instance files (bin.instance, yarn.lock), and search.
CodeSyntax: #PrettyEibar awards ceremony
The winner is Kim Nguyen with a picture of a blue house.
Michael McFadden: Have you heard about Tau?
The Tau manifesto. Tau is 2 times pi. Pi is only half the story. 1 tau is 1 turn. Much easier to teach to children. See https://tauday.com/tau-manifesto.
Kim Nguyen: Do you want customers?
Do you want glory? Do you want to help Plone? Help Plone help you. Get your Plone provider listing today!
Go to https://plone.org/providers and register.
Dylan Jay: Python meetups
In 2014 I moved from Australia to Bangkok. I started a meetup for Python. We are at meetup 94 now. There is a PyCon in Thailand December 13-15 this year.
Do you live in a town that does not have Python meetups? Create one! Build it and they will come. You need a venue. Anyone who is interested in developers, can help you. How do you get people to talk: twist their arm, get them drunk. Have two short talks rather than one big one.
The Python foundation now pays for meetups. You can use meetup.com, but you do not have to. You need a code of conduct. I needed a page, I used pyscript, Python in the browser.
Philip Bauer: Erico, I want a beer
Erico promised me a beer if I did something useful for him. Open a Plone site, do exportimport, you can now export it to one file per item.
Mikel Larreategi: Some random things
I had ideas for talks, but did not do it, so quickly they are here.
pas.plugins.oidc. Created by Mauro Amico. OpenID Connect is a layer of identification. You can install the PAS plugin in Plone and talk to such a server [works in a test setup for me as well, Maurits]. Works with various identity providers, like Google Workspace, Keycloak, EU Login. Click a link, redirect to the provider and identify there, callback, internal connection to provider, user is created in Plone and group management granted. We use it in production in two scenarios. See https://github.com/collective/pas.plugins.oidc.
Lichess: Open source chess server. Free, free, free, no ads, no tracking. 93M games played last month. I wanted to translate it into Basque. They use CrowdIn. Can we use something similar for Plone? Weblate maybe? We use this at CodeSyntax. Perhaps I will work on this the coming months for the core Plone translations.
This Plone conference started at Beethoven Sprint 2022. Last day of the sprint, after the last dinner, with the last beer in our hands, a few guys were there and approached us: "You are going to organise the conference, right?"
Thank you everyone!
Plone Foundation annual meeting
Open annual meeting of the Plone Foundation membership at Plone conference 2023, Eibar, Basque Country.
This year the Foundation membership voted in favour of a change to the bylaws, making it more inclusive, and moving to two cohorts for the Plone Foundation board, each cohort serving for two years.
New Foundation members this year: Mauro, Tanya, Jan, Karel, André, Brian, Joao, Martin. We have 100 active members from 21 countries. If you are an emeritus member and want to reactivate, contact the board.
There is a new contributor agreement process, more digital now, not fully automated yet, but easier to handle. There were 43 real new contributors, not including some hopeful GSoC students that never did anything. There were 5 real active GSoC students, thank you for your work, and thank you Google for sponsoring this. Others see that we are handling this well as an organisation. And we try to bring the students here to the conference to present their work. Unfortunately there are strict rules in the EU making it hard to get visas for everyone.
Election for the next Plone Foundation Board of Directors. The result of the vote is in. For a one year term: Brian Davis, Kim Paulissen, Martin Peeters, Paul Roeland. For a two year term: Eric Brehault, Guido Stevens, Mikel Larreategi. Congratulations. Thank you outgoing directors: William, Jens, T. Kim and Erico.
Meeting adjourned.
Jon Pentland: Security considerations for Plone providers
Talk by Jon Pentland at Plone conference 2023, Eibar, Basque Country.
Our company PretaGov did an accreditation process. We have lots of government contracts, so this got important. It is a self-assessment process.
What I want to do in this talk is talk about holistic security, the kinds of things we needed to do for the accreditation.
Organisational security
How do you manage your secrets? High quality, unique passwords. Not written down. We use a password manager across the organisation. This also finds compromised passwords.
Secure your devices: firewalls, antivirus, automatic updates, have a software policy (what software can you install, do you need approval for this), no out of date/legacy software. Last part is tricky when you still need to maintain Plone 4.3 sites. We worked around this by doing it on Docker, so at least our own development machines are not vulnerable.
Cloud/SaaS: have an audited list of services, individual accounts where possible, don't give admin access to everybody, close unused accounts, use MFA where possible.
Infrastructure security
Define the scope: understand what you have, for example by creating an image with users, machines, internet boundaries, cloud services, networking equipment.
Secure servers and cloud infrastructure. Control the access to servers. A VPN with two factor can help here. Have a minimum required access. Keep servers up to date, firewall, antivirus where applicable. Backup and disaster recovery system: if your data is encrypted and held ransom, you want to be able to get back a recent version.
Web security
The browser goes to the proxy or load balancer and then to your app (Plone). It is 2023, every site must be encrypted with HTTPS; this is free with Let's Encrypt, including auto-renewal.
Think about the cipher suites. Older suites are vulnerable to, for example, the Heartbleed or BEAST attacks. You should use TLS 1.3. You might need an older version if you need to support older browsers. Check the security with automated tools.
Set up HTTP Strict Transport Security (HSTS). This tells the browser to remember that this site uses HTTPS. This makes the site harder to spoof when an attacker controls the wifi. Check https://hstspreload.org/
Clickjacking: tricking users into clicking somewhere they did not mean to. Can be done with invisible iframes. Prevent this by setting the X-Frame-Options header, either DENY or ALLOWORIGIN. Cookies should have the Secure setting so they will not be sent over http, and in some cases the HttpOnly setting so they can't be read from JavaScript.
XSS, Cross-Site Scripting attack. Plone usually protects you from this, and the security team looks at this. You can set a Content-Security-Policy header. It can be tricky as it can disable functionality that you rely on. You can set "report-to" to get browsers to send you a report about things they would have blocked, so you can try out your policy for a while. Check https://www.uriports.com/
If you see security problems in plone, mail security@plone.org.
Plone security
Change the default admin password. Block access to the ZMI (manage, manage_*), you should normally not need this. Install hotfixes, see https://plone.org/security/hotfixes. Use Python 3. If you really still need Python 2, your OS vendor may offer paid support.
Protect logins. collective.PasswordStrengthPlugin, there is a branch for Plone 5/6. collective.googleauthenticator, also here Plone 5/6 support coming. Products.LoginLockout: brute force protection, after some failed logins, block the user for a time. Or block all users except a few specific ones. pas.plugins.authomatic hands off your authentication to Google or GitHub, etc.
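The brute-force protection described for Products.LoginLockout, as an added illustration (this is not the plugin's own code): after a number of failed logins inside a time window the user is locked for a while, and a correct password during the lock is still refused. The clock is passed in as a plain number so the behaviour can be exercised without waiting; the user names and the password check are constructed for the demo.

```python
"""Login lockout of the kind Products.LoginLockout provides.

Added example, not the plugin's code.  Timestamps are plain seconds passed
in by the caller (a fake clock) so the logic is deterministic and testable.
"""
from collections import defaultdict, deque


class LoginLockout:
    def __init__(self, max_failures=5, window=600, lock_seconds=900):
        self.max_failures = max_failures      # failures that trigger a lock
        self.window = window                  # seconds in which they must occur
        self.lock_seconds = lock_seconds      # how long the lock lasts
        self._failures = defaultdict(deque)   # user -> timestamps of failures
        self._locked_until = {}               # user -> unlock timestamp

    def is_locked(self, user, now):
        """True while a lock is active; an expired lock is cleaned up here."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Register a failed attempt; returns True if the user is now locked."""
        if self.is_locked(user, now):
            return True
        recent = self._failures[user]
        recent.append(now)
        # forget failures that fell out of the window
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            return True
        return False

    def record_success(self, user):
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

    def attempt(self, user, password, now, check):
        """Gate one authentication; returns 'locked', 'ok' or 'failed'.

        `check(user, password)` is whatever verifies the credentials.  While
        locked we do not even call it, so a locked user learns nothing about
        whether the password was right.
        """
        if self.is_locked(user, now):
            return "locked"
        if check(user, password):
            self.record_success(user)
            return "ok"
        self.record_failure(user, now)
        return "failed"


# Constructed demo credential check (never do this with real passwords).
def demo_check(user, password):
    return user == "alice" and password == "correct horse"


if __name__ == "__main__":
    lockout = LoginLockout(max_failures=3, window=60, lock_seconds=120)
    for t in range(4):
        print(t, lockout.attempt("alice", "wrong", t, demo_check))
    print(122, lockout.attempt("alice", "correct horse", 122, demo_check))
```

Locking by user name means that repeated wrong guesses against a known account also keep the real owner out for the lock period; that is the trade-off the talk's other option (only allowing a few specific users) avoids, at the cost of flexibility.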
Volto security
Content-Security-Policy gets tricky because Volto sets inline scripts and styles, so this requires "unsafe-inline" in the policy. @plone-collective/volto-csp and volto-middleware-helmet help here, they are coming soon.
CORS, Cross-Origin Resource Sharing. A lot of browsers block JavaScript from accessing other domains. Volto needs to access data from the Plone API, so if you host this API on a different domain, you will need to set headers with Access-Control-Allow-Origin and Access-Control-Allow-Credentials. Configure this on the backend. Only use a single origin. You can use *.example.com, but then the Credentials will not be passed.
Security for the build stack. Use cookiecutter-plone-starter for a good base setup. Use Dependabot to warn you about vulnerabilities in packages that you use. Use a CI/CD setup to ease rolling out fixes.
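The single-origin rule for CORS above, shown as an added WSGI middleware (this is an illustration written for these notes, not how Plone itself configures CORS, which happens in the backend's plone.rest configuration). It only answers the one configured front-end origin with Access-Control-Allow-Origin plus Access-Control-Allow-Credentials, handles the preflight OPTIONS request, and deliberately sends no credentials header when the configured origin is a bare `*`, because browsers refuse credentialed responses for a wildcard. The origins, the tiny backend app and the in-process client are constructed for the demo.

```python
"""Single-origin CORS middleware for a WSGI backend (added illustration)."""


class SingleOriginCORS:
    def __init__(self, app, allowed_origin,
                 allow_methods=("GET", "POST", "PATCH", "DELETE", "OPTIONS")):
        self.app = app
        self.allowed_origin = allowed_origin          # e.g. the Volto front end
        self.allow_methods = ", ".join(allow_methods)

    def cors_headers(self, request_origin):
        """CORS headers for this request's Origin, or [] when not allowed."""
        if request_origin is None:
            return []                                  # same-origin or non-browser
        if self.allowed_origin == "*":
            # Wildcard: browsers never pass cookies/auth for it, so do not claim it.
            return [("Access-Control-Allow-Origin", "*")]
        if request_origin != self.allowed_origin:
            return []                                  # unknown origin: no CORS at all
        return [
            ("Access-Control-Allow-Origin", request_origin),
            ("Access-Control-Allow-Credentials", "true"),
            ("Vary", "Origin"),                        # caches must key on Origin
        ]

    def __call__(self, environ, start_response):
        extra = self.cors_headers(environ.get("HTTP_ORIGIN"))
        is_preflight = (environ["REQUEST_METHOD"] == "OPTIONS"
                        and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
        if is_preflight:
            headers = extra + [
                ("Access-Control-Allow-Methods", self.allow_methods),
                ("Access-Control-Allow-Headers",
                 environ.get("HTTP_ACCESS_CONTROL_REQUEST_HEADERS",
                             "Content-Type, Authorization")),
                ("Access-Control-Max-Age", "3600"),
                ("Content-Length", "0"),
            ]
            start_response("204 No Content", headers)
            return [b""]

        def start_with_cors(status, headers, exc_info=None):
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, start_with_cors)


def backend_app(environ, start_response):
    """Stand-in for the Plone REST API (constructed)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"@id": "https://api.example.com/plone/"}']


def call(app, method, origin=None, preflight_method=None):
    """Minimal in-process WSGI client; returns (status, headers dict)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/plone/"}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if preflight_method:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_method
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    api = SingleOriginCORS(backend_app, "https://volto.example.com")
    print(call(api, "GET", origin="https://volto.example.com"))
    print(call(api, "GET", origin="https://other.example.net"))
```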
Assorted security
Some more things that are worth doing.
Rate limiting, for example with HAProxy, to prevent someone hammering your site. Fail2Ban, mostly just getting rid of traffic you do not want. See also Fail2Ban.WebExploits for custom checks.
Email: SPF, DKIM, DMARC.
The Feature-Policy header lets you control what JavaScript features are allowed on your site, for example disable microphone and camera.
With a Referrer-Policy header you can instruct the browser not to send a Referer header to the next site.
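A checker for the response headers discussed in the "Web security" section above (HSTS, clickjacking protection, cookie flags, Content-Security-Policy) and in the two paragraphs just above (Feature-Policy and Referrer-Policy), as an added example that is not part of the talk. It works on a WSGI-style list of header tuples so it can be dropped into a test against a staging site; the two header sets at the bottom are constructed. Beyond what the talk lists it also accepts the X-Frame-Options value SAMEORIGIN and a CSP `frame-ancestors` directive as clickjacking protection, and the newer Permissions-Policy name next to Feature-Policy, all of which are real header values but not mentioned in the notes.

```python
"""Audit a Plone/Volto response's security headers (added example)."""
import re
from typing import Iterable

ONE_YEAR = 31536000  # seconds; hstspreload.org requires at least this


def audit_headers(headers: Iterable[tuple[str, str]]) -> list[str]:
    """Return a list of findings for a WSGI-style header list; [] means clean."""
    findings: list[str] = []
    single = {name.lower(): value for name, value in headers
              if name.lower() != "set-cookie"}
    cookies = [value for name, value in headers if name.lower() == "set-cookie"]

    # HSTS: present, max-age of at least a year, covering subdomains
    hsts = single.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors
    csp = single.get("content-security-policy", "")
    xfo = single.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")

    # CSP: present; note when it relies on 'unsafe-inline' (typical for Volto)
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP relies on 'unsafe-inline'")

    # Cookies: Secure on every cookie, HttpOnly unless JavaScript needs it
    for raw in cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in raw.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} without Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} without HttpOnly")

    if "referrer-policy" not in single:
        findings.append("missing Referrer-Policy")
    if "permissions-policy" not in single and "feature-policy" not in single:
        findings.append("missing Feature-Policy/Permissions-Policy")
    return findings


# Constructed samples.  __ac is Plone's login cookie; the value is made up.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "__ac=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "__ac=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=()"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

Running it against a Volto site will usually report the 'unsafe-inline' finding; that is the trade-off the "Volto security" section describes, not a bug in the policy.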
Audience:
- GSoC project: https://github.com/collective/plone.webauthn
- In Plone 6 you can use per-user keyring.
Fred van Dijk: How the Plone Foundation AI-team manages its websites with CI/CD
Talk by Fred van Dijk at Plone conference 2023, Eibar, Basque Country.
What do you need for CI, Continuous Integration?
- A correct automatic repeatable setup of your project.
- tests, so you can tell automatically if the project works
- configured up to date servers to run those tests
- testing triggered automatically after a change
- feedback flowing to the developers
Okay, that works, with cookiecutter-plone-starter, plone/meta, Ansible, Docker Swarm, GitHub Actions. Most of them open source.
Continuous Delivery:
- Only when CI is green, no test failures.
- You need servers for this
- a CD orchestrator
- persistent data management, including possibly copy of production to test or development
So you not only need to know 100% of the software code, but all on top, maybe 400% more knowledge. No wonder you are burned out! You need to specialise to get this back to having to know only 100%. I like knowing about a lot of things, but it is hard to maintain over years.
We use GitHub. Not open source, so I asked internally if we really want this, as you never know what will happen with commercial companies. But it is there and we use it. With GitLab you could be more open source, but then you would preferably need to run it yourself.
So code is on GitHub. commit to a branch or main: code analysis is run. When we merge to main in certain directories: automatically deploy to testing. Create a tag release: deploy to live environment.
Other implementations are possible, like chat based: add a comment in a PR to ask the CD to deploy to testing.
There are some organisation and security challenges. GitHub.com/plone is open and writeable for a few hundred people. You don't want all of them to be able to change something in the plone.org repo and automatically deploy it live. We can't be this open anymore. So there are restrictions in place.
If you are a sysadmin and are interested in this stuff, please help us, talk to the AI Team (Admin and Infrastructure).
Would be good to get "devcontainers" up and running.
We have this setup for plone.org now, but also for plone.de, 2023.ploneconf.org, plone.nl.
Another thing that we have setup, is for when there is a new Plone backend or Volto version. We update a few version numbers in the repos for the Docker images, and then they get created, tested, and pushed to Docker.
Iñaki Maurtua: Beyond pre-programmed robots for repetitive tasks
Keynote talk by Iñaki Maurtua at Plone conference 2023, Eibar, Basque Country.
I work at Tekniker. We research and build modern industrial products for lots of sectors.
My talk is about robotics. What is a robot? You may think of a machine in a factory doing repetitive tasks. Or a human-like robot, or insect-like cars moving over uneven terrain.
What can a robot learn? They can learn how to move, understand a scene, interact with humans, collaborate with humans and robots. Learn to manipulate objects. Learn to assemble objects, with kinaesthetic learning (you move the robot arm) or mimic learning (you move your arm, robot mimics you). We coordinate the HARTU project that researches this.
Innovate with an eye to the future, exploiting the intermediate results achieved.
[Sorry, hard to summarise, but cool to watch.]