Weblog
Mathias Leimgruber: Plone 6 Classic UI - A Success Story
Talk by Mathias Leimgruber at Plone Conference 2025 in Jyväskylä, Finland.
I am a full stack dev, over 15 years of experience with Plone, attended several conferences around 2010, and I never thought I would own a company. Fun fact: I immigrated during Covid to the US, to join my lovely wife!
I founded webcloud7 in April 2022, in Lucerne, Switzerland, together with Christoph Brütsch. We wanted to build and ship an actually standardized product. Release management: 4 times a year.
Problem: we are a new, small company, upgrades for some Plone 4 and 5 clients were urgent, I am not a designer, and how to deploy?
We chose Plone 6 Classic UI. We had pressure to go to market fast, and I had experience with the Classic UI. We could focus on the backend, and have content be created there. And then the REST API as interface to the world. This way we can have a slower release cycle on the backend, and the frontend can move faster. The frontend is 100% geared to the customer, and the backend to the content creators. I begin with TTW content types, and some Python Scripts, to get a quick start.
Why not Volto? For me a steep learning curve: React, Next, new design patterns. Volto is good for WYSIWYG, but that is not important for me at all. We wanted a different UI for editors and visitors.
We have our product: 7inOne. In the theme we only changed the color, so it is pretty standard Plone. If anything is changed in core, we get it quickly.
We made a Page Builder. Using the grid from Bootstrap, and adding blocks in there. Similar structure to Volto, really. I implemented a Trash option. Since we don't have WYSIWYG, we have a preview split screen so you can see how it looks. Also a mobile preview.
I have built a working copy / versioning variant. I could not use plone.app.iterate for various reasons. You can ask multiple co-editors for reviews.
PDF with weasyprint.
External API integration. You can load data from an external API. Stores results in a Dexterity field, or in Redis. Json only. You can tell it how often it should load data automatically.
We use collective.elasticsearch. We added an endpoint @es-search if you want to explicitly search there in the normal Plone way. We implemented a @raw-search endpoint where you basically send raw Elasticsearch queries, except that we add allowedRolesAndUsers=[] as a security measure.
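The point of that security measure is that the permission filter is added on the server, so a client-supplied query can narrow results but never widen them. The following is an added example (not the 7inOne or collective.elasticsearch code) of how such a wrapper can look; it assumes the Plone allowedRolesAndUsers index convention of storing role names and "user:<id>" entries:

```python
"""Wrap a client-supplied Elasticsearch query so that a server-side
permission filter on the Plone allowedRolesAndUsers index is always
ANDed in. Added example, not the 7inOne/collective.elasticsearch code."""
import copy


def allowed_terms(user_id, roles):
    """Values the current user may match in allowedRolesAndUsers.
    Anonymous visitors get only the Anonymous role.
    Assumption: mirrors Plone's 'user:<id>' convention for the index."""
    if user_id is None:
        return ["Anonymous"]
    terms = {"Anonymous", "Authenticated", "user:%s" % user_id}
    terms.update(roles)
    return sorted(terms)


def secure_raw_query(raw_body, user_id, roles):
    """Return a new ES request body: the caller's 'query' becomes a 'must'
    clause and a 'terms' filter on allowedRolesAndUsers is ANDed in.
    Because the filter lives in the outer bool, anything the client puts
    inside its own query (even its own allowedRolesAndUsers clause) can
    only narrow the result set, never remove the permission check."""
    body = copy.deepcopy(raw_body)  # never mutate the caller's dict
    client_query = body.get("query", {"match_all": {}})
    body["query"] = {
        "bool": {
            "must": [client_query],
            "filter": [
                {"terms": {"allowedRolesAndUsers": allowed_terms(user_id, roles)}}
            ],
        }
    }
    return body


# Constructed sample: an anonymous client searches for "budget" and
# would otherwise also hit private content.
RAW = {"query": {"query_string": {"query": "budget"}}, "size": 10}

if __name__ == "__main__":
    print(secure_raw_query(RAW, None, []))
```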
We use pas.plugins.oidc for SAML/OIDC authentication, and wcs.samlauth.
Then we want to improve performance:
- With Py-spy we can make flamegraphs to see what is happening.
- We made opinionated improvements to the REST API, some internal caching (navigation), automatically prevent recursive "expands", always disable diazo (so the transforms), auto apply a sort_limit to queries where possible.
- Cache as much as possible.
We use Redis and RQ Python for async and scheduled tasks.
It is all built on Kubernetes, and using CloudFlare.
The backend and API are on different sub domains. Backend is only for authenticated users.
For some clients we do the frontend ourselves, for others there is a third party. We give them the Plone REST API documentation, with some extra guidelines:
- Do not use expand for @navigation and @contextnavigation.
- Dedicated frontend routes for search, dashboards, etc, with limited caching.
- Implement a small client to handle redirects and status codes like 404 and 500.
baselland.ch was the first customer with which we went live with this system. In 1 year the frontend had no downtime. The backend 45 minutes, due to a Kubernetes upgrade and some CloudFlare issues. Total of 29 releases installed. From Plone 6.0 beta to 6.1.2.
For all clients the backend is always the same (7inOne). Just the configuration differs.
Some of the challenges:
- Performance of the Kubernetes cluster, it remains a bit of a mystery to me. Storage I/O speed, especially catalog access is slow after a restart.
- There is one developer for the backend: me. I'm always right... Only one opinion, no diversity.
- Testing: where to start and where to stop.
Lessons learned:
- The Plone REST API is great. Its documentation is awesome.
- Using Plone as a headless CMS works.
- Technical documentation is usually too late, but AI helps.
- Not everything needs to be automated, even though I love to do that, it is not always worth the time.
- Kubernetes: the ZODB needs fast storage, use physical servers (cheaper)
- Get help! I should have asked other people first in some cases.
- Caching, caching, caching. Try to cache everything and invalidate.
Erico Andrei: Create Your Next Conference Site With Plone
Talk by Erico Andrei at Plone Conference 2025 in Jyväskylä, Finland.
The website for PyCon Brasil in 2006-2010. This used a package called Products.PyConBrasil, developed by Dorneles Tremea, Jean Ferri, Erico Andrei. Archetypes based. We had registration forms (you don't need Google Forms for that, come on), call for papers, certificates. 7 content types, workflows. We would improve this year after year for the next conference. Simples Consultoria would come up with a new theme.
PythonBrasil 2011 plus Plone Symposium South America. I had separate packages for each part. Dexterity based. Support for multiple conference editions.
PloneConf 2013. Problem: multilingual, Plone people from all over the world do not all speak Portuguese. Dexterity based, and with Grok.
Plone Conf 2020-2023. Copy-paste-rinse-repeat. Covid happened, so we needed an online conference. Every conference: a repo on github.com/plone. Classic then, later upgraded to Volto. Features: Speaker, Talk, Training, Keynote, Sponsor. In 2022: a schedule block (created by Affinitic). Talk submission: via Google Forms. Registration with TiTo (2022, 2023).
PloneConf 2024: copy-paste plus crazy ideas. Registrations with Eventbrite. Call for Proposals: with Pretalx. So some new blocks needed. Change some colors in the theme. But we wanted Volto Light Theme. Last minute "requirements": online experience, "My schedule", training registrations and certificates, attendee check-in.
I got personally involved with 3 distinct conferences this year. Easy, right, because I got all this experience just a few months before. Copy the Plone Conference code, change some colors, put it live, in under two hours. It worked! March: copy-paste for the Plone conference here. Also fine. But then the Python Cerrado conference: this had some more challenges. More frontend and backend add-ons needed. How can I find time and energy to do anything on my own? But: okay, just do it. In 4 days from cookieplone to collective.techevent reality.
So: no longer copy-paste, but use this add-on as base. Not from scratch.
- Code: https://github.com/collective/tech-event, which is a mono repo.
- Backend: collective.techevent (Plone add-on) provides content types, behaviors, and REST endpoints (e.g., /@schedule, /@sponsors).
- Frontend: @plone-collective/volto-techevent (Volto add-on) provides the UI: views, blocks, schedule, sponsors, listings, etc.
Asko Soukka is the main driving force behind tech-event: working-copy support, performance fixes, revamped schedule block to be able to handle even six parallel talks.
Wish list:
- Registration:
- I want an Attendee content type with Membrane.
- Check-in
- Integration with Presenter profile
- CfP (workflow and permissions)
- "My schedule" / bookmark / calendar export
- "Smart" talk materials listing, embedding
- Training life cycle: registration, certificates
How to do: create new project with cookieplone, add kitconcept.voltolighttheme and collective.techevent to backend, some to frontend.
Other events would benefit: World Plone Day, Plone Tagung.
I am releasing collective-techevent 1.0.0b1 right now in this presentation.
Fred van Dijk: Communicating complexity
Talk by Fred van Dijk at Plone Conference 2025 in Jyväskylä, Finland.
This talk is a long analogy about maintaining and customizing a large web portal.
My father for a long time cleaned tap installations in bars. I saw both groggy bar owners and Chinese restaurant owners and personnel. Cultural differences.
In the Netherlands, Chinese restaurants are tailored to Dutch tastes, often including some Indonesian tastes. How do you start? You get a building, a kitchen, a dining area, a bar, a takeaway. You need to decorate it. You need personnel. He learns that he cannot just build on his own tastes, but needs to adapt to Dutch tastes.
He starts, two months later the city closes the parking lot for repairs, people need to park further away, so fewer customers. So: challenges, but it works. Food inspection has some comments, gives a fine, but he improves.
But everything has to work all the time, 7 days a week. Kitchen, waitress, bar tender, both takeaway and restaurant, etc.
After a few years he needs to do some maintenance, renovations. But business is slowing down, the people have tasted the food enough, have seen the fishes, there is another nice restaurant. So: a make over. New dishes, extra cooks because he wants to prepare food at the table. Take away in a more separate area. The owner stays as the face of the restaurant, is always there. And it works, he doesn't go bankrupt.
The end.
Let's dissect this analogy. This is running a website, what I have been telling you for the past 20 minutes.
The website is the dining area. Or the takeaway area with the REST API. The building is the hosting environment. There are rules (food inspection). The food is the content. Who are the waiters? The editors. The tables and chairs are the software. Kitchen is backend, dining area is frontend. A website needs to be restyled every few years. So if you have an enterprisey website, you are a restaurant manager. And you don't have everything under control, you have to change with the times. You cannot stay with Python 2 and yarn, you need to go to Python 3 and pnpm.
What we try to pull off, is doing 8 to 10 things together. A website is not easy, it is as complex as a restaurant.
BTW, the restaurant is the Rose Garden in Barneveld.
Johannes Raggam: Less JavaScript: Build Modern, Interactive UIs with HTML and CSS
Talk by Johannes Raggam at Plone Conference 2025 in Jyväskylä, Finland.
Here are the talk slides.
Using less JavaScript can be good for performance (fewer big bundles) and accessibility.
Simple example: lazy image loading:
<img loading="lazy" src="...">
The date, time and datetime-local inputs have good support on mobile without needing extra JavaScript:
<input type="datetime-local" ...>
With JavaScript it could look nicer though.
In audio and video tags you can specify sources with different types, and have links or other HTML as fallback.
The details/summary element avoids the need for special accordion JavaScript:
<details>
<summary>More info</summary>
<p>This is additional information, shown when you click the summary.</p>
</details>
If you give the details element the open attribute, it will be shown expanded by default. The details element is for example used in the Plone 6.1 resource registries. Previously, if you did something wrong here, the control panel would be broken and you could not fix it here. Now with the plain HTML it is no problem. You can also use this for form tabbing.
For a slider/carousel there is a lot you can do with CSS. Coming soon: scroll buttons. And the ::scroll-marker pseudo-element.
Form validation. Add the required attribute to an input, and use this CSS:
input:invalid {
border: 2px solid red;
}
input:valid {
border: 2px solid green;
}
The dialog element for modals.
Future: masonry, with nice alignment of images of varying sizes on a page. It is experimental.
Future: maps.
Hanna Paananen and Naomi Woods: Human Perspectives in Cybersecurity
Keynote talk by Hanna Paananen and Naomi Woods at Plone Conference 2025 in Jyväskylä, Finland. How Mental State and Social Interactions Can Affect Cybersecurity Posture.
Naomi Woods
I am Doctor Naomi Woods, Research coordinator in this university. And my colleague doctor Hanna Paananen, University Teacher here. Both on cybersecurity.
Our research group examines human interaction in the digital world within a cybersecurity context. See our research group page.
My background is in psychology. I apply that to the cybersecurity context. Can mental health affect information security behavior?
ISP (Information Security Policy): details how employees should behave in order to prevent, identify, and respond to security incidents. This is hard to comply with for an "average" employee. Research tries to understand this, and find approaches to improve. There is research about the effect of persuasive security messaging, or awareness of sanctions.
Mental health is an issue for many. Most common: depressive disorder and anxiety disorders. Both types can lead to cognitive slowness and avoidance behavior. Many people have symptoms, but are still able to work professionally. You can be more vulnerable: an easier victim of social engineering, online harassment, phishing, etc.
We did a study on the effect of deterrence factors: perceived risks of sanctions and shame by an employer or peers. With anxiety there is more intention to comply with ISPs. With depression they are more likely to violate their ISPs.
Neutralization techniques (NT) are used to help individuals rationalize their less desirable or deviant behaviors. It allows them to justify it to themselves. For example rationalization: "My boss expects me to make really long passwords, so I will just use the same password everywhere." We did a study with four groups with combinations from low anxiety and low depression to medium-higher anxiety and medium-higher depression. The group with medium-higher anxiety and low depression had the highest use of NT to justify intentions to violate ISPs. So an increase in depression has a damping effect on the use of NT: they care less.
This means there is no one-size-fits-all approach. With different mental health issues, you need to interact and motivate employees differently. Be inclusive, and do not set users up to fail at security.
Audience question: Would this mean it is better to reserve a part of the cybersecurity budget of your organisation to keep your employees happy?
Interesting question. You need a holistic approach: security is not just technical solutions, you also need to look at what employees can handle in terms of security on top of their already demanding jobs.
Hanna Paananen
Collaboration introduces cybersecurity risk. There are threats against value chains. There have been lots of examples in the last year with malicious code, intrusion attempts, fraud and deception, sabotage. A Russian-backed hack in software to access water treatment systems caused a water tank to overflow in one city in the US. But also just errors and omissions, like with the CrowdStrike problem earlier this year.
Inter-organisational cybersecurity is a necessity. Regulation and best practice as drivers. The EU cyber strategy tackles value chain threats. Organisations try to control compliance of their partners, with contracts, audits, standards certifications, technical measures, training. But high-level compliance requirements can be more a checklist than working instructions. It may lead to low visibility on actual risk control.
Management practices are needed across organizational boundaries. A company approached us. They focused on their core processes, and outsourced the rest. But they had no control there, so it posed risk.
Building a common understanding with people from other communities can be done in different ways. In one-on-one meetings we may get to know one another and learn. Immersion: visits, an in-house consultant. The consultant learns about the organisation, but the organisation does not learn much about the consulting firm. Delegations: agreements, conferences. That is good, but does not really support the daily challenges.
Build a community between organisations. This is a way to build collaborative cybersecurity management practices to match the requirements. It helps you know who to talk to when a jointly used asset is under attack, either to warn them or to get help.
We had three value networks in our project: with energy, water, and transport, all very different in how value was created. What practices should be built?
- Specify goals, reduce barriers.
- Get a mandate for practices: get a boss to allow you to spend time on inter-organisational cybersecurity. Let it be not for one person, but tied to a job, so also for your successor. Connect contracts to practice.
- Competence building. Learning from others. Small companies have different means than a big company.
- Materia for practices. Materia can be a contract, a ritual. "We have meetings, and this is what we do in them." It helps translate meanings. Makes conflict explicit.
So answer this question for yourself: What is my role in building cybersecurity with people from other communities?