Eric Bréhault - 'We, Plone'
Talk by Eric Bréhault at the Plone Conference 2016 in Boston.
This talk is about psychoanalysis of a community, psychology of developers. What motivates 'us', the Plone community? How do we feel? We do technical stuff, but we are humans, so we have feelings.
Open source, free software: you work for free for people you don't know. That is how your father-in-law would think about it. He thinks you are either stupid or generous.
Jessie J: "It's not about the money, we just want to make the world dance."
We work because we need to eat, and belong, and have a shared ideal, participating in something.
Study: only 16 percent of employees would recommend their company's products. Disaster! Okay, this was in France, we love to be critical, even about things we don't care about.
100 percent of community members would recommend their product.
Two times:
- Otium: free time, but not just leisure, also time for caring.
- Negotium: the very opposite of otium. Time for business.
In English: business and busyness. Being busy. Business is about not caring? That may be exaggerated.
Doesn't it happen to us? A client says something does not work, we don't care. Someone on the other side of the ocean says something does not work in our favorite project: we fix it even in the middle of the night.
Kant talks about minority and majority. Minor: dependent, unfree. Major: autonomous, a scholar among scholars. Developers are grown-ups. But software industry tends to reduce our responsibility. You cannot make developers responsible. Communities value their grown-up status. You do not face clients or a boss, but your co-developers. We discuss with equal people. We feel more committed in this kind of group than in a private company.
Writing software is a full process. You do everything. You are going to iterate over versions. This process induces parenthood. You spend time with the code. You want to fix it, want to feel proud about it, especially if we show this code to someone. We want to be prepared for the future. In English, software 'runs'. In French it walks, it marches ('il marche'). My kids don't wake me up at night anymore, my 10-year-old Plomino software project sometimes does.
Communities are adoption structures. They make sure a piece of software always has loving parents to raise it. It is not just a bunch of developers sharing code. It works like a family, and we welcome new members into the family.
Another concept: how do we build our identity? 'I' needs a 'We'. Gilbert Simondon says: "Becoming myself is a process, which is both individual and collective." Belonging to a group makes me feel more myself. You imitate others.
We want to be Plone. The community is more than the sum of its contributors. The fact that developers want to be a community, makes it a community.
Bernard Stiegler: transindividuation. Plone participates in our 'We' and each of our 'I' processes. We and I influence one another. We change I, and I change We.
Plone-the-thing is just the software itself. Code. Not perfect, lots of bugs. It is real.
Plone-the-concept is a moral ideal. We want it to be perfect, 100 percent tested, fully secure. It is the community's super-ego, in German an Über-Ich. The concept rises above the thing. And the concept influences the thing. The concept stays in the mind of the community, even as individual members may leave or enter.
What keeps Plone going? Love!
Phil Lombardi - An Illustrated Guide to Microservices
Talk by Phil Lombardi at the Plone Conference 2016 in Boston.
Datawire is a first-class Python shop. Python and microservices complement each other really well.
What is a microservice? Small service, self-contained, narrow in scope. It is like a Lego block. Simpler: it is a unit of business logic. It could send a mail, or fill out a row in a database, anything. You wire them together by combining them in a topology, like a ring, map, star, fully connected, line. Fully connected topology is what I am focusing on in this talk. Netflix five years ago had more than 500 microservices. Twitter too.
Developers are the ones who should define the topology. Business logic is distributed, rather than central. It can help when you need to scale up, integrate various systems, or have really high reliability. If one part of the topology fails, the rest should still remain functioning as much as possible.
Linear topology lends itself to scaling and optimising each part separately: ingest data (network heavy), have one source of truth for data (disk heavy), transform data (disk and CPU), present data (network and CPU).
Microservices are about service oriented development. Thinking about architecture up front can sound nice, but when this takes months without actually building anything, you are probably out of date before you get started. An architecture should think less up front, and do more experimentation, and enable developers.
You need to move away from DNS to service discovery. And from central load balancers to smart endpoints, to update routing tables in real time. A microservices client should be a smart endpoint that can do the routing, that knows how to discover working and available services.
A microservice is a node in an agile service topology. And it is service oriented development. Needed mindset: from architecture to experimentation.
See the company at https://datawire.io and the microservices development kit at https://github.com/datawire/mdk
Twitter: @TheBigLombowski
Nathan Vangheem - Building a Castle
Talk by Nathan Vangheem at the Plone Conference 2016 in Boston.
I work at Wildcard, mostly on highly secure websites. I am on the Plone Security Team.
CastleCMS is an opinionated version of Plone. It packages all kinds of things up for Plone that we have been doing for security.
It is not a fork and it won't ever be. We want to work with the Plone community and want to continue to innovate with Plone. It gives us a place to innovate. Performance is important for us, and we have integrations like CloudFlare for that. ElasticSearch indexes all your content, with an asynchronous implementation of the search API. We heavily use Redis, using it as a cache that is shared between clients or threads. ZRS (Zope Replication Services) to share the load over databases. A lot of ReactJS. z3c.unconfigure for some adapters. And sometimes just monkey patches if there is no better way.
Security: integrated two-factor authentication. Too many login attempts lock you out. The root Zope user can only log in at the root of Zope, not in Plone.
Adding content is done slightly differently, and everything is Mosaic. No display menu, no default pages. All videos are compiled to a web compatible format asynchronously when uploaded. We have a Map tile for OpenStreetMap. Focal point image tile, where you can indicate what the main focus point of an image is, which is then used during image cropping. Social media tiles. All tiles are integrated with patternslib. We have a preview for different screen sizes.
We have a plugin for ElasticSearch to let the search results order be impacted by Google Analytics and social media popularity, for anonymous users.
You can audit what users have been doing. You can log in as a different user. We have additional integrations with Google Analytics, archiving of content in S3, SMS support, Twitter. Recycle bin. Celery integration for asynchronous tasks like video conversion or pushing large files or moving lots of documents.
What is missing? Diazo (you could use it for theming, but we don't, and you don't need it for moving HTML content around), portlets and viewlets (just use tiles, also possibly inheriting from parent pages), default pages and display menu (we use Mosaic).
When stuff is not open sourced yet, bug me about it.
Roadmap: chat (rocketchat, ask Sam Fords about it), Mosaic enhancements, built-in A/B testing, continue to refine the UI, more rich tiles, in the long term use plone.server.
We use React because it is better for small parts of the page. If you create a whole app, Angular2 would be better I think. We can fight.
Alexander Loechel - Plone Security in Context
Talk by Alexander Loechel at the Plone Conference 2016 in Boston.
In Europe there is the CMS Garden project: combined marketing for open source CMSes. We are partners and learn from each other.
Is Plone secure? It depends. Core is pretty secure. But security of an installation is dependent upon maintenance: if you don't apply hotfixes, it is not secure.
You can look at the number of hacked sites, but security is a process, not a state. You may get a zero-day exploit today. Are you ready for it? Are there bugfix or hotfix release processes? How do you discover those?
OWASP has a top ten report on common vulnerabilities in web sites. Plone is handling them. [Edit: alternative link, as the main OWASP list is in a PDF, is from vpnmentor. Thanks to Paola Cherlan.]
Study from BSI 2013: the vulnerabilities in Plone are in the core, mostly not in the add-ons, which is different in other systems. So Plone actually protects the add-ons: you don't usually make a site insecure with an add-on. New BSI study this year, not yet published: the raw numbers may seem not so good for Plone, but there was only one really important issue, they were looking at the fresh Plone 5.0, and most problems have meanwhile been fixed.
For most of the other CMSes you need a lot of add-ons to come to functionality comparable to Plone, and that may be less secure: their add-ons have more problems. At my university I see hacks for WordPress and TYPO3 sites every week, for Plone: none.
Plone has a different focus. It is good for intranets, and is not only a CMS, but a portal engine. Security is built in, with RestrictedPython, AccessControl. There is no SQL database, which means you avoid a whole category of problems. We have generators for add-ons, giving a secure base for adding features, so you don't make beginner's faults.
Plone's market share is not so large, so large botnets will mostly ignore us. That does not mean we are more secure, but it does help in practice. But we are used by several high value targets, like the FBI, which will normally get attacked first. Zope/Plone users are usually more aware of security.
Permissions and workflow are a real strength in Zope and Plone. An institute like BSI will give Plone at most a medium security level. Not high security, because admins can see all information. If you really would want this, you could actually build it with workflow.
In PHP, data and code are mixed, also for add-ons. In Plone, code is on the filesystem, and you cannot change it.
Sanitised input. Warning: don't use the structure keyword to display unfiltered user input. We do automatic CSRF protection.
Plone does not enforce active bans of IP addresses, and security studies may complain about it missing out of the box, but you can simply use fail2ban in front of it. Use tools like that. And use good caching to avoid your site going down under an attack. There are ways outside of Plone, or any other CMS, that you can use.
The Joomla security team does a good job of communication, we could learn from that.
But other security teams often belong to one company. Often only bug fix releases, not security hotfixes. Bug fix releases may contain all kinds of small or large feature updates. Sometimes no security information is available, especially for add-ons, which is where most of the issues may be.
Never use a system 'as is'. Think about extra security you can apply in front of it. Spend fifteen minutes a day per system to maintain it.
If you have a strong security need, check out the Zope Replication Service to have a read-only front-end.
Audience: shameless promotion for Radio Free Asia. It is using Plone, and it is a constant target of attacks, and we have a clean record, no successful hacks.
Eric Steele - Integrating SQL Data into your Plone Site
Talk by Eric Steele at the Plone Conference 2016 in Boston.
It's nice to do a tech talk again, instead of always doing a keynote about the future of Plone. Sorry, I can't show you details, because I got laid off and there is a non-disclosure agreement.
SQLAlchemy allows you to talk to SQL databases in a Pythonic way, getting Python objects as results.
Martijn Faassen created Traject, combining routing and traversal. Izhar Firdaus wrote collective.trajectory to do this in Plone. We use this to traverse to SQLAlchemy objects, by registering functions. We hooked the results up to plone.app.contentlisting as well, so they show up correctly in listings, like the standard tabular view.
A trajectory example project: https://github.com/esteele/example.trajectory. It has add and edit forms which talk to the SQL database.
We had really a lot of tabular data, so it made sense to do this in SQL, not in a normal Plone portal type.