Thinking as a non-developer..... I will start with one comment. I am not a developer. After over two years of Drupal use, I still do not know PHP. Despite this, I still have figured out how to run TortoiseCVS and have local CVS copies of 4.6, 4.7 and the CVS branches of Drupal from the instructions in the handbook.

The policy for current and one previous version was established last year and I, a non-developer, was asked for my input on it. It is documented in the handbook on (http://drupal.org/node/27362) "Drupal version numbers or which version you should use" and the last line "Supported versions for security patches and availability for download are the current stable release and one version previous."

4.5 is insecure. It is not responsible to provide easy download of 4.5 Drupal core that exposes people from the start to known exploited security vulnerabilities. Microsoft has taken a lot of heat and a serious publicity beating on security issues and I do not wish us to ever do so. Drupal is known as a fairly secure application but we've had some recent issues which have generated a good response to build and develop better conscious security practices. Instituted a security mail list and notifications. Added signup recommendations to the Best Practices section.

As a 'not developer' I rely on others to maintain secure code. I am not a vendor I admit, but I directly maintain 14 sites and support 5 friends who maintain 10-15 additional sites. These sites are a mix of 4.6 and 4.7 latest releases. I send them notes and help them with upgrades because they are my friends but they are also my customers. I learn from them neat things I would not otherwise do with Drupal and theming and they get a really neat CMS that their peers are using and help me in areas where their skills are better than mine.
In my view, given the pain and suffering of people who did not and do not upgrade due to security issues, it is irresponsible to make such vulnerable releases easily available. It does an incredible disservice to both the people still running insecure sites and the Drupal community at large. If I recall, part of the reason for this decision originally was such a public exploit. Spreadfirefox was running an old unpatched codebase. We had to deal with the fallout from that for several months and we had provided many notices to many people. This is the worst possible publicity. I understand people want to run discontinued products, but I also understand people's desire to make bad decisions and do not want to help enable them.... In this case it is a very bad idea.

On a personal level, some parts of a company I worked for refused to update their systems to account for vulnerabilities. One day, a virus came in. It cost the company a million dollars in people's time, support, and lost business. I went into work at 7am and ended up going home at 2:30am while my co-workers stayed until 8am when I and a few others came back to continue cleaning things up. 1,000 people could not work productively for an entire day due to this and had to work the following two Saturdays to catch up and some systems took 2-3 more days to fully secure and restore. An expensive lesson. One which resulted in management taking the support team's recommendation that has a hard timeline for testing and applying patches and a documented process for exceptions and timelines that those exceptions must be resolved in.

It should not be convenient for people to get insecure product... Ever! There should be an effort involved. As an IT support professional who has had to help deal with and clean up the cost of breaches in security, salvaging data/systems and the loss of work hours and data that it entails, I am 100% against exposing people to this risk easily.
I do not wish to see more forum posts from people who have been hacked and lost their data. I wrote the start of the best practices to help people deal with and avoid this and the number of people who have had problems has been reduced in the forums significantly because we promote this information.

How about this: a front page announcement reminding people of this policy? I will try and get time to write a more step-by-step TortoiseCVS page on downloading branches of the CVS but my wife is pregnant and not well so no guarantees on how soon with some other commitments.

-sepeck
-----Original Message-----
From: development-bounces@drupal.org [mailto:development-bounces@drupal.org] On Behalf Of blogdiva@culturekitchen.com
Sent: Saturday, May 27, 2006 10:24 AM
To: development@drupal.org
Cc: blogdiva@culturekitchen.com
Subject: Re: [infrastructure] Re: [development] Drupal 4.5 unsupported
Ber, Morbus and all,
Would you consider stepping back a moment and thinking as a non-developer? This is the kind of decision that ought to fall on the shoulders of a user-relations team and not developers.
I worked at Colgate-Palmolive as the tech and communications writer for their Consumer Affairs department. Colgate-Palmolive is the largest manufacturer of toothpaste in the world, among many other products. They produce everything from dentistry pharmaceuticals to dog food.
For four years I wrote the manual on how to handle all sorts of inquiries, complaints and suggestions coming from consumers. My job was to write human-readable instructions and communications guides for our Consumer Affairs representatives. I was dead against scripts because they show a lack of training and understanding of the products and consumers; and at that time my bosses agreed.
Knowledge of all products, past and present, was a part of the training for our reps. I was instrumental in making that happen in the least of techie ways given that this was BEFORE the internet was used by major companies for doing business (1994). I mean, the system I was using was written in a pre-WYSIWYG DOS system. So you can imagine how "cutting edge" and scary for non-techie people that must have been. My job was twofold: I had to help transition consumer-to-company communications from an analog system of communications to this new digital system while also transitioning and streamlining the internal communications of all departments affected by consumers (Legal, Marketing, Sales, R&D).
One of the biggest percentages of communications was on discontinued products. People would always call or write about products the company had stopped manufacturing for years. Loyal consumers sensing the disappearance of the product would stock up on it. CP spent a lot of time and effort on these particular people. Why? Because if consumers were bound to look for that product high and low it meant they were loyal consumers. The challenge for the company was to transition those consumers to newer products and keep them as word-of-mouth evangelizers.
One of the most frustrating aspects of working with Drupal is the lack of forethought on word-of-mouth evangelizing and user loyalty that goes in the development, implementation and the dissemination of the product --and yes, I am calling Drupal a product because that is what it is.
Given that you have an open source product it is a mystery to me why you have decided to disappear from your site the history of the product's development. This is a huge loss for future developers who come to the site looking to learn more about the product. If it were up to me, I'd curate a whole section on the development of Drupal. I'd keep each release for historical documentation and, if possible, annotate it with some commentary not just from developers but particularly from loyal users of Drupal.
A product's success does not lie just on its design or development. A product's success lies on its word-of-mouth reputation among users. Word-of-mouth is what makes or breaks products and it's why most of the shittiest products succeed. Toys like "Pet Rock" to celebrities like "Paris Hilton" make it all by the grace of their word-of-mouth god. It's not fair but it's what happens in the real world.
Back to Ber and Morbus and most of the developers of Drupal: I just think that as developers, your way of thinking works best with code. I honestly do not know what it is about this group of developers but you definitely think and work differently than developers in the Movabletype, TextPattern and WordPress development groups. For me, as someone who has been 'looking from the outside in', in all these groups, it's really interesting to see how differently coders work from one product to another ---and it proves software development is a very personal and subjective process; even when done by a group of people.
You have a good product and a growing base of non-developers eager to use it. Open archival access to your past success needs to be an important part of how you engage the people who use Drupal. It should be integral to your documentation, which gets better with each passing day.
You still need people who are part of core who deal solely with community/user/consumer issues and think about these things. You need more than one person so that developers don't get the opportunity to gang up against him/her (as in the Dilbert effect). Which is why these people need to be regarded as part of the core group of developers.
Yes, I do have to agree with the common belief that it's rare to find developers who understand the nuances of community/consumer affairs. They are out there, and you do have some right here within your ranks. But as development groups go, you have to decide that dealing with the community is just as important as dealing with the code. And more importantly, you need to decide on a process for how to go about that, even if it means developers won't be part of that decision making.
Which is why I insist: give away those decisions to people who can do that person-to-person heavy lifting. It will make Drupal.org an infinitely better experience.
Best,
l i z a sabater
www.lizasabater.com
AIM - cultkitdiva
SKYPE - lizasabater
TEL - 646.552.7365
On 27.May.2006, at 11:36, Khalid B wrote:
> On 5/27/06, Morbus Iff <morbus@disobey.com> wrote:
> > Why do you need to remove this stuff? There are those who like I have
> Leaving it up is, to some, an admission of *support*.

Lisa

Also, remember that 4.5 is not patched for the latest exploits, so it is very dangerous to continue to run with that, regardless of whether it is supported or not ...