answer 1 support request a day (in install support forum?).

make progress on one issue per day. (views or another module you know well) mark duplicate, answer support request, etc.

when you learn something new, document it as you go.

/contribute – places to jump in. but she prefers /community-initiatives. highlights things that are important.

irc

git

try D7, possibly for the feedreader pet project

documentation patches, “novice” tag

look into D7 multigroup issues

themekey: re-read code of the alternate themes, also just try reinstalling at next update.

review ALL the tips in the server optimization notes.

try yslow

idea: create map/app of walking tour brochure. experiment with map of recreation facilities (see maps notes, also http://github.com/tylor/quickmaps)

create a personal/site issue queue: view ads ctr counting, quickrates loan issue, ecard

write blog post about drupal/enterprise and/or “year with drupal” (see JK keynote notes)

upgrade to webforms 3 [notes]; write bolt-on module to connect with campaign monitor. if ENA goes to Drupal use webform for membership signup.

drush.

try login_security

look at role_delegation for intranet?

“scrum” meetings in our department: what you did, what you will do, what’s blocking you – under 15 mins total meeting

features & context, for real this time.

web widget for rates?

missed a chunk for a phone call.

I’m still really intrigued by deploy, generally speaking.

important to note that there’s a bunch of stuff that needs to be turned on in the live site.

sessionid authentication: how does it work?

[I REALLY need to move the awards section to a totally different site. For reals.]

have to manage site title by hand after deploying. so would it be most appropriate to run during the OMG EARLY updates? not so great for regular content updates. hm.

[to go on the to-do list, for the 987th time: drush.]

what? cck fields can be difficult? o.O wondering what 3rd party modules are problematic.

what’s left to do for deploy to get out of dev? well, he does want to get it done before leaving for sweden, so that’s something.

seen in irc: “You could set the $site_name in the settings.php file in the $conf array”

no cck3 support, does that also mean existing multigroups? (multigroups are a BFD for me.)

oh, am I remembering correctly that services requires PHP5.2? hrm.

argh, all this is way too distracting! not just the webinar window & audio, but IRC, the usual distractions of the web, and the usual noises of the office.

ah, of course PHP’s implementation of uuid isn’t actually standard. :\

and zooooom, went over my head. I’ve got lots of other things on my list, I think deploy will, alas, have to continue to wait.

research tools that they would like to make

putting technological & non-tech people.

alphabet as organizing projects

alphabet garden: a real garden, someone who works for civic actions. blogging about the garden by letter, then starting over after Z, facilitating community storytelling – aha! give people prompts to get themselves going.

command line = chef knife (I would love to be able to take a command line 101 class)

codelandstorytimecollective.org

she’s a museum person! background in explaining science – how can that be done with technology?

explaining memory links & garbage collection using bunnies. inspired by commoncraft videos

resource sharing technologies

mapping!

vozmob

fun games with git, “cubby holes” – “nobody wants to waste their time learning something useless”

human internet game – using real people to act out aspects of the internet. “what’s going on behind the beachball” (oh, freegeek chicago)

web-based irc – and using chat, skype, etc to talk about what was going on with irc.

chach is very enthusiastic, but this is a little drifty.

“spot-check” on individual learning projects.

jing – free cross-platform for making screencasts – free is 5 mins/200mb only, but that’s actually a plus, makes you condense. takes 1-2 hrs to make a really good 2-5 mins vid.

“lab hours”

she just jumped past the concept of “neutral space” – wonder what’s that about.

I wonder if we should have “scrum” meetings in our department: what you did, what you will do, what’s blocking you – under 15 mins total meeting.

to be honest, I think I got more out of the conversation we had hanging out in the lobby.

web widgets module – embed drupal content on another site – gives you a script to use on wordpress, etc, tho not facebook

http://garden.localbiology.org/

about 50 people involved – 10 learners – plus mentors, etc. just about the right size for a single main teacher.

where from here:

she’s delightful but rambly!

http://www.drumbeat.org/festival

http://github.com/chachasikes/opengarden

wow, unfiltered xss put site in maint mode, changed password, locked out of site.

48% of security advisories for drupal are XSS (core & contrib)

[note to self for webform/campaign monitor integration: suggestion from prev presenter to create submodule based on webformphp]

71% of sites tested by whitehat have xss vulnerabilities.

a month of bugs…only 1 was really severe, about half were xss, more moderate.

changing the default input format. (done. actually, I think my default is a plain text version.) better formats module, which I’m using, and like a lot. html purifier module for use w/wysiwyg.

unsafe: script, object, embed, style, iframe, img (maybe: can be used as a vector for other attacks; don’t use for anon users) – but other tags can run into problems, whitelist is better.

dangerous permissions: administer… filters, users, permissions, content types, site configuration, views. “least privilege” side benefit: makes the interface much simpler for those users.

devel module – anon permission to execute php. (an actual live .edu site. jeez.) “I swear it was that way when I found it”

same criteria you’d use to evaluate the quality of a module can be used to evaluate security of the module. indirect & subjective, but a good starting place.

University of Pennsylvania “drupal approved modules” – staff who have audited the code, no guarantees, but has been reviewed.

coder module will give information about use of coding standards, another way of judging attention to detail. someone’s working on an add-on “secure code review”

xsrf – request forgery – anytime where visiting a page does something…potential flaw – if you see big crazy number (token) at the end, that’s good. (same sort of thing happens in ob.)

test for access bypass, with a variety of roles and permissions: what features still work if logged out? a flaw in code may allow inappropriate access: node access control + filefield – private node files could still be accessed as if public.

securepages – oh, our apache config is already set up for that (redirect to ssl version) – but has some maintenance issues

password_policy or password_strength

role_delegation – moderator can give moderator access to others, w/out full admin users permission

video_filter – safe way to post youtube, etc. w/out allowing script. difference from mfield?

adminrole – which I’m using and really like. (I turn the admin user off most of the time.)

always test updates before going live. drush pm-update. all updates w/single command – time-saver! read the advisories: not all issues apply to everybody.

crackingdrupal.com, owasp.org

discussion of password security, expiration, enforcing strong passwords. greggles talked about false sense of security about strong passwords, better to work on detecting brute force attacks. (there’s a module for the latter, login_security)

“now more abusable than ever!”

oh, he’s one of the using drupal co-authors. (get book signed? )

pnwsummit coupon code thru next week. (might have to talk to matt abt that)

doesn’t use entities in D7 – database tables issue. nor fields (ie CCK)

trying to remember what my really weird webforms use-case was. chat survey?

was looking bleak about a year ago: more than 650 open issues, but all better now! scaled back the scope of webform 3. still lots of people on webform 2.

conditional fields! yay. “choose your own adventure”

save draft of form and resume later. (works for anon, but that disables caching for that user; interesting discussion of edge/use cases)

can multiple have webform-enabled content types

“basic” views support – eg, listing of submissions – but not yet listings of submitted data, patch has it working. (I think the latter is what I had trouble with, and had to write some custom php for.)

better data integrity, harder to break by end users. oh, like the problem with changing values of locations for holidays.

form builder integration did NOT happen, there’s a project – visual interface – too much work, but may include backwards (????)

lots of API stuff. include ability to create dynamic select lists.

was it webform that I wrote custom stuff for to talk to campaign monitor?

options moved to step 2, so as to not stuff everything into regular node form.

email config is in its own tab – who gets the email. includes template options for the actual email text. handy. template option not yet fully developed.

and then a separate tab for all those options.

(what about upgrading existing forms?)

CSV doesn’t support UTF-8? huh. nice: Excel format is just TSV with .xls extension.

separate receipt template for multiple recipients

mimemail module – can send html email & attachments. oh, so then webform can email attachments!

webform will automatically use date popup module if it’s turned on. lots of other modules that if you turn them on, more options automatically appear in webform.

page breaks. conditional logic. and conditional logic WITH page breaks. whee!

“select or other” module – that works too. (all this stuff is listed on the module page)

integration between pay module and webform – example of a donation form. very cool. way easier than doing something with ubercart.

ah, someone else who ran into “oh, hey, canada is a different country!” problem.

the theme also of “playing together”

graph of technology adoption.

“the enterprise” – long terms, have tech staff, have existing tech that they’re committed to keeping. risk-averse. concerned with downtime, bugs, security. and all the enterprise sites he just showed are all drupal.

case study, but can’t tell some specifics…including the name of the company. 22 content types, 16 modules, etc., etc. (we have 29 content types, altho a couple aren’t actually used.)

have a plan! (imagine that.) views, blocks, menus, etc. – being consistent with what to use where. pick naming conventions, do it consistently. (damn straight.) export as much as possible – features, core exportables. config in code, which gets into maintainability. have to use version control. hudson/selenium (testing tools? lost track for a sec) aegir, drush. need to figure out drush.

“make the robots do the f’ng work” using code instead of ui.

scaling. no longer a crazy unknown thing.

project mgmt, biggest challenge.

able to fund drupal improvements via enterprise client. panels inplace editor. interesting. hmmmm. (actually, that’s EXACTLY what C has been talking about wanting to do with a site.)

hurdles: sales, and interestingly acquia is helping with this because they have a sales staff; scope creep, esp because may not know what’s easy & what’s hard; multiple stakeholders, don’t know who’s the boss, dealing with issues that have nothing to do with you/the project. Platform requirements, moving outside your comfort zone, esp mentions MS issues. “The Pager” – uptime requirements, someone avail as emergency contact.

“this is already a big thing for them” minimize other newness.

human challenges > technical challenges. (all problems are social.)

tool: hudson, automated testing (java), selenium for browsing testing, coder.module. (also goes with one of my other pet theories: let the computers do the part they’re good at.)

aegirproject.org – automated building.

his new thing: pantheon, platform, high performance, best practice git – “trying to build the robots” http://getpantheon.com/ (I’m wondering if I should use something like this or Drupal Gardens to build out my test intranet. Way easier than what I’ve been trying to do!)

I think I have a blog post in me about this stuff, being in a (smallish) enterprise.

warning about only talking to the people that you know “uid ain’t nothin’ but a number” – most intelligent creative people may have just walked into the room; continue to be welcoming.

bring our ideals into the enterprise.

oh, or I might do a post about a year with Drupal. (not unlike my “year with Xtracycle” post!)

Q&A

“going to agile is as big a change as going with drupal” – “do one new thing at a time on a project” – but doing agile (or whatever) internally, with him as the interface with the customer in their process.