drupal to-do

Here’s a list, in order from my PNW Drupal Summit notes, of some things I’d like to do/learn/try:

answer 1 support request a day (in install support forum?).

make progress on one issue per day. (views or another module you know well) mark duplicate, answer support request, etc.

when you learn something new, document it as you go.

/contribute – places to jump in. but she prefers /community-initiatives. highlights things that are important.



try D7, possibly for the feedreader pet project

documentation patches, “novice” tag

look into D7 multigroup issues

themekey: re-read code of the alternate themes, also just try reinstalling at next update.

review ALL the tips in the server optimization notes.

try yslow

idea: create map/app of walking tour brochure. experiment with map of recreation facilities (see maps notes, also http://github.com/tylor/quickmaps)

create a personal/site issue queue: view ads ctr counting, quickrates loan issue, ecard

write blog post about drupal/enterprise and/or “year with drupal” (see JK keynote notes)

upgrade to webforms 3 [notes]; write bolt-on module to connect with campaign monitor. if ENA goes to Drupal use webform for membership signup.


try login_security

look at role_delegation for intranet?

“scrum” meetings in our department: what you did, what you will do, what’s blocking you – under 15 mins total meeting

features & context, for real this time.

web widget for rates?

open gardens


research tools that they would like to make

putting technological & non-tech people.

alphabet as organizing projects

alphabet garden: a real garden, someone who works for civic actions. blogging about the garden by letter, then starting over after Z, facilitating community storytelling – aha! give people prompts to get themselves going.

command line = chef knife (I would love to be able to take a command line 101 class)


she’s a museum person! background in explaining science – how can that be done with technology?

explaining memory links & garbage collection using bunnies. inspired by commoncraft videos

resource sharing technologies



fun games with git, “cubby holes” – “nobody wants to waste their time learning something useless”

human internet game – using real people to act out aspects of the internet. “what’s going on behind the beachball” (oh, freegeek chicago)

web-based irc – and using chat, skype, etc to talk about what was going on with irc.

chach is very enthusiastic, but this is a little drifty.

“spot-check” on individual learning projects.

jing – free cross-platform for making screencasts – free is 5 mins/200mb only, but that’s actually a plus, makes you condense. takes 1-2 hrs to make a really good 2-5 mins vid.

“lab hours”

she just jumped past the concept of “neutral space” – wonder what’s that about.

I wonder if we should have “scrum” meetings in our department: what you did, what you will do, what’s blocking you – under 15 mins total meeting.

to be honest, I think I got more out of the conversation we had hanging out in the lobby.

web widgets module – embed drupal content on another site – gives you a script to use on wordpress, etc, tho not facebook


about 50 people involved – 10 learners – plus mentors, etc. just about the right size for a single main teacher.

where from here:

she’s delightful but rambly!




evil robots, scripts.

wow, unfiltered xss put site in maint mode, changed password, locked out of site.

48% of security advisories for drupal are XSS (core & contrib)

[note to self for webform/campaign monitor integration: suggestion from prev presenter to create submodule based on webformphp]

71% of sites tested by whitehat have xss vulnerabilities.

a month of bugs…only 1 was really severe, about half were xss, more moderate.

changing the default input format. (done. actually, I think my default is a plain text version.) better formats module, which I’m using, and like a lot. html purifier module for use w/wysiwyg.

unsafe: script, object, embed, style, iframe, img (maybe: can be used as a vector for other attacks; don’t use for anon users) – but other tags can run into problems, whitelist is better.
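The note above says an allowlist ("whitelist") of tags beats a blocklist of known-bad ones. The following is an added example, not code from the talk or from any of the Drupal filter modules mentioned, of what such a filter looks like: it parses the HTML, keeps only tags and attributes on a constructed allowlist, drops everything else (keeping the text inside), and re-escapes all text and attribute values on output. The allowlist contents and the accepted URL schemes are assumptions for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tag -> attributes permitted on it. Anything absent is dropped.
# (Constructed for this example; a real site tunes it per input format and role.)
ALLOWED = {
    "p": set(), "br": set(), "em": set(), "strong": set(), "b": set(), "i": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}               # tags that never get a closing tag
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumed acceptable link schemes


def _safe_href(value):
    """Accept only relative links or links whose scheme is on the allowlist."""
    scheme = urlparse(value).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistFilter(HTMLParser):
    """Rebuilds markup from the parse events, emitting only allowed pieces."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open = []       # stack of allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return           # script, iframe, img, ...: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue     # e.g. onclick, style: not on the allowlist
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open:
            return           # stray or disallowed closing tag: ignore
        # Close back down to this tag so the output stays well-formed.
        while self.open:
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open:     # close anything the author left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return `html` reduced to the allowlisted tags/attributes, text escaped."""
    f = AllowlistFilter()
    f.feed(html)
    f.close()
    return f.result()


if __name__ == "__main__":
    # Constructed sample: a script tag and an event-handler attribute are dropped.
    sample = '<p>Hi <script>alert(1)</script><a href="http://example.com" onclick="x">link</a></p>'
    print(sanitize(sample))
```

Because the filter rebuilds the document from the parser's events rather than editing the input string, a tag that is not on the list simply never reaches the output, which is why adding a newly discovered dangerous tag to a blocklist is unnecessary here.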

dangerous permissions: administer… filters, users, permissions, content types, site configuration, views. “least privilege” side benefit: makes the interface much simpler for those users.

devel module – anon permission to execute php. (an actual live .edu site. jeez.) “I swear it was that way when I found it”

same criteria you’d use to evaluate the quality of a module can be used to evaluate security of the module. indirect & subjective, but a good starting place.

University of Pennsylvania “drupal approved modules” – staff who have audited the code, no guarantees, but has been reviewed.

coder module will give information about use of coding standards, another way of judging attention to detail. someone’s working on an add-on “secure code review”

xsrf – request forgery – anytime where visiting a page does something…potential flaw – if you see big crazy number (token) at the end, that’s good. (same sort of thing happens in ob.)
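The "big crazy number at the end" of a state-changing URL is a request-forgery token. As an added illustration (not the talk's code, and not Drupal's own drupal_get_token()/drupal_valid_token() implementation), here is the usual shape of such a token in Python: an HMAC over the user's session id, the action, and an issue time, checked in constant time and rejected when expired or when the session or action does not match. The secret, session ids and URL path are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed secret for the example; a real site loads this from protected config.
SITE_SECRET = b"example-site-secret-do-not-reuse"
MAX_AGE_SECONDS = 3600


def make_token(session_id, action, issued=None):
    """Token bound to one session and one action: '<issued>.<hmac-sha256>'."""
    issued = int(time.time() if issued is None else issued)
    message = f"{session_id}:{action}:{issued}".encode()
    mac = hmac.new(SITE_SECRET, message, hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def check_token(token, session_id, action, now=None, max_age=MAX_AGE_SECONDS):
    """True only if `token` was issued for this session+action and is not stale."""
    try:
        issued_str, _ = token.split(".", 1)
        issued = int(issued_str)
    except (AttributeError, ValueError):
        return False                      # malformed or missing token
    now = int(time.time() if now is None else now)
    if issued > now or now - issued > max_age:
        return False                      # from the future, or expired
    expected = make_token(session_id, action, issued)
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, token)


def handle_delete_request(query, session_id, now=None):
    """Simulated handler for a link like /node/5/delete?token=... (constructed path).

    A forged request (e.g. an <img> pointing at this URL on another site) carries
    no valid token for the victim's session, so it is refused with 403.
    """
    action = "node/5/delete"
    if not check_token(query.get("token", ""), session_id, action, now=now):
        return 403
    return 200


if __name__ == "__main__":
    session = "constructed-session-id"
    token = make_token(session, "node/5/delete")
    print("with token:", handle_delete_request({"token": token}, session))
    print("without token:", handle_delete_request({}, session))
```

The link that performs the action is generated with the token for the current session embedded in it; a page on another site cannot construct that value, so "visiting a page does something" stops being exploitable.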

test for access bypass, with a variety of roles and permissions: what features still work if logged out? a flaw in code may allow inappropriate access: node access control + filefield – private node files could still be accessed as if public.

securepages – oh, our apache config is already set up for that (redirect to ssl version) – but has some maintenance issues

password_policy or password_strength

role_delegation – moderator can give moderator access to others, w/out full admin users permission

video_filter – safe way to post youtube, etc. w/out allowing script. difference from mfield?

adminrole – which I’m using and really like. (I turn the admin user off most of the time.)

always test updates before going live. drush pm-update. all updates w/single command – time-saver! read the advisories: not all issues apply to everybody.

crackingdrupal.com, owasp.org

discussion of password security, expiration, enforcing strong passwords. greggles talked about false sense of security about strong passwords, better to work on detecting brute force attacks. (there’s a module for the latter, login_security)


webform 3

“now more abusable than ever!”

oh, he’s one of the using drupal co-authors. (get book signed? 🙂 )

pnwsummit coupon code thru next week. (might have to talk to matt abt that)

doesn’t use entities in D7 – database tables issue. nor fields (ie CCK)

trying to remember what my really weird webforms use-case was. chat survey?

was looking bleak about a year ago: more than 650 open issues, but all better now! scaled back the scope of webform 3. still lots of people on webform 2.

conditional fields! yay. “choose your own adventure”

save draft of form and resume later. (works for anon, but that disables caching for that user; interesting discussion of edge/use cases)

can have multiple webform-enabled content types

“basic” views support – eg, listing of submissions – but not yet listings of submitted data, patch has it working. (I think the latter is what I had trouble with, and had to write some custom php for.)

better data integrity, harder to break by end users. oh, like the problem with changing values of locations for holidays.

form builder integration did NOT happen, there’s a project – visual interface – too much work, but may include backwards (????)

lots of API stuff. include ability to create dynamic select lists.

was it webform that I wrote custom stuff for to talk to campaign monitor?

options moved to step 2, so as to not stuff everything into regular node form.

email config is in its own tab – who gets the email. includes template options for the actual email text. handy. template option not yet fully developed.

and then a separate tab for all those options.

(what about upgrading existing forms?)

CSV doesn’t support UTF-8? huh. nice: Excel format is just TSV with .xls extension. 🙂

separate receipt template for multiple recipients

mimemail module – can send html email & attachments. oh, so then webform can email attachments!

webform will automatically use date popup module if it’s turned on. lots of other modules that if you turn them on, more options automatically appear in webform.

page breaks. conditional logic. and conditional logic WITH page breaks. whee!

“select or other” module – that works too. (all this stuff is listed on the module page)

integration between pay module and webform – example of a donation form. very cool. way easier than doing something with ubercart.

ah, someone else who ran into “oh, hey, canada is a different country!” problem.

keynote – Josh Koenig

what’s up with the “losing your hair” theme?

the theme also of “playing together”

graph of technology adoption.

“the enterprise” – long terms, have tech staff, have existing tech that they’re committed to keeping. risk-averse. concerned with downtime, bugs, security. and all the enterprise sites he just showed are all drupal.

case study, but can’t tell some specifics…including the name of the company. 22 content types, 16 modules, etc., etc. (we have 29 content types, altho a couple aren’t actually used.)

have a plan! (imagine that.) views, blocks, menus, etc. – being consistent with what to use where. pick naming conventions, do it consistently. (damn straight.) export as much as possible – features, core exportables. config in code, which gets into maintainability. have to use version control. hudson/selenium (testing tools? lost track for a sec) aegir, drush. need to figure out drush.

“make the robots do the f’ng work” using code instead of ui.

scaling. no longer a crazy unknown thing.

project mgmt, biggest challenge.

able to fund drupal improvements via enterprise client. panels inplace editor. interesting. hmmmm. (actually, that’s EXACTLY what C has been talking about wanting to do with a site.)

hurdles: sales, and interestingly acquia is helping with this because they have a sales staff; scope creep, esp because may not know what’s easy & what’s hard; multiple stakeholders, don’t know who’s the boss, dealing with issues that have nothing to do with you/the project. Platform requirements, moving outside your comfort zone, esp mentions MS issues. “The Pager” – uptime requirements, someone avail as emergency contact.

“this is already a big thing for them” minimize other newness.

human challenges > technical challenges. (all problems are social.)

tool: hudson, automated testing (java), selenium for browsing testing, coder.module. (also goes with one of my other pet theories: let the computers do the part they’re good at.)

aegirproject.org – automated building.

his new thing: pantheon, platform, high performance, best practice git – “trying to build the robots” http://getpantheon.com/ (I’m wondering if I should use something like this or Drupal Gardens to build out my test intranet. Way easier than what I’ve been trying to do!)

I think I have a blog post in me about this stuff, being in a (smallish) enterprise.

warning about only talking to the people that you know “uid ain’t nothin’ but a number” – most intelligent creative people may have just walked into the room; continue to be welcoming.

bring our ideals into the enterprise.

oh, or I might do a post about a year with Drupal. (not unlike my “year with Xtracycle” post!)


“going to agile is as big a change as going with drupal” – “do one new thing at a time on a project” – but doing agile (or whatever) internally, with him as the interface with the customer in their process.


affinity bridge

more open data! how to make maps beautiful. (neat)

dude is reading his f’ng slides. boo. tuning out a bit. this is the part I know: what is open data, why is it awesome. localized, yay! ah, cross-mention w/ckan & datadotgc.ca project. disadvantages: privacy concerns, cost. (random thought: he looks like the kid from Arrested Development, esp with the askew tie. [updated: he was in the big dinner gang on Sunday, sat across from me. Really nice guy.])

map in 10 minutes: drinking fountains data, csv file. create content type: location, add fields: lat/long. choosing just a text field for simplicity. wouldn’t want to do with a large database, tho. set up gmap, api, bigger size, autozoom. using node import to bring in csv file. create view. interesting: using gmap view w/out using location module. 7 minutes flat. snazzy. (oh, this is the one mentioned in this morning’s presentation)

in 2 minutes: with install profile!

storage: cck, geo module, location (can be heavy), geotaxonomy – adds fields to a taxonomy term: tag content with a city and then pull lat/long from elsewhere, openlayers wkt. (“well-known text”?)

display: google maps, openlayers. (have wanted to play with openlayers. I wonder if it would be usable w/out security issue on branches page)

overlays/markers: heatmaps for non-point data?

tilesets: google, bing, mapbox, open street map. or generate your own! holy mackerel. big list. quantum gis – widely used open source mapping tool. mapnik. cascadenik a bit like css for ??? – missed something here.

ah, got distracted.

sleepy. dammit.

now I want data to play with! data.gov to try thing? (start w/http://www.data.gov/raw/1517?) github.com/tylor/quickmaps

got distracted looking at data. 🙂

oh, hey: http://data.wa.gov/

geocode module for taking db of address and translating to lat/long.

shape files are input to quantum gis. hard to interact w/shape file polygons? not 100% sure I understood that. polygons are a heavy server load?

server optimization

“because I have crashed servers that weren’t optimized” indeed.

suggestion from Adam (at lunch) to look at the actual theme(s) that were used with themekey, see if those have any squirrelly sql-type stuff in them. (also, I wonder about the recent memory upgrade. maybe I should just *try* it and see what happens.)

shared hosting (ie this site), virtual private server (no personal experience), dedicated server (ie, work)

apache: RAM hog. 20mb+ usage? list of items: keepalivetimeout – time waiting to kill process. 1-3 seconds for drupal. maxclients – simultaneous connections. maxrequestsperchild – don’t want to force unnec restarts. no caching for authenticated users! big issue for an intranet. advanced caching module? static & dynamic content on different apache servers. intriguing. image sprites may be more useful than zlib. ramdisk for most commonly used files. memcached daemon. loadmodule.conf file, remove unused (apache) modules.

mysql – pick good option file. my-huge.conf. log slow queries. (set for abt 5 secs) need to fix all to get improved performance. query caching, in config file for mysql, 124mb (?). innodb tables, supposed to be good for writing a lot.

php – php cache option, accelerators (like Zend, APC) apc apparently to become standard w/php6. 2 config options in php.ini: max_execution_time (30 secs, but test!), memory_limit, usually turns to 124/148mb.

load testing. ab = apache benchmark. ab -n 50 -c 2 http://example.com gives a command-line report.

performance monitoring – uptime, free -m. if all memory is in swap, you don’t have enough ram.

top -d: how to see what processes are using how much.

vmstat: input/output speed.

wtf is this app, for performance monitoring? nagios? yes: http://www.nagios.org/

based on a question: nginx – for the static stuff, then apache only does the dynamic. or I think I hear someone saying they use it for the whole thing instead of apache.

what’s causing overload, apachetop or top to see what process. apachetop sounds really useful. also a mysqltop. cacti.

better to use performance-related modules or do stuff on the server? getting a balance between overcaching & undercaching. don’t want to double-compress.

reduce css calls. I’ve got to dig back into that.

gtmetrics (gpmetrics?)

far-future expiration headers. yslow was really helpful, and almost all front-end.

pressflow – install profile? fork. http://pressflow.org/

d7 overview

came in late.

performance improvements.

not really taking great notes, but some interesting stuff nonetheless.

Xmas-time release? http://drupal7releasedate.com/

sprint tonite at century plaza hotel lobby.

download, install, test, report bugs. (could I do that w/my pet project? well, there’s a feeds alpha.)

I should make a spreadsheet like the one I did when I was looking towards moving work site to Drupal, waiting for D6 as an option, since it was SO much better.

contextual links module? [update: oh, a lot like the links in the zen theme. but nicer looking.]

documentation patches that need work. o hey. 🙂 “novice” tag.

shouldn’t be any big changes, esp between D7-beta & final.

naming standards for CSS/class names?

they need more themers. ah, that too is something I could look at. (again, the pet project.) theming guide is a critical issue.

sounds like multigroup is solid, altho no gui? would be curious to look into that more, because multigroup is a critical aspect of our site.

open gov data

ok, let’s see how long the battery lasts

not enough milk in my tea, and I steeped too long.

philosophy of open data.

okfn.org – open knowledge foundation.

comprehensive knowledge archive network (ckan)

microsoft open govt data initiative (ogdi), incl a tool


cataloging system, open source, written in python. json-based api. ckan.net

(thinking dorothea would be all over this…or who knows: could give her own version?)

dead battery was dead. I have some paper notes, which hopefully I’ll be able to transcribe later.

paper notes:

showing ckan app, anyone can add data (oly police report, for example?)

URL munging gets JSON data.

ckan & ogdi wouldn’t play together -> drupal in the middle, using ckan api – used drupal because open source, modules, theming, also: tool they knew.

practicalweb.co.uk, made tool to connect ckan & drupal

ogdi: also repository (am kinda confused, could use a graphic)

fun w/small resolutions

I want more detail!


ckan module, caching [I seem to remember some really interesting things in the use of caching]

datatables.net (jquery)

data isn’t in drupal db at all, except as cache. and except ministry list.

themes used instead of views. curious.

I’m still really confused.

oh, if the ckan item also exists as ogdi, then use ogdi for data.

interesting data use example: stumble safely, vantrash, water (tyler sherman)


follow-up thoughts: interesting stuff presented in a way that didn’t click very well for me. I think it would have benefited from fewer screenshots and more conceptual diagrams/charts.

keynote – Angela Byron

waking up, sorta.

saving just because.

wishing I’d spent some more time looking up what to do around here.

webchick! (ie, Angela Byron)

(would it be totally dorky to have her sign the book?)

community makes the project. community > technology. (which fits with one of my pet theories.) just shy of a million users on drupal.org?

OMG super qte cat figs!

Do-ocracy – illustrated with the Rosie the Riveter graphic. no one being paid to care about core, or most modules. wtf is that flow chart?

she was a serious f’ng geek – debian (?) linux on 7 floppy disks? “was that guy” re evangelizing free software, starting in 1995 – but didn’t contribute to anything until 2005.

doesn’t want that to be anybody else’s story.

1. see something & say “that’s dumb”

2. I want to see that fixed

3. can do something about it. – but NOT just code! even includes a well-written bug support. “rate of swear words per minute” (as a usability measure?!)

don’t have to be einstein, lots of “everyone else” – wisdom of crowds.

gina the genius story. but NO. edwina the end user, filing a bug report. (well, in that case I guess I HAVE contributed) and paula the programmer, tatiana the tester, saying WTF? and iterative cycle. Wendy stuck on Windows XP. 🙂 “also, mind your spelling” and so on and so forth.

what is contribution? ginormous list! (issue queue farming?)

the myth of “they” – “there is no cabal” (ala MeFi!)

pie chart that’s basically just one thing: downloaded software. 0.05% registered AND did something with their account.

“you and your fancy ways”

answer 1 support request a day. 12000+ people who can’t figure out how to install drupal!

make progress on one issue per day. (views or another module you know well) mark duplicate, answer support request, etc.

when you learn something new, document it as you go. (which sometimes I do for myself!) ah, the curse of knowledge!

“I’m going to tell that you’re using WP” (guy next to me) 🙂


secret to drupal success: being part of the 0.05%. gives others more incentive to help you, not “newb” but time management thing. learn faster, and save time/money. (more of the networking thing) get more business, attract better people. (WIIFM) keep yr finger on the pulse of drupal, and gives you stronger voice in project.

/contribute – places to jump in. but she prefers /community-initiatives. highlights things that are important.

seek out doers in the areas you’re interested in.

don’t wait for approval.

use the issue queue. (I think I’ve mentioned on twitter that I’m amused by having a bookmark labeled “my issues” – oh, hey, that feeds issue is fixed, isn’t it?)

irc. the people side of things. if it’s got to do w/actual issue, make sure it gets back in the queue!

oh, there’s another irc #drupal-pnw.

trade caring about other people’s patches. 🙂

awesome asshat graphic. a lot about giving people slack and providing guidance. tells the perfectionist pete vs sloppy sam story. which tho I’ve heard it before, but it’s worth repeating to myself, as I have a tendency to go off into a corner by myself.

(saving out of nervousness)

so nobody likes cvs. migrating to git. (I’ve been trying to figure out how the hell revision control works for years now.) “jangly things” multiple copies of the repository, easier to rename files. “break things w/out actually breaking things” “I keep saying I’m going to fix forums, and it never happens” exportable configurations. “butler” refactor something (some jerk w/phone talked over part of that)

I’m pretty excited now, actually.

5 things excited about in D7: image handling in core; usability improvements; automated testing framework; cck in core – fields can be added to anything, not just nodes; under-the-hood improvements for themers (actually, that sounds DELIGHTFUL). “it’s all great!”