Thursday, March 22, 2007

Open Source CMS Summit 2007, Day 1, Part 1

Got up early this morning, and Scott took me over to Yahoo!'s Sunnyvale campus for the conference (Yahoo! was generous enough to sponsor the entire event). They (meaning Initsoft and Bryght) had some nice rolls and danishes and drinks for us while we were arriving and signing in, and then we had the keynote presentation: Performance and Security by Rasmus Lerdorf, the original developer of PHP. His talk was especially interesting and eye-opening for me; I wasn't aware of the existence of cross-site scripting and cross-site request forgery, let alone how easy they are to pull off! Puma should try to include more protection against these, and we should especially use tokens! He also told us about PHP 5.2's default filter, which can protect against many of these types of attacks, and said that we should avoid recreating its functionality (because 1. it's a duplication of work; 2. the PHP folks have already spent a lot of time making it really, really good; and 3. it takes care of cases one might otherwise miss). Some interesting notes: not even PHP's 'HOST' variable is safe to use, since it can be spoofed; IE6 executes JavaScript in img tags!; JavaScript treats entities (e.g., ') as the raw characters; Apache sends data to the first vhost if it can't find the requested vhost!; PDF plugins can easily be used to do nasty things to the client's computer, so if you must serve PDFs, serve them as application/octet-stream... yes, even local PDFs can be trouble!
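To make the two takeaways from the keynote concrete (a per-session CSRF token checked on every form post, and PHP's filter extension used instead of hand-rolled validation), here is an added example of my own, not code from the post, from Rasmus's talk or from PumaCMS. The function names, form field names and the PHP 7+ calls (random_bytes, hash_equals) are my assumptions.

```php
<?php
// Added example: CSRF token handling plus PHP's filter extension (PHP >= 5.2),
// so that the application does not re-implement input validation itself.
declare(strict_types=1);

session_start();

// Issue one secret token per session; it is embedded in every form we render.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // PHP >= 7.0
    }
    return $_SESSION['csrf_token'];
}

// A request forged from another site cannot read our session token, so it
// cannot supply a matching value and fails this check.
function csrf_valid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted); // constant-time compare
}

// Validate the posted fields with the filter extension rather than custom regexes.
// Returns null when the request must be rejected.
function read_comment_form(): ?array
{
    if (!csrf_valid(filter_input(INPUT_POST, 'csrf_token', FILTER_DEFAULT))) {
        return null;
    }
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); // false if invalid
    $url   = filter_input(INPUT_POST, 'homepage', FILTER_VALIDATE_URL); // false if invalid
    $body  = filter_input(INPUT_POST, 'body', FILTER_DEFAULT);          // null if missing
    if (!is_string($email) || !is_string($body)) {
        return null;
    }
    return ['email' => $email, 'homepage' => $url ?: null, 'body' => $body];
}

// On output, escape everything so stored text is never interpreted as markup
// or script (the XSS half of the problem).
function render_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="email"><input name="homepage">'
         . '<textarea name="body"></textarea><button>Post</button></form>';
}
```

Stored comment text must still be passed through htmlspecialchars when it is displayed; the filter calls above validate input, they do not make it safe to print.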

Rasmus also gave a brief demo of how to improve the performance of scripts using profilers, specifically Valgrind, Xdebug and KCachegrind (a visualization tool). I haven't yet found a video of this talk, but hopefully there will be one soon.

Next, I attended "OpenID: In Drupal Core and your CMS too" (Google video of the presentation), presented by James "walkah" Walker of Bryght. The first part of the presentation centered around identity: what it is in the physical world, how it has changed, and what it is in the digital world. In the physical world, some authority issues what James called "modern identity," that is, identity that's not dependent on actual social interaction for validity. For example, the government of a nation or state may issue some kind of identity marker, such as a driver's license or a passport, that tells people who you are. They don't (necessarily) have to trust that you're who your ID says you are, just the issuing authority (leaving aside issues of forgery for the moment). The goal of OpenID is to allow a similar situation in the digital world, effectively "identity 2.0": someone issues you an identity marker, which you then use as you go from site to site, so that you don't have to re-establish your identity (such as your name, email address, etc.) at each one. This is, in many ways, very similar to Microsoft's Passport. However, as OpenID notes on its site, it aims to be an "open, decentralized, free framework for user-centric digital identity", meaning that no one person or group controls OpenID. If you want to be your own identity authority, for example, then you can. Or you can use an already established provider, or more than one if you like (donning different identities for different genres of sites). Many sites already use OpenID, including LiveJournal. Go ahead and take a look at the OpenID site; it's a very interesting and exciting project, and I think that, while PumaCMS doesn't need OpenID very much, Traces could benefit greatly.

The next session I attended was the least interesting one of the day: "Taming the Beast: CMS Integration on the Desktop with CIFS, Office, Dreamweaver and anything else," presented by Paul Holmes-Higgin of Alfresco. Alfresco is a GPL'd "enterprise content management system", which means that, whereas Drupal, Joomla! and PumaCMS are focused almost entirely on HTML documents, Alfresco is focused on the internal document flow of corporations, aiming specifically at providing a desktop-based user experience. While the ideas involved in such a venture are interesting and important, the talk felt more like an extended advertisement for Alfresco. From the title, I was expecting a more in-depth discussion, but perhaps there just wasn't enough time.

Anyway, after that, it was lunch time, which means part 1 of this post is over!