Drupal Camp Austin 2010 - Day 2
The line-up for today:
- Introduction to Drupal Security
- This code stinks!
- Project management using hybrid agile development
- Profiling Drupal with XHProf (or: Identifying the suck)
- Packaging up Drupal: How distributions, features, and apps save you money and time
- The migration migraine: Drupal migration strategies
- Closing Remarks
Introduction to Drupal Security
10:50am - Greg Knaddison from Acquia talked about a few of the vulnerabilities that a Drupal site admin might have to deal with while running or maintaining a site. By far the worst offender is XSS, and there were definitely some scary demonstrations of how easily a hacker, starting as an anonymous user, could delete content from a site whose code followed bad coding practices. Some of the points he covered:
- XSS is the most reported vulnerability on Drupal sites
- One of the best ways to keep a Drupal site secure is to keep it up-to-date
- There are modules which can help: Security Review module and the Update module
- Make backups and test them
- Some good resources:
- drupal.org/security
- crackingdrupal.com
- groups.drupal.org/best-practices-drupal-security
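As an added illustration of the kind of XSS hole behind those demonstrations (this is example code, not from the session or this post): a hypothetical Drupal 6/7 module block that echoes a request parameter unescaped, next to the same block using Drupal's check_plain()-backed t() placeholders. The module name "greeter" and the function names are assumptions; the shims at the bottom are crude stand-ins so the file runs outside Drupal.

```php
<?php
// Added example, not part of the original post. Hypothetical module "greeter".
// Vulnerable: user-controlled text goes straight into markup, so a crafted
// ?name= value becomes script that runs in every visitor's browser.
function greeter_block_vulnerable() {
  $name = isset($_GET['name']) ? $_GET['name'] : 'friend';
  return '<p>Hello, ' . $name . '!</p>';
}

// Hardened: t() runs check_plain() on "@" placeholders, HTML-escaping the value
// so the browser renders the input as text, never as markup.
function greeter_block_safe() {
  $name = isset($_GET['name']) ? $_GET['name'] : 'friend';
  return '<p>' . t('Hello, @name!', array('@name' => $name)) . '</p>';
}

// Where some markup is legitimately allowed (a comment body, say), Drupal's
// filter_xss() keeps an allow-list of harmless tags and strips everything else.
function greeter_format_comment($raw) {
  return filter_xss($raw, array('a', 'em', 'strong', 'p'));
}

// Stand-alone run outside Drupal: minimal stand-ins for check_plain() and t()
// (simplified approximations, NOT Drupal's real implementations).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
  function t($string, array $args = array()) {
    foreach ($args as $key => $value) {
      if ($key[0] === '@') {
        $args[$key] = check_plain($value);
      }
    }
    return strtr($string, $args);
  }
}
$_GET['name'] = '<script>alert(1)</script>';  // constructed test input
echo greeter_block_vulnerable(), "\n";        // script tag survives intact
echo greeter_block_safe(), "\n";              // &lt;script&gt;... shown as text
```

Inside a real Drupal site the shims are never defined, so the module's functions use Drupal's own check_plain(), t() and filter_xss().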
This code stinks!
11:50am - Larry Garfield from Palantir.net gave a great session on making your Drupal code better and how to avoid using poor design patterns in your modules and contributions. Larry defined 'code smell' as a symptom in the source code of a program that possibly indicates a deeper problem and could eventually lead to bugs. Larry's examples of code from Drupal core and some contributed modules definitely made me feel better about the code I write, but also gave me some points for improvement. Some of the indicators of code smell that Larry talked about:
- The word "and" as in a function that validates and saves
- The word "or" as in a function that could do this or that depending on how you use it
- The word "if" - too many makes your code unpredictable
- DrupalWebTestCase is a system test rather than a unit test. If code can't be unit tested, it is broken.
- Poor documentation - if you can't document your code you do not know what it does.
- Inappropriate intimacy - coupling reduces the ability for code to be re-used and makes it easier to break when the systems it depends on change.
- Impurity - a function or method should act the same way every time.
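To make three of those smells concrete, here is an added example (mine, not Larry's or any real module's): a hypothetical "event" module function that validates AND saves, leans on the global $user (impurity), and so cannot be unit tested, followed by a split that fixes all three. drupal_set_message() and drupal_write_record() are real Drupal 6/7 functions; everything else is hypothetical.

```php
<?php
// Added example, not from the session. Hypothetical "event" module.
// Smelly: "and" in the name, hidden dependence on global state, and side
// effects (messages, database writes) mixed into validation.
function event_validate_and_save(array $event) {
  global $user;                     // impurity: result depends on who is logged in
  if (empty($event['title'])) {
    drupal_set_message(t('Title is required.'), 'error');  // side effect in validation
    return FALSE;
  }
  $event['uid'] = $user->uid;
  drupal_write_record('event', $event);                    // database side effect
  return TRUE;
}

// Refactored: validation is a pure function of its input and returns the list
// of problems; saving is separate and is handed its dependencies explicitly.
function event_validate(array $event) {
  $errors = array();
  if (empty($event['title'])) {
    $errors['title'] = 'Title is required.';
  }
  if (isset($event['start'], $event['end']) && $event['end'] < $event['start']) {
    $errors['end'] = 'End must not precede start.';
  }
  return $errors;
}

function event_save(array $event, $uid, $writer) {
  $event['uid'] = $uid;
  return $writer('event', $event);  // $writer is 'drupal_write_record' in production
}

// event_validate() now unit tests with no database and no logged-in user.
$bad = array('title' => '', 'start' => 20, 'end' => 10);   // constructed input
print_r(event_validate($bad));                             // reports both errors
// In the module itself: event_save($event, $user->uid, 'drupal_write_record');
```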
Project management using hybrid agile development
2:30pm - Matthew Saunders talked briefly about the history of project management and some of the different software development methodologies used today including Cowboy, Waterfall, and Agile. His main point was that often the best methodology to use for a project is a hybrid of methods based on the concerns of the stakeholders and the development team. A couple of good points:
- Indecision can be crippling; it is better to make a bad decision than no decision at all
- There is such a thing as a bad client and they can be a major drain on resources
Profiling Drupal with XHProf (or: Identifying the suck)
3:20pm - Mark Sonnabaum gave a demonstration using the XHProf extension for PHP, showing how he uses the tool to optimize Drupal 6 and Drupal 7 sites. He covered the preparation needed to use XHProf, showed how to set it up, went over a couple of common code issues, and spent the bulk of the time showing how to interpret all the data you get from XHProf. The best tips: don't profile your site as an admin, do it as an authenticated user, and if you start seeing that Views or Panels are the cause of your headache, chances are someone else has seen the same issue you have. Greg Knaddison was also on hand to give Mark some friendly ribbing over permissions in the XHProf module.
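For anyone who wants to try the setup Mark described, here is an added example (mine, not Mark's): a hypothetical auto_prepend_file for a Drupal 6/7 site that records an XHProf run per request with the real xhprof_enable()/xhprof_disable() functions and the XHProfRuns_Default class from xhprof_lib, skipping runs served to the admin user as the talk advised. The library path and the function name profiler_save_run are assumptions.

```php
<?php
// Added example, not from the session. Hypothetical auto_prepend_file for a
// Drupal site; XHPROF_LIB is an assumed install path for the xhprof_lib folder.
define('XHPROF_LIB', '/usr/local/share/xhprof/xhprof_lib');

if (extension_loaded('xhprof')) {
  // Collect wall time plus CPU and memory counters for every call.
  xhprof_enable(XHPROF_FLAGS_CPU + XHPROF_FLAGS_MEMORY);
  register_shutdown_function('profiler_save_run');
}

function profiler_save_run() {
  $data = xhprof_disable();
  // Tip from the talk: admin pages exercise code paths ordinary visitors never
  // hit, so discard runs served to user 1. Drupal's global $user is populated
  // by the time shutdown functions run.
  if (isset($GLOBALS['user']) && (int) $GLOBALS['user']->uid === 1) {
    return;
  }
  require_once XHPROF_LIB . '/utils/xhprof_lib.php';
  require_once XHPROF_LIB . '/utils/xhprof_runs.php';
  $runs = new XHProfRuns_Default();
  $run_id = $runs->save_run($data, 'drupal');
  // Open the run in the bundled UI: xhprof_html/index.php?run=<id>&source=drupal
  // and sort by exclusive wall time to find the functions worth fixing.
  error_log('xhprof run ' . $run_id . ' saved for ' . $_SERVER['REQUEST_URI']);
}
```

Profiling every request adds overhead, so this belongs on a staging copy of the site, not in production.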
Packaging up Drupal: How distributions, features, and apps save you money and time
There is a lot of value in Drupal and its modularity, but there are tons of modules, and which ones to use can be difficult to figure out for Drupal newcomers or those with little to no technical know-how. Karen Borchert of Phase2 Technology talked about the differences between profiles, distributions, apps, and features, who might use them, and the benefits of doing so. Some of the information Karen covered:
- All distributions are profiles but not all profiles are distributions
- Reality check: Writing code costs money; writing code for others to use on an open system like Drupal costs LOTS of money.
- Monetizing some of these types of products is an area that is starting to emerge but there is only so much you can do with open-source code.
After Thoughts
I decided to skip the last session of the day, not because I didn't think learning some tips for managing migrations to Drupal from a non-Drupal site or from one version to another would be useful, but because it has been a long weekend and I think I've absorbed just about all I can in two days. My favorite session of the day was Larry Garfield's "This code stinks!" followed closely by Greg Knaddison's "Introduction to Drupal Security." There were other sessions I wanted to see, and during the welcoming event yesterday the organizers stated that all the sessions would be available as video in the next couple of weeks, so everybody who wanted to be at Drupal Camp Austin 2011 and couldn't make it (and I) should be able to find them online soon. I will update this post with links to session videos when they are available.