Elsewhere

One time consuming task for all software users is testing.

It takes time to find all the download links, to set up a test environment and to install all the additional software you need.

Simplytest.me is an ingenious solution for Drupal. Simplytest will install Drupal sites for you and also install and modules and themes that you want to use. Here's a brief introduction to this very useful site.

TL;DR: {fqdn, "jabber.die-welt.net"}.

So, how many servers do you have, that are still running Squeeze? I count one, mostly because I did not figure out a proper upgrade path from OpenVZ to something else yet, but this is a different story.

This post is about the upgrade of my “communication” machine, dengon.die-welt.net. It runs my private XMPP and IRC servers. I upgraded it to Wheezy, checked that my irssi and my BitlBee still could connect and left for work. There I noticed, that Pidgin could only connect to one of the two XMPP accounts I have on that server. sargentd@jabber.die-welt.net worked just fine, while evgeni@golov.de failed to connect.

ejabberd was logging a failed authentication:
I(<0.1604.0>:ejabberd_c2s:802) : ({socket_state,tls,{tlssock,#Port<0.5130>,#Port<0.5132>},<0.1603.0>}) Failed authentication for evgeni@golov.de

While Pidgin was just throwing “Not authorized” errors.

I checked the password in Pidgin (even if it did not change). I tried different (new) accounts: anything@jabber.die-welt.net worked, nothing@golov.de did not and somethingdifferent@jabber.<censored>.de worked too. So where was the difference between the three vhosts? jabber.die-welt.net and jabber.<censored>.de point directly (A/CNAME) to dengon.die-welt.net. golov.de has SRV records for XMPP pointing to jabber.die-welt.net.

Let’s ask Google about “ejabberd pidgin srv”. There are some bugs. But they are marked as fixed in Wheezy.

Mhh… Let’s read again… Okay, I have to set {fqdn, "<my_srv_record_name>"}. when this does not match my hostname. Edit /etc/ejabberd/ejabberd.cfg, add {fqdn, "jabber.die-welt.net"}. (do not forget the dot at the end) and restart the ejabberd. Pidgin can connect again. Yeah.

0 comment(s) | this blog is flattr enabled

One of the best things about Drupal is the ability to flexibly manage your content. If you're coming from a WordPress background, you'll know that system uses the Post and Page for its content types. In Drupal you have something similar in the Article and Basic page, but also an easy to use interface for creating a virtually unlimited number of other content types.

Before we get into the how, let's briefly discuss why we would want to use custom content types. Some of you may be thinking to yourselves that you've been getting along very nicely without additional content types. Whenever you've needed to organize your content, you've always had your taxonomy terms handy.

Although taxonomy terms (the equivalent of Categories in WordPress) are very useful, they don't solve the same problem as content types. Let's break away for a moment from the idea of our site consisting of pages and instead think of it as being comprised of objects. Of course we still have objects we call pages, but we may also find that our site has other types of objects like products, events, and forum topics.

Ultimately, all of our objects may be expressed as web pages, but they represent different types of things. We can use Drupal's custom content types and the Fields UI to define these objects and give a more logical structure to our site's content. 

Now you may be asking about those taxonomy terms...where do they fit in? Taxonomy terms simply help us differentiate between the variations we find within our objects. For example, a bicycle and a shirt are both products, but certainly quite different. So we can use taxonomy terms to essentially create sub-categories within our content types. In a future lesson in this series we'll take a closer look at taxonomy in Drupal.

Creating a Custom Content Type

Now that we have an idea of why we would want a new content type, let's create one called "Product" for our example site. We'll begin by going to Structure > Content types. You should see something like the screenshot below.

You'll see a link at the upper left that says, "Add content type". Go ahead and click that link. You'll be directed to the screen below where we can define our new content type.

The name and description fields are pretty self explanatory, but we'll briefly go through the other fields in the tabs at the bottom of the form.

Submission form settings
You see three settings under this tab. The first is "Title field label". This is what content creators will see when creating a new piece of content and by default it's set to, "Title". Frequently with custom content types, this isn't as descriptive as we would like. In our case we should change it to something like, "Product name". 

The second setting controls preview options and the last one allows you to create a message that will be displayed at the top of the page providing submission guidelines. This can be very useful if the content type you are creating will be user-generated content.

Publishing options
These setting help you determine the default status of the post when you click 'Save'. For example, should the post be automatically published? Should it be promoted to the front page? If you have the Revisioning module installed you will also see options for creating a new revision - very handy if you want to be able to roll back any changes.

Display settings
You can disable the display of the author and post date information by unchecking this box.

Comment settings
This is where you can adjust the settings for the comments on your site. I personally recommend you consider disabling Drupal comments and use a third party commenting system. I've talked about this in a recent post, but suffice it to say there are significant advantages to not using Drupal's built-in comments.

Menu settings
With this setting, you can optionally make your content assignable to the any menus you may have created for your site.

XML sitemap
This setting isn't present in Drupal by default, but is found in our example site because using a sitemap is such an important - and in my view, fundamental - part of building a website. However, there are times when you may not want a content type indexed by search engines and here is where you can disable that if needed.

Custom breadcrumbs
This is another one that isn't included by default with Drupal, but also very useful for most sites. It exposes the custom breadcrumb information on the node edit form. 

For most of these settings, we'll stick with the defaults. Once we've given our content type a name we'll click the "Save and add fields" button at the bottom of the form. You should then see something similar to the image below.

The Fields UI

The image above is the Fields UI, the administrative interface for adding and configuring the fields for your content types. There are a few fields here that have been added by modules that are installed with the example site (Meta tags, for example) and two that are included by default by Drupal. The default fields are Title - in our case renamed to Product name - and Body.

What we're going to do next is add a new field. Since we're adding a content type for our products,  Price seems like a logical field to start with.

You'll notice in the area highlighted in green how we have the form filled out. Our Field type is set to decimal and we've chosen a text box for the widget - aka input element -  that will appear on the node create form for our content type. Let's go ahead and click Save to continue.

The next screen (not shown) allows us to set the precision of our decimal number as well as how many digits should be to the right of our decimal point. We've kept these at the defaults and continued to the screen below.

We won't go over each of these, but an important point to keep in mind is that these settings will change depending on the content type you set for the field. For example, if you chose the field to be an image, you would have settings for allowable formats, maximum and minimum sizes, as well as for which image style you wanted to use.

In this particular example, one field we may want to change would be the prefix. Maybe setting it to the dollar sign (or pound, euro, etc.) might be a good idea. Let's do this and then click save. You'll then see that our field has been added to our content type and we can change its position on the node create/edit form by dragging it up or down our list of fields.

Before we move on we should briefly note that you can also reuse fields that you may have defined previously using the, "Add existing field" component. One situation where this may come in handy is for an image field. Instead of having multiple image fields, you could reuse a single field for all of your content types and control the display of the image using image styles. Sometimes this may not be what you need, but in general it's a good practice because it will make things less confusing as your site grows in complexity.

Managing Display

The final thing we'll discuss is managing the display of our fields. You'll see a tab on the page titled, "Manage Display". The settings on that tab are pretty straightforward so I won't go into too much detail, but something that new site builders sometimes do is forget to hide the display of the label for certain fields, in particular, those for images. This tab is where you can remove the label for those images as well as other aspects of how the fields for the content type will be displayed on your nodes (aka web pages).

That's it for our discussion of content types and the fields UI. There is a lot going on, but fortunately it is pretty intuitive to use, particularly once you've got a handle on what is happening conceptually. Next time we're going to take a look at using Views - a big and very important topic! If you'd like to keep up to date on this series, you can subscribe to the RSS feed.

In the meantime, if you'd like to comment on this post, you can do so on this discussion forum.

A massive marathon has resulted in my lumail mail client working well.

Functionally the application looks little different to the previous C-client, but it is a lot cleaner, neater, and nicer internally.

The configuration file luamail.lua gives a good flavour of the code, and the github repository has brief instructions.

Initially I decied that the navigation/index stuff was easy and the rest of the program would be hard; dealing with GPG-signatures, MIME-parts, etc.

But I'm stubborn enough to keep going.

If I can get as far as reading messages, with MIME handled properly, and replying then I can switch to using it immediately which will spur further development.

I'm really pleased with the keybinding code, and implementing the built-in REPL-like prompt was a real revelation. Worht it for that alone.

The domain name lumail.org was available. So I figured why not?

I am sick and tired of hearing that the Drupal learning curve is a much steeper than the WordPress learning curve. The reality is, both platforms are starting to converge in several areas.... Read more

I've been working on TPMs lately. It turns out that they're moderately awful, but what's significantly more awful is basically all the existing documentation. So here's some of what I've learned, presented in the hope that it saves someone else some amount of misery.
What is a TPM?TPMs are devices that adhere to the Trusted Computing Group's Trusted Platform Module specification. They're typically microcontrollers[1] with a small amount of flash, and attached via either i2c (on embedded devices) or LPC[2] (on PCs). While designed for performing cryptographic tasks, TPMs are not cryptographic accelerators - in almost all situations, carrying out any TPM operations on the CPU instead would be massively faster[3]. So why use a TPM at all?
Keeping secrets with a TPMTPMs can encrypt and decrypt things. They're not terribly fast at doing so, but they have one significant benefit over doing it on the CPU - they can do it with keys that are tied to the TPM. All TPMs have something called a Storage Root Key (or SRK) that's generated when the TPM is initially configured. You can ask the TPM to generate a new keypair, and it'll do so, encrypt them with the SRK (or another key descended from the SRK) and hand it back to you. Other than the SRK (and another key called the Endorsement Key, which we'll get back to later), these keys aren't actually kept on the TPM - the running OS stores them on disk. If the OS wants to encrypt or decrypt something, it loads the key into the TPM and asks it to perform the desired operation. The TPM decrypts the key and then goes to work on the data. For small quantities of data, the secret can even be stored in the TPM's nvram rather than on disk.

All of this means that the keys are tied to a system, which is great for security. An attacker can't obtain the decrypted keys, even if they have a keylogger and full access to your filesystem. If I encrypt my laptop's drive and then encrypt the decryption key with the TPM, stealing my drive won't help even if you have my passphrase - any other TPM simply doesn't have the keys necessary to give you access.

That's fine for keys which are system specific, but what about keys that I might want to use on multiple systems, or keys that I want to carry on using when I need to replace my hardware? Keys can optionally be flagged as migratable, which makes it possible to export them from the TPM and import them to another TPM. This seems like it defeats most of the benefits, but there's a couple of features that improve security here. The first is that you need the TPM ownership password, which is something that's set during initial TPM setup and then not usually used afterwards. An attacker would need to obtain this somehow. The other is that you can set limits on migration when you initially import the key. In this scenario the TPM will only be willing to export the key by encrypting it with a pre-configured public key. If the private half is kept offline, an attacker is still unable to obtain a decrypted copy of the key.
So I just replace the OS with one that steals the secret, right?Say my root filesystem is encrypted with a secret that's stored on the TPM. An attacker can replace my kernel with one that grabs that secret once the TPM's released it. How can I avoid that?

TPMs have a series of Platform Configuration Registers (PCRs) that are used to record system state. These all start off programmed to zero, but applications can extend them at runtime by writing a sha1 hash into them. The new hash is concatenated to the existing PCR value and another sha1 calculated, and then this value is stored in the PCR. The firmware hashes itself and various option ROMs and adds those values to some PCRs, and then grabs the bootloader and hashes that. The bootloader then hashes its configuration and the files it reads before executing them.

This chain of trust means that you can verify that no prior system component has been modified. If an attacker modifies the bootloader then the firmware will calculate a different hash value, and there's no way for the attacker to force that back to the original value. Changing the kernel or the initrd will result in the same problem. Other than replacing the very low level firmware code that controls the root of trust, there's no way an attacker can replace any fundamental system components without changing the hash values.

TPMs support using these hash values to decide whether or not to perform a decryption operation. If an attacker replaces the initrd, the PCRs won't match and the TPM will simply refuse to hand over the secret. You can actually see this in use on Windows devices using Bitlocker - if you do anything that would change the PCR state (like booting into recovery mode), the TPM won't hand over the key and Bitlocker has to prompt for a recovery key. Choosing which PCRs to care about is something of a balancing act. Firmware configuration is typically hashed into PCR 1, so changing any firmware configuration options will change it. If PCR 1 is listed as one of the values that must match in order to release the secret, changing any firmware options will prevent the secret from being released. That's probably overkill. On the other hand, PCR 0 will normally contain the firmware hash itself. Including this means that the user will need to recover after updating their firmware, but failing to include it means that an attacker can subvert the system by replacing the firmware.
What about using TPMs for DRM?In theory you could populate TPMs with DRM keys for media playback, and seal them such that the hardware wouldn't hand them over. In practice this is probably too easily subverted or too user-hostile - changing default boot order in your firmware would result in validation failing, and permitting that would allow fairly straightforward subverted boot processes. You really need a finer grained policy management approach, and that's something that the TPM itself can't support.

This is where Remote Attestation comes in. Rather than keep any secrets on the local TPM, the TPM can assert to a remote site that the system is in a specific state. The remote site can then make a policy determination based on multiple factors and decide whether or not to hand over session decryption keys. The idea here is fairly straightforward. The remote site sends a nonce and a list of PCRs. The TPM generates a blob with the requested PCR values, sticks the nonce on, encrypts it and sends it back to the remote site. The remote site verifies that the reply was encrypted with an actual TPM key, makes sure that the nonce matches and then makes a policy determination based on the PCR state.

But hold on. How does the remote site know that the reply was encrypted with an actual TPM? When TPMs are built, they have something called an Endorsement Key (EK) flashed into them. The idea is that the only way to have a valid EK is to have a TPM, and that the TPM will never release this key to anything else. There's a couple of problems here. The first is that proving you have a valid EK to a remote site involves having a chain of trust between the EK and some globally trusted third party. Most TPMs don't have this - the only ones I know of that do are recent Infineon and STMicro parts. The second is that TPMs only have a single EK, and so any site performing remote attestation can cross-correlate you with any other site. That's a pretty significant privacy concern.

There's a theoretical solution to the privacy issue. TPMs never actually sign PCR quotes with the EK. Instead, TPMs can generate something called an Attestation Identity Key (AIK) and sign it with the EK. The OS can then provide this to a site called a PrivacyCA, which verifies that the AIK is signed by a real EK (and hence a real TPM). When a third party site requests remote attestation, the TPM signs the PCRs with the AIK and the third party site asks the PrivacyCA whether the AIK is real. You can have as many AIKs as you want, so you can provide each service with a different AIK.

As long as the PrivacyCA only keeps track of whether an AIK is valid and not which EK it was signed with, this avoids the privacy concerns - nobody would be able to tell that multiple AIKs came from the same TPM. On the other hand, it makes any PrivacyCA a pretty attractive target. Compromising one would not only allow you to fake up any remote attestation requests, it would let you violate user privacy expectations by seeing that (say) the TPM being used to attest to HolyScriptureVideos.com was also being used to attest to DegradingPornographyInvolvingAnimals.com.

Perhaps unsurprisingly (given the associated liability concerns), there's no public and trusted PrivacyCAs yet, and even if they were (a) many computers are still being sold without TPMs and (b) even those with TPMs often don't have the EK certificate that would be required to make remote attestation possible. So while remote attestation could theoretically be used to impose DRM in a way that would require you to be running a specific OS, practical concerns make it pretty difficult for anyone to deploy that at any point in the near future.
Is this just limited to early OS components?Nope. The Linux kernel has support for measuring each binary run or each module loaded and extending PCRs accordingly. This makes it possible to ensure that the running binaries haven't been modified on disk. There's not a lot of distribution infrastructure for setting this up, but in theory a distribution could deploy an entirely signed userspace and allow the user to opt into only executing correctly signed binaries. Things get more interesting when you add interpreted scripts to the mix, so there's still plenty of work to do there.
So what can I actually use a TPM for?Drive encryption is probably the best example (Bitlocker does it on Windows, and there's a LUKS-based implementation for Linux here) - while in theory you could do things like use your TPM as a factor in two-factor authentication or tie your GPG key to it, there's not a lot of existing infrastructure for handling all of that. For the majority of people, the most useful feature of the TPM is probably the random number generator. rngd has support for pulling numbers out of it and stashing them in /dev/random, and it's probably worth doing that unless you have an Ivy Bridge or other CPU with an RNG.

Things get more interesting in more niche cases. Corporations can bind VPN keys to corporate machines, making it possible to impose varying security policies. Intel use the TPM as part of their anti-theft technology on education-oriented devices like the Classmate. And in the cloud, projects like Trusted Computing Pools use remote attestation to verify that compute nodes are in a known good state before scheduling jobs on them.
Is there a threat to freedom?At the moment, probably not. The lack of any workable general purpose remote attestation makes it difficult for anyone to impose TPM-based restrictions on users, and any local code is obviously under the user's control - got a program that wants to read the PCR state before letting you do something? LD_PRELOAD something that gives it the desired response, or hack it so it ignores failure. It's just far too easy to circumvent.
Summary?TPMs are useful for some very domain-specific applications, drive encryption and random number generation. The current state of technology doesn't make them useful for practical limitations of end-user freedom.

[1] Ranging from 8-bit things that are better suited to driving washing machines, up to full ARM cores
[2] "Low Pin Count", basically ISA without the slots.
[3] Loading a key and decrypting a 5 byte payload takes 1.5 seconds on my laptop's TPM.

comments

Last Saturday, I was invited to talk about Debian to Hackerspace DF, a group that is starting to work at a very nice place together with other collectives, in a quite centric place (Colonia Obrera). I know several of the people in the group (visited them a couple of times in the space's previous incarnation), and wish them great luck in this new hackerspace!

Anyway — I was invited to give an informal talk about Debian. And of course, I was there. And so was Alfredo, who recorded (most of) it.

So, in case you want to see me talking about how Debian works, mostly on a social organization level (but also regarding some technical details). Of course, given the talk was completely informal (it started by me standing there, asking, "OK, any questions?"), I managed to mix up some names and stuff... But I hope that, in the end, the participants understood better what Debian means than when we started.

Oh, and by the end of the talk, we were all much happier. Not only because I was about to shut up, but because during my talk, we got notice that Debian 7.0 "Wheezy" was released.

Anyway — If you want to see me talking for ~1hr, you can download the video or watch it on YouTube.

Moving a Drupal site to a new location on your server is surprisingly easy.

There is a simple 3 step process to move a Drupal site from one folder to another. In this tutorial we're going to show you those 3 steps.

If you'd like to move a Drupal site to new folder, we recommend using the Backup and Migrate module.

Ordinarily, I’m a big believer that it is important to keep up to date with what every piece of software which competes with yours is doing, to remain educated on the latest concepts. Sometimes, there are concepts that get added which are definitely worth ripping off. We’ve ripped off plenty of the better design choices from Windows or Mac OS, over the years, for use in the Free Desktop.

So, what about Windows 8, the hip new OS on everyone’s lips?

Well, here’s the thing… I’ve been using it on and off for a few months now for running legacy apps, and I can’t for the life of me find anything worth stealing.

Let’s take the key change – Windows 8 has apps built with a new design paradigm which definitely isn’t called Metro. Metro apps don’t really have “windows” in the traditional sense – they’re more modeled on full-screen apps from smartphones or tablets than on Windows 1.0 -> 7. Which is fine, really, if you’re running Windows 8 on a tablet or touchscreen device. But what if you’re not? What about the normal PC user?

As Microsoft themselves ask:

The answer to that is, well, you sorta don’t.

Metro apps can exist in three states – fullscreen, almost fullscreen, or vertical stripe. You’re allowed to have two apps at most at the same time – one mostly full screen, and one vertical stripe. So what happens if you try to *use* that? Let’s take a fairly common thing I do – watch a video and play Minesweeper. In this example, the video player is the current replacement for Windows Media Player, and ships by default. The Minesweeper game isn’t installed by default, but is the only Minesweeper game in the Windows 8 app store which is gratis and by Microsoft Game Studios.

Here’s option A:

And for contrast, here’s option B:

Which of these does a better job of letting me play Minesweeper and watch a video at the same time?

Oh, here’s option C, dumping Microsoft’s own software, and using a third-party video player and third party Minesweeper implementation:

It’s magical – almost as if picking my own window sizes makes the experience better.

So, as you can see above, the “old” OS is still hiding there, in the form of a Windows 8 app called “Desktop”. Oh, sorry, didn’t I say? Metro apps, and non-Metro apps, are segregated. You can run both (the Desktop app can also be almost-fullscreen or a vertical strip), but they get their own lists of apps when multitasking. Compare the list on the left with the list at the bottom:

And it’s even more fun for apps like Internet Explorer, which can be started in both modes (and you often need both modes). Oh, and notice how the Ribbon interface from Office 2007 has invaded Explorer, filling the view with large buttons to do things you never want to do under normal circumstances.

So, that’s a short primer on why Windows 8 is terrible.

Is there really nothing here worth stealing? Actually, yes, there is! After much research, I have discovered Windows 8′s shining jewel:

The new Task Manager is lovely. I want it on my Linux systems. But that’s it.

Nowadays Drupal Services support becomes stronger and more flexible. The main functionality is provided by Services module. You can find more than 1300 modules tagged with “services” that is more than enough :).

Out of the box services provides just REST/RCP server and pure documentation of available options. But sometimes we need to build Client instance to retrieve data from another Drupal env that provides for example RESTful server. You have some ways to implement it:

• Custom handmade solution, built using services source only
• Use “Services Documentation” or “Services API” modules to get more useful info to build your own handmade Client instance :)
• Use contrib modules which provides already created Client instance like Services Client or Services Guzzle!

I prefer to use ready, tested solutions, not to reinvent the wheel and save my time :) Meet Services Guzzle module. It brings power of Guzzle framework to Services module, also Guzzle is already part of D8. The module provides three things:

• Generate Guzzle Service Description from endpoint definition.
• Example of Guzzle Client instance implementation and usage.
• GUI for Client debugging

 

Guzzle Service Description

Guzzle has really amazing feature - factory method to create Client instance from Guzzle description. You can read about it here. So the main job of our module is generate this description for particular endpoint object. For example we have endpoint “Node service” that provides all node operations: retrieving, creating, deleting, etc. SG (let make a shortcut for Services Guzzle module) create an additional tab for endpoints that looks like:

Here we can see Guzzle version of endpoint object in JSON format, that is even human-readable :) Now we have two ways to create a Guzzle Client (see on DrupalServicesClient class in the services_guzzle_client submodule):

• Create service.json file and put Guzzle description json string there, then this lovely piece of code will create ready-to-work instance: $client = \DrupalServices\DrupalServicesClient::factory(array('includes' => array($path_to_json . '/service.json'));
• Provide array with this description and use $client = \DrupalServices\DrupalServicesClient::factory($array_of_service_description);

That’s all, now you have full Guzzle Client object!

 

Guzzle Client usage

Now when we have a Guzzle Client lets see how it works. If you return to Guzzle endpoint service description json you will find array of operations like "NodeOperationRetrieve" or "NodeOperationCreate". Inside every operation there are some other options, but now we need only “parameters”. So for NodeOperationRetrive we need name of operation and param - “nid”. Lets use our Client to retrieve a node:

$arguments = array('nid' => 1);
$command = $client->getCommand('NodeOperationRetrieve', $arguments);
$response = $client->execute($command);

And if node with given id exists we will get node data into $response variable. Did you notice that it is template of using any operation provided by your endpoint. Just change operation name and arguments :) For example updating node:

$arguments = array('nid' => 1,
‘node’ => array(‘title’ => ‘Modified title’));
$command = $client->getCommand(NodeOperationUpdate, $arguments);
$response = $client->execute($command);

 

Gui for Guzzle client debugging

Service Guzzle Client provide example of usage and also UI to test and debug your local endpoint or external from given service description. After you choose one of these options you will get a list of available operations to test.

Use “UserOperationRetrieve” for example. Some operations will need Authorize first, it depends on your permissions. SG UI provides form for auth every time. So for UserOperationRetrieve we have such separate page with form:

And if you provide valid credentials and existed user id you will get the full user object via dpm theme (so familiar for Drupal developers). Also you will get the full exception message if some occurs.

Service Guzzle module introducing is over :) Waiting for feedback.

Language English Tags: DrupalDevelopmentTutorialsCheck this option to include this post in Planet Drupal aggregator: planet

Welcome to another Commerce Module Tuesday! Today we are looking at Commerce Reporting, maintained by Christophe Van Gysel who interned at Commerce Guys last year and is now interning at Google in the United States (yes, we’re all jealous of Christophe). Get ready for a high impact and extremely useful module, folks. It not only “just works” it takes all of it’s data from the existing database and displays fancy graphs and filterable reports. In other words, even if your store was built on a pre-beta Commerce from 2011, this module would still be able to read your store history.

Christophe had to really jump a number of hurdles to get this module launched last year, not the least of which was a lack of community consensus on how to display graphs from Views 3.x on Drupal 7. So he built the Visualization API which has now eclipsed commerce_reports in terms of active installs. So, as a part of another Commerce Module Tuesday, I invite you to sit back and take a look at another awesome community contributed module that fills a vital role: data mining.

(Video and Setup steps after the break.)

Everplans.com is a website meant to help people prepare for and deal with death. The previous iteration of their site presented numerous technical challenges, making it difficult for their team to achieve their goals. It became Digett's job to give Everplans a website that works for, not against, its users and administrators. 

read more

Apache Solr is a Java application that gives you a more full featured search experience than the default Drupal search. It provides tools to allow your users to narrow down the search results and adjust the sorting. Solr can be very confusing initially due to the new terms it introduces as well as the sheer number of configuration options. This guide helps you plan out the items that you need to think about before you ever install the module.

Don't worry if this doesn't make sense, we have an upcoming webinar that should help fill in all the blanks. Be sure to check out our free Intro to Solr in Drupal webinar.

PackagesI quite like the current status of Qt 5 in Debian and Ubuntu (the links are to the qtbase packages, there are ca. 15 other modules as well). Despite Qt 5 being bleeding edge and Ubuntu having had the need to use it before even the first stable release came out in December, the co-operation with Debian has went well. Debian is now having first Qt 5 uploads done to experimental and later on to unstable. My work contributed to pkg-kde git on the modules has been welcomed, and even though more work has gone there by others, there haven't been drastic changes that would cause too big transition problems on Ubuntu side. It has of course helped to ask others what they want, like the whole usage of qtchooser. Now with Qt 5.0.2 I've been able to mostly re-sync all newer changes / fixes to my packaging from Debian to Ubuntu and vice versa.

There will remain some delta, as pkg-kde plans to ask for a complete transition to qtchooser so that all Qt using packages would declare the Qt version either by QT_SELECT environment variable (preferable) or a package dependency (qt5-default or qt4-default). As a temporary change related to that, Debian will have a debhelper modification that defaults QT_SELECT to qt4 for the duration of the transition. Meanwhile, Ubuntu already shipped the 13.04 release with Qt 5, and a shortcut was taken there instead to prevent any Qt 4 package breakage. However, after the transition period in Debian is over, that small delta can again also be removed.

I will also need to continue pushing any useful packaging I do to Debian. Last week I pushed qtimageformats and qtdoc, but I know I'm still behind with the "possibly interesting" git snapshot modules like qtsensors and qtpim.

PatchesMore delta comes from the multiple patches in Ubuntu's Qt 5 related to the recent Ubuntu Touch efforts. I'm not thinking they are of immediate interest to Debian – let's start packaging Qt 5 apps to Debian first. However, about all of those patches have already been upstreamed to be part of Qt 5.1 or Qt 5.2, or will be later on. Some already were for 5.0.2.

A couple of months ago Ubuntu did have some patches hanging around with no clear author information. This was a result of the heated preparation for the Ubuntu Touch launches, and the fact that patches flew (too) quickly in place to various PPA:s et cetera. I started hunting down the authors, and the situation turned out to be better than I thought. About half of the patches were already upstreamed, and work on properly upstreaming other ones was swiftly started after my initial contact. Proper DEP3 fields really help understanding the overall situation. There are now 10 Canonical individuals in the upstream group of contributors, and in the last week's sprint it turned out more people will be joining them to upstream their future patches.

Nowadays about all the requests I get for including patches from developers are stuff that was already upstreamed, like the XEmbed support in qtbase. This is how it should be.

One big patch still being Ubuntu only is the Unity appmenu support. There was a temporary solution for 13.04 that forward-ported the Qt 4 way of doing it. This will be however removed from the first 13.10 ('saucy') upload, as it's not upstreamable (the old way of supporting Unity appmenus was deliberately dropped from Qt 5). A re-implementation via QPA plugin support is on its way, but it may be that the development version users will be without appmenu support for some duration. Another big patch is related to qtwebkit's device pixel ratio, which will need to be fixed. Apart from these two areas of work that need to be followed through, patches situation is quite nice as mentioned.
ConclusionFree software will do world domination, and I'm happy to be part of it.

For context, click here to jump down to the reference links.

Where We Are

I'm pleased to announce the following:

• My co-authors and I have completed a rough draft of this white paper and we're actively refining it to get to a completed first draft.
• Ned McClain of Applied Trust has joined the project as a co-author. Ned's expertise and years of experience in this field has been an extremely valuable asset and this project will continue to benefit as a direct result of his input.
• A heartfelt thanks to Ryan Cross of CrossFunctional for becoming our latest project sponsor.
• The article that sparked this project (Let's Talk About PCI Compliance for Ubercart and Drupal Commerce) has crossed 2500 page views. This reinforces (at least to me) that there is a demand for more information on this subject matter.

Why PCI Compliance for Drupal Is More Important Than Ever

• The number of reported Ubercart/Drupal Commerce installations continues to grow rapidly.
• Many "silver bullet" strategies are not as bulletproof as you'd like to believe.
• A new version of the PCI standard will be released within a year and the requirements are only going to get more stringent.
• As companies become more distributed and adopt cloud-based solutions, it's important to define who is responsible (and liable) in the context of securing payments.
• Fully understanding this topic can give you and/or your business a competitive advantage in the Drupal ecommerce marketplace.

And perhaps the most important item—if you currently own, operate, or host an ecommerce website that is NOT compliant, you could be putting your business at risk.

Next Steps

This is a complex topic that requires a lot of time to check assumptions, distill a large volume of material down to the most important elements, and write it in a way that is understandable across several audiences within the community. Having nearly achieved a fully complete first draft, we are at the stage where we will need to iterate and refine it to ensure its one cohesive document and it has all the necessary components (most notably references, citations, and footnotes). We will then reach out to additional reviewers to get feedback from a wider audience. If all goes as planned, this feedback will only require us to make minor adjustments and we will have a clear path forward to a final release.

Sponsorship

There are still several gold and silver sponsorships available if you are willing and able to fund the remaining portions of this project. While a lot of progress has been made, I recall several personal (and painful) experiences submitting manuscripts to scientific journals only to find out that the quantity of revisions requests required rewriting a paper from scratch. Yes, this can be disheartening, but it almost always resulted in a much better end product. Therefore, if you would like to become a sponsor, please reach out to me using the contact information at the official website for the white paper.

Thank you for your time and I look forward to contributing this work back to the community!

Reference

The following articles, posts, and websites describe the motivating factors for starting this project:

• Let's Talk About PCI Compliance for Ubercart and Drupal Commerce
• Proposal: Drupal PCI Compliance White Paper
• Drupal PCI Compliance White Paper (Official Website)

Tags: Drupal PlanetPCI compliance var switchTo5x = true;stLight.options({"publisher":"dr-8050e384-1b1-b22e-b17-7e272ca1dc8f"});

View the discussion thread.

The Multi Node Add module provides an interface for creating multiple pieces of content easily from a single page. The module is a time saver for content creators who often enter in a large amount of articles and pages. Using Multi Node Add is fairly straight forward, just enable the module and then go to /multi_node_add to create content.

4th May, I went to Shimokitazawa (Tokyo) to participate to OBS dojo by openSUSE developer. OBS, Open Build Service (formerly known as openSUSE Build Service) is kind a buildd in Debian but anyone can use it with signup to its site.

 And, osc package/command is like pbuilder, download dependency packages from Internet and build package in chroot (or lxc container, KVM, Xen). (disadvantage: osc is not usable if build.opensuse.org is not fine state e.g. overload. It's rare but it happened ;)

I want to learn something this OBS and osc.

The following blog post was written by Cathy Theys of comm-press, and is also read by Cathy Theys. You can find the original article where you can comment, and find all of the links mentioned in the blog on the Comm Press blog. Enjoy!

Tags:  Audioblog, planet-drupal

Got a new 27 inch monitor. Thanks to my friend. Connecting with displayPort cable was a breeze. xrandr tells me it is capable of 2560x1440, which is a lot of space compared to 1366x768 on MacBook Air.

How to plan a Drupal Project

When a client comes to you with an amazing idea for the project that is going to change EVERYTHING in a market, enthusiasm for getting down and building before thinking through how that goal might be achieved is very common. You may get a "plan" on the back of napkin. There are a few approaches that you can take to reach the client's ultimate goal.