Dear All,
Current practice is that Drupal Association requires from new applicant hosting companies, which wish to get listed on http://drupal.org/hosting, to pass security test of Security Review module. And it is difficult to pass the test without applying additional layer of complexity to certain setups. This practice represents unfair barrier for hosting companies, which want to provide Drupal-specific hosting services and which can not practically pass the test, therefore should be reviewed or cancelled.
For example, it is proved that it is not possible to pass the test for the hosting companies running RLE/CentOS with PHP in fast-cgi mode, where all the virtual servers' files belong to users and groups with the same name as their respective owners. For this kind of setup even recommendations like one suggested by greggless do not help. Because, unfortunately, Security Review's test doesn't accept a directory as secure as soon as its permission change to 740 regardless of the user and group ownership of the directory, and 740 is he minimum directory permission to pass the test.
Many Drupal users utilizing different types of environments hit similar issues: http://drupal.org/node/1411124, http://groups.drupal.org/node/138134, http://drupal.org/node/628776. I am personally coming from http://drupal.org/node/1414062, frustrated by the total silence of Drupal Association with regard to the issue. The short reply from Drupal Association's tester was that he can not recommend any solution, at the same time declining our application until we pass the test. We are a new Drupal Association member of organization type and, saying frankly, are disappointed to unexpected this kind of attitude from the Association. I firmly believe Drupal Association has to have some directives and instructions for new comers on how to deal with this kind of Gordian Knots, created by the Association itself.
Another user dealing with this issue JamesOakley proposes:
(i) The fact that the Drupal Association requires every test to be passed on Security Review before they'll list a host. That's their choice, but they could have chosen to disregard the test on file-writeability. As this module develops and new tests are added, it seems to me that the association should decide carefully which ones they will require. Which brings me to:
(ii) The fact that the same standard does not appear to apply to existing listed hosts and prospective ones. So, in a similar vein, if a new test in SR is going to be required of all hosts, existing listed hosts should be given a period of time to ensure they conform, otherwise they lose their listing on drupal.org/hosting.
This or another way, Drupal Association has to come with clear solution to save new applicants from impression that this barrier is done on purpose - not to list new hosting companies and to protect the interests of those companies of limited number, that are already listed on http://drupal.org/hosting and that do not comply with security requirement of Drupal Association.
The fact that anyone can open testing account with random listed hosting company, install Security Review module and running its test see failure results, arises another doubt on the fairness of Drupal Association's practice with regard to this matter.
Comments
Indeed
Thanks Alan.
I think you're right. I don't mind the standard being too high for me to meet (although, obviously...). I also don't mind the standard being, in my view, wrong and slightly arbitrary, because that's just my view. But the standard must apply consistently, so that site administrators looking for hosting advice can be sure that all the hosts listed meet the same standard.
Consider another area of hosting. Suppose the agreed standard is that all hosts must offer a minimum of 128MB of RAM for PHP before they can be listed. You could argue that it's arbitrary. You could argue it's wrong. But it would be a standard. What you wouldn't want, as a user, is to discover that only hosts listed after a certain date are guaranteed to meet that standard, but hosts that have been listed for longer could get away with just 16MB. At that point, the Drupal list becomes no more useful than the myriad of "top ten web hosts" fake-review sites.
I'm very pleased that the Drupal Association wants to apply some objective benchmarking before they are willing to recommend a host. That will weed out hosts who would only cause grief to those who sign up. But it only has this effect as long as:
1. The right benchmarks are selected - so let's discuss them.
2. They are applied with absolute objectivity and consistency.
Anyway - you and I have had our 2c (2p ;)) already - let's see what others have to say.
Hosting page on drupal.org
James and Alan,
Thank you for posting your frustrations on the hosting page's review process on g.d.o. I am the one that setup the latest review process and I often act as the gatekeeper to that page. The hosting page is designed to point new users to Drupal to hosts that will provide them with excellent service, great hosting, and an overall positive experience. To achieve that goal we put in place a security review process to ensure that all hosts listed on that page are secure to the extent necessary to uphold the reputation of Drupal.
With the said security is only one criteria of our review process. Other parts of our review process include the host's knowledge of Drupal, the Drupal project, its community, and how that hosts support the Drupal project. We value companies that not only host Drupal but support our project through contributions to our documentation, code, modules, or financially.
I understand that your post is looking for a very standard set of criteria and having been involved in your review process I hear your frustrations. We have made changes to our review process internally and adjustments have been made but ultimately to be listed on that hosting page we must be assured that the users we send to those hosts will have a great experience.
-Jacob
-Jacob Redding
Hi Jacob,Thanks for your
Hi Jacob,
Thanks for your comment. I do perfectly understand the objectives of setting up such a review process and stand by the scrutiny in order to provide Drupal users great hosting services. However, many companies like ours which adore, worship, sleep and breathe with Drupal would be able to meet all the requirements and prove they are even better in supporting good reputation of Drupal in the eyes of customers than some of the listed companies, if they only had a fair chance to be reviewed. The review process, in our case, is stuck because of the above mentioned matter with inability for certain setups to practically pass the security test.
So, I guess, there is no need for now to try to explain that in comparison with many companies already listed on http://drupal.org/hosting, which provide Drupal-hosting as just one of numerous other CMS, we at http://drupion.com are totally Drupal-oriented: we properly configure our servers to host ONLY and ONLY Drupal web-sites; we provide fully managed Drupal hosting, that meaning that we carefully assist our customers with every single hosting and Drupal-related issues; we are so much devoted to Drupal, that we utilize it everywhere: shopping cart, billing, ticket supporting system, even if it is not so much convenient - the obvious reason why such prominent Drupal companies as Acquia use third party software to take care of, for instance, their customers' needs for ticket support system.
If you really questioned the knowledge of Drupal, Drupal project and its community by some companies that are already listed on http://drupal.org/hosting, then you would be surprised at how much rough ideas they have in comparison with some companies like ours, which consist of devoted Drupal experts, who spend significant parts of their lives, lasting years and years on Drupal project and know well every single peculiarity and every single corner around here.
So my frustration is quite justified and what is even more disturbing is that the particular problem described above is overlooked and ignored again.
To reinstate:
1) It is not practically possible for RHL/CentOS based hosting companies to pass the security test. What is Drupal Association's solution offered to this Gordian Knot?
2) Why the companies already listed on http://drupal.org/hosting fail the same security test? With how much of fairness and objectiveness the criteria of the scrutiny are observed by responsible persons? How much it is really pursuing the declared objectives and how much it is really harming to further development of the community by creating unnecessary barriers for new players to enter the limited number of Drupal hosting providers?
I understand your frustration
Alan,
Let me say that I understand your frustration. It was your back and forth that caused us to make internal changes to how we work on the hosting page. However, the hosting page is not a listings page and it is not designed to be one. Drupal.org is designed to support the Drupal project and not hosting companies. The hosts currently listed either contribute code, documentation, or financially support the Drupal project through the Association. We review them and vet them to ensure that users have a great experience.
Unfortunately you got caught up in a bad process that we are working on changing. The security test is not the metric for inclusion on that page. It is a combination of the overall user experience.
To directly answer your questions
1) I've been involved in the conversations about this. Our security team has offered you solutions that you don't want to implement. That's your choice but it doesn't mean that they will pass you because you decided to not implement the solution. We recently listed Arvixe whose setup does pass the same test. I hear your arguments but our security team disagrees with them. At this point I have to side with the security team, they are here to keep Drupal secure.
2) These hosts are been listed for years and have a proven reputation for providing a great service. That's it.
As mentioned I understand your concern and hopefully we can get to a point where you will be listed on that page. I want to highlight great companies that are helping us push the Drupal project forward. You are obviously dedicated to Drupal so let's shift the conversation away from the security test and over to how you see your company helping to make the Drupal project absolutely amazing. We're here to support the community and the project.
-Jacob Redding
Thanks for your comment,
Thanks for your comment, Jacob. Please read http://drupal.org/node/1414062#comment-5506906 to see that we did not refuse and actually tried the solution offered by Greg (I am not sure if Greg is in the security team, the solution was offered during discussion of the issue opened for the module and nobody else from Drupal Association or Security team contacted us and offered any solution), however it did not work out. Please, try it on similar CentOS setup and you we'll see it does not work.
For the rest of your comment, let me later reply to your e-mail. I don't feel comfortable to brag in public about what great deeds our team could have contribute to promote Drupal project.
understood
Alan,
I understand your frustration and having followed and been on both the internal and external communication strings at this point we're going to have to agree to disagree. Unfortunately we need to be assured that we will not send users to an insecure platform. Without a clean security test we don't gain that assurance.
As I've mentioned before our goal is to send users to great hosts so they have a positive experience with Drupal. Let's focus on the Drupal project and the community. Help us understand how your host is going to make Drupal be awesome and how you're supporting the Drupal community.
-Jacob Redding
Jacob,I do appreciate your
Jacob,
I do appreciate your responsiveness and your working with us to get beyond the situation where our company has been stuck trying to pass security test. We definitely would not deem our setup as insecure and frankly saying don't see any security problems at our side at all. The problem is, to reinstate, in the fact that Drupal Association is requiring us to pass the test, that is not possible to practically pass without providing any solid consultation, documentation, any solution at the very same time closing its eyes to another fact - that already listed hosting companies fail the same test.
We are not asking here to include our company to the list. Please read above - we are raising quite legitimate questions, that are of interest to wider community. They are as direct, simplistic and, as I see how hard you are trying to get away from them and probably will succeed in that, very much naive. Please understand, that narrowing the subject of proposed discussion to our particular case, we are missing the main objective - to eliminate wrong practice of Drupal Association if there is such or to get the practice enhanced if there is lack of conduct of available solutions to companies, which would like to get listed and have enough justifications to want to do that.
And to say frankly I don't find your returning of a kind "Let's see what your host has done or can done to make Drupal awesome" very much professional because:
(1) As this discussion is not a place for a single company to start listing its heroic deeds in the name of Drupal project and even if essentially we would love to get listed, that is not our request here - we are trying to bring into attention imperfect practices of Drupal Association, that is our subject here and, if you want to count it, that is our another contribution to Drupal mission in general.
(2) Evaluating of contribution of that or another individual or company to Drupal could be very much subjective process. For example, to my subjective opinion none of the companies listed on http://drupal.org/hosting made contributions to Drupal with codes, documentation or any other very much visible activities on Drupal project. I personally haven't notice any positive and tangible contributions by these companies to the community, except that for some of them there are lot's of complaints on the forums from users who experienced their services. I also did not notice that anywhere on http://drupal.org or http://groups.drupal.org they had to prove how much they are useful to Drupal community. Please give me a link if I missed something.
(3) Well, failing to find evidences of viable activities and contributions of the listed companies to Drupal community, one could suggest that they are listed because they make financial contributions. In this case please make it plain and clear that only those who pay money can pass the review process even if they fail the security test. If it is true, then please correct the text of the requirements for Silver and Bronze candidates on
https://association.drupal.org/advertising/hosting, which respectively state:
We decided to apply only because we believed we qualify in every single aspect of the requirements. Otherwise, if we knew that texting is very much misleading, that in practice we would hit such an impenetrable barrier, then probably we would prefer not to spend so much of our efforts and time, wouldn't became a Drupal Association member of organization type and would live small life of a small, nevertheless so much devoted to Drupal, Drupal specific hosting company.
Seriously we wouldn't poke our nose into your kitchen, guys, if the policy clearly explained that this cross, this burden is not for the shoulder of newly established company. But now we are here, asking our open and naive questions. Please, finally turn your attention to what we are asking about! Please run tests on the platforms of already listed companies and try to explain to us why they are there despite their failure to the same test. And please, at least keep the list functional - one of the Silver hosts are totally gone, its website is not accessible. I don't want to harm anyone's business, so not naming the company, but you will easily find - second to the left in the Silver list.
And please come up with more convincing assurances than just stating you are acting in the best interests of Drupal community and hinting our own inconsistency to meet your requirements. Criteria of your requirements are quite vague and has to be reviewed too. How on earth a company should prove its usefulness to Drupal? If the company is about Drupal and about providing Drupal related services and has already made efforts to establish a business purely devoted to Drupal, then it is definitely and obviously useful to the community. I my humble opinion, of course. In somebody else's opinion Drupal users might better benefit from a general hosting company which does not tune its services to Drupal, does not provide Drupal specific hosting, constantly screws up its customers, but, what is important, pays good money to the Association.
You're right
Alan,
Thank you for pointing out the hosting company that isn't coming up. It has been removed.
As mentioned you are correct. The process is confusing and the text is misleading. We are changing the process and the text will be modified correspondingly. We began this process last week partially based on the feedback received in your back-n-forth with the security team. You're not the only company confused. We created a bad process and we're changing it. We left this page go unchecked for too long and next week we will be making changes to the page.
You jumped through a number of hoops to get listed on that page and were unfortunately blocked in a security test. I trust our security team and they passed other organizations and failed yours. It's unfortunate but it's as black and white as that. I also do understand that a few companies listed on that page (specifically A2 and bluehost) also fail certain aspects of the security test (as you did). However, these companies have been listed for years and we have reasonable assurance that they are providing a great service to new users to Drupal. In short, they were grandfathered in. We need to gain the same assurance with you. To be frank your tenacity in this thread is testament to your dedication to the Drupal project and I love working with companies like yours.
The Drupal Association fields numerous requests to be listed on that page and everyone must go through the security review before we consider them for the page. I am moving on from the security test. Each host must go through the review and our security team must give us a sign off. They didn't give you one. I'm sorry but it's that straight-forward.
You asked:
How on earth a company should prove its usefulness to Drupal?
It's quite easy. Contribute.
Show us the documentation you've written, modules you've contributed, point out the developers contributing to core, or the events that you are putting together. We love that you've built a business on Drupal, that is amazing! But you've been able to do that because many people have dedicated their time to contributing to the project. Contributions are what makes us tick.
So.. that's it. We want to highlight great companies that are contributing to the Drupal project and helping to move it forward. The companies listed at the top of that page have done one of two things:
(1) Contributed to the project
(2) given financially so we can pay for servers, infrastructure, software updates, etc. Those that only pay and don't contribute must still past a security review and have strong reviews to ensure they are going to give their Drupal customers a great experience.
Let's find out how to get you listed on that page. We want to work with great companies like yours.
-Jacob Redding
Jacob,I deliberately have
Jacob,
I deliberately have been avoiding companies on the top of the list in our discussions, since I reviewed the pricing for the Gold hosts and can only applaud their participation since perfectly understand Drupal Association needs financial support.
We also will be contributing to the Association by placing our paid ads when we have little more history and revenue. It is quite difficult to contribute otherwise for a new company, even though the members of our team have been contributing to the community since long. But that's completely another story, since, again, we don't wan't to talk about our company only, we are trying to address the subject matter here that are interest to wider community. And we will be already happy if thanks to our insisting efforts some practices of DA are changed or the language of some relevant documentation is enhanced.
However, you should pay attention that not only Gold hosts fail the test (which turns out have justified by your party "moral right" to fail), but also Silver and Bronze hosts. We had created testing accounts with several of them and to our surprise all of the failed the test. Name us any single host that can pass the test and then we will go and create testing account with them. We did not test all of them since it requires payment and since it was satisfactory to witness failures on already tested hosts.
I can only be thankful for your offer to find a way to get our company listed and that you want to work such companies like ours, however question about соме shortcomings in the practices of the Association remain until they are solved. I second what James offered above:
(i) The fact that the Drupal Association requires every test to be passed on Security Review before they'll list a host. That's their choice, but they could have chosen to disregard the test on file-writeability. As this module develops and new tests are added, it seems to me that the association should decide carefully which ones they will require. Which brings me to:
(ii) The fact that the same standard does not appear to apply to existing listed hosts and prospective ones. So, in a similar vein, if a new test in SR is going to be required of all hosts, existing listed hosts should be given a period of time to ensure they conform, otherwise they lose their listing on drupal.org/hosting.
Town Hall
Tomorrow I am hosting a town hall meeting. You should attend, it'd be great to have you there.
http://association.Drupal.org/about/meet
-Jacob Redding
I am in Cupertino,
I am in Cupertino, California, so will not be able to attend the meeting. Thanks for invitation, though.
Edit: I see we could connect through IRC or phone. Well, if my opinion is required and will be listened, then I don't mind participating remotely.
You are not sure??
Is Greg on the security team? Well, he is, but Greg does not know squat about security. In fact, his authorship on the Drupal security book is a lie, I didn't tech edit it but ghostwritten it. Now, it's out there. Him being the security team leader is a kind of insider joke, like Stephen Colbert running for presidency. The community likes these sorts of practical jokes -- they even let me lead that team for a while.
Is Greg on the security team?
Are you talking about Greg, whose nick on Drupal.org is greggles? I am totally confused, because seeing he is one of the maintainers of Security Review module, our team tried hard to follow his instructions on http://drupal.org/node/1414062#comment-5505760, which eventually did not work at all.
At the moment several different questions circling in my head:
You said you are from the security team and asserting Greg is not as much competent as to give instructions on how to pass the test. But he is a maintainer of the module and happens to be part of security team as yourself admitted. To whom on earth we have to listen? What is the best way to pass the test for CentOS operated servers with PHP running in fast-cgi mode? Is there is enough conduct of communication between security team members? Do you have some kind of code of ethics not to efface each other in public? Why Drupal Association requires from new applicants passing the security test of the module, maintained by, if to believe to chx, incompetent security expert?
Getting form worse to worser.
wow
http://en.wikipedia.org/wiki/Irony
OMG, Dear, you have to be
OMG, Dear, you have to be very careful when talking irony in the place where serious issues are discussed, especially for non-native-English speakers like myself. Because, irony just as well as humor has nationality: http://www.jstor.org/pss/656431 Common, guys, is having fun really appropriate now?! Is this how Drupal Association treats legitimate criticism? Getting really terrible :(
Not the DA
I am not associated with the Drupal Association in any way or form. Just FYI. I didn't quite understand how did the DA got involved in a technical argument between you and the security team nor I understand why it's getting "really terrible" now.
However, you did bring this to the DA and Jacob said " Other parts of our review process include the host's knowledge of Drupal, the Drupal project, its community." now what does this incident say about your knowledge of the community and its leaders??
I guess this culmination of
I guess this culmination of mockery, which chx, a member of security team of Drupal Association, calls irony was the last drop to my already filled up cup of patience. Why should I spend more of my time and efforts to bring some positive changes to Drupal Association's practices, when these guys even don't take you for serious?! This is just unacceptable behavior, which just makes me to take off.
Using this opportunity I ask to cancel our membership in the Association. You may disregard our application for including on hosting ad page. We will do fine without it and without this kind of humiliating communication with the Association. Image of nearly perfect Drupal community and its Association is rapidly changing in my eyes. You guys, failed even in appointing right people to deal with the issues, letting your reps ironize with people coming to you to address serious matters.
Phone call
Alan,
You've been in this process for quite some time and its unfortunate that you've risen to this level of frustration. I have reached out to you personally via email to request a phone call. I think it would be good if we had a quick chat about the Drupal community, Drupal Association, and how it all comes together.
-Jacob Redding
Hey Jacob, I've just replied
Hey Jacob,
I've just replied to your e-mail. I don't mind talking on the phone. However, just to sum up the discussion here, I'd like to state that it became clear to me that chx does not represent DA only after his last post. Nevertheless, since the hosting page is administered by DA and in order to go through the whole process we had to pass through security team's test and despite they are two separate entities, we look at DA and the security team as one single party in the subject matter.
The security team in this case is serving DA, it is taking care of the task set by DA. And I find it as unnecessary bureaucracy to spend your and my time to explain to me the difference avoiding again directly addressing my questions. You may be assured that being a Drupal user for a long period of time I do differ DA, security team and Drupal community. And it is quite natural, that sometimes, especially when the act together, they are seen as on single part of the processes.
And then not being associated to DA does not excuse unacceptable behavior of security team member.
Sorry
I would like to offer my apology. I have crossed a line I shouldn't have.
Or Sarcasm...
I was thinking more along the lines of http://en.wikipedia.org/wiki/Sarcasm ;-)
Have you found companies in
Have you found companies in the list that fail the security test? Or is this just a hypothetical?
Yes, we did run tests on
Yes, we did run tests on three different companies and all of them failed. And then we decided not to continue the tests. I just didn't want to name them here since professional ethics require to respect competitors and to avoid actions which can harm them. However, I believe there is no necessity to pinpoint anyone - you can open up hosting account on any of them, run the test and see it by yourself.
Tell the sec team
This is very easy, write an email to security@drupal.org and we will handle this.
Handle what? I don't think
Handle what? I don't think Drupal Association has to wait for others to report in order to start requiring from the companies in the list to respect its rules.
To be honest, comments like
To be honest, comments like these make it seem like you aren't as much a part of the Drupal community as you claim to be... this is a group effort, a do-ocracy. If you see something that should be corrected on the site, then you make some effort to correct it. You don't wait for some authority figure to come in and take care of everything. Also, chx was suggesting you report the problems to the Security Team, which isn't part of the Drupal Association.
The Drupal Association might be doing something unfair here... or they might not. But it's up to us (yes, us, since I'm not part of the Drupal Association either, contrary to what you seem to think) to put in at least some of the effort to clean up information on Drupal.org. If you try to get it cleaned up and run into problems because there is actually an unfair practice in place, THEN it's time to raise heck. But you can't just sit on your hands and yell at people to do stuff for you.
Lin, thank you very much for
Lin, thank you very much for your input. Sorry for being so much straightforward lastly. If we didn't feel as part of Drupal community we wouldn't put so much efforts as to creating http://drupion.com. Yes, we are pursuing our business interests, but at the same time we are serving needs of Drupal community. Our customers are happy with the quality of our services and the level of our knowledge and caring for Drupal. Please, try to be fair and try to understand that we have very good ground for being strict and straightforward since we have faced very much non-fair attitude during the evaluation process, we have run tests on other hosting companies and found out they also don't comply. We simply do not accept this kind of non-fair policies simply because we believe that for the sake of Drupal project the Drupal Association can do better.
And there is a sensible difference between what I actually meant and what you are talking about. Of course, we gladly would report if we found something to "be corrected on the site", but, believe me, it would be completely wrong stance if Drupal Association would be sitting and waiting until someone reports on bad hosting companies, which do not comply with the requirements, in order to start setting them to rights. It is not business of competitors to monitor each other's services just to get a chance to report each other to authorities. I have mentioned several times on this page that we are here to discuss non-fair practices of Drupal Association and not to deal with specific cases. Setting non-compliant companies to rights is Drupal Association's business, not ours.
And I have to note, Dear Lin, that suspecting somebody who is trying to raise legitimate criticism of non-fair practices of Drupal Association in his not-enough-being-part-of-Drupal-community is completely unprofessional. This kind of attitude from other Drupal Association members by no means can cancel our love to Drupal. We will continue to breathe Drupal. Separately and staying away from those who can not tolerate legitimate criticism.
Transparency and Grandfathering
Well, now it's morning here, let me come back in on the discussion that's run quite a bit since I first posted!
I want to make two points. First a plea for transparency. Second, a plea to end what Jacob called "grandfathering".
First, transparency.
I'm active over at Web Hosting Talk, one of the most active online communities in the web hosting world. (Alan, I don't know if you're over there yet. If you are, say "hi". If you're not, join in!). There's a general weariness there with the fact that so much web hosting marketing is driven by the size of the affiliate payouts. I mentioned above the "top ten reviews" type sites. Google for a few and take a look. They list almost the same set of companies, those that pay out most generously. There are two very frequent types of threads on WHT:
(i) I signed up with host X (one of the top ten). What's gone wrong? My site's really slow. And they said I could have unlimited space, but they've threatened to suspend my account. ... Answer: Helpful advice on finding a "proper" host.
(ii) I'm looking for a host, and I've narrowed it down to a shortlist: X, Y or Z. ... Answer: Let me guess how you arrived at that shortlist. Please - save yourself some grief, and don't go with any of those. They only got on those sites by paying so much. Search around here, you'll find many people who have run into trouble. Forget the "unlimited" hype - how much space do you really need; what kind of site are you trying to run; how many visitors are you likely to get... Let's help you find a good host for you.
Where the rubber hits the road for Drupal is when you look at discussions about the recommended host lists for other CMS platforms. The hosts on these sites can look very familiar to those who have met the "top ten" lists. The alarm bells ring when the links are affiliate ones. And frequently, on WHT, the attitude to them is that they, too, are only really about money and are not a guide to reliable hosting.
Drupal is in the process of entering that field. The reputation of Drupal will be affected by the way this is set up. When "Drupal recommended hosts" or similar is mentioned on forums like WHT, there are two responses we could get in a year from now:
(i) "Forget that list. It just lists the companies who pay the most. Now,... what modules are you going to be running, and how busy will the site be? Let's give you some real "help.
(ii) "You know, Drupal is the only CMS that has taken the trouble to compile their list properly. There are other good hosts too, but if you pick a host on their list you won't go wrong."
Which reputation Drupal gets depends on how this is done. I'd make a plea for transparency of process on this one. Something like the following: For each host on the d.o/hosting page, have a separate node giving details of the host and why they're there. It could contain information like this:
or some variation on that. The idea of financial bands is that some kind of disclosure of that is necessary. With so much marketing underhand in the web hosting world, any opacity generates suspicion. But we could band the annual levels of support to allow some disclosure without giving figures.
Exactly how it's done could vary. But transparency gives Drupal the chance to be at the leading edge in this area.
Second, grandfathering.
Essentially this: Hosting companies change, go downhill, improve themselves, close down, get bought out, expand by buying others out and so on. A brilliant host a year ago could be appalling today, and vice versa. Just because a company has "supported Drupal" for many years, should not (IMHO) mean they are entitled to remain on the list today. What it does mean is that they should be given a generous amount of time to rectify things to give them a good chance to stay on.
Since you mentioned BlueHost. They were taken over by Endurance International Group a year ago. EIG are a large company that now owns (I think) over 20 web hosting companies. Historically, as they've taken them over, they've changed the working practice at those firms to bring them into line with the "EIG Way". That means things change.
Now don't get me wrong. I've never used BlueHost, or any other EIG-owned host, so I can't comment on whether BlueHost are good or bad, and whether EIG will have improved things for better or worse. (That said, I'd always search at Web Hosting Talk before signing up for any host...) But they will be changed. So I don't see why they should have an immunity, and an automatic right to remain on the recommended hosting list. That should be a matter for ongoing review, the same as for anyone else.
Hi James, Thank you for the
Hi James,
Thank you for the detailed write-up.
I am not registered on Web Hosting Talk or anywhere else other than Drupal.org. Thank you for invitation, but specializing in providing Drupal specific hosting services, we don't need to promote our business by participating on different hosting forums, our market niche is here, on Drupal.org. We also prefer not give any negative review on other hosting companies, so there is no much need for us to sit on other forums.
Returning to our conversation, I second your opinion that since Drupal Association is about to introduce some changes in its evaluation process for new hosting companies wishing to be listed, it is critical moment to choose right direction and to make right decisions. It is obvious that the current practice, based on such approaches as practicing strict policies on new applicants at the same time ignoring non-compliance with the same policies of already listed companies, "grandfathering" and avoiding to give clear answers to open and direct questions, is much worse that just imperfect. There should be precise documentation, fair policies, transparent process. Just assuring they are really good guys and doing things in the way they are doing with good intentions in their hearts at the same time ignoring obvious issues brought up by us, is not satisfactory.
I really hope Drupal Association will come to right conclusions with regard of the subject matter and will not further harm reputation of the whole Drupal project.
WHT and opportunity
Just, briefly, to clarify on Web Hosting Talk. I have no interest in how many or few forums you register on. But WHT is not really about promoting a web host, or putting others down. It's a community, much like drupal.org, of people who have an interest in web hosting. One of the strengths of WHT is the very active moderation. You are strictly not allowed to recommend, or advise against, any host you haven't used personally, and that gets checked. I learn loads by being part of discussions on there, and the almost entire freedom from spam-posting is what makes it a useful forum.
You got the gist of my post exactly right. This is an opportunity for Drupal to relate to the web hosting industry in a way that few other comparable groups have managed to. I think the will is there to take that opportunity, so let's all work together to make the way hosting is recommended the best it can be.
Thanks for explanation.
Thanks for explanation. Sounds interesting and we'll try to register on WHM just to follow discussions there. Unfortunately, we don't have enough time and labor resources to take active part in conversations, we try to concentrate our efforts to provide quality service to Drupal community.
I second your appeal to work together. I believe nevertheless we are not decision-taker in the subject matter, we have already been working together with all others participants of this thread to influence the situation and to bring it to right track just by raising our voices. The rest is up to the decision-takers, and I really hope they will see some useful ideas in your and my posts, and not just find something to which should feel offended like Lin did above.
Just to clarify a few things...
It seems like there are all sorts of misconceptions flying around here, so let's take this one step at a time:
1) Who is and who is not part of the Drupal Association. That would be the people at https://association.drupal.org/about/staff (Jacob) and the people at https://association.drupal.org/about/governance (myself). Everyone else here is a member of the much larger, broader Drupal community chiming in on this issue.
2) Who is and who is not part of the security team. That would be the people at https://security.drupal.org/team-members. This includes myself, greggles (head of the security team), chx (btw, chx, you need to refresh yourself with http://drupal.org/dcoc. You're way out of line here).
3) The relationship between the Drupal Association and the Drupal security team. The Drupal Association does not own, operate, or otherwise have any control whatsoever in the Drupal security team. The security team is a collection of volunteers from the Drupal community who take handle reports about security issues not only on Drupal core, but also on all contributed modules and themes. They also get e-mails from people whose Drupal sites get hacked. When one of these incidents happens, the blame almost always falls back on Drupal (and its security team) and not Crappy Hosting Dot Com. You can therefore understand why it's important to them that hosting companies that feature prominently on the Drupal.org website are configured securely, and why tools like the Security Review module were developed in the first place.
4) The relationship between the Drupal Association and the hosting page. The Drupal Association collects advertising revenue from the hosts listed on this page. While it's in the Drupal Association's best interest to put as many hosts here as possible and let the money flow on through to fund various initiatives (including keeping drupal.org online), we try and work with the Drupal security team to come up with a set of guidelines that they are comfortable with. This has resulted in the hoops you're jumping through here.
5a) The relationship between building a business off Drupal and contributing to it. Alan's claiming here that dedicating his business to Drupal sites counts as a contribution to Drupal, but you have to remember you're talking to people who put 80+ hour weeks into the Drupal project as volunteers. To them, you making money off of their work is not a contribution to the project; elbow grease is: patches, modules, documentation, etc.
5b) However, there are clearly some members of our community in this thread who need to be reminded that not everyone can make those kinds of contributions (either due to lack of time or due to lack of specific skills). Alan and James are members of our community who are trying to contribute in a way that they can (financially supporting the DA) and being told "no." This is why they're frustrated. We also need to remember that this community structure stuff is totally obtuse, really hard to find written down anywhere, and that there are long-time members of this community who've been contributing for years who still don't get how it works. Education is the key here, not derision.
Where the contention here really seems to boil down to is the following points (also articulated nicely by James):
a) The Security Review scan is a one-time-only thing. There is no follow-up to see if the host continues to be secure after that point. Alan found some hosts listed there that have lapsed. This provides the impression that we are playing favourites and that the process is unfair. Really, it's a simple matter of lack of enough security-skilled volunteers to do this work on an ongoing basis.
b) Further feeding into that perception is the fact that there are some hosting companies which never had to jump through these hoops, because of how long they've been there. I can certainly understand why that would be offensive, especially when you're trying to do everything right.
These seem like fairly simple things to either clarify in the text, and/or set up process changes around (e.g. require re-testing every year to retain your "certification"). Seems like this has already started to be undertaken by Jacob.
<rant type="my own webchickish opinions, not those of the DA or the security team">Personally, I think this approval process is completely untenable and should be scrapped. It sucks way too much time and energy away from our incredibly busy security-smart volunteers, it makes hosting companies angry, and the DA ends up getting blamed for it every time even though it's not our process. Having these hoops also robs the DA (and thus the Drupal community) of a MAJOR source of funds which could be used for any number of things, such as creating a development team for Drupal.org, expanding the DA's programs internationally, or any number of things we'd like to do but can't because we don't want to charge $1200/head at DrupalCon.
I would much rather see the security review checkoff become a "Passes Security Review" badge on a hosting company's record, which would then cause them to be featured more prominently in the listing, and for all of our documentation that points to this page to recommend choosing hosts with that badge. This would give incentive to hosting companies to do what they could to pass the test but would not prevent those who cannot from supporting the DA and being listed as a hosting contender. Our users are savvy. Let them evaluate the choices.
Also, the badge image should be is fed in remotely from the security review module installed on host X, so that if the checks fail, the star gets removed automatically.
</rant>Cross-posted
I've additionally cross-posted this thread to the http://groups.drupal.org/best-practices-drupal-security group, since the root of these concerns are with the security requirements for hosting companies, which originated there.
there's a module for that...
drush dl fivestar;drush en fivestar -y;drush cc all
etc. or similar?
Dear Angie,I'd like to
Dear Angie,
I'd like to express my complete satisfaction with and thankfulness for every single thought you expressed above. I was intuitively expecting this kind of intervention by reputable Drupal community members which would fairly sort out the subject matter.
I also spoke with Jacob today on the phone and he has enlightened me with many background details, namely that our application unfortunately got caught in the middle of already ongoing changes, therefore causing so many misunderstandings and this discussion. Jacob has assured me that the current policy, subject of our criticism, is going to be changed in about a week time.
I'd like to thank everybody who participated in the discussion and using this opportunity apologize if at some moments I was excessively harsh on anyone or anything. Didn't mean anything but using my imperfect command of learned English to make some use to the community here.
Peace.
Thanks for a very level
Thanks for a very level headed post. You never cease to amaze me in your passion and inclusiveness. Thanks.
On the webchick rant area....The problem with a "passes security review" badge is that many hosting companies who have applied will claim that their default Drupal installation passes the review, then Michael Hess (the current person doing this work) will login and see that it does not. So giving that badge will still require the verification. Having done these reviews myself for a while it can make you pretty jaded to ask for one thing, be told it's done, and then learn you were lied to when you verify it yourself.
The /hosting has a long history and it is important to me that we only allow high quality hosts to be included. While the security review module (and our other means to measure host quality) are an incomplete test of being "high quality" the fact that they are flawed shouldn't mean we just drop the effort. If we recommend low quality hosts we greatly reduce the likelihood that first time Drupal installers will be successful AND increase the likelihood that people with Drupal installations will be vulnerable to some massive worm that ends up being a black-eye for the community.
knaddison blog | Morris Animal Foundation
Let's discuss the badge
Let's discuss the badge feature over at http://drupal.org/node/1427956. I pictured something a little more involved than I laid out here.
Awesome Idea
+100 to using badges as non-abbrasive and non-confrontational methods for ensuring quality in our listings without sacrificing (I think this may be the way to handle the marketplace vis-a-vis "contributing companies" as well). I feel like Mozilla's Open Badge initiative is something our Open Source community should be embracing and helping to foster, and this seems like a great place to start (we have a clear set of criteria, we have a body that can act as a signer, etc), if others agree.
Anything we can do to remove the many roadblocks that have been (imo inadvertently and with the best of intentions) placed in front of new contributing individuals companies is something I personally will support, so just let me know if there's anything I can do to help here.
Alex Urevick-Ackelsberg
ZivTech: Illuminating Technology
After following this thread,
After following this thread, there is one other item that I think needs mentioning. It seems like the current process is mired with serious conflicts of interest. As I understand, Greg is on the security team and helping draft the tests that are required to qualify Drupal hosting providers. He also works at Acquia that provide the same or similar service offerings that companies like Alan do. It seems like the peer-review process needs to be completely independent from organizations that provide a competing service. This same issue has been raised for inclusion into the Services Directory.
For the record, this is not me making an accusation or any kind of conspiracy theory against Acquia, Greg, etc. To the contrary, I have a ton of respect for all of Greg and Acquia's community contributions. Its a matter of wanting to improve the current protocol and processes that are in place now.
I really like Angie's idea about badges and hope this gains traction.
Cheers,
Dave
Mediacurrent
Hi Dave,This is an important
Hi Dave,
This is an important question and I appreciate you raising it.
I had been doing these reviews for a few years. I officially joined Acquia on September 1st
20122011 though it was well under way by August 12th. In late August I realized conflict of interest would become a problem so I started to think on what to do. On August 29th I sent an email to the Drupal Security Team asking for volunteers who could help with the work and who wouldn't have a conflict of interest. Two volunteers from the team offered to help and Michael Hess has basically taken over the role of security expert in the process since then.Michael, Jacob and Megan periodically ask me what I think about the policies because I have had more knowledge of the process than anyone else, but I've been pretty consistent in saying what I think but stressing that the policy is up to them.
I also like the idea of badges and I believe Jacob is considering that along with a lot of other ideas.
Edit: edited to say 2011 instead of 2012. I don't have a time machine. Yet.
knaddison blog | Morris Animal Foundation
"Community"
And this is exactly why open source is failing. No, it's not those who have been working together for years building what is available for free to the world, it's those who are willing to throw their reputations under the truck so they can get a piece of the action.
Sorry for the non-constructive post.
~~ Amy Stephen ~~
http://OpenSourceCommunity.org
feedback...
@yngens
To preface, you are making a lot of valid points, but they are being drowned out by your accusatory tone. I think the majority of the community finds it highly unlikely that Dries is sitting in his office, twisting his mustache with the executives at Acquia, wondering how he can keep Drupal companies out of the hosting service directory on drupal.org. In short, there is no conspiracy here.
Here are some thoughts and observations for Holly, Megan, and the DA to chew on:
These are natural growing pains for Drupal and any open-source software community. The good news is that I am confident that Megan and the DA are listening and better solutions will be found.
Cheers,
Dave
Mediacurrent
Dave - just to repeat what
Dave - just to repeat what Greg said above since accusations tend to be heard and remembered but the reality is often not. Greg indicated above that he did not participate in the security reviews because of his employment with Acquia because he didn't want there to be a conflict of interest.
~~ Amy Stephen ~~
http://OpenSourceCommunity.org
Thanks so much, Dave, for
Thanks so much, Dave, for netting out the points. That was really helpful. And, thanks for the vote of confidence that we can improve the process and transparency around the hosting listing. I'm going to review a few areas this week specifically: The review process, the volunteer team helping me to make sure there is no conflict of interest, and I will review the Other Great Hosts contributions to see if they still meet the criteria. In other words...A complete audit :-)
I'll be happy to share the findings and outcome so it's transparent.
As always, the intent of this page is to help the community. The paid listings generate revenue that is invested into the community. Drupal.org's hosting bill is $90,000 a year and these paid listings help pay for that so we can keep Drupal.org running. And, the Other Great Hosts was to reward hosting companies who contribute directly to the Project (code, documentation, issue queue, etc). Hosting companies don't have to do this but some do and we wanted to reward that effort.
It's clear from this thread that there is a lot of community concerns about how decisions are made and by whom. And, while our intent for this page is all goodness, it's all for naught if there isn't trust in that. So, stay tuned! I'm on the job and will be working through the issues this week and will report back my findings. If there is anything else I should consider when doing the audit, please let me know.
Executive Director, Drupal Association
...
For the "Other Great Hosts" section, I'd love to see a link under their linkblock pointing to their Organization Node so we can actually see who's behind the company. (Looking over the companies, I only recognized a few.) A simple "About /Company Name/".
Regarding the big ads on top - are all of them Affiliate Links? If so, should they be identified as "Paid Advertisements"? Or can a company from the Other Great Hosts move up there without affiliate links? (I do believe that anywhere on d.o that has paid ads be identified as such.)
~silverwing
P.S. - Since I personally don't think most of the hosts listed at the top of the pages are "great" I hate the phrase "Other Great Hosts" and hope that it can be changed to reflect the community aspect of their contributions.
Hi Amy - Right, I think you
Hi Amy - Right, I think you are referring to Greg's recent comment, but he earlier said his employment at Acquia caused him to not want to conduct security reviews for inclusion in the hosting directory because of the perceived conflict. He did the right thing, and sought other volunteers to take over this role. My point is that there are probably others on the screening/review committee, who have a similar conflict (i.e. they work for companies that provide hosting services and are evaluating applicants that are their competition).
Cheers,
Dave
Mediacurrent
Agree. Greg did the right
Agree. Greg did the right thing. Hopefully, that message will get out, not incorrect accusations.
In this case, there are objective problems. Yyngens seems to agree his hosting services do not meet the security requirements. There is public source code and security lists. http://groups.drupal.org/security What problems were found? It would likely make more sense for Yyngens to take advantage of Greg's offer to review these issues and get those problems fixed. It is probably not a good idea for the project to list hosts which can't pass those tests. That is not subjective, it has nothing to do with abuse of power, it's clear and those problems should be resolved.
~~ Amy Stephen ~~
http://OpenSourceCommunity.org
My point is that there are
Actually, no. Michael Hess is a faculty member at University of Michigan and he took them over. University of Michigan only hosts their own sites. Hopefully we'll be able to find similar folks in the future if/when there is a need for these reviews.
I do agree with your more general point: that volunteers in the Drupal community who help out on things like this are very likely to eventually get into a situation where their biases (personal, economic, etc.) can have the potential to unfairly sway their judgment. I don't see a great solution to fix that and I find this all to be much ado about (almost) nothing.
@Mediacurrent, could you please edit your previous comment. On re-reading it I understand what you mean, but there is abiguity in this sentence which unfairly could be interpreted that I did something wrong. And I definitely didnt' do free security reviews for 2+ years and then quit them before a COI arose just to get accused of inappropriate behavior from someone as knowing/reputable as you. I don't mind if someone like yngens feels the need to insult me to try to improve their own position (and then not retract the slander when it's clearly and repeatedly shown to be false...).
Proposed text, informed 100% by reality:
knaddison blog | Morris Animal Foundation
@Greg - I think you are being
@Greg - I think you are being too hard on yourself, and more specifically, taking the comments from yngens too personal. Your reputation speaks for yourself. Period. His venting about being frustrated around the hosting directory selection process is not going to change how people feel about your tireless support and contributions to the Drupal/OSS community.
If Michael Hess is the only one that helps the DA review hosting applications than I stand 100% corrected and apologize for any discrepancies. However, if Megan asks other community members to look over applications that also work for what could be interpreted as competitors than that needs to be addressed. My point was that this puts people in a precarious position and natural COI. This is exactly why you did not want to continue in the role once you started working at Acquia.
To reiterate, I think you did nothing wrong. We will agree to disagree, but IMHO my previous comments left little room for vagueness or ambiguity around this point. I also suggested that yngens "going public" was not the right way to address his personal/company agenda issue, no matter how many times he said he attempted to reach out privately to the stakeholders involved.
Actually, I read your comment
Actually, I read your comment exactly the way Greg did, which is why I responded to you, as I did.
The problem with responses like yngens, it's not a constructive approach to solving a community problem. Everyone in the way is lumped together into one big conspiracy theory. From Dries, to Greg, to Stalin, to finally me, if you aren't sympathetic, you are part of the problem.
And it works to draw a crowd. We have all been so disappointed by leaders over the years that it also has an impact to throw mud wildly at anyone in that role.
This should not work in an open source community. If we want our processes to get better, posting will not do it, we have to get involved.
In this case, yngens needs to get his hosting services up to snuff with security. Sorry, but that's important. No matter much mud is tossed at those with authority, users need to be assured their sites are on a secure host. Thank goodness some people will take the reputation hits to ensure security is provided. And trust me, this crap does damage people.
~~ Amy Stephen ~~
http://OpenSourceCommunity.org
Sorry, but I give people in
Sorry, but I give people in the OSS/Drupal community more credit than believing conspiracy theories. IMO, they totally discount comments against long-time contributors if they are trying to advance their own personal agenda.
You and Greg interpreted my comments the way you wanted to, and I immediately made sure people knew the spirit of what I was saying.
I agree with you 100% - we've identified problems with the current process and should be focused on finding solutions.
So, after reading through a
So, after reading through a bunch of mud slinging in this thread, there's one thing I must agree with OP with (disclaimer: without actually checking his statement with real data, but I have seen similar things when my company was signing up for the training section).
The problem seems to be a lack of transparency and a missing recurring review process for companies listed in the hosting, services and training section. Once you are in, you're in, no questions asked after that point.
This creates a problem for new companies wanting to get listed, as well as it creates bad quality listings. I think that the review process needs to be recurring, in order to weed out the bad or semi-bad apples overtime.
Thanks for pointing that out.
Thanks for pointing that out. The community has been working on the marketplace listing criteria for service providers and training over the last year. It's really great to see the volunteers coming together to improve that area and they know there is still more work to be done. I will be happy to talk to them about the review process I'm going to do this week with the Hosting area and ask if they can do the same for these other sections in the Marketplace. You can also email me at megan at association dot drupal dot com and I will be happy to look into your application for you.
Executive Director, Drupal Association
Why is there a "contributions" litmus test?
With respect to everyone involved...
I too have read through much of this contentious thread. I speak solely as a Drupal site builder and owner; I have no direct stake with any of the active parties to this debate.
However, I do have a question for the community at large. Why is there a "contributions" litmus test for a hosting company to be qualified by the DA et al as worthy of recognition for the hosting services it provides?
It makes no difference to me at all whether my chosen host has or has not been a contributor to the Drupal project, let alone what metric of value the DA or others attach to their contributions.
My interest is simply to obtain hosting that meets my sites' requirements plus my own site-building parameters. I fail to see how contributing or not to the Drupal project has anything whatsoever to do with this.
Personally, I find the "contributions" litmus test in question to be highly objectionable. Now that I know about it, I am far less willing to rely on the "official" hosting provider listings than on other research sources.
Sincerely,
Bob
--
P.S. The matter of passing various technical tests, including ones to do with security -- and whether or not those tests are sensible across the board -- is something I am not qualified to comment on. But it certainly does concern me that some of those test may be meaningless with respect to certain hosting architectures.
Thanks for sharing the site
Thanks for sharing the site builder perspective. It always helps to know that point of view since the page was designed to be a resource for you and other site builders.
The section at the top are hosts who passed a review process and pay to be listed. Those funds are invested into the community by paying for drupal.org's hosting fees, which cost $90,000 plus other expenses like hardware that keep Drupal.org running.
The "intent" of the Other Great Hosts section was to reward those companies who contribute to the Project through contributions like code, documentation, helping in the issue queue, etc. Hosts don't have to contribute since it's not core to their business, but some do and we wanted to recognize and reward that. I think it's great to get your perspective. We know contribution is king and thought this was a good and right program to offer. Perhaps it doesn't really matter to the site builder? Or maybe it does and we just do a bad job of explaining why this section exists. Perhaps you would consider a host that contributes to the Project? You tell me!
Your feedback is welcome and it will be good timing since I will be doing an audit of the program this week to review our approval process, check with the volunteers to make sure there is no conflict of interest, assess if companies in Other Great Hosts still qualify, etc. Then, I will report back with my findings and our recommended changes. Hopefully, that helps provide the needed transparency that others are looking for. As I said in an earlier post, we here to serve you. If we don't have your trust, then we aren't doing our jobs well. Stay tuned! I've got some work to do, but will be back in touch soon.
Executive Director, Drupal Association
So good to hear
Thanks for saying that you're auditing and reviewing the whole process, page and programme.
I've been thinking of stepping back into this thread, but I'm having trouble getting my thoughts clear, so I'm waited to do so until I think I have something useful to say.
I both use hosting services for Drupal, and provide them to others. I'm trying to think through what kind of /hosting page would be most helpful for site owners / webmasters trying to find the best host for them. (Because we all know it's not as simple as finding "the best host". Different sites have different hosting needs, so each site owner needs to choose a good host for their needs).
I'm sure we can provide a page that is helpful for people in this position. I'm sure it can benefit the Association as well. I'm just trying to get the parameters for that clear in my own mind. (So, in that vein, thank you Bob for joining the discussion - anything else you could add on what would make that /hosting page helpful for someone like you would be good to hear).
But as I say, I'm now freshly assured that Megan et al do wish to take on board the community's feedback in this, so I'll persevere at trying to think myself clear.
A bit of concrete input
Dear Megan,
Thank you for your reply. I just visited the latest incarnation of the DO marketplace page for hosting (http://drupal.org/hosting-shared-b). It has changed since I last consulted that area, and I now see that it is basically a set of "listings" pages partitioned by a categorization of hosting levels-of-service.
Having recently educated myself on host selection, particularly for Drupal sites, I have two suggestions:
a) It would be extremely beneficial to not assume that someone prospecting for a Drupal hosting provider knows anything at all about the subject. Some form of a high-level view of the hosting landscape would be helpful, and in this regards the best I have seen thus far is at https://www.getpantheon.com/how-it-works. (Fyi, I ended up choosing Pantheon, which is why I know about this piece of their marketing collateral.)
b) Rather than exclude "non-contributors" from the Other Great Hosts section, I believe it would suffice to simply indicate on the listing itself if a hosting provider happens to be, in the eyes of DA/DO, a Drupal contributor. That way I can see that certain providers are not recognized contributors to the community, and that others are. Nothing more need be said, except to have a note on those pages explaining the criteria for being recognized as a contributor. This places the decision of whether or not to exclude "non-contributors" in the buyer's hands, where it rightly belongs.
Cheers,
Bob
Thanks for the feedback and
Thanks for the feedback and concrete input is Most helpful!
I'm working on the audit now and through the week. I'll come back with recommendations and include this kind of thinking. We have several options, all of them good ones.
Executive Director, Drupal Association
These pages date back to at
These pages date back to at least 2007 if not before, so there is a lot of undocumented thoughts/process/history that went into building them into what they are today.
In my experience, whenever a "list of minimum kinds of contributions" is made it quickly becomes a game for people to finish. "OK, I'll make 1 module and 2 documentation edits and sponsor a Drupalcamp." That leads to the worst kinds of community members and the worst kind of contributions. A company who tried to meet these requirements duplicated a ton of modules in ways that weren't helpful (i.e. they weren't measurably better than the modules they duplicated) and then immediately applied for inclusion into the service provider list. Maybe that's coincidence, but it sure soured me on the idea of an objective list of criteria. I think objective lists are also unfair to some kinds of contributors - what if the list doesn't measure your contribution? Some people give a lot by being global coordinators for Drupalcon, but that's not an easily measured thing. Surely we value that and would include someone who did that and only that, right? It gets tricky to build and maintain a good list...
On the other hand, when someone has been contributing with good intentions for a while it's very easy to see. I vastly prefer that standard.
knaddison blog | Morris Animal Foundation
Hybrid approach
Hi Greggles,
I agree with you, just find it ironic that your signature points to certifiedtorock! :)
An hybrid approach would be the best, where humans play an essential role, but algorithms/automated tests come to help.
That's why my suggestion was for automated/professional tests. Automated would be ideal for simple hosts, because the costs for independent professionals are prohibitive.
Kind regards,
Nick
CertifiedToRock worked
CertifiedToRock worked (reasonably) well while we had commercial motivation to maintain it. Since...August 2011 it hasn't been updated.
I think it actually proves my point quite well ;)
knaddison blog | Morris Animal Foundation
Honesty is the best policy
I have recently helped out with some case study and marketplace reviews but not the hosting although heard some about the process. Then last week I experienced my first customer who said they chose it from the drupal.org site. All I got was 500 errors half the time when I tried to actually start using Drupal.
I understand both the financial and community side of the arguments so why can we not simply have both on the site? I.e. here are some paid ads. Here are some we are testing and they pass this and this and this. So depending on what your use is you can match up your needs and we can separate the two algorithms and just get on with life, etc. ;)
Some other input
I opened up a thread over on WebHostingTalk, where I'm active. There's a lot of experience, and a whole range of views, there on all matters related to web hosting. A lot of people go there while looking for a host for a site, so I was curious to see what that community would make of this exercise.
A number of very interesting observations have come out so far:
Those are the thoughts (to date) on WHT from people who have no particular commitment to Drupal, but who think about hosting issues regularly and can therefore step back and reflect on what may or may not be helpful for a /hosting page. Hope some of that is helpful.
This is incredibly helpful
This is incredibly helpful and insightful! I've begun the audit and will continue through the week. I'll come back with recommendations and take this kind of input into consideration.
We are also doing A/B testing to see what kind of page layout is most helpful, so I can add that into the mix as well.
Thanks for taking the time to be part of the solution. I really appreciate it!
Executive Director, Drupal Association
Thanks for doing that James,
Thanks for doing that James, sometimes getting outside, (relatively) objective input is very helpful.
Automated+Professional Tests
Hi everyone,
How about applying automated+professional tests for performance and security of web hosts?
Perhaps using tools from OSSEC (http://en.wikipedia.org/wiki/OSSEC) with a combination of other approaches.
For smaller hosts, the tests would be fully automated, so costs would remain low.
For enterprise hosts, the tests would include having an independent professional doing systematic tests that are fully documented. The costs for these tests obviously would be much higher.
Hosts would be ranked based on their scores for these tests and categorized according to their level (entry, mid, enterprise).
Hosts may request these tests at any time, paying the appropriate fees each time. This would allow them to improve their scores, and consequently, their rankings.
Extra points may be given to contributions to the Drupal project (code, community involvement (Drupalcamps), etc).
This solution would solve any ambiguities that the current approach has, as long as everything is very well documented.
Kind regards,
Nick
Nick - Isn't that intrusion
Nick -
Isn't that intrusion detection software? And, wouldn't it have to be installed by the host?
But, I like the idea of automating.
Along those lines if there were some type of software that users could install on their hosts -- maybe even as a Drupal Module - that looked for certain conditions (777 file permissions? shared virtual hosts? an ability to write outside of root?) all of which would be useful towards some kind of basic hosting grade.
Maybe those tests could even use a phone home setup - like the install count - to report findings. That would be a fair approach that wouldn't require any interference from the host and the reputation of security team members wouldn't be on the line.
But, like all awesome ideas, until it runs on a server, it's just an idea. So, someone would have to create it. That's always the gotcha. If someone wants the process to change, then, that'd be a great way to do it -- create an open source security test -- make it available as a module -- figure out how to collect and present the data.
In fact, one of the links I shared above would be a good headstart since the security team already has resources that list tests and there are a good deal of tests already written.
~~ Amy Stephen ~~
http://OpenSourceCommunity.org
+1
Brilliant
Because the other thing that could be monitored by that kind of user-installed module is page-load times. That could then be aggregated, and would solve the problem of a host demonstrating a zippy Drupal installation, but a real site with real traffic on a busy shared server runs like treacle.
Hi Amy, That's correct.
Hi Amy,
That's correct. Probably OSSEC would be one of the tools used by a professional for a semi-automated test.
But I really liked the way you expanded the idea. There are a whole set of tests that could be run against a server (hosted or not, fully automated or not).
Indeed this would require an initial investment by the DA, but I suspect it would soon be recovered by webhost applicants.
Perhaps the best way to start off would be with the bigger hosts, where an independent professional would be hired to create a series of systematic tests. Soon after, the same professional could start creating/adapting a series of tests for smaller hosts. Perhaps the first few months the DA would only be able to cover its investments, but later this would pay off for the DA, the webhosts, and users alike.
Kind regards,
Nick
Just curious, but why can a
Just curious, but why can't a group of community volunteers who are interested in reform in this area do the work? The DA would need to adopt it for testing for this purpose, of course, but the leg work to make it happen and prove it's a valid approach should be do-able by the community, right?
~~ Amy Stephen ~~
http://OpenSourceCommunity.org
Thanks for the creative
Thanks for the creative thinking about the test automation and other helpful comments.
I think it is great to have community involved in this section and all the ideas coming forward are really helpful. Before we do anything, why don't we want on two things:
1) I'll complete the audit this week and come back with recommendations
2) We need governance to be completed. Read here on what this is:http://buytaert.net/creating-a-structure-for-drupal-governance
In short, Dries is coming up with a framework on how Drupal.org changes, improvements are made and who is point on making them and the process to follow. You will see the Drupal Association is getting a role along with Working Groups made up of community members.
I'm excited for governance to be in place so it will be easier to answer questions like yours. I think we are close to getting that clarity and when we do we can apply it to the hosting page...and other sections, too!
Executive Director, Drupal Association
Metrics
@JamesOakley thanks for providing a great summary - used to be on WHT and I'd forgotten how useful having something like our hosting pages to use was until I remembered many days of WHT forum trawling!
There seems to be three key metrics in this equation so far:
It is a given that cash should not be the only metric, however I do see it as a contribution. If we split the metrics, we would create a path to accepting cash contributions quicker whilst also accommodating other factors.
There is never going to be one answer for this which is why splitting it up helps - I'm quite happy to take the cash off someone who we may review as really poor - the DA can put that cash to good use, and if they don't improve their hosting and keep paying the cash and are happy to be there with poor reviews by us then I'm still happy because we've done all we can to advise potential clients of theirs the ability to do what they want on it. If we lump it all into "these are good" we then I think have more risks as businesses merge, change hands, employees, etc.
I see some kind of matrix screen where we can click on various metrics in order to whittle it down to a few potential hosts. I'd use that as my needs range - for sure I have those few favourite hosts but my clients range from a picture framer with a studio down the road to corporations with their own infrastructures so need this kind of stuff, and I'd rather be in control of a few metrics than rely on a small set of "rules".
I'm quite happy to take the
The end justifies the means?
No one should recommend something that they know is bad because they are getting cash. Period. This is where we draw the line of doing what's wrong or right.
If certain webhosts do not achieve a minimum level of quality, they should not be listed, no matter how much money they pay.
Not what I said
Thats wasn't what I said, in fact it's what I'm saying is the problem, you're lumping "recommend" with "cash" (and "contributions" and "capabilities"), I am recommending separation of them.
Steve, these are really good
Steve, these are really good points. Thanks for coming up with a matrix concept. I'm working on the audit this week and will take this into considerations when I come back to the group with my findings and recommendations.
Executive Director, Drupal Association
I'd echo that
I like the idea of a matrix.
I like the idea of taking cash of a host whilst making clear that the standards may be really poor. It's making sure that potential clients are unambiguously clear about the different facets of why this host is / is not included on d.o/h so that they aren't misled.
Let me try to understand what
Let me try to understand what both you and Steve are proposing:
Even though a host scores really poor below a minimum standard, even so you are willing to list them at the Drupal "recommended hosts" page (as you called it), but with unfavorable reviews, as long as they pay cash?
Why? Just because of the money?
Why confuse users and risk the reputation of Drupal?
My firm opinion is that they shouldn't even be listed, no matter how much money they pour in.
Naming
I didn't say we should recommend hosts based on money, no. What I said is we should accept people who want to pay money to advertise, we should also test and provide recommendations for hosts, and we should provide guidelines as to what kind of hosting you should be looking for based on what kind of things you'll be wanting to do with your site.
You are focusing on one scenario:
- that the host is not good at hosting Drupal
- that the host is happy to pay for a listing which isn't recommended, doesn't show up in searches based on features I'm searching for
- that the user, despite being told both these facts, still believes that they should consider that host
If I were a host paying for advertising and I consistently had bad reviews, I would not pay to advertise and I'd go elsewhere.
Transparency
Yes - in other words, it will become bad value for money for poor quality hosts to pay large sums to advertise on drupal.org. So they won't. ... And, provided the user is alert to the way the page is laid out, they won't sign up for a poor host either. (Although this bad scenario that Steve outlines may still happen occasionally).
The key to both those safeguards is transparency.
The poor hosts advertising elsewhere - that's about efficiency in the marketplace for places to advertise, but a market is only efficient insofar as it is transparent.
The users buying elsewhere - relies on them being able to sift the information on the /hosting page in an informed way. That relies on the page being laid out so that the quality metrics are clearly visible, not hidden to try and trick users into signing up for certain "preferred" hosts.
Some kind of searchable / filterable matrix page would do this nicely.
One more thing - reputation
There was one more thing in that WHT thread that I forgot to add in my summary earlier.
Drupal's reputation is tied up with getting this right.
If a Drupal newbie comes by to try out Drupal, they will assume that the recommended hosts will be the ones that offer the best experience of Drupal. If they then try using Drupal on one of the recommendations, and find it slow and unwieldy, they will assume that the host is one of those on which things should work well, and therefore that the fault is with Drupal itself.