Drupal Association should play fair game for hosting companies, wishing to get listed on http://drupal.org/hosting

removed0's picture

Dear All,

Current practice is that Drupal Association requires from new applicant hosting companies, which wish to get listed on http://drupal.org/hosting, to pass security test of Security Review module. And it is difficult to pass the test without applying additional layer of complexity to certain setups. This practice represents unfair barrier for hosting companies, which want to provide Drupal-specific hosting services and which can not practically pass the test, therefore should be reviewed or cancelled.

For example, it is proved that it is not possible to pass the test for the hosting companies running RLE/CentOS with PHP in fast-cgi mode, where all the virtual servers' files belong to users and groups with the same name as their respective owners. For this kind of setup even recommendations like one suggested by greggless do not help. Because, unfortunately, Security Review's test doesn't accept a directory as secure as soon as its permission change to 740 regardless of the user and group ownership of the directory, and 740 is he minimum directory permission to pass the test.

Many Drupal users utilizing different types of environments hit similar issues: http://drupal.org/node/1411124, http://groups.drupal.org/node/138134, http://drupal.org/node/628776. I am personally coming from http://drupal.org/node/1414062, frustrated by the total silence of Drupal Association with regard to the issue. The short reply from Drupal Association's tester was that he can not recommend any solution, at the same time declining our application until we pass the test. We are a new Drupal Association member of organization type and, saying frankly, are disappointed to unexpected this kind of attitude from the Association. I firmly believe Drupal Association has to have some directives and instructions for new comers on how to deal with this kind of Gordian Knots, created by the Association itself.

Another user dealing with this issue JamesOakley proposes:

(i) The fact that the Drupal Association requires every test to be passed on Security Review before they'll list a host. That's their choice, but they could have chosen to disregard the test on file-writeability. As this module develops and new tests are added, it seems to me that the association should decide carefully which ones they will require. Which brings me to:

(ii) The fact that the same standard does not appear to apply to existing listed hosts and prospective ones. So, in a similar vein, if a new test in SR is going to be required of all hosts, existing listed hosts should be given a period of time to ensure they conform, otherwise they lose their listing on drupal.org/hosting.

This or another way, Drupal Association has to come with clear solution to save new applicants from impression that this barrier is done on purpose - not to list new hosting companies and to protect the interests of those companies of limited number, that are already listed on http://drupal.org/hosting and that do not comply with security requirement of Drupal Association.

The fact that anyone can open testing account with random listed hosting company, install Security Review module and running its test see failure results, arises another doubt on the fairness of Drupal Association's practice with regard to this matter.



JamesOakley's picture

Thanks Alan.

I think you're right. I don't mind the standard being too high for me to meet (although, obviously...). I also don't mind the standard being, in my view, wrong and slightly arbitrary, because that's just my view. But the standard must apply consistently, so that site administrators looking for hosting advice can be sure that all the hosts listed meet the same standard.

Consider another area of hosting. Suppose the agreed standard is that all hosts must offer a minimum of 128MB of RAM for PHP before they can be listed. You could argue that it's arbitrary. You could argue it's wrong. But it would be a standard. What you wouldn't want, as a user, is to discover that only hosts listed after a certain date are guaranteed to meet that standard, but hosts that have been listed for longer could get away with just 16MB. At that point, the Drupal list becomes no more useful than the myriad of "top ten web hosts" fake-review sites.

I'm very pleased that the Drupal Association wants to apply some objective benchmarking before they are willing to recommend a host. That will weed out hosts who would only cause grief to those who sign up. But it only has this effect as long as:
1. The right benchmarks are selected - so let's discuss them.
2. They are applied with absolute objectivity and consistency.

Anyway - you and I have had our 2c (2p ;)) already - let's see what others have to say.

Hosting page on drupal.org

jredding's picture

James and Alan,

Thank you for posting your frustrations on the hosting page's review process on g.d.o. I am the one that setup the latest review process and I often act as the gatekeeper to that page. The hosting page is designed to point new users to Drupal to hosts that will provide them with excellent service, great hosting, and an overall positive experience. To achieve that goal we put in place a security review process to ensure that all hosts listed on that page are secure to the extent necessary to uphold the reputation of Drupal.

With the said security is only one criteria of our review process. Other parts of our review process include the host's knowledge of Drupal, the Drupal project, its community, and how that hosts support the Drupal project. We value companies that not only host Drupal but support our project through contributions to our documentation, code, modules, or financially.

I understand that your post is looking for a very standard set of criteria and having been involved in your review process I hear your frustrations. We have made changes to our review process internally and adjustments have been made but ultimately to be listed on that hosting page we must be assured that the users we send to those hosts will have a great experience.


-Jacob Redding

Hi Jacob,Thanks for your

removed0's picture

Hi Jacob,

Thanks for your comment. I do perfectly understand the objectives of setting up such a review process and stand by the scrutiny in order to provide Drupal users great hosting services. However, many companies like ours which adore, worship, sleep and breathe with Drupal would be able to meet all the requirements and prove they are even better in supporting good reputation of Drupal in the eyes of customers than some of the listed companies, if they only had a fair chance to be reviewed. The review process, in our case, is stuck because of the above mentioned matter with inability for certain setups to practically pass the security test.

So, I guess, there is no need for now to try to explain that in comparison with many companies already listed on http://drupal.org/hosting, which provide Drupal-hosting as just one of numerous other CMS, we at http://drupion.com are totally Drupal-oriented: we properly configure our servers to host ONLY and ONLY Drupal web-sites; we provide fully managed Drupal hosting, that meaning that we carefully assist our customers with every single hosting and Drupal-related issues; we are so much devoted to Drupal, that we utilize it everywhere: shopping cart, billing, ticket supporting system, even if it is not so much convenient - the obvious reason why such prominent Drupal companies as Acquia use third party software to take care of, for instance, their customers' needs for ticket support system.

If you really questioned the knowledge of Drupal, Drupal project and its community by some companies that are already listed on http://drupal.org/hosting, then you would be surprised at how much rough ideas they have in comparison with some companies like ours, which consist of devoted Drupal experts, who spend significant parts of their lives, lasting years and years on Drupal project and know well every single peculiarity and every single corner around here.

So my frustration is quite justified and what is even more disturbing is that the particular problem described above is overlooked and ignored again.

To reinstate:

1) It is not practically possible for RHL/CentOS based hosting companies to pass the security test. What is Drupal Association's solution offered to this Gordian Knot?

2) Why the companies already listed on http://drupal.org/hosting fail the same security test? With how much of fairness and objectiveness the criteria of the scrutiny are observed by responsible persons? How much it is really pursuing the declared objectives and how much it is really harming to further development of the community by creating unnecessary barriers for new players to enter the limited number of Drupal hosting providers?

I understand your frustration

jredding's picture


Let me say that I understand your frustration. It was your back and forth that caused us to make internal changes to how we work on the hosting page. However, the hosting page is not a listings page and it is not designed to be one. Drupal.org is designed to support the Drupal project and not hosting companies. The hosts currently listed either contribute code, documentation, or financially support the Drupal project through the Association. We review them and vet them to ensure that users have a great experience.

Unfortunately you got caught up in a bad process that we are working on changing. The security test is not the metric for inclusion on that page. It is a combination of the overall user experience.

To directly answer your questions
1) I've been involved in the conversations about this. Our security team has offered you solutions that you don't want to implement. That's your choice but it doesn't mean that they will pass you because you decided to not implement the solution. We recently listed Arvixe whose setup does pass the same test. I hear your arguments but our security team disagrees with them. At this point I have to side with the security team, they are here to keep Drupal secure.

2) These hosts are been listed for years and have a proven reputation for providing a great service. That's it.

As mentioned I understand your concern and hopefully we can get to a point where you will be listed on that page. I want to highlight great companies that are helping us push the Drupal project forward. You are obviously dedicated to Drupal so let's shift the conversation away from the security test and over to how you see your company helping to make the Drupal project absolutely amazing. We're here to support the community and the project.

-Jacob Redding

Thanks for your comment,

removed0's picture

Thanks for your comment, Jacob. Please read http://drupal.org/node/1414062#comment-5506906 to see that we did not refuse and actually tried the solution offered by Greg (I am not sure if Greg is in the security team, the solution was offered during discussion of the issue opened for the module and nobody else from Drupal Association or Security team contacted us and offered any solution), however it did not work out. Please, try it on similar CentOS setup and you we'll see it does not work.

For the rest of your comment, let me later reply to your e-mail. I don't feel comfortable to brag in public about what great deeds our team could have contribute to promote Drupal project.


jredding's picture


I understand your frustration and having followed and been on both the internal and external communication strings at this point we're going to have to agree to disagree. Unfortunately we need to be assured that we will not send users to an insecure platform. Without a clean security test we don't gain that assurance.

As I've mentioned before our goal is to send users to great hosts so they have a positive experience with Drupal. Let's focus on the Drupal project and the community. Help us understand how your host is going to make Drupal be awesome and how you're supporting the Drupal community.

-Jacob Redding

Jacob,I do appreciate your

removed0's picture


I do appreciate your responsiveness and your working with us to get beyond the situation where our company has been stuck trying to pass security test. We definitely would not deem our setup as insecure and frankly saying don't see any security problems at our side at all. The problem is, to reinstate, in the fact that Drupal Association is requiring us to pass the test, that is not possible to practically pass without providing any solid consultation, documentation, any solution at the very same time closing its eyes to another fact - that already listed hosting companies fail the same test.

We are not asking here to include our company to the list. Please read above - we are raising quite legitimate questions, that are of interest to wider community. They are as direct, simplistic and, as I see how hard you are trying to get away from them and probably will succeed in that, very much naive. Please understand, that narrowing the subject of proposed discussion to our particular case, we are missing the main objective - to eliminate wrong practice of Drupal Association if there is such or to get the practice enhanced if there is lack of conduct of available solutions to companies, which would like to get listed and have enough justifications to want to do that.

And to say frankly I don't find your returning of a kind "Let's see what your host has done or can done to make Drupal awesome" very much professional because:

(1) As this discussion is not a place for a single company to start listing its heroic deeds in the name of Drupal project and even if essentially we would love to get listed, that is not our request here - we are trying to bring into attention imperfect practices of Drupal Association, that is our subject here and, if you want to count it, that is our another contribution to Drupal mission in general.

(2) Evaluating of contribution of that or another individual or company to Drupal could be very much subjective process. For example, to my subjective opinion none of the companies listed on http://drupal.org/hosting made contributions to Drupal with codes, documentation or any other very much visible activities on Drupal project. I personally haven't notice any positive and tangible contributions by these companies to the community, except that for some of them there are lot's of complaints on the forums from users who experienced their services. I also did not notice that anywhere on http://drupal.org or http://groups.drupal.org they had to prove how much they are useful to Drupal community. Please give me a link if I missed something.

(3) Well, failing to find evidences of viable activities and contributions of the listed companies to Drupal community, one could suggest that they are listed because they make financial contributions. In this case please make it plain and clear that only those who pay money can pass the review process even if they fail the security test. If it is true, then please correct the text of the requirements for Silver and Bronze candidates on
https://association.drupal.org/advertising/hosting, which respectively state:

Silver hosts

Silver Hosts maintain consistent positive ratings and work to resolve any disputes with their customers. They receive a web link that uses an affiliate commission program. To participate, companies must:

Support the Drupal community through an affiliate link program
Meet the minimum server requirements for the latest version of Drupal
Maintain the latest version of Drupal and remain up to date on all security updates.

Bronze hosts

These hosts meet Drupal's minimum server requirements. They are listed for free and therefore do not need to provide an affiliate link. To participate, companies must:
Meet the minimum server requirements for the latest version of Drupal
Maintain the latest version of Drupal and remain up to date on all security updates.

We decided to apply only because we believed we qualify in every single aspect of the requirements. Otherwise, if we knew that texting is very much misleading, that in practice we would hit such an impenetrable barrier, then probably we would prefer not to spend so much of our efforts and time, wouldn't became a Drupal Association member of organization type and would live small life of a small, nevertheless so much devoted to Drupal, Drupal specific hosting company.

Seriously we wouldn't poke our nose into your kitchen, guys, if the policy clearly explained that this cross, this burden is not for the shoulder of newly established company. But now we are here, asking our open and naive questions. Please, finally turn your attention to what we are asking about! Please run tests on the platforms of already listed companies and try to explain to us why they are there despite their failure to the same test. And please, at least keep the list functional - one of the Silver hosts are totally gone, its website is not accessible. I don't want to harm anyone's business, so not naming the company, but you will easily find - second to the left in the Silver list.

And please come up with more convincing assurances than just stating you are acting in the best interests of Drupal community and hinting our own inconsistency to meet your requirements. Criteria of your requirements are quite vague and has to be reviewed too. How on earth a company should prove its usefulness to Drupal? If the company is about Drupal and about providing Drupal related services and has already made efforts to establish a business purely devoted to Drupal, then it is definitely and obviously useful to the community. I my humble opinion, of course. In somebody else's opinion Drupal users might better benefit from a general hosting company which does not tune its services to Drupal, does not provide Drupal specific hosting, constantly screws up its customers, but, what is important, pays good money to the Association.

You're right

jredding's picture


Thank you for pointing out the hosting company that isn't coming up. It has been removed.

As mentioned you are correct. The process is confusing and the text is misleading. We are changing the process and the text will be modified correspondingly. We began this process last week partially based on the feedback received in your back-n-forth with the security team. You're not the only company confused. We created a bad process and we're changing it. We left this page go unchecked for too long and next week we will be making changes to the page.

You jumped through a number of hoops to get listed on that page and were unfortunately blocked in a security test. I trust our security team and they passed other organizations and failed yours. It's unfortunate but it's as black and white as that. I also do understand that a few companies listed on that page (specifically A2 and bluehost) also fail certain aspects of the security test (as you did). However, these companies have been listed for years and we have reasonable assurance that they are providing a great service to new users to Drupal. In short, they were grandfathered in. We need to gain the same assurance with you. To be frank your tenacity in this thread is testament to your dedication to the Drupal project and I love working with companies like yours.

The Drupal Association fields numerous requests to be listed on that page and everyone must go through the security review before we consider them for the page. I am moving on from the security test. Each host must go through the review and our security team must give us a sign off. They didn't give you one. I'm sorry but it's that straight-forward.

You asked:
How on earth a company should prove its usefulness to Drupal?

It's quite easy. Contribute.

Show us the documentation you've written, modules you've contributed, point out the developers contributing to core, or the events that you are putting together. We love that you've built a business on Drupal, that is amazing! But you've been able to do that because many people have dedicated their time to contributing to the project. Contributions are what makes us tick.

So.. that's it. We want to highlight great companies that are contributing to the Drupal project and helping to move it forward. The companies listed at the top of that page have done one of two things:
(1) Contributed to the project
(2) given financially so we can pay for servers, infrastructure, software updates, etc. Those that only pay and don't contribute must still past a security review and have strong reviews to ensure they are going to give their Drupal customers a great experience.

Let's find out how to get you listed on that page. We want to work with great companies like yours.

-Jacob Redding

Jacob,I deliberately have

removed0's picture


I deliberately have been avoiding companies on the top of the list in our discussions, since I reviewed the pricing for the Gold hosts and can only applaud their participation since perfectly understand Drupal Association needs financial support.

We also will be contributing to the Association by placing our paid ads when we have little more history and revenue. It is quite difficult to contribute otherwise for a new company, even though the members of our team have been contributing to the community since long. But that's completely another story, since, again, we don't wan't to talk about our company only, we are trying to address the subject matter here that are interest to wider community. And we will be already happy if thanks to our insisting efforts some practices of DA are changed or the language of some relevant documentation is enhanced.

However, you should pay attention that not only Gold hosts fail the test (which turns out have justified by your party "moral right" to fail), but also Silver and Bronze hosts. We had created testing accounts with several of them and to our surprise all of the failed the test. Name us any single host that can pass the test and then we will go and create testing account with them. We did not test all of them since it requires payment and since it was satisfactory to witness failures on already tested hosts.

I can only be thankful for your offer to find a way to get our company listed and that you want to work such companies like ours, however question about соме shortcomings in the practices of the Association remain until they are solved. I second what James offered above:

(i) The fact that the Drupal Association requires every test to be passed on Security Review before they'll list a host. That's their choice, but they could have chosen to disregard the test on file-writeability. As this module develops and new tests are added, it seems to me that the association should decide carefully which ones they will require. Which brings me to:

(ii) The fact that the same standard does not appear to apply to existing listed hosts and prospective ones. So, in a similar vein, if a new test in SR is going to be required of all hosts, existing listed hosts should be given a period of time to ensure they conform, otherwise they lose their listing on drupal.org/hosting.

Town Hall

jredding's picture

Tomorrow I am hosting a town hall meeting. You should attend, it'd be great to have you there.

-Jacob Redding

I am in Cupertino,

removed0's picture

I am in Cupertino, California, so will not be able to attend the meeting. Thanks for invitation, though.

Edit: I see we could connect through IRC or phone. Well, if my opinion is required and will be listened, then I don't mind participating remotely.

You are not sure??

chx's picture

Is Greg on the security team? Well, he is, but Greg does not know squat about security. In fact, his authorship on the Drupal security book is a lie, I didn't tech edit it but ghostwritten it. Now, it's out there. Him being the security team leader is a kind of insider joke, like Stephen Colbert running for presidency. The community likes these sorts of practical jokes -- they even let me lead that team for a while.

Is Greg on the security team?

removed0's picture

Is Greg on the security team? Well, he is, but Greg does not know squat about security. In fact, his authorship on the Drupal security book is a lie, I didn't tech edit it but ghostwritten it. Now, it's out there. Him being the security team leader is a kind of insider joke, like Stephen Colbert running for presidency. The community likes these sorts of practical jokes -- they even let me lead that team for a while.

Are you talking about Greg, whose nick on Drupal.org is greggles? I am totally confused, because seeing he is one of the maintainers of Security Review module, our team tried hard to follow his instructions on http://drupal.org/node/1414062#comment-5505760, which eventually did not work at all.

At the moment several different questions circling in my head:

You said you are from the security team and asserting Greg is not as much competent as to give instructions on how to pass the test. But he is a maintainer of the module and happens to be part of security team as yourself admitted. To whom on earth we have to listen? What is the best way to pass the test for CentOS operated servers with PHP running in fast-cgi mode? Is there is enough conduct of communication between security team members? Do you have some kind of code of ethics not to efface each other in public? Why Drupal Association requires from new applicants passing the security test of the module, maintained by, if to believe to chx, incompetent security expert?

Getting form worse to worser.


chx's picture


Ironic statements typically imply a meaning in opposition to their literal meaning.

OMG, Dear, you have to be

removed0's picture

OMG, Dear, you have to be very careful when talking irony in the place where serious issues are discussed, especially for non-native-English speakers like myself. Because, irony just as well as humor has nationality: http://www.jstor.org/pss/656431 Common, guys, is having fun really appropriate now?! Is this how Drupal Association treats legitimate criticism? Getting really terrible :(

Not the DA

chx's picture

I am not associated with the Drupal Association in any way or form. Just FYI. I didn't quite understand how did the DA got involved in a technical argument between you and the security team nor I understand why it's getting "really terrible" now.

However, you did bring this to the DA and Jacob said " Other parts of our review process include the host's knowledge of Drupal, the Drupal project, its community." now what does this incident say about your knowledge of the community and its leaders??

I guess this culmination of

removed0's picture

I guess this culmination of mockery, which chx, a member of security team of Drupal Association, calls irony was the last drop to my already filled up cup of patience. Why should I spend more of my time and efforts to bring some positive changes to Drupal Association's practices, when these guys even don't take you for serious?! This is just unacceptable behavior, which just makes me to take off.

Using this opportunity I ask to cancel our membership in the Association. You may disregard our application for including on hosting ad page. We will do fine without it and without this kind of humiliating communication with the Association. Image of nearly perfect Drupal community and its Association is rapidly changing in my eyes. You guys, failed even in appointing right people to deal with the issues, letting your reps ironize with people coming to you to address serious matters.

Phone call

jredding's picture


You've been in this process for quite some time and its unfortunate that you've risen to this level of frustration. I have reached out to you personally via email to request a phone call. I think it would be good if we had a quick chat about the Drupal community, Drupal Association, and how it all comes together.

-Jacob Redding

Hey Jacob, I've just replied

removed0's picture

Hey Jacob,

I've just replied to your e-mail. I don't mind talking on the phone. However, just to sum up the discussion here, I'd like to state that it became clear to me that chx does not represent DA only after his last post. Nevertheless, since the hosting page is administered by DA and in order to go through the whole process we had to pass through security team's test and despite they are two separate entities, we look at DA and the security team as one single party in the subject matter.

The security team in this case is serving DA, it is taking care of the task set by DA. And I find it as unnecessary bureaucracy to spend your and my time to explain to me the difference avoiding again directly addressing my questions. You may be assured that being a Drupal user for a long period of time I do differ DA, security team and Drupal community. And it is quite natural, that sometimes, especially when the act together, they are seen as on single part of the processes.

And then not being associated to DA does not excuse unacceptable behavior of security team member.


chx's picture

I would like to offer my apology. I have crossed a line I shouldn't have.

Or Sarcasm...

budda's picture

I was thinking more along the lines of http://en.wikipedia.org/wiki/Sarcasm ;-)

Have you found companies in

linclark's picture

Have you found companies in the list that fail the security test? Or is this just a hypothetical?

Yes, we did run tests on

removed0's picture

Yes, we did run tests on three different companies and all of them failed. And then we decided not to continue the tests. I just didn't want to name them here since professional ethics require to respect competitors and to avoid actions which can harm them. However, I believe there is no necessity to pinpoint anyone - you can open up hosting account on any of them, run the test and see it by yourself.

Tell the sec team

chx's picture

This is very easy, write an email to security@drupal.org and we will handle this.

Handle what? I don't think

removed0's picture

Handle what? I don't think Drupal Association has to wait for others to report in order to start requiring from the companies in the list to respect its rules.

To be honest, comments like

linclark's picture

To be honest, comments like these make it seem like you aren't as much a part of the Drupal community as you claim to be... this is a group effort, a do-ocracy. If you see something that should be corrected on the site, then you make some effort to correct it. You don't wait for some authority figure to come in and take care of everything. Also, chx was suggesting you report the problems to the Security Team, which isn't part of the Drupal Association.

The Drupal Association might be doing something unfair here... or they might not. But it's up to us (yes, us, since I'm not part of the Drupal Association either, contrary to what you seem to think) to put in at least some of the effort to clean up information on Drupal.org. If you try to get it cleaned up and run into problems because there is actually an unfair practice in place, THEN it's time to raise heck. But you can't just sit on your hands and yell at people to do stuff for you.

Lin, thank you very much for

removed0's picture

Lin, thank you very much for your input. Sorry for being so much straightforward lastly. If we didn't feel as part of Drupal community we wouldn't put so much efforts as to creating http://drupion.com. Yes, we are pursuing our business interests, but at the same time we are serving needs of Drupal community. Our customers are happy with the quality of our services and the level of our knowledge and caring for Drupal. Please, try to be fair and try to understand that we have very good ground for being strict and straightforward since we have faced very much non-fair attitude during the evaluation process, we have run tests on other hosting companies and found out they also don't comply. We simply do not accept this kind of non-fair policies simply because we believe that for the sake of Drupal project the Drupal Association can do better.

And there is a sensible difference between what I actually meant and what you are talking about. Of course, we gladly would report if we found something to "be corrected on the site", but, believe me, it would be completely wrong stance if Drupal Association would be sitting and waiting until someone reports on bad hosting companies, which do not comply with the requirements, in order to start setting them to rights. It is not business of competitors to monitor each other's services just to get a chance to report each other to authorities. I have mentioned several times on this page that we are here to discuss non-fair practices of Drupal Association and not to deal with specific cases. Setting non-compliant companies to rights is Drupal Association's business, not ours.

And I have to note, Dear Lin, that suspecting somebody who is trying to raise legitimate criticism of non-fair practices of Drupal Association in his not-enough-being-part-of-Drupal-community is completely unprofessional. This kind of attitude from other Drupal Association members by no means can cancel our love to Drupal. We will continue to breathe Drupal. Separately and staying away from those who can not tolerate legitimate criticism.

Transparency and Grandfathering

JamesOakley's picture

Well, now it's morning here, let me come back in on the discussion that's run quite a bit since I first posted!

I want to make two points. First a plea for transparency. Second, a plea to end what Jacob called "grandfathering".

First, transparency.

I'm active over at Web Hosting Talk, one of the most active online communities in the web hosting world. (Alan, I don't know if you're over there yet. If you are, say "hi". If you're not, join in!). There's a general weariness there with the fact that so much web hosting marketing is driven by the size of the affiliate payouts. I mentioned above the "top ten reviews" type sites. Google for a few and take a look. They list almost the same set of companies, those that pay out most generously. There are two very frequent types of threads on WHT:

(i) I signed up with host X (one of the top ten). What's gone wrong? My site's really slow. And they said I could have unlimited space, but they've threatened to suspend my account. ... Answer: Helpful advice on finding a "proper" host.
(ii) I'm looking for a host, and I've narrowed it down to a shortlist: X, Y or Z. ... Answer: Let me guess how you arrived at that shortlist. Please - save yourself some grief, and don't go with any of those. They only got on those sites by paying so much. Search around here, you'll find many people who have run into trouble. Forget the "unlimited" hype - how much space do you really need; what kind of site are you trying to run; how many visitors are you likely to get... Let's help you find a good host for you.

Where the rubber hits the road for Drupal is when you look at discussions about the recommended host lists for other CMS platforms. The hosts on these sites can look very familiar to those who have met the "top ten" lists. The alarm bells ring when the links are affiliate ones. And frequently, on WHT, the attitude to them is that they, too, are only really about money and are not a guide to reliable hosting.

Drupal is in the process of entering that field. The reputation of Drupal will be affected by the way this is set up. When "Drupal recommended hosts" or similar is mentioned on forums like WHT, there are two responses we could get in a year from now:

(i) "Forget that list. It just lists the companies who pay the most. Now,... what modules are you going to be running, and how busy will the site be? Let's give you some real "help.
(ii) "You know, Drupal is the only CMS that has taken the trouble to compile their list properly. There are other good hosts too, but if you pick a host on their list you won't go wrong."

Which reputation Drupal gets depends on how this is done. I'd make a plea for transparency of process on this one. Something like the following: For each host on the d.o/hosting page, have a separate node giving details of the host and why they're there. It could contain information like this:

  • Name of company:
  • Band: Bronze
  • Financial Support for the Drupal Association: {"No","Band 1", "Band 2", "Band 3"}
  • Modules maintained: 3 (Views, CCK, Mollom)
  • Themes maintained: 1 (Garland)
  • Modules / Themes co-maintained: 4
  • In business since: 2005
  • Passes all Drupal Security Team tests: Yes (last tested March 2011)

or some variation on that. The idea of financial bands is that some kind of disclosure of that is necessary. With so much marketing underhand in the web hosting world, any opacity generates suspicion. But we could band the annual levels of support to allow some disclosure without giving figures.

Exactly how it's done could vary. But transparency gives Drupal the chance to be at the leading edge in this area.

Second, grandfathering.

Essentially this: Hosting companies change, go downhill, improve themselves, close down, get bought out, expand by buying others out and so on. A brilliant host a year ago could be appalling today, and vice versa. Just because a company has "supported Drupal" for many years, should not (IMHO) mean they are entitled to remain on the list today. What it does mean is that they should be given a generous amount of time to rectify things to give them a good chance to stay on.

Since you mentioned BlueHost. They were taken over by Endurance International Group a year ago. EIG are a large company that now owns (I think) over 20 web hosting companies. Historically, as they've taken them over, they've changed the working practice at those firms to bring them into line with the "EIG Way". That means things change.

Now don't get me wrong. I've never used BlueHost, or any other EIG-owned host, so I can't comment on whether BlueHost are good or bad, and whether EIG will have improved things for better or worse. (That said, I'd always search at Web Hosting Talk before signing up for any host...) But they will be changed. So I don't see why they should have an immunity, and an automatic right to remain on the recommended hosting list. That should be a matter for ongoing review, the same as for anyone else.

Hi James, Thank you for the

removed0's picture

Hi James,

Thank you for the detailed write-up.

I am not registered on Web Hosting Talk or anywhere else other than Drupal.org. Thank you for invitation, but specializing in providing Drupal specific hosting services, we don't need to promote our business by participating on different hosting forums, our market niche is here, on Drupal.org. We also prefer not give any negative review on other hosting companies, so there is no much need for us to sit on other forums.

Returning to our conversation, I second your opinion that since Drupal Association is about to introduce some changes in its evaluation process for new hosting companies wishing to be listed, it is critical moment to choose right direction and to make right decisions. It is obvious that the current practice, based on such approaches as practicing strict policies on new applicants at the same time ignoring non-compliance with the same policies of already listed companies, "grandfathering" and avoiding to give clear answers to open and direct questions, is much worse that just imperfect. There should be precise documentation, fair policies, transparent process. Just assuring they are really good guys and doing things in the way they are doing with good intentions in their hearts at the same time ignoring obvious issues brought up by us, is not satisfactory.

I really hope Drupal Association will come to right conclusions with regard of the subject matter and will not further harm reputation of the whole Drupal project.

WHT and opportunity

JamesOakley's picture

Just, briefly, to clarify on Web Hosting Talk. I have no interest in how many or few forums you register on. But WHT is not really about promoting a web host, or putting others down. It's a community, much like drupal.org, of people who have an interest in web hosting. One of the strengths of WHT is the very active moderation. You are strictly not allowed to recommend, or advise against, any host you haven't used personally, and that gets checked. I learn loads by being part of discussions on there, and the almost entire freedom from spam-posting is what makes it a useful forum.

You got the gist of my post exactly right. This is an opportunity for Drupal to relate to the web hosting industry in a way that few other comparable groups have managed to. I think the will is there to take that opportunity, so let's all work together to make the way hosting is recommended the best it can be.

Thanks for explanation.

removed0's picture

Thanks for explanation. Sounds interesting and we'll try to register on WHM just to follow discussions there. Unfortunately, we don't have enough time and labor resources to take active part in conversations, we try to concentrate our efforts to provide quality service to Drupal community.

I second your appeal to work together. I believe nevertheless we are not decision-taker in the subject matter, we have already been working together with all others participants of this thread to influence the situation and to bring it to right track just by raising our voices. The rest is up to the decision-takers, and I really hope they will see some useful ideas in your and my posts, and not just find something to which should feel offended like Lin did above.

Just to clarify a few things...

webchick's picture

It seems like there are all sorts of misconceptions flying around here, so let's take this one step at a time:

1) Who is and who is not part of the Drupal Association. That would be the people at https://association.drupal.org/about/staff (Jacob) and the people at https://association.drupal.org/about/governance (myself). Everyone else here is a member of the much larger, broader Drupal community chiming in on this issue.

2) Who is and who is not part of the security team. That would be the people at https://security.drupal.org/team-members. This includes myself, greggles (head of the security team), chx (btw, chx, you need to refresh yourself with http://drupal.org/dcoc. You're way out of line here).

3) The relationship between the Drupal Association and the Drupal security team. The Drupal Association does not own, operate, or otherwise have any control whatsoever in the Drupal security team. The security team is a collection of volunteers from the Drupal community who take handle reports about security issues not only on Drupal core, but also on all contributed modules and themes. They also get e-mails from people whose Drupal sites get hacked. When one of these incidents happens, the blame almost always falls back on Drupal (and its security team) and not Crappy Hosting Dot Com. You can therefore understand why it's important to them that hosting companies that feature prominently on the Drupal.org website are configured securely, and why tools like the Security Review module were developed in the first place.

4) The relationship between the Drupal Association and the hosting page. The Drupal Association collects advertising revenue from the hosts listed on this page. While it's in the Drupal Association's best interest to put as many hosts here as possible and let the money flow on through to fund various initiatives (including keeping drupal.org online), we try and work with the Drupal security team to come up with a set of guidelines that they are comfortable with. This has resulted in the hoops you're jumping through here.

5a) The relationship between building a business off Drupal and contributing to it. Alan's claiming here that dedicating his business to Drupal sites counts as a contribution to Drupal, but you have to remember you're talking to people who put 80+ hour weeks into the Drupal project as volunteers. To them, you making money off of their work is not a contribution to the project; elbow grease is: patches, modules, documentation, etc.

5b) However, there are clearly some members of our community in this thread who need to be reminded that not everyone can make those kinds of contributions (either due to lack of time or due to lack of specific skills). Alan and James are members of our community who are trying to contribute in a way that they can (financially supporting the DA) and being told "no." This is why they're frustrated. We also need to remember that this community structure stuff is totally obtuse, really hard to find written down anywhere, and that there are long-time members of this community who've been contributing for years who still don't get how it works. Education is the key here, not derision.

Where the contention here really seems to boil down to is the following points (also articulated nicely by James):

a) The Security Review scan is a one-time-only thing. There is no follow-up to see if the host continues to be secure after that point. Alan found some hosts listed there that have lapsed. This provides the impression that we are playing favourites and that the process is unfair. Really, it's a simple matter of lack of enough security-skilled volunteers to do this work on an ongoing basis.

b) Further feeding into that perception is the fact that there are some hosting companies which never had to jump through these hoops, because of how long they've been there. I can certainly understand why that would be offensive, especially when you're trying to do everything right.

These seem like fairly simple things to either clarify in the text, and/or set up process changes around (e.g. require re-testing every year to retain your "certification"). Seems like this has already started to be undertaken by Jacob.

<rant type="my own webchickish opinions, not those of the DA or the security team">
Personally, I think this approval process is completely untenable and should be scrapped. It sucks way too much time and energy away from our incredibly busy security-smart volunteers, it makes hosting companies angry, and the DA ends up getting blamed for it every time even though it's not our process. Having these hoops also robs the DA (and thus the Drupal community) of a MAJOR source of funds which could be used for any number of things, such as creating a development team for Drupal.org, expanding the DA's programs internationally, or any number of things we'd like to do but can't because we don't want to charge $1200/head at DrupalCon.

I would much rather see the security review checkoff become a "Passes Security Review" badge on a hosting company's record, which would then cause them to be featured more prominently in the listing, and for all of our documentation that points to this page to recommend choosing hosts with that badge. This would give incentive to hosting companies to do what they could to pass the test but would not prevent those who cannot from supporting the DA and being listed as a hosting contender. Our users are savvy. Let them evaluate the choices.

Also, the badge image should be is fed in remotely from the security review module installed on host X, so that if the checks fail, the star gets removed automatically.


webchick's picture

I've additionally cross-posted this thread to the http://groups.drupal.org/best-practices-drupal-security group, since the root of these concerns are with the security requirements for hosting companies, which originated there.

there's a module for that...

stevepurkiss's picture

drush dl fivestar;drush en fivestar -y;drush cc all
etc. or similar?

Dear Angie,I'd like to

removed0's picture

Dear Angie,

I'd like to express my complete satisfaction with and thankfulness for every single thought you expressed above. I was intuitively expecting this kind of intervention by reputable Drupal community members which would fairly sort out the subject matter.

I also spoke with Jacob today on the phone and he has enlightened me with many background details, namely that our application unfortunately got caught in the middle of already ongoing changes, therefore causing so many misunderstandings and this discussion. Jacob has assured me that the current policy, subject of our criticism, is going to be changed in about a week time.

I'd like to thank everybody who participated in the discussion and using this opportunity apologize if at some moments I was excessively harsh on anyone or anything. Didn't mean anything but using my imperfect command of learned English to make some use to the community here.


Thanks for a very level

greggles's picture

Thanks for a very level headed post. You never cease to amaze me in your passion and inclusiveness. Thanks.

On the webchick rant area....The problem with a "passes security review" badge is that many hosting companies who have applied will claim that their default Drupal installation passes the review, then Michael Hess (the current person doing this work) will login and see that it does not. So giving that badge will still require the verification. Having done these reviews myself for a while it can make you pretty jaded to ask for one thing, be told it's done, and then learn you were lied to when you verify it yourself.

The /hosting has a long history and it is important to me that we only allow high quality hosts to be included. While the security review module (and our other means to measure host quality) are an incomplete test of being "high quality" the fact that they are flawed shouldn't mean we just drop the effort. If we recommend low quality hosts we greatly reduce the likelihood that first time Drupal installers will be successful AND increase the likelihood that people with Drupal installations will be vulnerable to some massive worm that ends up being a black-eye for the community.

Let's discuss the badge

webchick's picture

Let's discuss the badge feature over at http://drupal.org/node/1427956. I pictured something a little more involved than I laid out here.

Awesome Idea

Alex UA's picture

I would much rather see the security review checkoff become a "Passes Security Review" badge on a hosting company's record, which would then cause them to be featured more prominently in the listing, and for all of our documentation that points to this page to recommend choosing hosts with that badge. This would give incentive to hosting companies to do what they could to pass the test but would not prevent those who cannot from supporting the DA and being listed as a hosting contender. Our users are savvy. Let them evaluate the choices.

+100 to using badges as non-abbrasive and non-confrontational methods for ensuring quality in our listings without sacrificing (I think this may be the way to handle the marketplace vis-a-vis "contributing companies" as well). I feel like Mozilla's Open Badge initiative is something our Open Source community should be embracing and helping to foster, and this seems like a great place to start (we have a clear set of criteria, we have a body that can act as a signer, etc), if others agree.

Anything we can do to remove the many roadblocks that have been (imo inadvertently and with the best of intentions) placed in front of new contributing individuals companies is something I personally will support, so just let me know if there's anything I can do to help here.

Alex Urevick-Ackelsberg
ZivTech: Illuminating Technology

After following this thread,

Mediacurrent's picture

After following this thread, there is one other item that I think needs mentioning. It seems like the current process is mired with serious conflicts of interest. As I understand, Greg is on the security team and helping draft the tests that are required to qualify Drupal hosting providers. He also works at Acquia that provide the same or similar service offerings that companies like Alan do. It seems like the peer-review process needs to be completely independent from organizations that provide a competing service. This same issue has been raised for inclusion into the Services Directory.

For the record, this is not me making an accusation or any kind of conspiracy theory against Acquia, Greg, etc. To the contrary, I have a ton of respect for all of Greg and Acquia's community contributions. Its a matter of wanting to improve the current protocol and processes that are in place now.

I really like Angie's idea about badges and hope this gains traction.



Hi Dave,This is an important

greggles's picture

Hi Dave,

This is an important question and I appreciate you raising it.

I had been doing these reviews for a few years. I officially joined Acquia on September 1st 2012 2011 though it was well under way by August 12th. In late August I realized conflict of interest would become a problem so I started to think on what to do. On August 29th I sent an email to the Drupal Security Team asking for volunteers who could help with the work and who wouldn't have a conflict of interest. Two volunteers from the team offered to help and Michael Hess has basically taken over the role of security expert in the process since then.

Michael, Jacob and Megan periodically ask me what I think about the policies because I have had more knowledge of the process than anyone else, but I've been pretty consistent in saying what I think but stressing that the policy is up to them.

I also like the idea of badges and I believe Jacob is considering that along with a lot of other ideas.

Edit: edited to say 2011 instead of 2012. I don't have a time machine. Yet.

Hi Greg, From your last post

yngens's picture

Hi Greg,

From your last post on http://groups.drupal.org/node/288188 you seem to continue to represent the Drupal Security Team despite your assurances back in 2012 that because of conflict of interests you passed your position to Michael Hess. Could you please elaborate on this? Are you still working for Acquia at the same time making decision on which hosting companies are good to be listed on http://drupal.org/hosting?

Team vs. Process

Heine's picture

Greg is still security team leader. It was only his position in the hosting application process that was taken by Michael Hess.

Michael Hess has basically taken over the role of security expert in the process since then.

Emphasis added.

In addition, AFAIK (etc), Greg is not employed by Acquia.

AFAIK (etc), Greg is not

yngens's picture

AFAIK (etc), Greg is not employed by Acquia

contradicts to his own words:

I officially joined Acquia on September 1st 2012 2011

Moreover, Greg is just one case and we are talking in principle here: everybody associated with Acquia, including Dries himself, should free their positions and responsibilities in the Drupal Association. Otherwise there is no guarantee that companies on http://drupal.org/hosting are chosen for listing objectively. And no assurances like "they are all nice guys and they wouldn't do bad things" will make people believe the decisions with regard to that unfortunate page are taken on fair basis. I have no doubt Greg, Dries or any other DA staff are nice persons, but as professionals they should finally accept there is an ethical contradiction in this question.

There is a very simple solution: no company should get listed for free or all other Drupal-specific hosting companies should be let to get listed. It is unfortunate for Acquia, founded by Drupal lead, to be in the same competitive hosting market as we, all other Drupal companies are. And until Acquia completely pulls out its authority and associations related to that page there always will be some room for doubts in fairness here.

Hi, a couple of

greggles's picture

Hi, a couple of points.

  • Posting about security team policy into the Security group doesn't indicate my role within the security team. Anyone from inside or outside of the team can post discussions into the Security group.
  • I am still (until November 2013) the Lead of the Drupal Security Team
  • The conflict-of-interest was only vis-a-vis the hosting security reviews. I did absolutely stop those as I mentioned in the previous comment. I realize on re-reading the comment it wasn't clear what the conflict of interest was: it's that Acquia is a hosting company listed in the /hosting section and I worked for them so there is at least an appearance of potential bias in my reviewing other people for inclusion on that page.
  • I don't see how working for Acquia and being involved in the Security Team could be a conflict of interest but am open to you enlightening me.
  • The security team is not officially responsible for reviewing hosts prior to inclusion on /hosting
  • While I worked for them, Acquia supported the community in sponsoring 20% of my time to the security team, a rather generous contribution to the community.
  • As of September 2012 I no longer work for Acquia. I guess that means could do security reviews of hosts again, but dealing with hosting companies who prioritize security differently than I do has soured me on the experience. If I were to do them, I would probably maintain my previous stance: that a host's default installation has to be up to date and pass the Security Review module tests. I would be happy to review the specifics of your case, but throwing around pretty wild accusations here and on twitter doesn't set us off on a good foot.

Edited to clarify that it's the hosting companies that frustrated me.

Dear Greg, I do appreciate

yngens's picture

Dear Greg,

I do appreciate your detailed comment and disclosures since we, ordinary users, do not know/track when Drupal gurus like yourself are picked up and invited to Acquia or vice-versa when they are let go, and have to make assumptions until confirmed.

I don't see how working for Acquia and being involved in the Security Team could be a conflict of interest but am open to you enlightening me.

If Security Team reviews the applications from hosting companies other than Acquia, then it is definitely a conflict of interests. Let's not play naivety here and turn attention to your own words:

at least an appearance of potential bias in my reviewing other people for inclusion on that page.

I don't want to go into discussion about how Acquia sucks up all the Drupal talents and how this fact represents the big contradiction by itself, but Dries himself wouldn't post http://buytaert.net/does-acquia-suck-up-all-the-drupal-talent if there was no ground for such beliefs. Dries and his colleagues might consider it FUD, but it doesn't change the general opinion about how Acquia is turning all the power of Drupal-project collected by years of public contribution into its comparative advantage. And frankly saying it is a shame for such a big company to still try to abuse its already dominating market power against smaller Drupal-specific hosting companies, which even can not be considered serious competitors for it, through its current, former or future employees spread everywhere, but mainly concentrated in other large Drupal shops and, of course, in the Drupal Association.

It is already March, 2013 and

yngens's picture

It is already March, 2013 and our company, http://drupion.com, despite all our efforts still can't get listed. This time they don't require us to pass that security test, but have invented another very simple excuse: we have not contributed to the community enough.

All our requests to show us evidences of how exactly other companies listed in "Other great hosts" section have contributed to the community are totally ignored. So we can't help but start believing DA is playing double standards and protecting the commercial interests of Acquia and some other companies which might be associated to DA members. Please read further on: http://drupal.org/node/1955290

Cross-posting from drupal.org

yngens's picture

Cross-posting from drupal.org to groups.drupal.org in the hope it will get more attention and that unfortunate page http://drupal.org/hosting either will get completely cleared from free-of-charge grandfathered companies or they finally will start to let other Drupal-specific companies to get listed. DA reps' new excuse for absence of significant contributions to the community is not professional, is not measurable and could be very much subjective. If they require proof of such contributions they MUST show examples of how listed companies have contributed to the community. Let's take Holistic Solutions' HotDrupal.com - we want to see what are contributions of this company to get listed? Why it deserves grandfathering from DA and in what exact respect is better than, let's say Drupion.com?

I believe there will be no harm if Drupal community learns about an interesting discussion on Acquia's business practices going on currently in Wordpress community, namely on the personal blog of their project lead. Matt for Wordpress community is like Dries for us:


Personally I think it's just ok for Acquia staff member to approach anyone with that kind of advertisement. It is just little awkward when another word-wide popular CMS' lead is targeted and invited to switch to Drupal :)

What worse is not Acquia's methods of expanding, but Acquia's blocking its competitors from getting listed on http://drupal.org/hosting. We (http://drupion.com) have applied numerous times and we meet all their requirements, however they keep asking for evidences of our contributions to the community and declining our requests. The Association never could present the evidences of what kind of great contributions to the community have been made by some of the following companies, which somehow got listed in "Other great hosts" section: 2020Media, CiviHosting, Cruiskeen, EchoDitto, Egressive Limited, Holistic Solutions' HotDrupal.com, Koumbit.org, Promet Solutions.

I am not talking about companies like GreenGeeks, BlueHost, A2hosting, Arvixe, Inmotion - capitalism works there perfectly - they pay money and the Association doesn't even care if those companies are specialized and knowledgable enough in Drupal, whether they comply with their own security requirements (as noted above number of companies listed on http://drupal.org/hosting fail to comply with the security team requirements). These companies just pay big money and get through. To me even the fact the Association need funds to support its activities doesn't justify this kind of purely mercantile practice. It is simply not fair to the end-user, who has no idea he/she has better options than being sold to ordinary hosting company which doesn't care about Drupal, but has money to bribe the Association.

And what is saddening is that the Drupal Association is headed by Dries Buytaert, who, at the same time, is the head of hosting company called Acquia. Isn't it little controversial? And we at Drupion start to believe that it is simply not in the best interest for Acquia to let other Drupal-specialized hosting companies to get in that list. We have respected and loved this guy for years, but unfortunately commercial interests of Dries Buytaert have corrupted the whole idea of Drupal being an open-source project and providing equal opportunities for everybody in the community.

And I really regret that impervious stance of Dries Buytaert and his association is getting more and more ridiculous and causing more and more controversies within and outside of Drupal community.

Thanks for reaching out and

megansanicki's picture

Thanks for reaching out and letting us know your frustrations. I saw this posting in several places and thought it best to reply in this forum since it is the DA group. Hope that is OK!

I hear you and I will do my best to answer each point the best I can, but I also know that we can always do better in transparency and communication, which is a priority for our new Executive Director, Holly Ross.

Naturally, I can't speak to the email that reached Wordpress, but it was clearly a mistake made by an Acquia employee. Those things happen. I think I've made that kind of mistake before, too. You sure learn fast that way!

As for Acquia's influence over the DA through Dries, well, I think others in the community have commented a lot on this via this forum and the others you linked to. As I mentioned above, the DA can definitely be more transparent and communicate better. That can come through our open Board Meetings, posting meeting minutes via our social media, blogging (a lot) and much more. Holly Ross is already addressing this issue, but we would love to hear how we can be more transparent and communicate better. We serve you and if you feel out of the loop that is not good. How can we help? We're open to suggestions on how to better communicate and provide more transparency into decision making or other aspects of the DA.

For the hosting listings, we have so many wonderful hosting companies supporting Drupal. We are very thankful you do, too. The criteria for getting on Other Great Hosts is here: https://association.drupal.org/advertising/hosting

To be honest, I don't know the history of all the companies on the Other Great Hosts section. Those decisions were made before me. I certainly can do some leg work and research this and perhaps this section needs to be revisited. What I do know is that for now, the policy is that you get listed if you contribute code, help write documentation, help in the issue queue, or some other way of giving back to the Project. I can see a couple of years ago you did, but I think decisions to not list you were based on the need for more recent contributions. But, if we are wrong you have recent contributions to the Project, pleae let me know.

Perhaps our policy is too vague and we need to revisit that, too. Our intent is to reward those who are giving back directly to the Project in these kinds of ways. There are so many amazing hosting companies optimizing their services for Drupal and we applaud and thank those companies, but contribution is king and that is what we aim to encourage and reward through the "Other Great Hosts" section. Can we do better? Always. If you have suggestions on how we can improve the policy so it is less vague and still serves the program's intent, please let me know. I'm certainly open to improving our communication.

Executive Director, Drupal Association

Megan,Thank you for being

yngens's picture


Thank you for being nice, but isn't it little bit too late? Why you couldn't write such nice mannered replies when communicating with us through regular e-mail? Do you think we enjoy so much going public with our frustration? For that matter, does any sane person enjoy to cause this much aggravation from around Drupal community, but mainly from Acquia and DA staff?

Dear Megan,

I will not be bragging about our contributions, But just to show how unfair you are, please go to http://drupal.org/project/ubersmith and see the date the project was contributed. Was it "couple years ago"? And maybe you can read our last couple e-mail messages to you to find out the list of all our staff-member contributions to the Drupal community?

And then I wonder why you, guys, keep turning this subject to discussion about our company, when we have numerous times stated that we seek changes in DA's policies and practices in the best interests of general Drupal public?! Why you just can't see the policy for selecting for "Other great hosts" is not transparant and very much subjective?! Why you keep talking about contributions required when we have begged so many times for you to show what exact contributions the already listed companies did to the community?! Why you just can't either completely remove that section or to let any company, which offers Drupal-oriented hosting to get listed?! Wouldn't be much fairer just to list only paid advertisements?

You, guys, are always trying to be nice in public, but fail to address openly asked questions and never are as nice when communicating directly through e-mails. We asked to give us proof-links of contributions of already listed companies in our last e-mail and never got received an answer from you.

This shadow of unfair policies and practices toward other hosting companies will always haunt Dries and headed by him Drupal Association until that section is completely removed or every decent Drupal-oriented hosting company is let in. You have to finally understand this simple fact.

"Why you keep talking about

AmyStephen's picture

"Why you keep talking about contributions required when we have begged so many times for you to show what exact contributions the already listed companies did to the community?!"

"Wouldn't be much fairer just to list only paid advertisements?"

?\"We asked to give us proof-links of contributions of already listed companies in our last e-mail and never got received an answer from you."

"This shadow of unfair policies and practice"

Here's how I read comments like these. You have no faith in those who are entrusted with custodianship of this listing resource. You will not accept that you have not contributed to the level necessary to be listed. You would prefer that the community process of contributing and being listed be dropped and that it instead be purely commercial (since it's easier for you to measure). You have judged them to be unfair, You have suggested they can't be trusted. You assume that they should discuss with you the personal business of others -- because you can't trust their judgement (and for whatever reason don't appreciate the need for discretion in this area.)

I have only one question for you - why are you trying to participate with a project that you do not and cannot trust?

Dear Amy,I'd like to start

yngens's picture

Dear Amy,

I'd like to start with answering to your last question:

why are you trying to participate with a project that you do not and cannot trust?

Dries was one who founded Drupal and we will always be respectful to this fact and thankful to him for Drupal, which we do love. However, Drupal has grown mature thanks to the whole community's contributions for many years and thus doesn't belong to Dries only. Even if me and my colleagues from Drupion will get somehow punished for bringing up this kind of quite legitimate from our perspective issues and get totally banned, we will continue to love Drupal and to do what we are good at - optimizing LAMP stack for Drupal and offering quality Drupal hosting at competitive prices.

We have already gained quite enough pull of loyal and thankful customers and can exist completely independently from rulings of Acquia, DA and Dries related people's, who just continue to question our integrity at the same time completely ignoring the fact that Dries is not only the lead for the whole Drupal project, but also is a founder of Drupal hosting company Acquia and at the same time a head of the Drupal Association, which in turn controls /hosting page and that there is an obvious conflict of interests here.

Why not to start addressing this conflict instead of questioning our "faith" or "trust"? Those are pretty vague and subjective criteria. Let's just come up and play by fully transparent and clear to understand policies and rules. Is it so difficult, gosh? Trust is not an issue here at all. The issue is a lack of understanding by Dries, DA and all the responsible persons that our frustration has real grounds, their failure to address this kind of issues, that we have been trying to address since long can not be justified by any references to lack of our own trust to them. We do trust them enough, but let them do what they were supposed to do since long.

Thanks for the feedback. We

megansanicki's picture

Thanks for the feedback. We definitely want to be fair and I think your point is valid. It's certainly time to revisit the Other Great Hosts section. I will review those that were "grandfathered in" and confirm if they meet the criteria. Sometimes there are just so many things to work on and this clearly needs to bubble up on the list, so I will personally do that next week.

Thank you as well for pointing me to your team member's contribution. If we missed that in our email exchanges, I greatly apologize. I will look into this as well as part of the review for the Other Great Hosts section.

Executive Director, Drupal Association

Megan, Thanks for your reply.

yngens's picture


Thanks for your reply. I wanted to say our company is not any worse and maybe way better than some other companies listed there and that I would be looking forward for "Other Great Hosts" section to get changed next week and hope we will be finally honored. However, I would like to emphasize that nevertheless getting into that list is the agenda of our company, by re-initiating discussions in this thread we purse to arrive to the solution, which would satisfy the interests of general Drupal society and will totally glad and accept if that section is completely removed.

And probably that would be the best solution to avoid possible speculations about the conflict of interests of Dries' hosting company with other Drupal shops. I understand that the section was designed to give incentives for being more contributive, however the nature of hosting business is such is that vendors concentrate on providing best hosting solutions and not necessarily codes or other activities, because they are hosters and not necessarily developers, coders and as such they can contribute indirectly by at least mere fact they are providing Drupal-specific hosting services. So far you have not presented proof of that some of the listed companies have contributed more than, for example, we have. And it is always will be challenging to your party to demonstrate that your decisions on whom to list are not based on subjective opinion. All this causes more questions and ground for various accusations than provides incentives to contribute more. We searched well any strong tracks of contributions of the listed companies.

Therefore, to re-instate that section should be totally removed or requirements for getting into that section soften and more Drupal-specific hosting companies listed. The end-users will see no harm, but only use if they see more options to choose between. End this syndicate style of protectionism and let free market work!

HI Ygens and everyone who

megansanicki's picture

HI Ygens and everyone who participated in this helpful discussion. Hope it is OK to respond here at the top of the thread. I'm still learning the best way to post in forums.

Thank you, everyone, for your helpful suggestions on how to improve the current hosting page as well as clearly articulating your concerns. The Drupal Association is here to serve you, the community, and it’s all for naught if our programs miss the boat or we lose your trust due to lack of transparency. Thanks for giving me time to do a little home work. I’ve done some digging and thinking and have some answers for you. But first, let me recap a few themes I gathered from your posts:

  • The page does not make it clear who passed the security test and what is the purpose of the two sections? (is one of them paid ads?)
  • What is the security process? Who provides the test? Does this person have a conflict of interest?
  • Are the hosts currently meeting the listing criteria?
  • This page is for new site builders and should have some content that explains how to evaluate hosts and other relevant topics
  • Offering a paid listing seems generally OK to everyone, but we need to be careful of quality, this host may become the way a Drupal evaluator judges our project.

So, as promised, I did an audit of the hosting program and current listings and, along with community input, I have outlined what we think is the best path forward. Below explains the page’s intent, our current process, our audit findings, and our recommendation.

The intent:
This landing page has had several iterations since 2007, but the intent is always to:
- Generate revenue through affiliate links so we can fund community programs
- Reward companies who contribute directly to the project (code, documentation, issue queue, support the forums, etc)
- Have hosts go through a quality check looking at several aspects including a security test. We don’t want anyone blaming Drupal if it’s really the host that is not performing.

The Current Process
- All listing requests come to me. I work for the Drupal Association, and follow the approval process that’s been set by community members and the Drupal Association Executive Director.
- I ask the host to use the Security Review Module (http://drupal.org/project/security_review) and to send me a screenshot of their results. If it is “all green”, I pass it on to the one and only community member who verifies the test. His name is Michael Hess. He teaches at University of Michigan and the university doesn’t sell hosting, so there is no conflict of interest. Michael is also on the Security Team and really knows his stuff.
- If the host is willing to pay the advertising fees, they take the security test, but if they use Cpanel, then there are certain tests that may not pass. Overall, if the assessment is that they provide a reasonable level of security given the cost of their service, then we do a Drupal community review of this host. If we don’t see negative comments, then we list them, and accept their money. However, we have turned away many companies who failed too many of the tests and turned away their money.
- We also put copy on this hosting page in the sidebar that says: “The Drupal community does not endorse these companies. See the Drupal.org advertising policy for more information and how to get your organization listed.” The intent for this copy and link to the advertising page is to show that these are paid ads, what the review process is, etc.
- You will see on the advertising page (https://association.drupal.org/advertising/hosting) that paid listings start at a $5,000 minimum monthly guarantee and the criteria includes positive community reviews and be an Organization member. Due to an increase in traffic to this page and competition for the #1 and #2 spot, we have set additional criteria and will update the advertising policy. Currently, the #1 spot must pay a $7,000 minimum monthly guarantee and all the other ad listing prices increase as well. And, to be considered for the #1 and #2 spot, you must be a Drupal Association Supporting Partner and sponsor DrupalCons. I am updating this policy and the partners are complying with this new criteria - happily I might ad. All funds are invested in community programs.
- If the host wants to be listed as Other Great Hosts, then they must pass the security test, show how they contribute to the Project, and provide an affiliate link. Why do we list only hosts who contribute? There are lots of hosts making a lot of money off of Drupal. The community only wants to list hosts (or any kind of service provider) that gives back. See the community criteria for accepting service providers (http://drupal.org/node/1735708)

What We Found in the Audit

The Paid Sponsors:
Each sponsor is meeting all criteria of “pay the monthly list price”, have positive community reviews, are an Organization member . And some are now Supporting Partners (https://association.drupal.org/supporting-partners)! Plus they help the community in other ways that is not required by this program). They all took the security test and showed that they provide a reasonable level of security.

Other Great Hosts
Yep, there is some legacy there. There’s been several iterations to this page and this section particularly. It needs some cleaning up. All are great companies, so I won’t say what the deficits are, but I will take the blame for any that exist.

Recommendations for changes:
1. Paid Listings:
Keep the current Paid Listing criteria, but be clear about the security test. Specifically, we recommend requiring that shared hosts:

They have a “1 click installer” of Drupal that is the most recent version
We install the Security Review module into a site we’ve installed with that 1 click installer
Security Review module should pass all tests with two exceptions: the warning about errors being displayed to users and the warning about file permissions/ownership

  1. On Drupal.org/hosting, add content for the new site builder that is educational and helps them select hosts: many shared hosts won’t meet all of the quality tests, but at their price level that’s a reasonable trade-off.

  2. Remove the “Other Great Hosts” section and invite companies listed there to apply to be included in the marketplace (see point 4).

  3. Invite all hosts who don’t want to pay, but contribute to the Project, to apply to be listed in the Service Provider section of the Drupal.org/Marketplace requests. This section just needs to include “hosting” as a service provider type. There is already a clear process of reviewing applicants to this area, which was recently vetted by the community. Additionally, they can add security test criteria and set up the organizations’ node to have a field that says “security test passed in March 2013”. Setting up the features to support this change are something the DA commits to getting done in the next few weeks.

  4. Update the advertising section to reflect the above advertising and listing policy and process.

So, that’s one big response, I know, but I wanted to be as clear as possible in order to be super transparent. Thank you so much for all of your help and feedback. We will move quickly to implement the recommended changes so we can get this section of Drupal.org back on track.

Megan Sanicki, Drupal Association

Executive Director, Drupal Association

One caveat

JamesOakley's picture

Megan - that all sounds great. And good that it's comprehensive, and will allow standards to be applied consistently and transparently. The marketplace is probably the right place for other providers to be listed anyway.

One caveat: You said

Offering a paid listing seems generally OK to everyone, but we need to be careful of quality, this host may become the way a Drupal evaluator judges our project.

That is right. But the remainder of what you wrote only spoke of security, not of quality more widely. I'm still nervous that whilst the giants of the hosting industry have the advertising budget for this, and will be able to run secure servers, some of them also have a history of overloading those servers, putting profit above performance.

When a potential Drupal adopter tries the project and finds it wanting because of problems at the host, it is very unlikely that they will be tutting about how insecure Drupal is, when they should have blamed the host's laxity. It is far more likely that the problem they encounter will be how slow Drupal is, or how they keep getting "database gone away" errors, or something like that.

That can all be mitigated in the setup you've decided upon - by making sure that the blurb on the page, as well as the "help in finding a host" section, makes clear that (i) this is a paid advertising section, (ii) all the hosts here have passed security tests, but (iii) that is not an indicator that their hosting is suitable for any particular Drupal site, or of the performance of their servers in any other respect.

Other than that caveat - great work! Thanks for keeping us all in the loop - and for making this more transparent.

Hi Megan, Thank you for the

yngens's picture

Hi Megan,

Thank you for the detailed input, however I have to state we have heard lot's of nice words, but haven't seen any solid actions to change the current state of the issue.

If the host is willing to pay the advertising fees, they take the security test, but if they use Cpanel, then there are certain tests that may not pass.

Why this kind of exceptions and excuses are honored towards cPanel hosts only? cPanel is just one of many control panels out there in hosting industry. For example, at Drupion we totally rely on Virtualmin (http://drupion.com/about/technology/virtualmin), which automatically sets all the directory and file ownerships and permissions, and which fails that torture named here the "security test".

Just remove "other great hosts" section and do whatever torture you want to do to paid hosts. As long as there will be free section and some companies will get there based on the subjective opinions of Drupal Association mafia, there always will be grounds to blame your party for double standards and grandfathering certain companies.

And the obvious conflict of interests in the fact that Dries Buytaert, who owns a hosting company, remains President of the Board of Directors of the Association, which defines regulations towards hosting ads, of course, got totally ignored, avoided and still remains.


AmyStephen's picture

And this is exactly why open source is failing. No, it's not those who have been working together for years building what is available for free to the world, it's those who are willing to throw their reputations under the truck so they can get a piece of the action.

Sorry for the non-constructive post.

You might ignore the

yngens's picture

You might ignore the connection, but to me Acquia is not only expanding using such doubtful methods disclosed by Wordpress lead Mat externally in the outer world, but also overpowering other Drupal-oriented hosting companies abusing Dries name, authority and position in DA internally within the Drupal community. I am not going to argue further with you on this, but have to state we've been around here for many years and have full moral rights to voice out our concerns and frustrations.

Now, to make it official here is my request for another change: http://drupal.org/node/1956666

I ask those who are not afraid of Dries and company to voice out their support to our request as not doubt there will be plenty of those who will dislike our position and rush to support Acquia, Dries and headed by him Drupal Association, who controls /hosting page. There is an undeniable conflict of interests here, which can be addressed simply by removing that section for "Other great hosts" or by finally letting all other Drupal-oriented hosting companies to get listed. Put your sympathies and antipathies aside and try to see the essence of our request, which pursues the aim to protect the interests of Drupal community in general.

And believe me we've been trying hard and since long to get this issue resolved without disturbing and abusing the Drupal community's attention, however being nice with DA doesn't help at all. You will just get ignored, your questions remain unanswered, unfortunately.

Earlier, you expressed

AmyStephen's picture

Earlier, you expressed frustration that those entrusted with custodianship of this resource didn't review all of the approved listings and their reasoning for approving the request personally with you.

I'm definitely not afraid of Dries. So, I qualify as one whose support you are looking for. Now, post your application requested on https://association.drupal.org/advertising/hosting -- "being around for years" isn't enough. Under "other Great Hosts" there are requests for code, documentation, support, affiliate link, DA membership -- you know -- things you did for the project. We're going to have to review those same things to make the judgement you are asking.

Plus, you are a big fan of transparency, so, post please!

Amy, Easy. Do you represent

yngens's picture


Easy. Do you represent DA or what to be so demanding? Do you think we are avoiding to apply? Read the whole thread and see we applied since long and had been struggling through impossible to pass barriers by security team. And we were ones among some others to initiate this discussion in the very beginning and to get previous even worse policies changed. Moreover, if you are with DA ask Megan to forward you all our correspondence and you will find more than enough documentation and evidences sent. Moreover, requirements for things like "requests for code, documentation, support, affiliate link, DA membership" and I am pretty sure you could make this list even longer could easily get abused by any authoritative party. Drupal community is not territory of USSR, DA is not Politburo and Dries is not Stalin to stir this kind of unnecessary bureaucracy. Common sense should rule. If any Drupal shop is in the market for long time, has established Drupal customers pull, its member staff are within the community for many years, then it should be just enough to get included. Don't play gods in Olymp to judge ordinary Drupal users and ordinary Drupal companies if you've got to DA, Acquia or got some other affiliation by Dries. And playing advocacy of named entities also not necessary here, since the community doesn't lack people who are ready to admire and justifies whatever comes from Dries, DA or Acquia. The community lacks members who can step forward to openly raise questions, which have quite legitimate grounds, everybody is aware of which, but prefer to keep silence. Because Dries and his circle managed to build such marketing strategy, which enables them to silence whatever not good for them.

I figured you wouldn't post

AmyStephen's picture

I figured you wouldn't post your application, I'm thinking maybe you know your company does need to contribute more.

I'm sure it is tough to compete with the likes of Acquia but do you honestly believe that your companies name on some internal Drupal page is how that business lives or dies?

My advise to you is to redo your application so that it highlights the contributions your company (and its employees) have made in order to make Drupal better. In a letter that accompanies your application, ask for ideas that you can consider in order to improve and let the approver know you'll be applying again in six months -- and that you plan to blow them away with examples of why the Drupal project is better because of your company.

If you problems are clearing the security hurdles, fix it. If you feel the criteria are too high, do a survey of other hosts - a survey of Drupal hosts. Explain what the security barriers are. Maybe I'll agree with that but when you bring in Stalin, it's your credibility that is lost.

Amy, you again ignored every

yngens's picture

Amy, you again ignored every argument I made and turning the ball back against our company. Do nto concentrate on our company, but try to open your eyes and see DA couldn't present evidences of contribution of the listed companies. Read Alan Mel's post in the very beginning as a proof of how long we have been struggling through this. And finally we agree even not to be listed at all, but we are seeking DA's clarification of why the listed companies are listed or get that section to be removed. You may keep ignoring the essence of our questions and frustration, but don't think people are blind - many will see you, guys, again trying to get away by not addressing the real issues. And you did not answer the question: do you represent DA, Acquia or Dries himself that behaving so much demanding and commanding?!

This is all about your

AmyStephen's picture

This is all about your company and you asked for our support in getting your company listed.

In order to be able to do that, I asked that you post your application.

Having read this more closely, I also need to understand the security tests your host site failed. I am not understanding why you believe your site should be listed in light of the security problems identified.

Did you take Greg up on his offer to help you understand and ultimately resolve those problems?

Your insinuations spread, don't they. Now it's me. One thing you can count on, Stalin and I have absolutely nothing to do with your hosting company not being listed. Neither of us represent any of the parties you listed, either. =)

Stay on topic, please.

This is my last comment to

AmyStephen's picture

This is my last comment to you.

I've seen this over and over and over in many open source projects. People feeling entitled to something but not understanding how to participate in a constructive way.

Have there been problems with these listings? Yes, absolutely. Friends of mine have also felt that some of this is objective and difficult to navigate.

But you cross a line when you start to accuse people of some of the things you have said in this thread -- and that, my friend, will kill open source projects faster than anything.

These people who you have smeared with your comments are the very people who have made Drupal possible.

Acquia is not your biggest problem. Your biggest problem is you don't measure up. You have not passed the security tests. You aren't even trying to figure out why. You have not demonstrated to the powers who be that your company has contributed enough to be listed. And, instead of working on those issues, getting involved, getting to know the people who are administering these resources, instead of asking what you can do and taking it on as a challenge, you are assuming some very negative things.

Truth is, I'm starting to doubt all this stuff about community. I actually believe you might be right. Forget about contributions and measuring what people do -- and start making everyone pay for it. Pay the developers, the documenters, the people who help in the forums, charge for the download, charge for the marketing, the ad space. Make it all nice and easy to measure.

Of course, that cuts out participation by anyone without money, but hey. Right?

This is not easy to do. It gets even more difficult when people publicly start making crazy accusations.

If you want support, you have to be willing to share your information. No one can support you on your word that everyone else is evil and conspiring against you.

Just stop a moment and think about it. Maybe ask some who are listed what they did to ultimately get there. Maybe follow thru with Greg. Maybe apologize for some of these silly comments. Maybe find a way to contribute.

If you can't buy into the community way, then, what can I say?

I heard your arguments. I just wish you could. If you could, you'd get it. This is no way to solve your problems.

Adios. Cheers. All the best. Good luck. Have fun.

Again I hear "you, you and

yngens's picture

Again I hear "you, you and you". We brought evidences that number of the companies listed failed the same security test. We asked to prove some of the companies listed contributed more than we have done. But our legitimate arguments completely get pushed off the road. Because on that road Amy is driving shouting loudly: "You, you, you"! We don't want to get listed anymore. Not with this attitude at least. And it is not about us. Get things straighten on your end, guys! Don't play double standards and if you do come up with some requirements, then please care as to make them actual for every body else. Provide no grandfathering and equal opportunities for everyone and then maybe you will gain some moral rights to say: "you, you, you"

This is not true

AmyStephen's picture

But our legitimate arguments completely get pushed off the road. Because on that road Amy is driving shouting loudly: "You, you, you"!

I have never talked to you or about you before this thread.

I do not know you.

I do not represent anyone who you seem to be upset with.

I have not conspired with anyone to create a problem for you.

I don't like my character defamed. You need to stop.

You need to make it clear that you are not accusing me of having anything to do with you not being listed.

Aamy, Then read your posts of

yngens's picture


Then read your posts of very much demanding character above, which makes not only myself, but any arbitrary reader from aside to believe you have some associations or interests. You have to understand that by pursuing our own agenda, we at the same time are trying to arise the matter which represent interests of many other applicant hosting companies. And there are contradictions, conflicts of interests in this matter like DA failing to apply the same requirements for everybody, especially their grandfathered companies in the list. So you should stop demanding anything from new applicants until DA or you as their partisan show us what are their great contributions next to which our humble contributions should keep silence. I didn't require or demand anything from you, so it is actually you who NEED TO do something. At least to understand that Dries, Acquia or DA don't really need your advocacy here.

I'm done with you.

AmyStephen's picture

I'm done with you.


Mediacurrent's picture

To preface, you are making a lot of valid points, but they are being drowned out by your accusatory tone. I think the majority of the community finds it highly unlikely that Dries is sitting in his office, twisting his mustache with the executives at Acquia, wondering how he can keep Drupal companies out of the hosting service directory on drupal.org. In short, there is no conspiracy here.

Here are some thoughts and observations for Holly, Megan, and the DA to chew on:

  1. Some feel the process around directory inclusion is too subjective and arbitrarily administered.
  2. The actual approval is facilitated by Megan, but as I understand the screening is largely "controlled" by volunteers that are already stretched on other issues; an important factor tends to be purely based on timing, and the availability of Megan/volunteers. This subsequently causes frustrations around an apparent lack of communication and transparency.
  3. There can be an unintentional, but nonetheless a pre-existing bias against certain cultures who struggle to "sell" themselves and their contributions effectively.
  4. This is an anecdotal observation (no data to support this theory), but there seems to be a geographic lean - a reviewer may know more about a service provider in their own region.
  5. The protocol tends to put reviewers in a natural conflict of interest (i.e. when Greg was working for Acquia). For example, those most qualified to vet hosting providers tend to work for ones themselves (i.e. the competition) - at one time, this issue was also raised for case studies that appeared on the front page of drupal.org

These are natural growing pains for Drupal and any open-source software community. The good news is that I am confident that Megan and the DA are listening and better solutions will be found.


Dave - just to repeat what

AmyStephen's picture

Dave - just to repeat what Greg said above since accusations tend to be heard and remembered but the reality is often not. Greg indicated above that he did not participate in the security reviews because of his employment with Acquia because he didn't want there to be a conflict of interest.

Dave,I appreciate your

yngens's picture


I appreciate your trying to straighten my points and put this discussion to right boundaries. I wish English was my first tongue to be able to express thoughts in gentler manner maybe and to avoid mental and cultural gaps when you think in one language at the same time have to reach out to speakers of another language.

One thing I want to assure every reader of this page is that we tried hard to avoid going public with our frustrations. We had quite intense e-mail exchange with DA reps, with Megan, we tried to reach Dries himself with no joy and no success in the end. You can not imagine how frustrating it is when you and your colleagues have done huge job to be able to provide to Drupal community with quality services, tried to be in line of all the requirements of the community and its leadership, to feel your team deservers to be fairly evaluated and despite all your efforts not to be accepted in. At the same time seeing how some quite mediocre companies are grandfathered for nothing, no tracks of contribution from their end. And you know what, you are completely right about existence of geographic lean, but in my straightforward language I would use a word "discrimination". We openly disclosed to DA we have operations on other remote countries, we mentioned all the activities in overseas countries, that benefits to Drupal project, but that here in US we do mostly serve local American and Canadian companies. And sometimes I really think maybe it was mistake we even mentioned that our staff-member consist of international Drupal experts.

I am also far away of sincerely believing that "Dries is sitting in his office, twisting his mustache with the executives at Acquia, wondering how he can keep Drupal companies out of the hosting service directory on drupal.org" or something alike. However, I do assert Dries knows about our long time struggle to get listed on that page, since we had been forwarding all the communications to him. And guess what - nevertheless we begged DA to give at least some examples of contributions of some of the listed companies and failed to get any response and addressed directly to Dries - no single reaction from his side.

I might be out of the line of political correctness, pardon my French, but without going too deep into conspiracy theories there is simple conflict of interests in the fact itself that Dries runs a hosting business and is at the same time head of DA. He might even not know and not care what is going on around that page, but existence of certain hierarchy, or let's say respect to his personality, his name, his authority in Drupal community and especially in Drupal's Olymp (since they in Acquia like metaphors like "RedHut of Drupal") is undeniable and will remain there always, which can influence decisions on varios levels even without Dries' consent. Dries has to understand this and has to either step down of DA leadership completely or DA has to completely give up its policies towards other hosting companies or Drupal shops. Look what is happening: in nowadays Drupal world every Drupal shops kind of feels it has to become Acquia partner, many wonder where Drupal ends and Acquia starts, Acquia is overwhelmingly starts to dominate in the market, all the leverages and boundaries are disrupted, that Acquia doesn't have to be afraid of any competition. So why on earth DA is being soo much protective of the pages where they easily could let such companies like ours to take their little humble corners at least to avoid such comments like on http://drupal.org/node/1951464#comment-7223160:

Finally you are not in the list that Drupal.org advertise. (sorry again)

Would Dries and DA people prefer total silence and harmony in the community? Well, then please quit your double standards and stop requiring of contributions when you have companies there with no single contribution listed. Just remove that section and be done with this. You may justify your position in this situation by turning all the blames to myself, but please be assured once again we tried all the constructive ways prior to going public with this.

Thanks so much, Dave, for

megansanicki's picture

Thanks so much, Dave, for netting out the points. That was really helpful. And, thanks for the vote of confidence that we can improve the process and transparency around the hosting listing. I'm going to review a few areas this week specifically: The review process, the volunteer team helping me to make sure there is no conflict of interest, and I will review the Other Great Hosts contributions to see if they still meet the criteria. In other words...A complete audit :-)

I'll be happy to share the findings and outcome so it's transparent.

As always, the intent of this page is to help the community. The paid listings generate revenue that is invested into the community. Drupal.org's hosting bill is $90,000 a year and these paid listings help pay for that so we can keep Drupal.org running. And, the Other Great Hosts was to reward hosting companies who contribute directly to the Project (code, documentation, issue queue, etc). Hosting companies don't have to do this but some do and we wanted to reward that effort.

It's clear from this thread that there is a lot of community concerns about how decisions are made and by whom. And, while our intent for this page is all goodness, it's all for naught if there isn't trust in that. So, stay tuned! I'm on the job and will be working through the issues this week and will report back my findings. If there is anything else I should consider when doing the audit, please let me know.

Executive Director, Drupal Association


silverwing's picture

For the "Other Great Hosts" section, I'd love to see a link under their linkblock pointing to their Organization Node so we can actually see who's behind the company. (Looking over the companies, I only recognized a few.) A simple "About /Company Name/".

Regarding the big ads on top - are all of them Affiliate Links? If so, should they be identified as "Paid Advertisements"? Or can a company from the Other Great Hosts move up there without affiliate links? (I do believe that anywhere on d.o that has paid ads be identified as such.)


P.S. - Since I personally don't think most of the hosts listed at the top of the pages are "great" I hate the phrase "Other Great Hosts" and hope that it can be changed to reflect the community aspect of their contributions.

Hi Amy - Right, I think you

Mediacurrent's picture

Hi Amy - Right, I think you are referring to Greg's recent comment, but he earlier said his employment at Acquia caused him to not want to conduct security reviews for inclusion in the hosting directory because of the perceived conflict. He did the right thing, and sought other volunteers to take over this role. My point is that there are probably others on the screening/review committee, who have a similar conflict (i.e. they work for companies that provide hosting services and are evaluating applicants that are their competition).


Agree. Greg did the right

AmyStephen's picture

Agree. Greg did the right thing. Hopefully, that message will get out, not incorrect accusations.

In this case, there are objective problems. Yyngens seems to agree his hosting services do not meet the security requirements. There is public source code and security lists. http://groups.drupal.org/security What problems were found? It would likely make more sense for Yyngens to take advantage of Greg's offer to review these issues and get those problems fixed. It is probably not a good idea for the project to list hosts which can't pass those tests. That is not subjective, it has nothing to do with abuse of power, it's clear and those problems should be resolved.

My point is that there are

greggles's picture

My point is that there are probably others on the screening/review committee, who have a similar conflict

Actually, no. Michael Hess is a faculty member at University of Michigan and he took them over. University of Michigan only hosts their own sites. Hopefully we'll be able to find similar folks in the future if/when there is a need for these reviews.

I do agree with your more general point: that volunteers in the Drupal community who help out on things like this are very likely to eventually get into a situation where their biases (personal, economic, etc.) can have the potential to unfairly sway their judgment. I don't see a great solution to fix that and I find this all to be much ado about (almost) nothing.

@Mediacurrent, could you please edit your previous comment. On re-reading it I understand what you mean, but there is abiguity in this sentence which unfairly could be interpreted that I did something wrong. And I definitely didnt' do free security reviews for 2+ years and then quit them before a COI arose just to get accused of inappropriate behavior from someone as knowing/reputable as you. I don't mind if someone like yngens feels the need to insult me to try to improve their own position (and then not retract the slander when it's clearly and repeatedly shown to be false...).

Proposed text, informed 100% by reality:

The protocol tends to put reviewers in a natural conflict of interest (i.e. how Greg chose to stop doing reviews before taking a job with Acquia).

@Greg - I think you are being

Mediacurrent's picture

@Greg - I think you are being too hard on yourself, and more specifically, taking the comments from yngens too personal. Your reputation speaks for yourself. Period. His venting about being frustrated around the hosting directory selection process is not going to change how people feel about your tireless support and contributions to the Drupal/OSS community.

If Michael Hess is the only one that helps the DA review hosting applications than I stand 100% corrected and apologize for any discrepancies. However, if Megan asks other community members to look over applications that also work for what could be interpreted as competitors than that needs to be addressed. My point was that this puts people in a precarious position and natural COI. This is exactly why you did not want to continue in the role once you started working at Acquia.

To reiterate, I think you did nothing wrong. We will agree to disagree, but IMHO my previous comments left little room for vagueness or ambiguity around this point. I also suggested that yngens "going public" was not the right way to address his personal/company agenda issue, no matter how many times he said he attempted to reach out privately to the stakeholders involved.

Actually, I read your comment

AmyStephen's picture

Actually, I read your comment exactly the way Greg did, which is why I responded to you, as I did.

The problem with responses like yngens, it's not a constructive approach to solving a community problem. Everyone in the way is lumped together into one big conspiracy theory. From Dries, to Greg, to Stalin, to finally me, if you aren't sympathetic, you are part of the problem.

And it works to draw a crowd. We have all been so disappointed by leaders over the years that it also has an impact to throw mud wildly at anyone in that role.

This should not work in an open source community. If we want our processes to get better, posting will not do it, we have to get involved.

In this case, yngens needs to get his hosting services up to snuff with security. Sorry, but that's important. No matter much mud is tossed at those with authority, users need to be assured their sites are on a secure host. Thank goodness some people will take the reputation hits to ensure security is provided. And trust me, this crap does damage people.

Sorry, but I give people in

Mediacurrent's picture

Sorry, but I give people in the OSS/Drupal community more credit than believing conspiracy theories. IMO, they totally discount comments against long-time contributors if they are trying to advance their own personal agenda.

You and Greg interpreted my comments the way you wanted to, and I immediately made sure people knew the spirit of what I was saying.

I agree with you 100% - we've identified problems with the current process and should be focused on finding solutions.

So, after reading through a

walterheck's picture

So, after reading through a bunch of mud slinging in this thread, there's one thing I must agree with OP with (disclaimer: without actually checking his statement with real data, but I have seen similar things when my company was signing up for the training section).

The problem seems to be a lack of transparency and a missing recurring review process for companies listed in the hosting, services and training section. Once you are in, you're in, no questions asked after that point.

This creates a problem for new companies wanting to get listed, as well as it creates bad quality listings. I think that the review process needs to be recurring, in order to weed out the bad or semi-bad apples overtime.

Thanks for pointing that out.

megansanicki's picture

Thanks for pointing that out. The community has been working on the marketplace listing criteria for service providers and training over the last year. It's really great to see the volunteers coming together to improve that area and they know there is still more work to be done. I will be happy to talk to them about the review process I'm going to do this week with the Hosting area and ask if they can do the same for these other sections in the Marketplace. You can also email me at megan at association dot drupal dot com and I will be happy to look into your application for you.

Executive Director, Drupal Association

Why is there a "contributions" litmus test?

Bob Newby's picture

With respect to everyone involved...

I too have read through much of this contentious thread. I speak solely as a Drupal site builder and owner; I have no direct stake with any of the active parties to this debate.

However, I do have a question for the community at large. Why is there a "contributions" litmus test for a hosting company to be qualified by the DA et al as worthy of recognition for the hosting services it provides?

It makes no difference to me at all whether my chosen host has or has not been a contributor to the Drupal project, let alone what metric of value the DA or others attach to their contributions.

My interest is simply to obtain hosting that meets my sites' requirements plus my own site-building parameters. I fail to see how contributing or not to the Drupal project has anything whatsoever to do with this.

Personally, I find the "contributions" litmus test in question to be highly objectionable. Now that I know about it, I am far less willing to rely on the "official" hosting provider listings than on other research sources.




P.S. The matter of passing various technical tests, including ones to do with security -- and whether or not those tests are sensible across the board -- is something I am not qualified to comment on. But it certainly does concern me that some of those test may be meaningless with respect to certain hosting architectures.

Thanks for sharing the site

megansanicki's picture

Thanks for sharing the site builder perspective. It always helps to know that point of view since the page was designed to be a resource for you and other site builders.

The section at the top are hosts who passed a review process and pay to be listed. Those funds are invested into the community by paying for drupal.org's hosting fees, which cost $90,000 plus other expenses like hardware that keep Drupal.org running.

The "intent" of the Other Great Hosts section was to reward those companies who contribute to the Project through contributions like code, documentation, helping in the issue queue, etc. Hosts don't have to contribute since it's not core to their business, but some do and we wanted to recognize and reward that. I think it's great to get your perspective. We know contribution is king and thought this was a good and right program to offer. Perhaps it doesn't really matter to the site builder? Or maybe it does and we just do a bad job of explaining why this section exists. Perhaps you would consider a host that contributes to the Project? You tell me!

Your feedback is welcome and it will be good timing since I will be doing an audit of the program this week to review our approval process, check with the volunteers to make sure there is no conflict of interest, assess if companies in Other Great Hosts still qualify, etc. Then, I will report back with my findings and our recommended changes. Hopefully, that helps provide the needed transparency that others are looking for. As I said in an earlier post, we here to serve you. If we don't have your trust, then we aren't doing our jobs well. Stay tuned! I've got some work to do, but will be back in touch soon.

Executive Director, Drupal Association

So good to hear

JamesOakley's picture

Thanks for saying that you're auditing and reviewing the whole process, page and programme.

I've been thinking of stepping back into this thread, but I'm having trouble getting my thoughts clear, so I'm waited to do so until I think I have something useful to say.

I both use hosting services for Drupal, and provide them to others. I'm trying to think through what kind of /hosting page would be most helpful for site owners / webmasters trying to find the best host for them. (Because we all know it's not as simple as finding "the best host". Different sites have different hosting needs, so each site owner needs to choose a good host for their needs).

I'm sure we can provide a page that is helpful for people in this position. I'm sure it can benefit the Association as well. I'm just trying to get the parameters for that clear in my own mind. (So, in that vein, thank you Bob for joining the discussion - anything else you could add on what would make that /hosting page helpful for someone like you would be good to hear).

But as I say, I'm now freshly assured that Megan et al do wish to take on board the community's feedback in this, so I'll persevere at trying to think myself clear.

A bit of concrete input

Bob Newby's picture

Dear Megan,

Thank you for your reply. I just visited the latest incarnation of the DO marketplace page for hosting (http://drupal.org/hosting-shared-b). It has changed since I last consulted that area, and I now see that it is basically a set of "listings" pages partitioned by a categorization of hosting levels-of-service.

Having recently educated myself on host selection, particularly for Drupal sites, I have two suggestions:

a) It would be extremely beneficial to not assume that someone prospecting for a Drupal hosting provider knows anything at all about the subject. Some form of a high-level view of the hosting landscape would be helpful, and in this regards the best I have seen thus far is at https://www.getpantheon.com/how-it-works. (Fyi, I ended up choosing Pantheon, which is why I know about this piece of their marketing collateral.)

b) Rather than exclude "non-contributors" from the Other Great Hosts section, I believe it would suffice to simply indicate on the listing itself if a hosting provider happens to be, in the eyes of DA/DO, a Drupal contributor. That way I can see that certain providers are not recognized contributors to the community, and that others are. Nothing more need be said, except to have a note on those pages explaining the criteria for being recognized as a contributor. This places the decision of whether or not to exclude "non-contributors" in the buyer's hands, where it rightly belongs.



Thanks for the feedback and

megansanicki's picture

Thanks for the feedback and concrete input is Most helpful!

I'm working on the audit now and through the week. I'll come back with recommendations and include this kind of thinking. We have several options, all of them good ones.

Executive Director, Drupal Association

These pages date back to at

greggles's picture

These pages date back to at least 2007 if not before, so there is a lot of undocumented thoughts/process/history that went into building them into what they are today.

In my experience, whenever a "list of minimum kinds of contributions" is made it quickly becomes a game for people to finish. "OK, I'll make 1 module and 2 documentation edits and sponsor a Drupalcamp." That leads to the worst kinds of community members and the worst kind of contributions. A company who tried to meet these requirements duplicated a ton of modules in ways that weren't helpful (i.e. they weren't measurably better than the modules they duplicated) and then immediately applied for inclusion into the service provider list. Maybe that's coincidence, but it sure soured me on the idea of an objective list of criteria. I think objective lists are also unfair to some kinds of contributors - what if the list doesn't measure your contribution? Some people give a lot by being global coordinators for Drupalcon, but that's not an easily measured thing. Surely we value that and would include someone who did that and only that, right? It gets tricky to build and maintain a good list...

On the other hand, when someone has been contributing with good intentions for a while it's very easy to see. I vastly prefer that standard.

Hybrid approach

nickvidal's picture

Hi Greggles,

I agree with you, just find it ironic that your signature points to certifiedtorock! :)

An hybrid approach would be the best, where humans play an essential role, but algorithms/automated tests come to help.

That's why my suggestion was for automated/professional tests. Automated would be ideal for simple hosts, because the costs for independent professionals are prohibitive.

Kind regards,

CertifiedToRock worked

greggles's picture

CertifiedToRock worked (reasonably) well while we had commercial motivation to maintain it. Since...August 2011 it hasn't been updated.

I think it actually proves my point quite well ;)

Honesty is the best policy

stevepurkiss's picture

I have recently helped out with some case study and marketplace reviews but not the hosting although heard some about the process. Then last week I experienced my first customer who said they chose it from the drupal.org site. All I got was 500 errors half the time when I tried to actually start using Drupal.

I understand both the financial and community side of the arguments so why can we not simply have both on the site? I.e. here are some paid ads. Here are some we are testing and they pass this and this and this. So depending on what your use is you can match up your needs and we can separate the two algorithms and just get on with life, etc. ;)

Some other input

JamesOakley's picture

I opened up a thread over on WebHostingTalk, where I'm active. There's a lot of experience, and a whole range of views, there on all matters related to web hosting. A lot of people go there while looking for a host for a site, so I was curious to see what that community would make of this exercise.

A number of very interesting observations have come out so far:

  • A positive: The Drupal "recommended hosts" page is better than the comparable pages people have seen on other platforms. That's good to know!
  • One view is that any commercial consideration in whether to include a host will automatically render the list useless for the end-user, because the hosts with the biggest budgets for advertising will automatically feature, regardless of quality.
  • Others would say that there's no harm in Drupal receiving an income from those hosts, but it needs to be seen to prioritise quality hosting over the amount of money involved. Specifically, it may just be that the biggest, most well-known hosts are those with the best hardware and support staff, so offer excellent value for Drupal site owners. However that should be the reason they are included, not because of the amount of money they have to bring.
  • Countering that, another view was that many of the larger hosts advertising on our /hosting page are also the ones that seem to attract complaints over on WHT. They have a reputation for overloading their servers and offering poor, cut-and-paste, support. Whilst they may be fine for some Drupal sites, they are not hosts that some on WHT would recommend to anyone. Fine on paper. Trouble in practice. [Conclusion: In re-visiting the grandfathered hosts, it's not enough to check them against basic security and the ability to run a Drupal site. Somehow, we need to check they can run a real, views-and-panels-heavy, moderate-amount-of-traffic, site - without 500 errors and connection-limit errors.]
  • One really helpful observation was that two kinds of people build Drupal sites - professional developers, and site-masters. There was a feeling that Drupal is more attractive to the developer, compared to a competitor like Wordpress that is easier for a novice to pick up. (That, I know, is debatable). Of those two kinds of person, the developer would never look at a page like /hosting for advice. They already know enough to know what kind of resources their site needs, and they probably have one or several preferred providers. So the page needs to be targeted to the novice looking to build their first Drupal site.
  • Once that's been said, it then helps to ask what they most need from a host. Most hosts have an official policy of "no support for 3rd party scripts". If the page helped a site builder choose a host who will go the extra mile with Drupal, that would be a real help to them. The specific example given was doing a core update. Not the easiest job in Drupal 6 / 7, so if a host would offer to do that for the customer, that would be a real selling point. One could either only list hosts who go that extra mile, or add a column to the table that indicates how much this is so.
  • For an open-source, community-driven project like Drupal, the idea of featuring hosts that give back to the community was felt to be an appealing way to work.

Those are the thoughts (to date) on WHT from people who have no particular commitment to Drupal, but who think about hosting issues regularly and can therefore step back and reflect on what may or may not be helpful for a /hosting page. Hope some of that is helpful.

This is incredibly helpful

megansanicki's picture

This is incredibly helpful and insightful! I've begun the audit and will continue through the week. I'll come back with recommendations and take this kind of input into consideration.

We are also doing A/B testing to see what kind of page layout is most helpful, so I can add that into the mix as well.

Thanks for taking the time to be part of the solution. I really appreciate it!

Executive Director, Drupal Association

Thanks for doing that James,

Liam McDermott's picture

Thanks for doing that James, sometimes getting outside, (relatively) objective input is very helpful.

Automated+Professional Tests

nickvidal's picture

Hi everyone,

How about applying automated+professional tests for performance and security of web hosts?

Perhaps using tools from OSSEC (http://en.wikipedia.org/wiki/OSSEC) with a combination of other approaches.

For smaller hosts, the tests would be fully automated, so costs would remain low.

For enterprise hosts, the tests would include having an independent professional doing systematic tests that are fully documented. The costs for these tests obviously would be much higher.

Hosts would be ranked based on their scores for these tests and categorized according to their level (entry, mid, enterprise).

Hosts may request these tests at any time, paying the appropriate fees each time. This would allow them to improve their scores, and consequently, their rankings.

Extra points may be given to contributions to the Drupal project (code, community involvement (Drupalcamps), etc).

This solution would solve any ambiguities that the current approach has, as long as everything is very well documented.

Kind regards,

Nick - Isn't that intrusion

AmyStephen's picture

Nick -

Isn't that intrusion detection software? And, wouldn't it have to be installed by the host?

But, I like the idea of automating.

Along those lines if there were some type of software that users could install on their hosts -- maybe even as a Drupal Module - that looked for certain conditions (777 file permissions? shared virtual hosts? an ability to write outside of root?) all of which would be useful towards some kind of basic hosting grade.

Maybe those tests could even use a phone home setup - like the install count - to report findings. That would be a fair approach that wouldn't require any interference from the host and the reputation of security team members wouldn't be on the line.

But, like all awesome ideas, until it runs on a server, it's just an idea. So, someone would have to create it. That's always the gotcha. If someone wants the process to change, then, that'd be a great way to do it -- create an open source security test -- make it available as a module -- figure out how to collect and present the data.

In fact, one of the links I shared above would be a good headstart since the security team already has resources that list tests and there are a good deal of tests already written.


JamesOakley's picture


Because the other thing that could be monitored by that kind of user-installed module is page-load times. That could then be aggregated, and would solve the problem of a host demonstrating a zippy Drupal installation, but a real site with real traffic on a busy shared server runs like treacle.

Hi Amy, That's correct.

nickvidal's picture

Hi Amy,

That's correct. Probably OSSEC would be one of the tools used by a professional for a semi-automated test.

But I really liked the way you expanded the idea. There are a whole set of tests that could be run against a server (hosted or not, fully automated or not).

Indeed this would require an initial investment by the DA, but I suspect it would soon be recovered by webhost applicants.

Perhaps the best way to start off would be with the bigger hosts, where an independent professional would be hired to create a series of systematic tests. Soon after, the same professional could start creating/adapting a series of tests for smaller hosts. Perhaps the first few months the DA would only be able to cover its investments, but later this would pay off for the DA, the webhosts, and users alike.

Kind regards,

Just curious, but why can a

AmyStephen's picture

Just curious, but why can't a group of community volunteers who are interested in reform in this area do the work? The DA would need to adopt it for testing for this purpose, of course, but the leg work to make it happen and prove it's a valid approach should be do-able by the community, right?

Thanks for the creative

megansanicki's picture

Thanks for the creative thinking about the test automation and other helpful comments.

I think it is great to have community involved in this section and all the ideas coming forward are really helpful. Before we do anything, why don't we want on two things:

1) I'll complete the audit this week and come back with recommendations

2) We need governance to be completed. Read here on what this is:http://buytaert.net/creating-a-structure-for-drupal-governance

In short, Dries is coming up with a framework on how Drupal.org changes, improvements are made and who is point on making them and the process to follow. You will see the Drupal Association is getting a role along with Working Groups made up of community members.

I'm excited for governance to be in place so it will be easier to answer questions like yours. I think we are close to getting that clarity and when we do we can apply it to the hosting page...and other sections, too!

Executive Director, Drupal Association


stevepurkiss's picture

@JamesOakley thanks for providing a great summary - used to be on WHT and I'd forgotten how useful having something like our hosting pages to use was until I remembered many days of WHT forum trawling!

There seems to be three key metrics in this equation so far:

  • contributions
  • capabilities
  • cash

It is a given that cash should not be the only metric, however I do see it as a contribution. If we split the metrics, we would create a path to accepting cash contributions quicker whilst also accommodating other factors.

There is never going to be one answer for this which is why splitting it up helps - I'm quite happy to take the cash off someone who we may review as really poor - the DA can put that cash to good use, and if they don't improve their hosting and keep paying the cash and are happy to be there with poor reviews by us then I'm still happy because we've done all we can to advise potential clients of theirs the ability to do what they want on it. If we lump it all into "these are good" we then I think have more risks as businesses merge, change hands, employees, etc.

I see some kind of matrix screen where we can click on various metrics in order to whittle it down to a few potential hosts. I'd use that as my needs range - for sure I have those few favourite hosts but my clients range from a picture framer with a studio down the road to corporations with their own infrastructures so need this kind of stuff, and I'd rather be in control of a few metrics than rely on a small set of "rules".

I'm quite happy to take the

nickvidal's picture

I'm quite happy to take the cash off someone who we may review as really poor - the DA can put that cash to good use.

The end justifies the means?

No one should recommend something that they know is bad because they are getting cash. Period. This is where we draw the line of doing what's wrong or right.

If certain webhosts do not achieve a minimum level of quality, they should not be listed, no matter how much money they pay.

Not what I said

stevepurkiss's picture

Thats wasn't what I said, in fact it's what I'm saying is the problem, you're lumping "recommend" with "cash" (and "contributions" and "capabilities"), I am recommending separation of them.

Steve, these are really good

megansanicki's picture

Steve, these are really good points. Thanks for coming up with a matrix concept. I'm working on the audit this week and will take this into considerations when I come back to the group with my findings and recommendations.

Executive Director, Drupal Association

I'd echo that

JamesOakley's picture

I like the idea of a matrix.

I like the idea of taking cash of a host whilst making clear that the standards may be really poor. It's making sure that potential clients are unambiguously clear about the different facets of why this host is / is not included on d.o/h so that they aren't misled.

Let me try to understand what

nickvidal's picture

Let me try to understand what both you and Steve are proposing:

Even though a host scores really poor below a minimum standard, even so you are willing to list them at the Drupal "recommended hosts" page (as you called it), but with unfavorable reviews, as long as they pay cash?

Why? Just because of the money?

Why confuse users and risk the reputation of Drupal?

My firm opinion is that they shouldn't even be listed, no matter how much money they pour in.


stevepurkiss's picture

I didn't say we should recommend hosts based on money, no. What I said is we should accept people who want to pay money to advertise, we should also test and provide recommendations for hosts, and we should provide guidelines as to what kind of hosting you should be looking for based on what kind of things you'll be wanting to do with your site.

You are focusing on one scenario:
- that the host is not good at hosting Drupal
- that the host is happy to pay for a listing which isn't recommended, doesn't show up in searches based on features I'm searching for
- that the user, despite being told both these facts, still believes that they should consider that host

If I were a host paying for advertising and I consistently had bad reviews, I would not pay to advertise and I'd go elsewhere.


JamesOakley's picture

Yes - in other words, it will become bad value for money for poor quality hosts to pay large sums to advertise on drupal.org. So they won't. ... And, provided the user is alert to the way the page is laid out, they won't sign up for a poor host either. (Although this bad scenario that Steve outlines may still happen occasionally).

The key to both those safeguards is transparency.

The poor hosts advertising elsewhere - that's about efficiency in the marketplace for places to advertise, but a market is only efficient insofar as it is transparent.

The users buying elsewhere - relies on them being able to sift the information on the /hosting page in an informed way. That relies on the page being laid out so that the quality metrics are clearly visible, not hidden to try and trick users into signing up for certain "preferred" hosts.

Some kind of searchable / filterable matrix page would do this nicely.

One more thing - reputation

JamesOakley's picture

There was one more thing in that WHT thread that I forgot to add in my summary earlier.

Drupal's reputation is tied up with getting this right.

If a Drupal newbie comes by to try out Drupal, they will assume that the recommended hosts will be the ones that offer the best experience of Drupal. If they then try using Drupal on one of the recommendations, and find it slow and unwieldy, they will assume that the host is one of those on which things should work well, and therefore that the fault is with Drupal itself.