Thursday, May 1, 2014

2006 Called and Wants its Apache Config Back


Upgrade Apache, stop using Rewrite Rules and go back to ProxyPass.


This is a quicky but hopefully it will save someone else from my pain. We upgraded our apache instance from 2.2 to 2.4 in the last few months (with some, but not a ton of pain). The biggest change IMO was the way permissions work, moving away from Order allow,deny syntax and towards Require syntax. I followed the upgrade guide and everything started normally and Rewrite rules were all good so I did the lazy admin thing and wrapped it up.

My papertrail alerts notified me with this log, on a completely blocked off site:

Sadly, this error is actually just a canary. I discovered that someone in Poznan [1] has been using our server as a Proxy [3]. Guh.

I validated this by setting my browser proxy for that subomain on for our http, not https domain (https didn't work) and then attempting to browse the internet [2]. Which worked. Moar guh. You could see in the logs that I was using our server as a passthrough, which is bad juju. I have no idea how or why, since we have ProxyRequests off and we were using rewrite with [L,P] and I was set on a traditional tried and true recommended Plone rewrite method. I used ProxyPass rules then I could NOT use that server as a proxy, but if I used Rewrite with [P] then I could.

I honestly don't understand 100%, but it has to do with the fact that Require all granted is needed to get to the rewrite rules, and because we are using apache like a proxy using Require all denied and then Require local just doesn't work (tail the auth logs at trace3 and you'll see something like client denied by server configuration: proxy: where that proxy prefix makes things "not work as expected"(tm). The docs recommend using mod_remoteip to get around this limitation but I tried unsuccessfully many variations of this and just got nowhere.

During this long ass investigation, I also learned that using rewrite rules are not the recommended way to do things anymore anyways and furthermore are less performant because rewrites don't use Apache's worker pool. That's obviously no good.

It would be easy enough to fix if we didn't have a lot of domain shit going on (who doesn't these days), which turns out to be pretty annoying and hard to resolve. I come to you with this config snippet, which should for just about anyone who wants to update to 2.4.

If you use puppetlabs apache module this will look like:
I still have not figured out a sexy one off solution for managing multiple subdomains this way and rewriting them to plone sites so you would need to rely on your trusty musty config management tool to do that for you (which you are using right???).

I know I usually use this blog for more definitive advice but this is actually NOT one of those. I am extremely surprised at the ease which I set my own server up as a proxy and the pain it took to undo that. This post is part alternative method, part warning, and part documentation as to why I'm switching over from Rewrite to ProxyPass again.

[1] To do this, look in your apache access logs and then perform a whois on the requesters ip.
[2] You can also do this with telnet, but I got mixed results that way. I found the browser was just easier to jerry rig the test case.
[3] Note that this doesn't necessarily mean that your server is compromised, but rather that some baddies can proxy through your servers and do baddie things.  More importantly, your service host can find out and slap you with something if you are lucky or suspend your sever if you are not. DO NOT FEED THE BADDIES! Unless you are a sympathizer. Then honeypot up!

Friday, October 18, 2013

Team Modernize


Have you wanted to contribute to a major Plone release but felt nervous or perhaps feeling a bit like you don't have the chops (aka impostor syndrome)? Can you spare a 1-4 hours? Have I got a deal for you!


It has been a VERY busy summer and I may have disappeared for a bit to actually make money but I'm getting back into the swing of things and rediscovering a PLIP I proposed, thanks to some lovely nagging by @bloodbare.

 In one year, many things have changed and Plone 5 is real. We started at the Plone conference in Arnhem and things just lagged - MY BAD! The problem with this PLIP was that it is a bit overwhelming and I just couldn't get motivated to continue. To be fair no one else did either because its a mega poopy task. It was difficult to track and the branches were dizzying. Lucky for us all, we can move forward differently in a way that is a bit cleaner.

I have carefully broken apart this PLIP* into a lots of tiny little pieces. Each task should be around 1-4 hours. Some may even be shorter than that. If you want to help with this PLIP all you have to do is:

  1. Get the Plone 5 buildout running on your machine. This is the master branch (it's so exciting!). If you have not signed a contributor agreement yet don't let that stop you. Send it my way to and we will get you started.
  2. Accept a ticket from the list of baddies. Some tickets are literally just "Delete these files and make sure no tests break". Yep. Get those before they are gone!
  3. Modernize like mad
  4. Run test cases locally
  5. Commit the changes and make a pull request. Make sure to indicate the ticket number in the request. The pull requests go to master branch.
  6. Make sure to followup with jenkins and the other robots to verify you didn't break the build. In theory they actually yell at you!
  7. GOTO 2**

And that's it! For your help you will get:

  1. My undying admiration and appreciation
  2. A chance to participate in a major open source software release (very cool stuff)
  3. Upon Plone 5 launch, a t-shirt, laptop sticker, or fez celebrating the release of Plone 5 and indicating that you were a core contributor in the decrufting of this bad boy. ***
  4. The chance to save that dirt old feature you love, or remove that buggy old feature you hate
  5. A chance to go through the pull request cycle with a group of people who are committed to be very sweet while giving you code review and pointers. What other PLIP can guarantee that???
I am here to help through the whole process. If you are interested and still don't know where to start, just find eleddy on IRC and I'll walk you through it. These tickets are a once in a lifetime way to get involved in a major framework and a major release.

I can't do it alone, Ploners. Together, we can decruft this bad boy all the way to Plone 5. 

* There are indeed still some tickets remaining to be made and I promise I'll get to those soon! That doesn't mean I don't need help now!
** or not. Seriously, if you just picked one ticket I would still jump for joy!
*** I promise to think of something clever

Friday, June 14, 2013

Operation Flawless Login

No booze, no caffeine, training,
bad wifi, jetlag, and 100+ users
on every type of device under
the sun who couldn't reliably
log onto the system. PAIN.
I was going to do the whole play it cool thing and wait 3 days for the next post but I am just so excited about this new "blogging" trend. I'm hoping to make it a Friday tradition (preceded by 2 cups of drip coffee and followed by a nap).

One thing I'm super excited to start working on as part of the migration away from cpy/cpt is redoing login. As far as Plone goes, you are likely in 1 or 2 camps: 
  1. Works fine for me!
  2. Rot in hell you !@#$ old code
I suspect most of you are in camp 1, or just have no opinion whatsoever so I'm hoping I can convince you to jump over to camp 2. Most of the following was originally written with an intense amount of pain (see photo) so if it seems like I'm shouting at times its because I was: I probably qualified as temporarily insane. Here we go!

Ryan Foster (@dextermilo) recently proposed this beautiful, simple, login page for a client which has all css/js/etc embedded making it load very fast (1 template + logo). Tell me you don't want this login page HARD. I know I do.

Login as a First Impression

For sites that are completely blocked off by default, login is the first experience with a new system/site. For anyone who is invited to a system, its the same case. In fact, I would argue that a seamless login is the most important introduction to any web based system. It should be flawless. Absolutely flawless. 

And this is where "we the Plone" fall flat on our face. A sampling of the issues, mostly focused on the ones dear to my heart at the moment:
  • The login, registration, password reset pages are too slow from relying on a framework that it doesn't need, causing more complications with frustrated users. We can't login 100 people at once even with load balancing. Trainers around the world know exactly what I'm talking about. How can you ramp up a system that people can't login to fast and accurately?
  • We are 100% not ready for mobile. There are some issues with random phones that we will never be able to address but we also need to catch up with HOW people use mobile devices. The best example is the shitty network experience. What happens when you click on a  registration link and the network goes out before you can complete? You go back to the email invite and RE-CLICK. But wait… whats that? Plone only allows you to click once and the link expires? 1999 called and wants their user restrictions back. 
  • The messaging/wording of invite and password reset emails is robotic and offers no indication to what the user just signed up for or were invited to. They get the email and have questions like "Wait, so how to I get to the home page?" and "What is my username?" and "Who is admin?". If you have signed up for basically any service at any point lately I'm sure you know what a great invite email feels like.
  • Testing? What's that? 
  • Have you seen this code? I mean seriously (WARNING: NSFW) look at that shit. It's 10 years of whacked out random bug fixes that no one has any idea if its ok to rip out or not. Its 20+ different files spewed throughout the code in portal_skins style that requires a diagram the size of my kitchen table to print out. Bugs languish in the tracker for years because everyone is terrified to touch it. It is officially unmaintainable code. Don't get me wrong, it was great in its hay day. But I'm sorry, it's time for us to go our separate ways.
  • Customization. Ugh. Enough said.
  • There is no OOB way to block off a site.
  • and so much more… I don't have time to list them all. Have a favorite login gripe? Comment below!
Summary: It's a liability to Plone and more importantly my projects, and my job these days is to minimize liability. I'm coming for you login!

Battling the login monster one head at a time takes too long. Instead we cut out the heart, then roast the heads in olive oil for 8 hours, top with a dollop of creme freche and a sprinkle of truffle oil. Serve immediately with a spicy Triple.

I Love You but I've Chosen Rewrite

In good faith of open source complaining, I am determined to help fix it. In fact, Matt Hamilton has already agreed to help and get this handled and I secretly suspect that he has more deep down pain than I since he is taking off with it and already planning a quick weekend sprint to kick it off. Are you one a member of the login burned? Help us out!

Here is a brain dump of the things I personally want to accomplish with login rework:
  • Login gets dirt fast. It should handle 100 simultaneous logins on 1 site, 1 box, standard hardware. I want to say 300 but 100 is a good target and we can't have mass training sessions without this. I think a lot of the other options can help on this. I am tired of pointing to caching as the solution. There are a lot of transaction issues in this but we have to start somewhere. The skeletons oh the skeletons!
  • Stop basing on main template (this also applies to 404, 500, etc). If a site is closed off and resources were just recooked, thats 20+ resources the browser has to load and thats the immediate impression for the users. Get this down to less than 3 files (a login splash type thing, ideally 1 page with embedded resources). Ability to customize VERY easily (diazo?) but more importantly having a good default. 
  • Mobile. Responsive, quick. Avoid redirects at all costs and where they are make it sane. I recently saw password reset on initial login fail on a variety of mobile devices. We are doing something wrong/old school/something. 
  • Integrate iw.rejectanynmous to core. 
  • Sane invite messages. Default system invite messages are horrid. They don't have site urls, nor indicate the username or who or what or… anything really. Ideally this message can be customized TTW (e.g. welcome to the site. this is our new intranet and I want you to use it like x,y,z your login is x the url is y and I am your new overlord)
  • Forgotten password. Oh god. Expire on click is a disaster, and the methodology is generally buggy.
  • Tests. Tests everywhere.  I want robot going crazy too.
  • Security. Lots of it.
  • Login/reset/all forms rewritten as z3c. This allows us to extend and add things like site agreements. 
  • Simplicity. There are too many options to be sane at the moment. We need to not even look at the code, and think "what do people REALLY need to configure in login" (especially that can't be done in PAS). We need to worry about our 80% use case first. I will be rabid about this. Login, login, login. And that's it. For now.
  • Rip out openid as it is. A simple pluggable solution is the answer to proper integration.
  • Default captcha for open registration.
  • Integrate some of the login api work that has been done. 
And on my "after that is done" wish list:
  • Must reset password is weird and has never worked properly as I have wanted it implemented. The ability to expire passwords from some control panel has been on a wish list for many clients over the years. Time based expiration as well. That works, not that is a hack into the current whacky code base.
  • Tracking for site admins. Who hasn't logged in in 2 weeks? 1 month? Who has NEVER logged in? How can I make sure people are actually using the site? What kind of data do we need to capture to answer security compliance questions? We can't hide behind LDAP integrations for that forever. Also not first pass, but the ability to generate these reports must be considered.
In the category of "really dreamy some day if I can find the time":
  • Plone as oauth consumer. It's 2013 and "login with Facebook" isn't going away. *sigh*. I don't know that this should be in core but the ability to do setup oauth is HAWT.
  • Plone as an authentication provider. 
We are ripping out portal_skins piecemeal so that we can get the new stuff out to integrators ahead of time to test then merge it back into core for the release. Login is its own package, plone.future.login and anyone is welcome to help the rewrite. The theme is release early, release often, simple, fast, extensible.

Easy enough right?

Tuesday, June 11, 2013

PSM 2013 Days 1-4: Everything you Never Wanted to Know About Plone 5

My, my, my it's been a while Ploners. I deeply apologize for lack of communication on my part and my only excuse is laziness, impatience, and hubris.

How does one sum up the realization that communication in the Plone community has hit rock bottom? One can't. So this will likely be the longest blog post I ever write and hopefully the last one of this length. Anyone who has ever said they get pissed that "we" don't communicate will leave this post with sincere regrets about asking for more info. If you are lucky I will put a TOC on this manifesto, but don't hold your breath. It's technical, it's marketing, and everything in between. Grab a cup of coffee and join me on the 7 day adventure that was Plone Symposium Midwest 2013 (PSM13).

Technical note: unlike certain content management systems like Plone, blogger does not have pull quotes. I'll do my best to mimic them for you lovelies, but I'm limited here. 

Pre Sprint

Pre-sprinters at the park
 PSM13 was kicked off by a pre-sprint. 10+ of us rolled into Oshkosh early, with the intention of focusing on the portal_skins removal plip. I arrived a day later than the usual suspects to see that things were already kicked off on redefining the javascript integration story for Plone which generally distracted us from the goal of coding for and drove most of us to the overarching question of...  Seriously, can we define Plone 5 for real and really mean it?

Plotting, coffee, arguments, persuasion, a whole lot of momentum, and 2 days later, a document was born. That's right folks, its in writing, and its happening. Get ready.
Alanis Morisette InterludeThis may seem like a very trivial document folks, but I assure you its one of a kind. Not only does it list what we plan to do, but it even has marketing reasons and measures of completeness. Get your lottery ticket now. Book a flight to loch ness and prepare to capture sasquatch. This could never happen again.
I'm sure you don't trust us, and considering that the first talk of Plone 5 like things started in December of 2007, I totally understand. Why is this time different? First, all of these features are already in progress, and in fact many of them are complete. There was talk of a 4.4 release and that is likely hitting the wayside in exchange for the opportunity to make many overdue, much needed improvements (read:change is coming). 
This Time, in the Key of A MajorWhat is a major release? A major release is an opportunity for us as developers to break some backwards compatibility in exchange for overdue large infrastructure upgrades and extra fancy new features. These changes affect highly customized sites the most so if you are running stock Plone, chances are that you are going to be A-OK. In general, we do our best not to break anything for ANY upgrades but some changes can't be avoided. Hence - major release!
Second, we reached out to integrators at the conference, business people, developers, etc to get feedback. What you see documented is by no means final, but rather a general consensus of what generally sounds reasonable to cut a major release. Think something is missing? Submit a PLIP NOW. Not sure why something is or isn't there? Ask a question in the comments and I will gladly explain. The posted document has open comments and if you want to have access to help us gather collective business reasoning, just ask.
Deco vs Collective.Cover or How I learned to Stop Hating and Start WAITINGOh dear. This was very much debated, but you'll notice these are both omitted from Plone 5. If we were to include either one of them, there is a good chance the release would be delayed even more, and both technologies have some serious technical issues before they can really be integrated. In addition, it was crossing the line of "maybe too much at once". They can still both be used as ad ons and I encourage the continuing development of both.
Third, we realized that the basic changes present a need to prepare add-on developers and integrators for the set of changes that are coming up. We need to get the community on best practices NOW so that the shock of Plone 5 doesn't hit us later. Almost all of the technologies and framework to make your custom integrations and add-ons compatible with Plone 5 are available for use TODAY. However, modern best practices are not documented well, and we realize that the success of Plone 5 relies on people upgrading their Plone 2.5 habits to modern development and integration practices. Documenting these best practices is at the top of all of our lists and we will do what we can to make sure that you aren't shocked. 
Tough Love InterludeI know integrators, it's hard to change old habits. But, progress demands it. If you are particularly concerned about a change to the infrastructure and how it will affect your deploys, we will be putting together a FAQ to go with the release. Start asking here or on the PLIPs or on the Plone 5 document. We'll make sure that you're "story" has a translation. We aren't ask you to go back and upgrade all sites, just that you become familiar with modern Plone practices and start off new sites with them. A quick list:
  • Theme with Diazo
  • Use z3c.form for forms (not formlib)
  • Don't make CPT workflows (not like you wanted to anyways)
  • Use BrowserViews not portal_skins. Once you start, the fun won't stop. 
  • Stop making custom archetypes and use Dexterity
  • Think about your reliance on z3c.jbot: in theory that is a task for Diazo these days. UPDATE: People are bitching about this statement. I don't know what to tell you. I prefixed it with "in theory"  and a little "Think about" because I have never seen a need for jbot myself. That's right, I have never used it. I'm sure it's great, but my general thought is that it is a crutch for a more real problem that needs to be solved. This is not part of my expertise or something I care to fight about or elaborate on so here is my advice: do whatever you want. This blog post is not here to prevent you from thinking.
Fourth, we have no BDFL or dominant company at the moment to drive development and set a roadmap (and we are excited about it). Many historical leaders and companies have moved on to different places in life. All of the statistics show the community moving to a less centralized development pattern and at a faster rate (more on that research in a later blog post). When you see the data, you'll get tingles I'm sure. This means that we need to coordinate differently and make decisions differently.

Because of this, we realize the need to reach out for help to hit this vision so here is your ample notice and opportunity for all of the community to help us reach this goal. We aren't the community that can lock Martin Aspeli in a room and expect Deco to pop out a week later anymore. We have to be a bit more deliberate and communicate much more clearly. Someone said "failing to plan is planning to fail" and I almost spit out my beer. Fuck that shit, I'm planning to kick ass.

In particular, we are reaching out to companies to help us support this vision by offering resources to help out a particular PLIP. For example, SixFeetUp is offering QA time for new features like and Netsight is interested in helping get the Plone login story fixed (with one of my clients also having a vested interest). Please check out the story and ask your boss, clients, etc if there is some way that your company, institution, whatever can get behind a change and help is make Plone 5 better. I'll update this post with anyone who pledges to chip in!
We Need Marketers, not DevelopersOne thing that you will hear more of as these blog posts start pouring out of my butt is the notion that we aren't really suffering from lack of developers. We can always use more of course, but what we REALLY need are people with "soft skills". We need people who can start getting ready to market and push, who can make campaigns, and translate developer speak to business leaders and decision makers. Got some of those lying around? Contact me and we'll take advantage of them tomorrow.
In summary, Plone 5 is happening this time because we now understand the importance of communicating with all of you NOW and not after. All of us have promised to blog, talk, and communicate more. In exchange, we are asking for your help. Help as developers, integrators, and most importantly, business people and marketers. Key contacts are listed on the document and hopefully each leader will write a post explaining the change and what it means to you. When in doubt, just ask them.

Which is a perfect segue into my personal vendetta Plone 5 project: removal of portal_skins.

Goodbye CPY

Wildcards fantastic home brew
At the Plone Conference in 2012, I started working on the removal of cpy/vpy scripts. It's been slow and I confess I haven't dedicated the time I wanted. At this moment I think its for the better because there have been some realizations in the meanwhile on the right way to do this.

Initially I was focused on only upgrading cpy/vpy scripts but have broadened the scope to idealism in the way that only a masturbatory developer could: Down with portal_skins!

Now before you freak out, let me say that YOU, integrator, developer, all around good guy can still upgrade your plone product which uses things in portal_skins. However, my vision has a portal_skins free Products.CMFPlone. Everything that is there will be moved into plone_deprecated and you can let acquisition be all magical and do weird stuff still. In addition, your custom skins and what not will still work (there is no guarantee that this will still be the case in Plone NextBigRelease though). However, a major goal of Plone 5 is to return core to represent the current best practice of developing in Plone

And now the most important question: WHY? portal_skins are part of this notion of acquisition. Security and performance reasons have show us that maybe this isn't the best way forward. In addition, modernizing the underlying framework relies on us moving beyond this notion. But wait, there's more. Most of that stuff existed before test cases were culturally enforced. The code is untested and intricate, so people are terrified to touch it. We can't fix bugs on files that everyone is afraid to modify. It get's better. Customization of page templates in portal_skins is shotty at best. It doesn't survive upgrades. Moving all forms to z3c.form gets us on one form technology that can be plugged and extended, and should survive future upgrades much better. Last but not least, times have changed. Resources like js and css shouldn't be managed in the registry. Anything bigger than a small site should be compressing with modern tools and hosting in a web server and/or a CDN. We need to recognize that the industry standards have changed and we are behind. Time to play a little catch up.

Moving all of portal_skins is a much larger task and this meant changing the approach to the change. At first it was a branch on Products.CMFPlone but I had a couple of realizations that led me to believe that the majority of changes should actually be done in a new package, which will then be merged back into core at the end. I'll bullet point the reasons since I'm running out of transition words:
  1. Constantly merging back in changes in every package made me want to throw my laptop out of the window. Git has been merging like a dickhead lately and I had several errors from that waste a lot of time. 
  2. I want these changes for my own projects. Yesterday. I am willing and have the capacity to put them in live sites. Mostly performance reasons, but also integration pain points. I suspect other people do as well.
  3. We can document and keep track of the effort in a more sane matter. When merging in commits I was losing track of the W5H of what happened because this is such a long ranging project.
  4. Integrators and add on developers can pull the changes at any time and see if their shizzle works.
  5. We have a lot of test cases to write. I'm emotionally tied to this thought that we can start fresh and outside of core will just seem more approachable.
All changes will go into plone.future.* packages that will be grouped by general integration points.

Grace Lim, the Plone Ranger
People will be able to grab them at any point. At the moment I see these as:
  • plone.future.formscripts: All of our core actions like a add, move, delete, etc.. are on code that hasn't been touched in YEARS. These are things that are highly unlikely to be uncustomized. This also includes control panel forms and their conversion to z3c forms. I can't imagine that most people can't start using this as soon as a release is cut. At first it will be just a few scripts and I will cut releases after each new thing is added. Ideally we can get these out in the wild, slowly, before the big bang.
  • plone.future.login: Oh god, login is worth a whole blogpost at least this length. It can't be approached in the same set of changes with any sort of sanity. 
  • plone.future.resources: Plone 5 will have a new diazo theme so this won't affect you. Old themes will still work, but if you have properly based your site on Sunburst, then you have the OPTION to use this package, which will contain 1 properly minified js file, 1 properly minified css, and various icons moved out of portal_skins and into resource registries. I know I have several sites that likely won't redesign for a while and will benefit immensely from this. 
In order to smooth this transition and to allow you as an add on developer and/or integrator there are a few other things that I intend to include:
  • A script to scan a directory of code that issues warnings for usages of things that have been deprecated.
  • A script to scan a directory of code that issue warnings for all plone.future references once the packages have all been merged back into core.
  • An intense upgrade guide that matches said warnings and indicates old school vs new school ways of doing things.
  • Tests, tests, tests!
Ideally each one of these items is updated AS the feature is removed to limit the last minute documentation work. I'm in the process of using cut, copy, paste, delete, and rename as an example and setting up this framework, after which I'll start cherry picking work that has already been done and calling for more help. The hard work and dedication that went into plone.api has been inspiring and its my hope to walk away from what could be a tedious task with an immense amount of pride. This is a chance to fix a whole helluva lot of things.

Overall, a pre-sprint was the best thing to happen to a symposium/conference since reliable wifi. 


When you thought this blog post couldn't get any longer, it did. It will continue to grow until you all REGRET  knowing what's going on. Should you have made it to this point, obviously you haven't learned. 

It's like the city of Oshkosh just knew...
Being on the Plone Foundation board has been fruitful this year, and I'm super ecstatic about the push to spend money on sprints and kickstart this Plone 5 process. I was so excited in fact, that I gave a talk about it. With that victory has come a little burden to bear, and that burden is a bear by the name of "fundraising".

In order to dump money into sprints this year, I promised to raise the money we dumped for next year, so we can do the same thing. Turns out that I am a TERRIBLE fundraiser with a serious time deficit and intense lack of skills. Enter Jason Lantz, who gave a talk on how he built a fundraising platform on Plone for the innocence project. How disgustingly appropriate! After spending a full day hashing out ideas with him I realized how little I knew about raising money for non-profits and how much beer I will owe him the next time we meet up.

He has been a community lurker for over 10 years and is very excited to help us, the good people of Plone, get our fundraising shit together. His work is open and he is working on repackaging the add on for use by everyone (if you are a non-profit and you are interested, head over to github to see the progress). I am excited to work with Jason and in addition a whole new team of people excited to kick off fundraising efforts. Expect to hear more from us on that later and remember: you don't have to wait for a fancy donation website to support the foundation. Go to to help out now. The money that you donate is going to things like bringing K.K. Dhanesh over to Oshkosh from India to sprint for the first time!!


I've hinted at the severe lack of communication that goes on in Plone and we have lots of people (including myself) that have vowed to make this a little easier on people. This includes but is not limited too:
  • Eric Steele, Rok Garbas, David Glick, and myself vowing to blog more. Twitter has killed the blog and we need to go back to putting complete thoughts and ideas on paper for those that can't explain MultiAdapters in under 140 characters. I encourage all developers to get back to the paragraph.
  • Eric Steele will be trying to get together a regular call of team leaders, which will be attended by Rose Pryune who will act as a translator and post back to the community. 
  • A revamp of the marketing team to be led by Eric Rozeboom. There is a lot to be done here and I'm sure he will post a wonderful plan soon and start recruiting. I know in particular that I am looking for someone to help us better utilize our adwords account. Know someone???
  • Heidi Reinke of UW Oshkosh College of Business has volunteered to have her marketing class for fall semester take on Plone as a use case for marketing. I can't wait to see what she comes up with and if you get contacted out of the blue by people doing research - don't be shocked! 
And look guys, its in writing. No backing out now!

Lots of talk about communication led to some solid realizations on all sides. Developers don't like to communicate in lengthy posts like this and a lot of "translation" gets lost because of it. Forcing people to write docs is, however, not the solution. The oral interview is MUCH more effective and we have to spread that word. Want to know what's going on in Plone? Don't wait for a blog post. Ping a core member, ask them on a call, and write up a post for everyone else to consume. 

That Stinking Contributor Agreement

In addition to being a Plone Foundation Sponsor, hosting a kick ass pre-sprint barbecue complete with home brew, and maintaining several high quality Plone plugins,  Talin Senner of Wildcard Corp has volunteered to help us finally kick this long standing issue with the Plone Contributor Agreement. I am eternally grateful for them picking this up and rolling with it since it was making my head spin and I was dangerously spread thin.

Mailing Lists

We REALLY need someone to put a nice front end on mailing lists. The lovely Heidi made a statement along the lines of "why would i use plone? signing up for the mailing list makes this software look like its from 1990". OUCH. Interested? Ping me. We just need a initial UI into the basic mailing lists. 

In addition, we should think about making plone-accounce a mail chimp list, considering that:

  1. The UI doesn't suck at all
  2. It's for communicating out, not within

I'm Running out of Steam

I didn't even get to talk about Grace Lims video project for coders and their kids, the Plone Ranger, the packages that were released and the intense code sessions, the work on EVERYTHING from coredev docks to mock, realization that we need help with adwords... oh god. That's another 6 hour plane ride of info. For now, sleep.

More sprint reports at:
Followup Awesomeness:

Saturday, August 25, 2012

Plone South America Sprint Report: Day 1!

Holy Moly! Plone Symposium South America has been amazing, and the strong local community really shined through today at the sprints. I usually don't do these report things but I'm just so golly proud I'm going to gush about all that got done today at the sprint that has no name!

Fun Facts:
* 18+ new contributor agreements already
* 6 people made their first commit to Plone core today already. Many of these people have been plone users/integrators for 5+ years so I'm really excited to get their input into core going forward
* Plone has an amazing community in South America that takes names and kicks ass
* Only 2 machines had buildout issues and both were resolved in under 10 minutes. That has to be some kind of a record.

plone.api gathered even more momentum. A sampling of what got done:

 * closing open tickets and adding several new methods
 * update error reporting so that errors are useful
 * support for localized documentation in sphinx
 * tests for dexterity support
 * code for granting roles locally and globally

plone.api.json was born and core implementation completed. Testing, docs, and hopefully a demo will be worked on tomorrow.

The Plone TODO tutorial is almost done. We did a coding dojo with 6 people, 3 of which were php developers, to test the documentation and find holes. It could use a couple more passes and some refining but please check it out and report bugs there! It is fully tested, and will be guaranteed to work with new releases of Plone.

Internationalization of buildout.coredev docs into Spanish and Portugese has been started and a LOT of progress is made. It's become very clear to me personally that getting started in Plone has been hindered for a long time by assuming proficient knowledge of English. If anyone is looking to translate key docs for the coredev buildout and plone.api into a local language, please join us in #sprint tomorrow or just holler a bit and I'll find you.

Plone IDE debugger has been fixed and now working on integrating rope.

In addition we got several major bug fixes from for, excellent support from Interlegis for wifi and a place to crash, and super yummy pao de queijo.

Who knows what will come of tomorrow. Having a boring weekend? Join us in #sprint!

Monday, May 7, 2012

Plone Contributor Agreements

This is an open letter about my frustrations with the Plone contributor agreement process. I have tried many times to discuss this in a private setting but I feel no movement and have resorted to stupid antics like writing open letters as blog posts. This is my last effort to push this forward.

Dear Plone Foundation Board -

The current state of the Plone contributor agreement process is abysmal. It is careless, out of date, and undocumented at best. Don't worry, I am not talking about e-signing. We all gave up on that. I am talking about simple things that make me want to go postal. If the developers in #plone can get it together and be nice to newbies, you can do the same.

The steps to make it sane are trivial:
  1. Update the agreement. Get rid of the stuff that no one fills in and the fields that you will never follow up on (e.g. "Please write your physical mailing address here, so we can mail a physical copy back to you." Ahem...). Every time some one fills this out at a sprint, they ask what "Program" is and I always respond with "Pretty sure it's Plone... I think...". I also have to ask them to add their github user name and put it somewhere on the bottom (or I forget then have to contact them later).  Other gems in this legal document include: "If you have any questions, or would like something to be changed, ask [Plone Foundation Contact for Assignments Email Address] via email." In its current state, the agreement is a joke. Please spend 5 minutes and update it.
  2. Update the documentation for new contributors. From our communications, I understand that scanned agreements can be accepted. Maybe you should write that somewhere since everything now points to snail mail (used to be a joke, now just sad). You could also have an email address set up so that it doesn't take 3 emails to find out who "gets the agreements now". You could set up one email, such as, that redirects to whomever is in charge of the agreements at the time being. They could even answer questions and you could update certain documents to have contact information once and never have to update it again. Related: internationally mailing agreements is cruel and unusual punishment. 
  3. Update the documentation for superusers. I have run several sprints and have superuser access to everything needed to make things work. I try to do the right thing but I constantly feel at risk. Let me count the ways:
    1. When triaging tickets with patches, I have no idea which people have signed an agreement and we can accept the patch and who has not. This is not fair to me OR the poor ticket reporters that I pester asking if they have signed or not. 
    2. During virtual sprints, such as tuneups, I often spend time recruiting people to send in their agreements. Does this count as a normal sprint? Can I give them perms once I see the agreement? No one knows the rules. Write them down, please. 
    3. Similarly, there is no list of who has and who hasn't signed the agreement. It would make my life so much easier if I could just validate that. People forget if they signed it in the past and then its a whole debacle. Keep in mind that as a sprint host, I am the one who has to answer questions about whether or not agreements are received or what the status is and can they have permissions yet. 
  4. Be responsive. When people sign agreements, especially mail it in, its because they have something they want to commit. A one month turnaround time is horrid. Motivation is a fleeting thing. Furthermore, please don't make people open a ticket for core access in trac. It's annoying. If you get their github username upfront in a certain document, you can just add them. DONE.
  5. Bonus Round: Follow up. How about a nice welcome email? Maybe a link to instructions on getting the buildout going and how to fix tickets? This can be very easily done with a mailing list which could then be used to send updates like "hey contributors, we moved from svn a year ago" instead of people opening tickets in trac. 
In summary, I'm asking you to give a shit about this poop stain of a process. It is a frustrating, out of date introduction to the Plone developer community and we deserve better.


PS. Have word processor, will edit.

UPDATE #1: The email exists! It's If your agreement is in limbo, email them today and ask whats up.

Also, apparently we technically don't accept scanned documents yet. I hear conflicting things so at the moment I guess just... no.

UPDATE #2: There is a list of approved contributors at Quick, everyone click it and watch crawl! It's a half solution since it doesn't actually list the trac username for quick search but at least it's something.

Wednesday, August 24, 2011

Talking about Talks

When we started planning the conference I intended to blog about EVERYTHING as a form of documentation. Whoops. No time like the present to catch up!

Without a doubt, setting up talks has been the most time consuming process in the conference planning so far. I want to shed some light on what I did this year, why it took so long and why it was so painful. This will give me some much needed catharsis and I would also be interested in hearing your feedback in the comments or elsewhere. The goal is to provide a solid, pain free template for next years organizers and for anyone else planning a conference in the future.

The Plan
The plan was simple enough: setup a Google moderator account and get feedback on what people want to see. Everyone who is planning on submitting will vet or obtain ideas there. Then, have people submit the talk to the website with their bio and their talk (which will be magically normalized of course). The netsight product will take care of voting, scheduling, and display. Clean hands, everything automated, go to the pub.

The Reality
Google moderator worked "just alright". The main issue was that most people thought this was the talk submission process, and were pimping for votes SXSW style. This made it super confusing when we actually asked for talks to be submitted. Nonetheless, feedback was gathered and there were a lot of interesting ideas thrown around. 

Talk Submissions
Our "plan" did not include validating what was done last year code-wise ahead of time. We didn't realize that no permissions were set up for an open site, and everything was completely customized for Bristol. We never got logins integrated like we wanted either. Whoops. Deadline and pressure was mounting so we threw up a Google Form. Enter stage left: the vile mistress Regret.

Immediately we realized that people couldn't edit their submissions after clicking submit and started emailing us changes instead. Also, people had to triplicate their bios and many of them said things like "see other bio". This was not really fair to the submitters or us. At least the form looked nice, was embed-able, and I could add fields as people reminded me that I was missing important things like email address and first time speaker status (thanks to all those who took the time to send feedback - this is all now documented for next year). Totally not worth it though.

We decided up front there would be no extensions so that lit a fire under us to make sure people submitted (I personally get annoyed by our "deadline extended!" community habit). The post for talks went up and they start coming in quickly. At 3.5 days and 2 rooms, we were looking at around 65 talk slots to fill (not including related technologies track which was organized a bit differently). There was a big bump in submissions at first but then things started to trickle down to the point where we were nervous wouldn't reach our target number of talks. 

So we set up a raffle for a free conference ticket and doubled newbie chances to win. This went REALLY well, and encouraged people to submit multiple talks. Later, this gave me the opportunity to pick the strongest talks for a particular person and not have to turn down a great speaker that just picked a bad topic. This gave us plenty of great talks to chose from.

The other thing that happened is that people didn't believe the deadline was real and/or missed it. Some people submitted by email. Others by Google docs. Some talks were "implied". This process went on far too long. To give you an idea what I was dealing with, here are talks to format stats:
  • Google Forms: 72 (4 were submitted late)
  • Google Docs: 17
  • Email: 4 (2 never responded with bios)
  • IRC: 1
  • Chat: 1
If I messed up your talk, I deeply apologize but hopefully you understand why things slipped through the cracks. This goes back to the earlier point on not being able to edit talks. Lesson learned. 

Once all the talks were in we had to import them into the conference website for voting (for those keeping count, this is the 3rd e-format for talks). It took a good 2/3 of a day to set up the styles, update the CSV importer and Dexterity types, and deploy. It was easy drudgery. At some point a unicode problem was introduced we couldn't have any authors or titles with non-ascii letters. By that point I said "f*ck it", ran the import, and asked for help in manually cleaning up the bad encoding. Many thanks to bdbaddog on that one. This could all be avoided in the future.

Voting again was somewhat confusing since "we already voted". The controls aren't super intuitive but luckily they were the same as last year and didn't require authentication. All the reports were already there that I needed and people seemed to figure it out just fine. I will mention that there wasn't a single surprise result in there. Everything lined up just nearly exactly as I thought it would. It did give me numbers to work with for scheduling, which was a huge benefit (technique will be described below).

After all the votes had been cast, I stared at the computer for at least 2 hours thinking about where to go next. No matter what, code had to be updated (last years schedule was a hard coded html template) and it would be nice to make something reusable but I wasn't sure if it was possible in a timely manner. I looked at a couple calendar integration tools but none of them played well with the Dexterity type we were using. In the end I resorted to notecards and giant blocks of paper.

Process pseudocode (maybe someone can code this up for next year): 
  1. Transfer talk title, speaker, and vote count to postcards (format #4). If the talk was 45 minutes, leave it fill size. If it was 30 minutes, cut it in half. Talks go on 1 of 4 colored postcards: All, Beginner, Intermediate, or Advanced. This refers to level of development experience needed to see the talk. This was the easiest way for me to think of preventing talk conflicts. Note: I read what the speaker claimed their audience was but 9 times out of 10 there was a discrepancy from what was claimed and what the extended talk summary said. In those cases, I went with my gut.
  2. Sort each pile by number of votes. For each pile with too many talks, move the worst rated n talks to a separate pile. They aren't excluded, just removed from consideration until all the most popular talks are handled. Try to make all the piles an equalish size. Set aside 1/3 of the worse rated talks for multiple submitters for the same reason in a different pile. Talks that are almost exact duplicates get the same treatment. Side note: the person who submitted the most talks was Carlos de la Guradia at a whopping 6 talks!
  3. Draw a big calendar. I used some GIANT post it notes. Lay out the tracks and physically write in things that can't be changed such as keynotes, lightening talks, foundation meetings. Set up a plan ahead of time. I decided I would put "All" and "Beginner" talks in track 1, "Intermediate" and "Advanced" talks in track 2, and "Related Technology" talks in track 3. For each track I alternated between all and beginning, intermediate and advanced as much as possible. I pitted "All" talks against "Intermediate", and "Beginner" against "Advanced" as much as possible in attempt to avoid beginner/intermediate talk clashes. 
  4. Work in breaks and lunches. I went for a break or lunch about once every 2 hours.
  5. After getting all the super high rated talks mapped out and un-conflicted, pull in the reserve stacks and added them in by popularity and amount of space left in the track. Flex time talks really came in handy. The size of the cards fit perfectly for my mocked up calendar.
With this strategy, the hardest scheduling was the related technology track, since there would inevitably be clashes between the more advanced talks and those. When I had a conundrum, there was almost always a similar or duplicate talk in my backpocket that I just threw into the schedule at a different time. It took me a moment to get over the fact that there is no harm in having almost the same talk twice if they are both highly rated and well respected speakers: a conference schedule is not an ER diagram!

Last but not the very least was putting these talks in electronic form. I gave up on using the conference talks add-on as soon as I found After an hour of beer and wallowing over the fact that I should have used that from the beginning, I spent the next 8 hours adding speakers, talks, keywords, etc to the new site (format #5). There is an API but all of the talks needed to be keyworded, slotted, and mapped to users so I sucked it up and just hammered it in. So much for automated.

And the 2011 Plone Conference Schedule was born.

No one is paying me hourly to make decisions for this conference so I have a tendency to revert to geeky habits and "make" or "wrangle" things instead of searching the web for tools and starting there. At first I was fitting conference stuff in at the end of the day and making poor choices. Now I tend to block of entire "conference days" to help reduce the decision fatigue factor. It helps a lot.

There is also a natural tendency with the conference to just get things done so people "stop bugging me about it" or because "if we don't do this soon we are screwed". I can't speak for past organizers but I have a feeling it's one of the core reasons why there is no reusable conference framework despite all the years of the conference being around. Day job money always trumps conference "profit" [<-- hilarious!]. It really takes a solid effort and motivation to do the right thing for the future. Just writing this post helps keep me focused and remembering to reuse where possible, be it our own code or someone else's.

Suggestions for Next Year
  • Get feedback on whether or not moderator actually influenced talks this year before going that route again. I have a sneaking suspicion it didn't make that much difference. Instead, use feedback from THIS years conference to purposely direct the speakers for next year. You could also encourage people to submit multiple talks from the beginning and weed out the weakest ones later.
  • Beware of the seductive siren that is Google Forms. 
  • Do the raffle for a free speaker ticket again. In fact, give away several if you can manage.
  • As a potential conference speaker, please please please use whatever form was submitted and submit your talk on time. I highly encourage next years organizers to set and enforce rules on talk submissions. "Go here and do it by X or it's out". The favors and special considerations will kill you. They killed me, and I didn't even honor all of them I think. I don't even know if I did or not!
  • Use or something like it from the get go. Plone is not good for this. SCHED prints out nicely and can be print out and cut up for manual organizing. It is mobile ready. It takes talk submissions and has a voting process. It is everything. I paid a $99 fee to get an add free version. Totally worth it. If someone steps up to sponsor the mobile version, we will be even better off.
  • There are still some things missing with SCHED. Do your research before jumping on it again. I have already started bothering them for key missing features so maybe next year they will have their shizzle together more. In your research, don't forget things like: voting, editing your own profile and talk, multiple tracks and venues, mobile support. Bonus if you find ajaxy drag and drop and auto buffers for talks.
  • As far as scheduling, the alternate talk sizes was a slight bit more overhead but in the end it actually gave me a bit of play room and the ability to fill empty slots. I will be interested to see how that goes.
  • We set up a ton of mailing lists for speakers, sponsors, etc with mailchimp. At the end of the conference, don't let 2011 organizers forget to get feedback for 2012. We tried a lot of new things like variable talks, staggered schedules, related tech - all of them need to be evaluated and reconsidered for next year.
  • If you have a bunch of people working dev, make sure someone is NOT developing and can be a manager. We know this on contracts: don't forget to apply the same philosophy here. (If I say it enough, I won't let it happen again). The perfect example is when we started "integrating" Brown Paper Tickets into the site. Put a bunch of people super geeked to give back into one room and all the sudden you've integrated something that doesn't need integrated to begin with (thanks to Jon Stahl for bringing some reason to that situation before it got out of hand). I should not have been even trying to dev anything in this scenario - role mixing is like vodka and redbull: it feels awesome at the time but the aftermath often involves vomit. 
  • While Brown Paper Tickets is local and a bit cheaper, Event Brite is integrated into just about everything already. Mailing list tools, scheduling tools, etc all support importing users directly with the API. Something to consider.
  • Shouldn't "The State of Plone" talk be a keynote? We have a unique situation with space this year in that none of the rooms can technically hold more than 300 people (fire marshall Liz says they can). For the main keynote we rented out a space in the movie theater that is attached to SFSU. It will be awesome: you can drag your hungover butt in, eat popcorn and nachos, and get your mind melted. But it's $1000/hour. Yeah. Time to get in the movie theater business. 
  • Does that mean multiple tracks for Lightening Tracks and popular talks? No. We will be broadcasting live to overflow rooms in these cases. The crowd tends to thin out for these so hopefully we won't need them. We will use the preliminary results from scheduling on to decide which talks get overflow rooms in general. In those cases, we ask that people who are not actually paying attention use the overflow. You know who you are Mr/s. Email McYoutube.
  • My bio is weird - I didn't write one - what happened? If you didn't write your bio, there is a good chance that I did (under the influence of beer and exhaustion of course). Feel free to log in and change it. 
  • Can you fix talk X clashing with talk Y and move talk Z? Sure. If you give me the full swap formula and it passes through my "we can't do that because XYZ drama" filter at I'll seriously consider it. Also, please note that these will all be recorded so you can go back and watch something at any point in the future.
  • Will this schedule be changing? Likely. The general timeline is not going to change and key events will not move. Some talks may get shuffled here and there though and I fully expect some last minute additions/subtractions.
  • Wait, did you say reusing from last year? Yep. All the work we do on the site is open and started with an injection from the 2010 Plone Conference site code by Netsight. I encourage anyone who wants to change something to contribute at Little by little we can make a difference for the future. Hopefully in 5 years, everything will be easy peasy. Well, the tech part anyways. The dealing with people part needs its own documentation.
Many thanks to all the feedback, advice, and help along the way.  Feel free to comment below on changes, suggestions, etc.