[IMC-Tech] grant, small clarification

mark burdett mark at indymedia.org
Wed Oct 29 15:05:24 PDT 2008


Hi, 
Personally I also have a lot of questions about the proposal, which I 
haven't even tried to answer for myself (yet), mostly because my local 
IMC isn't involved.  Some of my concerns: 1) how would the 6-digit 
budget contribute to actual current expenses of the indymedia network; 
2) what might be the unintended side effects of "top-down" management 
of a huge tech project by a couple sponsoring IMCs along with possible 
external constraints from the funders; and 3) how might the project 
stifle or imbalance the current horizontal network of volunteer 
techies.

I think full answers on Toya's questions are missing in action so far, 
but I will give some of my thoughts, based on my own interpretation and 
limited knowledge.  At the moment there are only a few paragraphs to the 
proposal, and no details about project plan or budget, presumably 
because it's only at the first step of the process.

> 1. How this proposal will address data retention problems and the
> others examples of data security problems I listed above?

The only thing the proposal talks about so far is that at the moment 
many indymedia sites are using old more-or-less unsupported CMSs with 
spam problems and potential security vulnerabilities.  So a basic goal 
would simply be upgrading to a modern CMS that can securely handle 
posts (preventing cross-site request forgery, submission of unfiltered 
HTML files, spam floods) and securely render the user-submitted content 
(applying filters and so forth).  This is an area where Drupal has some 
good built-in facilities but also needs user education so the site is 
configured correctly.  So another goal would be to have what Drupal 
calls an install profile (in other words, initial installed modules and 
configuration) to ensure sites get a secure configuration.

> 2. How this proposal will address lack of hosting spaces, bandwidth
> and system administration  people?

I would really hope that a lot of the funds could be put towards 
hosting spaces and bandwidth.  It would be incredibly sad to see an IMC 
get a huge grant and just hire some developers for a year because it 
couldn't find any volunteers.  The system requirements are pretty 
straightforward (LAMP stack) and multiple sites can be installed on one 
codebase, so in my opinion at least it wouldn't make any of this 
worse for the participating IMCs...

> 3. Is there a way to build a geographically-distributed data
> redundancy out of this  solution?

It would be nice for the proposal to directly address this, at least 
making it a goal to come up with a proof of concept.  Drupal doesn't 
necessarily have good answers for all the classic problems that people 
run into when scaling web applications, like lag problems when you 
replicate databases to opposite sides of the globe.  On the other hand 
there *are* people building Drupal sites with load-balancing, failover, 
Content Delivery Network, and other techniques, so it's not uncharted 
territory.  There's a need for research and testing and documenting.

> 4. Who will be the maintainer  of this new solution? Update the code,
> look for security holes etc.

I for one would volunteer to look for security holes in any custom 
indymedia code out there but I certainly wouldn't need funding to do 
that.  What I would hope is that the solution reused and when necessary 
created off-the-shelf components that live on Drupal.org, relied on the 
existing solid community to report vulnerabilities, and made use of the 
Drupal security team to send out security advisories and the standard 
means to notify site admins that they need to upgrade a module.  On 
Drupal.org, each "project" (module or whatever) has one or more 
maintainers who are responsible and there's a process for others to 
take over if something is abandoned.  In other words, symbiotically 
take advantage of the larger community and avoid reinventing any 
wheels.

> 5. How could this solution work together with the new-cms project?

I need to read the latest summary on what's up with new-cms.  I only 
know some basics about the multi-layered system.  One idea would be 
that a Drupal CMS could act as a front-end for other network-based 
systems.  For example I developed a Drupal distro (in a day job) that 
functions as a front-end/client for a remote non-Drupal backend 
connected via webservices; this was fairly straightforward because 
there are so many "hooks" where custom functionality can be 
implemented.

To me the goals of the new-cms project are the kind of innovation that 
would really deserve a huge grant, in comparison to the Drupal proposal 
so far.  Although at this point you can go back to the top regarding my 
initial concerns about the grant...

--mark


