Feed aggregator

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable

Slashdot -

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor.) Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000.
At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.

Read more of this story at Slashdot.

Walmart Unveils 'Store No. 8' Tech Incubator In Silicon Valley

Slashdot -

An anonymous reader quotes a report from Bloomberg: Wal-Mart Stores Inc. is creating a technology-startup incubator in Silicon Valley to identify changes that will reshape the retail experience, including virtual reality, autonomous vehicle and drone delivery and personalized shopping. The incubator will be called Store No. 8, a reference to a Wal-Mart location where the company experimented with new store layouts. Marc Lore, chief executive officer of Wal-Mart's e-commerce operations, announced the incubator Monday at the ShopTalk conference in Las Vegas. The world's biggest retailer has been overhauling its online team to better challenge Amazon.com Inc. with greater selection and lower prices. Lore founded Jet.com, which Wal-Mart purchased in September for about $3.3 billion in pursuit of Amazon in the e-commerce race. Lore said Wal-Mart has an advantage over "pure play" e-commerce companies because of its large network of stores that attract shoppers for such items as fresh food. The incubator will partner with startups, venture capitalists and academics to promote innovation in robotics, virtual and augmented reality, machine learning and artificial intelligence, according to Wal-Mart. The goal is to have a fast-moving, separate entity to identify emerging technologies that can be developed and used across Wal-Mart.

Google Wants To Create Promotions That Aren't Ads For Its Voice-Controlled Assistant

Slashdot -

Earlier this month, some Google Home users noticed what appeared to be audio ads for Disney's "Beauty and the Beast" movie. After some intense backlash, the company released a statement claiming that the ad was not an ad, but that it was simply "timely content" that Disney didn't pay for. Google's UK director of agencies, Matt Bush, has since spoken out about the company's plans with advertising via the voice-controlled Assistant. Business Insider reports: Bush explained Google isn't looking to offer brand integrations in voice for the time being, since it didn't have enough data to come up with an ad product that adds value for consumers. "We want businesses to have a phenomenal mobile experience and then building on that have a phenomenal voice experience," Bush told Business Insider at Advertising Week Europe. "That might not be, in the early instances, anything that has to do with commercials at all. It might just be something that adds value to the consumer without needing to be commercialized." Bush explained that the consumer experience with voice is very different from that of text search because the use cases for voice navigation differ depending on the device the function is used on and the context the user finds themselves in. "We don't want to start putting in commercial opportunities that we think users don't want to interact with," Bush said. "We don't want anything to come in-between the user and their access to the information they're actually looking for. If a brand can add value in that space, fantastic." Bush cited mobile search ads as successful executions of using context and personal user insights, but voice promotions are unlikely to take the same form. "It's unlikely to be what you see from search as it currently stands, where you might have three or four ads as the top results of a search," he said.

Burglars Can Easily Make Google Nest Security Cameras Stop Recording

Slashdot -

Orome1 quotes a report from Help Net Security: Google Nest's Dropcam, Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor security cameras can be easily disabled by an attacker that's in their Bluetooth range. The vulnerabilities are present in the latest firmware version running on the devices (v5.2.1). They were discovered by researcher Jason Doyle last fall, and their existence responsibly disclosed to Google, but have still not been patched. The first two flaws can be triggered and lead to a buffer overflow condition if the attacker sends to the camera a too-long Wi-Fi SSID parameter or a long encrypted password parameter, respectively. Triggering one of these flaws will make the devices crash and reboot. The third flaw is a bit more serious, as it allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to. If that particular SSID does not exist, the camera drops its attempt to associate with it and returns to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won't be recording. Nest has apparently already prepared a patch but hasn't pushed it out yet. (It should be rolling out "in the coming days.")
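
The first two flaws above are the classic "trusted length from the radio" bug. The C below is an added illustration of that bug class and its fix; it is not Nest's firmware (whose code and Bluetooth provisioning protocol are not on this page) and the message framing it assumes (a one-byte tag, a one-byte length, then the payload) is an assumption made for the example. It shows a handler that copies a peer-supplied SSID into a fixed field using the peer-supplied length, beside a hardened handler that enforces the 802.11 limit of 32 octets per SSID and checks the claimed length against the bytes actually received before copying anything. The passphrase parameter would get the same treatment with its own bound.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 802.11 limits an SSID to 32 octets; one extra byte holds the terminating NUL. */
#define SSID_MAX_LEN 32

/* Illustrative camera Wi-Fi configuration (assumption: not Nest's real layout). */
struct wifi_config {
    char ssid[SSID_MAX_LEN + 1];
};

/* Assumed message framing for this example: tag (1 byte), length (1 byte), payload. */
#define TAG_SSID 0x01

/* Vulnerable pattern: trusts the length byte received over the radio.
 * A length above 32 writes past the end of cfg->ssid, the kind of overflow
 * that crashes and reboots a device. Shown only for contrast; never feed it
 * untrusted input. */
void set_ssid_unchecked(struct wifi_config *cfg, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2 || msg[0] != TAG_SSID) return;
    uint8_t len = msg[1];
    memcpy(cfg->ssid, msg + 2, len);   /* len is peer-controlled and unbounded */
    cfg->ssid[len] = '\0';
}

/* Hardened pattern: validate framing and enforce the protocol maximum before
 * any byte is copied. Returns 0 on success, -1 when the message is rejected. */
int set_ssid_checked(struct wifi_config *cfg, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2 || msg[0] != TAG_SSID) return -1;
    uint8_t len = msg[1];
    if (len == 0 || len > SSID_MAX_LEN) return -1;   /* oversize SSID: reject */
    if ((size_t)len + 2 > msg_len) return -1;         /* claimed length exceeds frame */
    memcpy(cfg->ssid, msg + 2, len);
    cfg->ssid[len] = '\0';
    return 0;
}

/* Build a constructed TLV frame of `len` repeated bytes; returns the frame size,
 * or 0 if it does not fit. Stands in for what a Bluetooth peer would transmit. */
size_t build_frame(uint8_t tag, uint8_t len, uint8_t fill, uint8_t *out, size_t out_cap)
{
    if ((size_t)len + 2 > out_cap) return 0;
    out[0] = tag;
    out[1] = len;
    memset(out + 2, fill, len);
    return (size_t)len + 2;
}

/* Feed an SSID of the given length to the hardened handler; returns its result. */
int ssid_accepted(uint8_t len)
{
    struct wifi_config cfg;
    uint8_t frame[300];
    size_t n = build_frame(TAG_SSID, len, 'A', frame, sizeof frame);
    memset(&cfg, 0, sizeof cfg);
    return set_ssid_checked(&cfg, frame, n);
}

/* A frame whose length byte claims more payload than was actually received;
 * returns 1 if the hardened handler rejects it. */
int truncated_frame_rejected(void)
{
    struct wifi_config cfg;
    uint8_t frame[300];
    build_frame(TAG_SSID, 10, 'C', frame, sizeof frame);
    return set_ssid_checked(&cfg, frame, 7) == -1;   /* only 5 payload bytes present */
}

int main(void)
{
    struct wifi_config cfg;
    uint8_t frame[300];

    /* Benign 8-byte SSID: both handlers accept it. */
    size_t n = build_frame(TAG_SSID, 8, 'A', frame, sizeof frame);
    memset(&cfg, 0, sizeof cfg);
    set_ssid_unchecked(&cfg, frame, n);
    printf("unchecked, 8-byte SSID: \"%s\"\n", cfg.ssid);

    /* 200-byte SSID, as a peer in Bluetooth range could send: the unchecked
     * handler would overflow the 33-byte field; the checked one refuses it. */
    printf("checked, 200-byte SSID: rc=%d\n", ssid_accepted(200));
    printf("checked, 32-byte SSID:  rc=%d\n", ssid_accepted(32));
    return 0;
}
```

The two length checks are independent: the first bounds the value against the field the data lands in, the second bounds it against the bytes that actually arrived, so a short frame with a large length byte can neither overflow the field nor read past the end of the received buffer.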

Wells Fargo: All ATMs Will Take Phone Codes, Not Just Cards

Slashdot -

Given the prevalence of smartphones nowadays, Wells Fargo has announced plans to upgrade all 13,000 of its ATMs next week to allow customers to access their money using their cellphones instead of traditional bank cards. Wells Fargo would be the first to upgrade all of its ATMs with the feature across the United States. ABC News reports: To access their money, customers would get unique eight-digit codes from their Wells Fargo smartphone app, and enter the code into the ATM along with their PIN number. The machines will still accept debit cards as well. One limitation of the one-time code, though, is that it won't work on the secure doors that many branches have for non-business hours that require a customer to swipe an ATM or debit card to gain entry. Wells Fargo said those secure doors are found at a small percentage of branches, mostly in major metropolitan areas like New York City or Chicago. Wells said it plans to roll out another upgrade to its ATMs later this year, which will allow customers to access the ATMs by holding their smartphones up to a reader on the machine, instead of entering the eight-digit code. It would be similar to using Apple Pay or Samsung Pay, the bank said.

Trump Adds To NASA Budget, Approves Crewed Mission To Mars

Slashdot -

An anonymous reader quotes a report from NBC News: President Donald Trump signed a law on Tuesday authorizing funding for a crewed NASA mission to Mars. The new bill (S.442) adds a crewed mission to the red planet as a key NASA objective and authorizes the space agency to direct test human space flight programs that will enable more crewed exploration in deep space. The space agency has $19.5 billion in funding for the 2018 fiscal year, which starts this October. Trump had allocated $19.1 billion for NASA in his budget, which is slightly down from the current year, but still an improvement from the past decade, which saw the end of the space shuttle program. The commander in chief signed the bill surrounded by astronauts and his former Republican rivals, Senator Ted Cruz of Texas and Senator Marco Rubio of Florida, who both sponsored the bill. Getting to Mars, though, isn't expected to happen during the Trump presidency. NASA has its sights set on getting to the red planet in the 2030s. In the near term, NASA plans to test its Orion spacecraft and Space Launch System rocket, in addition to visiting an asteroid and redirecting a chunk of it into orbit around the moon. Astronauts could later visit the boulder and use the mission to test some of the tools needed for a Mars mission.

Who's Liable For Decisions AI and Robotics Make?

Slashdot -

An anonymous reader shares a BetaNews article: Reuters news agency reported on February 16 that "European lawmakers called [...] for EU-wide legislation to regulate the rise of robots, including an ethical framework for their development and deployment and the establishment of liability for the actions of robots including self-driving cars." The question of determining "liability" for decision making achieved by robots or artificial intelligence is an interesting and important subject as the implementation of this technology increases in industry, and starts to more directly impact our day to day lives. Indeed, as application of Artificial Intelligence and machine learning technology grows, we are likely to witness how it changes the nature of work, businesses, industries and society. And yet, although it has the power to disrupt and drive greater efficiencies, AI has its obstacles: the issue of "who is liable when something goes awry" being one of them. Like many protagonists in industry, Members of the European Parliament (MEPs) are trying to tackle this liability question. Many of them are calling for new laws on artificial intelligence and robotics to address the legal and insurance liability issues. They also want researchers to adopt some common ethical standards in order to "respect human dignity."

O-MG, the Developer Preview of Android O is here! (Android Developers Blog)

LWN Headlines -

The Android Developers Blog introduces the first developer preview of Android O. This version includes background limits, notification channels, autofill APIs, PIP for handsets, font resources in XML, adaptive icons, and much more. "Building on the work we began in Nougat, Android O puts a big priority on improving a user's battery life and the device's interactive performance. To make this possible, we've put additional automatic limits on what apps can do in the background, in three main areas: implicit broadcasts, background services, and location updates. These changes will make it easier to create apps that have minimal impact on a user's device and battery. Background limits represent a significant change in Android, so we want every developer to get familiar with them."

AMD Confirms It's Issuing a Fix To Stop New Ryzen Processors From Crashing Desktops

Slashdot -

AMD says the company has been able to figure out why FMA3 code is causing system hangs on PCs using a new Ryzen desktop processor. From a report: Although AMD didn't provide a detailed report on the problem's root cause, the company said that BIOS changes will be distributed to motherboard manufacturers to resolve the issue. Customers are encouraged to keep an eye on their motherboard vendor's website for an update. "We are aware of select instances where FMA code can result in a system hang," the company said. "We have identified the root cause." AMD released three Ryzen-branded desktop processors at the beginning of March that plug into motherboards based on AMD's new AM4 socket. The trio of processors include the Ryzen 7 1800X, the Ryzen 7 1700X, and the Ryzen 7 1700. However, all three reportedly cause a hard system lock when running certain FMA3 workloads. The problem was replicated across all three processors and a variety of motherboards.

Microsoft Outlook, Skype, OneDrive Hit By Another Authentication Issue

Slashdot -

Two weeks after a widespread authentication issue hit Outlook, Skype, OneDrive, Xbox and other Microsoft services, it's happening again. From a report: On March 21, users across the world began reporting via Twitter that they couldn't sign into Outlook.com, OneDrive and Skype (and possibly more). I, myself, am unable to sign into Outlook.com, OneDrive or Skype at 2:30 pm ET today, but my Office 365 Mail account is working fine. (Knock wood.) I believe the issue started about an hour ago, or 1:30 p.m. ET or so. MSA is Microsoft's single sign-on service which authenticates users so they can log into their various Microsoft services. As happened two weeks ago, the Skype Heartbeat site has posted a message noting that users may be experiencing problems sending messages and signing in.

MidCamp - Midwest Drupal Camp: Call for Volunteers

Drupal Planet -

We need you!

Want to give back to the Drupal Community without writing a line of code? Volunteer to help out at MidCamp 2017.  We’re looking for people to help with all kinds of tasks including: 

Setup/Teardown
  • For setup, we need help making sure registration is ready to roll, and getting T-shirts ready to move.

  • For teardown, we need to undo all the setup including packing up all the rooms, the registration desk, cleaning signage, and making it look like we were never there.

Registration and Ticketing
  • We need ticket scanners, program dispersers, and people to answer questions.

Room Monitors
  • Pick your sessions and count heads, make sure the speakers have what they need to survive, and help with the in-room A/V

If you’re interested in volunteering or would like to find out more, please contact us.

Acquia Lightning Blog: Forward Revisions and Translated Content

Drupal Planet -

By Adam Balsam, Tue, 03/21/2017 - 14:46

Core contributors are currently working on a solution for #2766957, "Forward revisions + translation UI can result in forked draft revisions". This issue can affect users of Workbench Moderation (that is, users of Lightning) too, though.

The problem presents itself when:

  • The site uses Lightning Workflow
  • Content Translation is enabled with at least one additional language defined (let's say English and Spanish) 
  • A piece of content exists where:
    • There is a published English and a published Spanish version of the content.
    • Both the English and Spanish version have unpublished edits (AKA forward revisions).
  • An editor publishes the forward revision for either the English or Spanish version (let's say English).

The result is the existing published Spanish version becomes unpublished - even though the editor took no action on that version at all. This is because the system is marking the unpublished Spanish version as the default revision.

A workaround exists in the Content Translation Workflow module. If you are still using Drupal core 8.2.x (which, as of this writing, Lightning is) you will also need a core patch that adds a getLoadedRevisionId() method to ContentEntityBase.

Workaround Summary
  1. Apply this core patch.
  2. Add the Content Translation Workflow module to your codebase and enable it.

For more information and demonstration of the bug and the fix, see the video below.

Note: This is an alpha module with known issues and, by definition, is not covered by the Drupal Security policy and may have security vulnerabilities publicly disclosed.

Note: The Content Translation Workflow module works around the original issue by creating an additional revision based on the current default revision. This preserves existing forward revisions and their content, but effectively makes them past (rather than forward) revisions.

Bonus: The author of Content Translation Workflow, dawehner, has also created a companion module Content Translation Revision which adds a nice UI to translate individual revisions.

Palantir: Competitive Analysis: The Key to a Woman's Healthy Heart - Part 1

Drupal Planet -

Posted by brandt, Tue, 03/21/2017 - 13:45. By Michelle Jackson, Mar 21, 2017

In the healthcare field, meeting the needs of patients can be a matter of life and death.

In this post we will cover...
  • How health systems can conduct competitive analysis

  • How navigation organization and prioritization impacts the ability of people to find information on specific health topics such as heart disease and its impact on women’s health

  • How competitive analysis can help health systems conduct a cursory evaluation and improve information architecture to better serve people suffering from critical illnesses

  • How looking at peer competitors can help health systems better serve the needs of patients and their caregivers

Competitive analysis is an exercise, the importance of which transcends the borders of many industries, including healthcare. By taking a look at how your site compares to your competitors, you can ultimately make changes that allow you to better serve your patient’s specific needs.

In recognition of Women’s History Month, we are focusing on women’s health, specifically heart disease, the number one cause of death for women in the United States. We are also honing in on DrupalCon-host city Baltimore, which has launched several initiatives to combat cardiovascular disease. The goal is to take a look at how two health systems in Charm City categorize and present information about cardiovascular disease on their public-facing websites.

Let’s imagine you have been tasked by the American Heart Association (AHA) to compare and evaluate websites of local health systems in the field of cardiology in how they serve women patients who suffer from cardiovascular disease. Where do we begin? What competitors will we look at? What dimensions or features/site attributes are we comparing? What key tasks are important to patients and caregivers? How does search impact the site visitor journey to each competitor website?

By the time you finish reading this post, you will have the know-how to do a competitive analysis for a health-system or hospital website with a focus on particular health specialties and demographics. You will be able to see how your website measures against the competition at the specialty level and also in meeting the needs of specific patient and caregiver audiences.

What is competitive analysis?

As we discussed in Competitive Analysis on a Budget, competitive analysis is a user experience research technique that can help you see how your site compares with competitor websites in terms of content, design, and functionality. It can also lead to better decision-making when selecting new design and technical features for your site (e.g. search filter terms or search listing display). In this post, we’ll focus on the navigation and internal menu labels as our dimensions.

A Tale of Two Hospitals

Johns Hopkins Medicine and the University of Maryland Medical Center are two large university hospitals local to Baltimore that have centers dedicated to women and heart disease. The two centers are considered direct competitors because both offer the same service and function in the same way.

Fast Facts for Context
  • Women’s heart disease symptoms are complex and often differ from men’s symptoms.
  • Women suffering from heart disease may not experience any symptoms at all.
  • In 2015, the Baltimore City Health Department released a report that cited cardiovascular disease as the leading cause of death in the city.
  • According to the 2015 Maryland Vital Statistics Annual Report, approximately 1 in 4 deaths in the Baltimore Metro Area were related to heart disease.
  • National and statewide statistics confirm cardiovascular disease is the leading cause of death for men and women.

It all begins with search

Search plays a key role in how patients and caregivers, especially women, find information about health conditions and treatment. In 2013, Pew Research’s Health Online Report noted that “women [were] more likely than men to go online to figure out a possible diagnosis.” The report also noted that “77% of online health seekers say they began at a search engine such as Google, Bing, or Yahoo.”

Specific search queries will likely bring this group of site visitors to a specific page, rather than to the homepage. This means the information architecture of health system internal pages plays a key role in providing patients and caregivers with information and resources about medical conditions and services. Competitive analysis can help us understand if and how these pages are meeting patient and caregiver needs.

Keywords are key

Keyword selection drastically impacts the results that are returned during a patient and caregiver search query. To demonstrate this, let’s start with a basic keyword search to evaluate how sites are optimizing search for topics like women and heart disease. As shown below, keywords can transform the information-seeking experience for women.

Figure 1: Google search with “women heart disease baltimore md” as key words

The first figure shows the search query results for “women heart disease baltimore md.” Johns Hopkins Women’s Cardiovascular Health Center and University of Maryland Medical Center Women’s Heart Program landing pages are both listed in the search results (Figures 2 and 3).

Figure 2: Johns Hopkins Women’s Cardiovascular Health Center landing page

Figure 3: University of Maryland Medical Center Women’s Heart Health Program landing page

Figure 4: Google search with “heart disease hospital baltimore md”

Search significantly impacts patient and caregiver access to health and hospital information. Google provides results based on previous search behavior, so results may vary by browser and search history, among other factors. We tried these terms using a private session and when logged into Google and saw little to no variance.

As shown in Figure 4, using different keywords in the search query yields different search results. “Heart disease hospital baltimore md” returns Johns Hopkins Heart & Vascular Institute as one of the top search results, but University of Maryland Medical Center’s Heart and Vascular Center is not returned as a top result, whether logged into Google Chrome or during a private session.

This is important to note because the University of Maryland Medical Center may want to look into methods to improve search engine optimization. There are different ways to address the absence of your website or landing page, product or service at the top of the site visitor’s search results listing.

Menu hierarchy and landing pages - when alphabetization complicates user experience

If women with heart disease choose keywords like “heart disease hospital baltimore md,” and do not indicate their gender in their query, they are brought to Heart & Vascular Health landing pages for each respective health system. Both landing pages use alphabetization to organize centers and programs. Because the centers or programs dedicated to women and heart disease begin with “W,” they are situated at the bottom of the internal navigations.

This may pose a challenge to patients and caregivers entering the site from search queries that omit the word “women” (i.e. heart disease hospital baltimore md). These search query examples are not meant to represent the most common queries for people looking for information about heart disease in Baltimore; rather they demonstrate how different search queries can yield different results for people seeking this information.

Figure 5: Johns Hopkins Heart & Vascular Institute landing page

Figure 6: University of Maryland Medical Center Heart and Vascular Center landing page

Internal Menu Labeling and Nesting

Now that we see how search impacts visitor pathways to the health system sites, let’s take a closer look at how Johns Hopkins Medicine and the University of Maryland Medical Center differ in presenting information in the internal menus for the centers and programs dedicated to women’s heart disease and heart health.

Figure 7: Johns Hopkins Heart & Vascular Institute landing page navigation

Multiple internal navigations within the Johns Hopkins Heart & Vascular Institute landing page and the current placement of the Women’s Cardiovascular Health Center at the bottom of the navigation hierarchy might make it challenging for patients looking for this particular center. Since centers provide services for patients, the placement of “centers of excellence” under “clinical services” may complicate site visitors’ understanding of resources and the relationship between services and centers. These types of naming conventions should be examined more closely.

Figure 8: Johns Hopkins Heart & Vascular Institute landing page internal navigations

Figure 9: University of Maryland Medical Center Women’s Heart Health Program landing page navigations

Like its competitor, the University of Maryland Medical Center has multiple internal navigations, which may also be cumbersome to users. Patients and caregivers have too many options which may make it difficult for them to understand what they should do on this page. It may also make it challenging for them to complete key tasks (i.e. researching risk factors, find a physician, schedule an appointment, etc).

The University of Maryland Medical Center’s “Centers and Services” might resonate better with site visitors because they can find both Centers and Services under “Centers and Services”; Johns Hopkins Medicine’s placement of Centers of Excellence under Clinical Services could be confusing. Patients typically go to a center to receive clinical services; they don’t often go to a clinical service to find a center.

The University of Maryland Medical Center’s Heart & Vascular Center’s use of “Services” for one of its navigations might not be intuitive to site visitors. “Services” plays the role of a catch-all for conditions (i.e. aortic disease), topics (i.e. women’s heart health) and treatment options (i.e. heart and lung transplant) and may make it challenging for visitors to find what they are looking for on this page.

More specifically, a patient or caregiver looking for women’s heart health may not necessarily expect to find a program under “Services.” These items could be surfaced more quickly and more efficiently organized within Centers and Services so that the pathways to Women’s Heart Health are more intuitive to patients and their caregivers.

We’ll know if this is the case after we test these health system site pages with real visitors.

Figure 10: Competitive analysis matrix

In sum

So how do you design a website for women who may have asymptomatic heart disease? How do you integrate the needs of potential patients who experience neck and back pain as a symptom of their heart disease? We can gain a better understanding of specific cases like this by understanding the user journey of patients who exhibit non-traditional symptoms of heart disease and their caregivers by conducting competitive usability tests of these sites.

So what next?

Now that we’ve provided a cursory analysis and heuristic evaluation of the internal navigations of two health system sites, we’ll perform user tests on the websites to validate some of the hypotheses we discuss in this blog post and compare the content and design of the two health system sites. Keep an eye out for that post in a couple of weeks!

Android O First Developer Preview Featuring Notification Channels, Background Limits Now Available

Slashdot -

A year after Google released the Android N Developer Preview, the company has made available the developer preview of the next major version of Android, "Android O." You will not want to put it on your primary Android smartphone as the preview is likely to have rough edges. Google says as much. "it's early days, there are more features coming, and there's still plenty of stabilization and performance work ahead of us. But it's booting :)." The company is using the developer preview to give beta testers a sneak peek into some new features, such as "notification channels," which will offer users the ability to group notifications. There is also Picture in Picture, which will enable you to have a video appear in a small window on top of homescreen or any application. Google is also adding "multi-display support" and improved "keyboard navigation." Your guess is as good as mine as to what these features will actually do. There's also better "background limits" which will supposedly help save battery, and wider Wi-Fi support to include things like Neighborhood Aware Networking (NAN). No word on what "O" in Android O stands for.

KDevelop 5.1.0 released

LWN Headlines -

KDevelop is KDE's Integrated Development Environment (IDE). Version 5.1 has been released with LLDB support, Analyzer run mode, initial OpenCL language support, improved Python language support, and more.

Microsoft Just Showed Off Exactly What Salesforce Was Worried About

Slashdot -

Microsoft just took a direct swipe at Salesforce with a new enterprise-ready version of LinkedIn's customer relationship management product called Sales Navigator. From a report on CNBC: "Today's announcements take Sales Navigator to the next level," Doug Camplejohn, LinkedIn sales solutions head of product, said in a blog. The new product steps up competition with arch rival Salesforce. Microsoft beat out Salesforce to acquire LinkedIn for $26.2 billion -- by far the company's largest acquisition to date -- in June. Salesforce CEO Marc Benioff was so concerned, he accused the company of "anti-competitive behavior" and urged regulators to investigate. Flash-forward less than a year and Microsoft's new Sales Navigator Enterprise Edition incorporates many features aimed at turning LinkedIn into a must-have tool for sales teams at big companies.

IBM, Remote-Work Pioneer, is Calling Thousands Of Employees Back To the Office

Slashdot -

An anonymous reader shares a report: Less than a year into her tenure as IBM's chief marketing officer, Michelle Peluso prepared to make an announcement that she knew would excite some of her 5,500 new employees, but also, inevitably, inspire resignation notices from others. In a video message, Peluso explained the "only one recipe I know for success." Its ingredients included great people, the right tools, a mission, analysis of results, and one more thing: "really creative and inspiring locations." IBM had decided to "co-locate" the US marketing department, about 2,600 people, which meant that all teams would now work together, "shoulder to shoulder," from one of six different locations -- Atlanta, Raleigh, Austin, Boston, San Francisco, and New York. Employees who worked primarily from home would be required to commute, and employees who worked remotely or from an office that was not on the list (or an office that was on the list, but different than the one to which their teams had been assigned) would be required to either move or look for another job. Similar announcements had already been made in other departments, and more would be made in the future. At IBM, which has embraced remote work for decades, a relatively large proportion of employees work outside of central hubs. (By 2009, when remote work was still, for most, a novelty, 40% of IBM's 386,000 global employees already worked at home). [...] "When you're playing phone tag with someone is quite different than when you're sitting next to someone and can pop up behind them and ask them a question," Peluso says. Not all IBM employees see it that way.

Read more of this story at Slashdot.

Code Enigma: Do you really need composer in production?

Drupal Planet -


It is now a common practice to use composer as part of the deployment stack. Is this always such a good idea?

Tue, 2017-03-21 16:26 By pascal

The recipe goes like this: gitignore your "vendor" directory (or whatever folder your dependencies end up in), but commit your composer.lock file, then deploy. Your CI job will then « composer install » all the dependencies where they belong, magically reproducing your initial file layout exactly as it was.

There are generally a few additional steps involved in between, though. Typically, you lost half a day figuring out the right file permissions so that the var/cache of your app can be cleared and recreated properly by the webserver user, wondered for days why some of the builds were randomly failing before realizing that no token was set in this given job, meaning the GitHub API rate limit was sometimes hit. Then another good day or two finding out how to apply two patches to the same project when they slightly conflict. And your sysadmin might be slightly suspicious about those files being downloaded and executed directly on production outside of any VCS, with no review step between the network and the web server, and anxiously watching for exploit reports.

Now, you will assure me, you've nailed all that, and, apart from an occasional network glitch preventing packages from being fetched, all is running smoothly. Great.

But please, re-read the above. Why are you doing all this? To "reproduce your initial file layout exactly as it was". Then why don't you just commit the files and push them?

That is normally the point in the discussion when you’re supposed to use the words « reproducible » and « best practices ».

Reproducible


Right, but what is more reproducible than moving prebuilt files around? You have already played the recipe once in your dev environment; taking the risk of re-running it on production feels a bit like recompiling binaries from source simply because you can.

Composer is not magic. What it does is grab a bunch of PHP files, ensuring they are at the right version and that they end up in the right place, so they can play nicely together. Once you have the resulting file set already, why would you want to redo this over and over on each and every environment?

Best practices

Let’s have a closer look at what is stated in the Composer documentation and the reasons why the project recommends not committing your dependencies:

  • large VCS repository size and diffs when you update code;
  • duplication of the history of all your dependencies in your own VCS; and
  • adding dependencies installed via git to a git repo will show them as submodules.

I’ll just ignore the repository size (frankly, is that still a concern?) and focus on the diff and history parts.

For one, the argument here is slightly misleading: reading the statement, you might be under the impression that your repository will contain the whole git history of each and every dependency in your project. Nope, it will not. What you will end up with, over the life of your project, is the history of updates to your dependencies after your initial commit.

Which is rather the most important point here. This is a good thing! Why wouldn’t you want to be able to look at - and keep track of in your VCS - what changed in the update from Guzzle 3.8.0 to 3.8.1, or what the difference is between ctools 8.x-3.0-alpha27 and alpha26? Your « live » project is not only your custom code.

What would you find most useful, next time your client opens a ticket because the image embedding in the WYSIWYG editor has stopped working since the last release, when looking back at the commit « Upgrade contrib module media_entity from 8.x-1.5 to 8.x-1.6 »? Seeing a one-line hash change in composer.lock, or seeing a nice diff of the actual changes in code, so you can track down what went wrong?

The .git submodules point is fair, but easy to work around, as explained on this very same best practices page. Also keep in mind it only applies if you use dev versions or obscure non-packaged dependencies.
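Two of the claims above can be turned into a concrete check: that a vendor tree really is the one composer.lock describes (the "reproducible" argument), and that a composer.lock diff only ever tells you a package name, version and commit reference, never what changed in the code (the auditing argument). The script below is an added example written for this post; it is not Code Enigma's or Composer's own code. It assumes the real file shapes: composer.lock carries a "packages" list whose entries have "name", "version" and a "source" or "dist" block with a "reference", and vendor/composer/installed.json is either a bare list of such entries (Composer 1) or an object with a "packages" key (Composer 2). All JSON in it is constructed sample data, including the case where a deploy-time fetch left a different media_entity commit and an extra, unlocked package in vendor/.

```python
"""Audit a committed vendor/ tree against composer.lock.

Added example, not Code Enigma's or Composer's own code. Assumptions:
composer.lock has a "packages" list with "name", "version" and a
"source"/"dist" block carrying a "reference"; vendor/composer/installed.json
is a bare list (Composer 1) or {"packages": [...]} (Composer 2).
"""
import json


def make_lock(entries):
    """Build composer.lock-shaped JSON from (name, version, reference) tuples.
    Constructed sample data, not a real lock file."""
    return json.dumps({"packages": [
        {"name": n, "version": v, "source": {"type": "git", "reference": r}}
        for n, v, r in entries]})


# Constructed: the lock before and after the release mentioned in the post.
SAMPLE_LOCK_PREVIOUS = make_lock([
    ("guzzlehttp/guzzle", "3.8.0", "9999aaaa"),
    ("drupal/media_entity", "8.x-1.5", "bbbb1111"),
    ("drupal/ctools", "8.x-3.0-alpha26", "cccc2222"),
])
SAMPLE_LOCK = make_lock([
    ("guzzlehttp/guzzle", "3.8.1", "aaaa1111"),
    ("drupal/media_entity", "8.x-1.6", "bbbb2222"),
    ("drupal/ctools", "8.x-3.0-alpha27", "cccc3333"),
])

# Constructed: what actually landed in vendor/ (Composer 2 layout, dist refs).
# media_entity is at a different commit than the lock claims, ctools is
# missing and an unlocked package has appeared.
SAMPLE_INSTALLED = json.dumps({"packages": [
    {"name": "guzzlehttp/guzzle", "version": "3.8.1",
     "source": {"type": "git", "reference": "aaaa1111"}},
    {"name": "drupal/media_entity", "version": "8.x-1.6",
     "dist": {"type": "zip", "reference": "dddd4444"}},
    {"name": "acme/unexpected", "version": "1.0.0",
     "dist": {"type": "zip", "reference": "eeee5555"}},
]})


def _reference(pkg):
    """Commit or archive reference the package entry was resolved to."""
    for key in ("source", "dist"):
        ref = pkg.get(key, {}).get("reference")
        if ref:
            return ref
    return None


def lock_packages(lock_text):
    """Map package name -> (version, reference) from composer.lock text."""
    data = json.loads(lock_text)
    return {p["name"]: (p["version"], _reference(p))
            for p in data.get("packages", [])}


def installed_packages(installed_text):
    """Same mapping from vendor/composer/installed.json (Composer 1 or 2)."""
    data = json.loads(installed_text)
    entries = data["packages"] if isinstance(data, dict) else data
    return {p["name"]: (p["version"], _reference(p)) for p in entries}


def audit_vendor(lock_text, installed_text):
    """Return sorted findings wherever vendor/ disagrees with composer.lock."""
    locked = lock_packages(lock_text)
    installed = installed_packages(installed_text)
    findings = []
    for name in sorted(set(locked) | set(installed)):
        if name not in installed:
            findings.append(f"{name}: locked but missing from vendor/")
        elif name not in locked:
            findings.append(f"{name}: present in vendor/ but not in composer.lock")
        elif locked[name] != installed[name]:
            findings.append(
                f"{name}: lock says {locked[name]}, vendor has {installed[name]}")
    return findings


def lock_diff(old_lock_text, new_lock_text):
    """Everything a composer.lock diff can tell you: name, version, reference."""
    old, new = lock_packages(old_lock_text), lock_packages(new_lock_text)
    return [f"{n}: {old.get(n)} -> {new.get(n)}"
            for n in sorted(set(old) | set(new)) if old.get(n) != new.get(n)]


if __name__ == "__main__":
    print("vendor/ vs composer.lock:")
    for line in audit_vendor(SAMPLE_LOCK, SAMPLE_INSTALLED):
        print("  " + line)
    print("what the lock diff shows for the release:")
    for line in lock_diff(SAMPLE_LOCK_PREVIOUS, SAMPLE_LOCK):
        print("  " + line)
```

Run audit_vendor against the real composer.lock and vendor/composer/installed.json in CI, and a committed vendor tree that drifts from the lock (a stray local install, a hand-edited file, a package that was never locked) fails the build before it is deployed. lock_diff makes the other point: between two lock files the most you recover is a version and reference bump per package; the content of that bump is only visible as a diff if the vendored code itself is in the repository.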


So, to sum it up, if you use Composer to build your code in production, you get:

   - Unneeded and time-consuming extra deployment complexity, with a small but real risk of failure on each and every build for external causes

   - No auditing of changes that are not your own custom code

   + Easier handling of .git « false » submodules for a few dev dependencies


On the other hand, if you commit the "vendor" directory, you get:

   + Easier and straightforward deployment

   + All code that lands on production gets audited/versioned

   - Small amount of work involved in dealing with possible .git « false » submodules


Then why?


But then, why is that such a widespread practice? I can only guess here, but I suspect there are several factors at play:

  • Fashion, to some extent, must play a role. There are very good reasons to do this for certain workflows, which may lead people to think that it can apply to any deployment workflow.
  • The fact that it is presented as « best practice » on the Composer project page. Many people apply it without questioning whether it is applicable to their use case.

My interpretation is that, more fundamentally, the root cause is confusion between "deploying" code and "distributing" code.

Moving a « living thing » from one environment to another is not the same process as making a component or app available for other projects to reuse and build upon. Composer is a fantastic building tool, it is great for the latter case, and using it to assemble your project totally makes sense. Using it as a deployment tool, less so.

If we take another look at the arguments above from a distribution perspective, the analysis is totally different:

  • Large VCS repository size and diffs when you update code.
  • Duplication of the history of all your dependencies in your own VCS.

Indeed, in this use case, it all makes total sense: you definitely do not need the whole git history of any component you are re-using for your project. Nor do you want your repo for the nice web-crawler library you contribute on GitHub to contain the Guzzle codebase you depend upon.

In short, think about the usage. If you maintain, say, a Drupal custom distro that you use internally as a starting point for your projects, by all means yes, ignore the vendor directory. Build it with Composer when you use it to start a new project. And continue to use Composer to manage dependency updates in your dev environment. However, once this is no longer a re-usable component, but instead a living project that will need to be deployed from environment to environment, do yourself a favour and consider carefully whether using Composer to deploy really brings any benefit.


Subscribe to Heydon Consulting aggregator