The forums at support.bryght.com were getting hit pretty hard with spam over the last couple of days, so I took the executive decision to temporarily close them. I'm committed to working on documenting what's happening so that we can feed back to the Mollom anti-spam project (see also mollom.com) so that automated posters are dealt with. If you have support issues that you would normally post to the forum, until we can resurrect them, please use the contact form and we'll look at your issue via our email ticketing system.

The third annual Drupal Camp Toronto event is coming soon. On Friday May 23rd and Saturday May 24th join the Toronto Drupal Users Group in celebrating two days of Drupal at the University of Toronto! We're putting together an exciting event this year. We have John Resig coming to talk about jQuery and ActiveState will be giving away prize packages. Plus we'll have two full days of information - tips, tricks, case studies and howtos. Make sure to register soon! We already have over 100 people signed up! Also, we are actively seeking both speakers and sponsors. Propose a session or contact us if you're interested in sponsoring or have other questions. Hope to see you there!

Summer is coming - which means it's time for Google's Summer of Code. This is the fourth year of the project (and the fourth year that Drupal has been involved). We continue to be one of Google's favourite open source projects this year grabbing 21 spots - which means a $105,000 investment in Drupal development this summer! I'm excited as this will be my third year as a mentor and my project this year will be OpenID Attribute Exchange support for Drupal. Attribute Exchange is one of the next important pieces in digital identity and one that I'm pretty excited about. My student, Anshu Prateek, has shown a lot of enthusiasm. I think it's gonna be a good summer!

Last night Roland ran the database maintenance on newer hosted service sites powered by Drupal 5. We are looking at doing another pass soon, because today we noticed there are a few other things about the newer databases that we can tune up. While some sites are singing along happily today, we did notice that sites that use the Image module heavily, especially those that use the Random Image block, are suffering performance issues. Today we upgraded the version of the image module to its latest official release, which seems to have fixed an issue with thumbnailos, but I'm not convinced that it improved performance much. Specifically, sites that use the Image module in Drupal 5 are experiencing Internal Server 500 errors, but for reasons different, I suspect, than database performance issues that plagued us in the recent past. We are continuing to investigate this specific issue.

After running the database maintenance, details of which are below, on over 350 sites over the weekend, we noticed an increase in speed for our flagship site bryght.com (its database was reduced to 1/10 its original size!) as well as some of the sites we targeted for special attention. We're still waiting for word from those we've contacted specifically, so until we hear from them, we're not ready to say what we've done has successfully rooted out the 500 error problems people have been seeing on the hosted service. (We're waiting to hear from them as they are the people who watch over the site the most.) This evening we'll run the database maintenance on our newer sites, but we don't expect to see as much improvement as we did with the older sites, partly because the newer sites handle their individual databases better, and because at the outset we had the "Database Logging" module disabled by default. The equivalent module on older sites was filling up databases, making them run slowly for many operations. A note on what we did to older databases, which we'll also do for newer sites tonight: we cleaned out the following database tables, which don't contain any content but rather user login sessions and old system logs: accesslog, watchdog, and sessions. Clearing out the last one means everybody on the site will be logged out. We hope that the inconvenience of having to login again is outweighed by a faster-running site overall. About 180 sites will undergo maintenance tonight, but like I say, we don't expect the performance gain to be the same as with older sites. At any time during the day, please let us know if you encounter Internal Server 500 errors and what you were doing when it happened so we can take a deeper look. We will update this post with a comment when we're done with tonight's maintenance, and follow up with a post tomorrow morning.

We have the database maintenance scripts written, and this morning we tested them out on one of our older sites (that we built for ourselves). We did say that we would do the maintenance overnight, but we were so happy with how fast and smoothly the test went that we decided to run it on 100 active sites on this, a Friday afternoon, and evaluate from there. We make backups on every site before proceeding with the maintenance, so no content will be lost. If you see something unusual or unexpected on our site, please continue to report it and we'll look at it right away.

Another day, another round of database performance issues on our server. Many, possibly all, sites are experiencing 500 Internal Server Errors. Our sysadmins are on the case. I'll post more information when we have it. We have a plan to address the performance issues, which we will test and implement overnight over the coming few days.

A firewall connectivity issue caused by an errant system overloading our network pipe resulted in a two hour outage on all Bryght Light sites and Bryght VPSes. We have blocked the errant system. Please let us know if you experience any further issues.

Yesterday morning everybody on the hosted service experienced their site going down, and since then sites have experienced numerous 500 errors. (Some sites have experienced this off and on for the past few weeks as well.) We are currently finishing with the checks of all databases on the hosted service, and then we will run some proactive maintenance—i.e. deleting the data from sessions, accesslog and watchdog tables that have not been automatically cleared like they should have. Don't let that stop you from reporting errors you see that you think are out of place. If you see "500 error", please send in a report with the URL of your site and we can double-check that you're on the list for the planned maintenance.

I know it's late notice, but I'll be hosting a free workshop tomorrow night, April 2nd at 7pm as part of the PHUG + RMI free workshops. For those of you here in Toronto that are unaware, PHUG is the new local PHP User Group. They have a lot of momentum and are an exciting group - I look forward to more collaboration in the future betweeh PHUG and DUG-TO. The workshop will be Drupal Basics - a crash course in everyone's favourite CMS. We'll look at the core Drupal concepts, how building sites in Drupal works, and some basic theming tricks. It's a free event, but space is limited so please register. Looking forward to meeting some new faces!

I know it's late notice, but I'll be hosting a free workshop tomorrow night, April 2nd at 7pm as part of the PHUG + RMI free workshops. For those of you here in Toronto that are unaware, PHUG is the new local PHP User Group. They have a lot of momentum and are an exciting group - I look forward to more collaboration in the future betweeh PHUG and DUG-TO. The workshop will be Drupal Basics - a crash course in everyone's favourite CMS. We'll look at the core Drupal concepts, how building sites in Drupal works, and some basic theming tricks. It's a free event, but space is limited so please register. Looking forward to meeting some new faces! UPDATE: P.S. this isn't an April Fool's joke ;)

Dries finally took the wraps off his other new Drupal related venture: Mollom. digg_url = 'http://digg.com/software/Mollom_new_FREE_anti_spam_filter_for_websites'; I've been amongst the beta testers on mollom (I'm uid #8!) for a long time now, here on this blog and with some other projects. I have to say, it's impressive. It's sort of like Akismet but has some interesting goals that are slightly different. The key is in calling it "content monitoring" rather than just "spam blocking" (which it already does effectively). Think: high powered moderation tools - with network intelligence. Congrats, Dries, on another one! (When do you sleep?!)

With almost a week gone by since I left Boston, it's high time to do a quick recap of DrupalCon Boston 2008. Despite spending most of the week battling a nasty stomach flu, making two trips to the Apple Store in Cambridge, and being without my laptop (which suffered a failed keyboard and trackpad), I had a great time and want to offer my congrats to the organizing team for a solid event! Although I took part in 6 sessions, I only presented one of them on my own: OpenID and Identity in Drupal. I was pleased with how the session went - packed room with lots of great feedback and discussion. For those interested, check out the slides on slideshare. Otherwise, it was really great to see all the old faces and meet some new ones. For anyone who missed it, the Acquia party was a blast (Orbit rocks!). Looking forward to the next!

Good Morning, Boston! We're just an hour away from getting this thing rolling - it's gonna be a crazy week. Here's the sessions where you'll be able to find me:

• Drupal Multimedia
• OpenID and Identity in Drupal: the future of user.module
• Drupal Security - Best Practices and Process Discussion
• Zen and the Art of Drupal
• Fast Company Case Study
• The Drupal Association Panel
• Drupal Podcast Live

I'll be doing updates here and from twitter. Don't forget to follow walkah :)

Here we go again! One week from today, DrupalCon Boston 2008 will get underway. For the 3rd straight conference, I'll be doing a session on OpenID in Drupal: OpenID and Identity in Drupal: the future of user.module Those of you who have attended my OpenID talks at previous DrupalCons should definitely come out to this one, as I would like to dive a bit deeper into roadmapping future changes, additions and directions for the code as well as touching on rolling out OpenID support across the Drupal.org infrastructure itself. I'd also like to discuss additions and changes to user.module that will better accommodate alternate authentication mechanisms. Can't wait to see you there! Oh, and yes, I'll bring my socks ;-)

Picking through my email and RSS on a Sunday afternoon, I noticed that jabber.org has finally relaunched using Drupal! I think this is exciting, as it brings together two of my favourite technologies. I've been peripherally involved in the XSF/jabber.org Drupal initiatives for a few years now. While I wasn't as closely involved in this site launch as I'd hoped to be (due to time constraints), they've definitely got my support and I hope to help this initiative continue to grow! Congrats Peter and team!

There have been reports that Harvard recently had a Joomla! based website compromised, and the database contents have been made available via BitTorrent. Of interest - the compromise was apparently via the usage of an insecure password. From the Torrent Freak article: A file included with the release labeled password.txt carries a message: Thomas gatton….stupid people, you don’t use a secure password While it's not entirely clear whether it was an insecure system password or an insecure Joomla! password used - it does highlight an important aspect of security. Ensuring that you write secure code is only (a small) part of the security problem. With our recent Drupal 6.0 release, we have tried to incorporate several changes to help our users be more secure:

• Password strength checker: when selecting a password now in Drupal, users are advised when their passwords are "weak". Encouraging tougher to crack/guess passwords particularly for admin and privileged users.
• OpenID support: Even a strong (hard to guess / crack) password can be compromised by a clever attacker if you consistently log in without SSL (i.e. when you're at that internet cafe). Also, remembering several (hundreds!) of complicated, strong passwords can be daunting and frequently leads to poor password choices. By including OpenID authentication support, Drupal users and administrators no longer have to remember passwords to every site they administer. They can use their OpenID - which in turn can implement stronger authentication methods to limit potential vulnerabilities. Development Seed has a great article on how they use OpenID to avoid sharing passwords for admin accounts.
• Update module: One of the biggest security challenges is keeping you site up to date. Drupal sites tend to be a combination of Drupal core and several (10 - 50) contributed modules - keeping them all up to date is a complicated task. It's also a crucial security precaution.

The point being: writing secure code is one thing, but there is a much trickier, critical task in educating users and administrators. It's something we're working towards within the Drupal Security Team and within the community in general. We're not done yet, and welcome your feedback and suggestions!

Last night we upgraded all 200+ sites on the hosted service from Drupal 5.6 to 5.7. The notes for the upgrade are the same as for when we released the new tag for VPS customers.

Happy Valentine's Day everyone! I case you hadn't heard, Drupal 6.0 has finally been released! It's been just over a year since our last major release and, while it feels sort of like an eternity, there is a *ton* of great stuff in this new release. I'm really proud to have helped contribute OpenID support (relying party) to this release - the first step in a larger plan to put (keep?) Drupal at the front of the digital identity curve. Those interested in hearing more, check out my OpenID session at DrupalCon. There's a ton of other great new stuff in 6: Update module (if you haven't used update status in Drupal 5 - you should), revamped i18n support, and Drag 'n' Drop everywhere (Nate, you're a rockstar)! Drupal, be mine. :-*

The last four releases of the Bryght Basic install profile for the open source Drupal content management system have been security releases. Not this time, for today's release—the new tag is 2008-01-29 (there's no 's' this time)—only contains bug fixes. Drupal 5.7 adds no features, but fixes a problem with the HTML filter that would not allow administrators to add or remove tags. There are 3 other issues fixed, which you can read about at the Drupal.org release notes page. We've updated our documentation on how to update to the latest tagged release. Even though there are no database updates for this release since Drupal 5.6, for VPS customers now's a good time to backup your database(s) just in case. We will post a new story once Drupal 5.7 is made available to hosted service customers. As usual, we included the Watchdog backport patch, and submitted a Drupal 5.7 compatible patch for those who want to do it on their own. The error for Google Analytics in the status log still persists; the fix is still to configure the module in Administer » Settings » Google Analytics or by disabling the module.