Introducing our new blog team

Daniel Pocock daniel at pocock.pro
Thu May 19 07:26:00 UTC 2016



On 19/05/16 07:52, Florian Snow wrote:
> Hi Daniel,
> 
> 
> Daniel Pocock <daniel at pocock.pro> writes:
>> Wordpress is available in Debian, would the packages be suitable for
>> you? The versions are here:
> 
> The version does not matter so much as long as it still receives
> bugfixes.  To be quite honest, though, I have had unpleasant experiences


By default, every package in Debian receives security fixes.  Popular
web packages (like Apache, PHP and Wordpress) get these fixes within
just a few hours.

This means that the system-hackers group (or any other sysadmin) can
easily deploy those fixes to servers immediately using

  apt-get update && apt-get upgrade

and this same command also deploys any fixes for the OS or other
utilities.  Having a single channel for security and bug fixes like this
makes the whole process very efficient.

If a bug fix is not security critical and isn't in the stable version of
a package, you can use backports.debian.org to get a newer version.

> with Debian packages of web applications.  This was several years ago
> and may not be accurate anymore, but back then, some of those
> applications had several changes made to them and that made it hard to
> find problems because the installation was different from most of the
> other installations out there.

These changes are usually made for some good reason and it varies a lot
from one package to the next.  For example, the Drupal and Redmine
packages are slightly modified to make virtual hosting very easy on Debian.


> 
> But aside from that, I am worried about several things in this scenario:
> 1. An OS update always updates the Wordpress install as well.  This
>    may break necessary plugins that are not available in Debian.  So
>    that means, the system hackers would always have to check with the
>    blog hackers before performing OS updates.  I don't think this is a
>    very good solution.

That depends on the OS.

Debian has only had a major upgrade once every two years.  You don't
have to upgrade immediately, the previous version is usually supported
for at least one year and sometimes longer with LTS.

In any organization, it is very unusual for the sysadmin to upgrade a
whole system without consent of the application manager.  I would hope
the system-hackers group would coordinate the date of any major OS
upgrade with you.

As packaged systems are very standard, you should be able to easily
replicate the server in a test environment and do a trial run of the
upgrade and test any plugins before upgrading the real server.


> 2. The Debian package does not (or at least did not) support the regular
>    Wordpress update mechanism.  That makes perfect sense from an OS
>    package perspective, but it may cause some issues in our case
>    here. (We might need to go through several older WP versions to get
>    to the current one, for example, and the internal update mechanism
>    makes that pretty easy).

You could do it this way:

a) lock the site to prevent any changes, put the database in read-only mode
b) dump the database to a file
c) load the database into a test server
d) run through the upgrading in the test server using any non-standard
procedures you require
e) dump the database from the test server to a file
f) load it into the real server again
g) put the site back into read-write mode

You would need to test steps (b) - (d) with a trial run anyway before
doing a real upgrade.


> 3. Also, however fast the security team may be, receiving and applying
>    the bugfix from upstream will always be faster.  With publicly
>    facing software that is known for vulnerabilities, I'd rather have
>    updates as fast as possible.  This is also pretty easy with the
>    internal update mechanism.
> 

Debian security updates usually come within a few hours.  The Debian
security team often receive private notifications of security bugs
before they are advertised publicly, so they can prepare new packages in
advance.

There is also the possibility of delays in the individual teams.  Even
if you have a great team supporting the blog platform, if FSFE has 10
different teams supporting different applications, some of the teams may
not always be active all the time.  Using a standard process that the
system-hackers can support ensures that only the system-hackers team
needs to worry about having somebody on call 24x7 for security updates.

Anybody who is concerned that the updates won't be fast enough could do
a much better service to the community if they volunteered to help the
Debian security team or help the system-hackers team achieve a 24x7
support roster.



> Don't get me wrong, I love Debian and I am not the kind of person to use
> external repositories all the time or something like that, but for web
> applications, I tend to go with upstream.  That being said, things have
> not been decided yet and I really appreciate your input.  I will keep it
> in mind during my next round of tests.
> 
> 
>> I had several sites running on Drupal myself but I found that it becomes
>> tedious dealing with PHP security bugs and such things on a regular
>> basis.
> 
> Agreed.  That is exactly my experience and the reason for looking for
> alternatives to Wordpress.
> 
> 
>> Consequently, I moved many of the sites to a simple static hosting
>> solution using Bootstrap and jekyll
> 
> Thank you for mentioning this.  I have set up several sites with Jekyll
> and Bootstrap and I am generally happy with it.  There are some more
> modern systems that I worked with that have some advantages, for
> instance Pelican and Acrylamid.
> 
> However, the problem here is usability.  We need to find a way to make
> the editing process easy for non-technical bloggers.  I would imagine
> some of our users are more interested in the political side of Free
> Software and may not be hackers themselves.  Finding a good solution for
> them as well has to be our goal.  That is going to be one of the biggest
> issues the team will have to tackle.
> 

Is anybody aware of a web-based tool that can be used to edit text files
and commit the changes in a Git repository?  That could be customized to
make a web front-end to edit the blogs and some cron job could run
jekyll to re-publish the site.

Maybe something like that already exists as a turn-key solution and if
not, somebody could write some scripts like that and I would look at
sponsoring it as a package in Debian.

Regards,

Daniel
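The lock / dump / restore round-trip of steps (a) to (g), written up as an added shell example that is not part of the thread: it uses WordPress's .maintenance file for the site lock and MySQL's read_only flag for the database lock, and refuses to load a dump that did not complete. The document root, database name, test host, dump path, a reachable test-server MySQL and an admin MySQL account on the local socket are assumptions.

```shell
# Added example, not from the thread: steps (a)-(g) as one script.  SITE_ROOT,
# DB_NAME, TEST_HOST and DUMP are assumed values; the test server's MySQL is
# assumed reachable over the network from the real server.
set -eu
SITE_ROOT="${SITE_ROOT:-/var/www/wordpress}"    # assumed WordPress docroot
DB_NAME="${DB_NAME:-wordpress}"                  # assumed database name
TEST_HOST="${TEST_HOST:-wp-test.example.org}"    # placeholder test server
DUMP="${DUMP:-/var/backups/$DB_NAME-$(date +%Y%m%d).sql}"
# WordPress shows "Briefly unavailable for scheduled maintenance" while this
# file exists, but ignores it once $upgrading is over 10 minutes old, so
# re-run this if the test-server work in step (d) takes longer than that.
write_maintenance_file() {          # usage: write_maintenance_file <docroot>
  printf '<?php $upgrading = %s; ?>\n' "$(date +%s)" > "$1/.maintenance"
}

# (a) lock the site, then the database.  read_only does not bind accounts with
# SUPER: the admin account this script runs as keeps writing (step (f) needs
# that), while the WordPress DB user, which must not have SUPER, is locked out.
lock_site() {
  write_maintenance_file "$SITE_ROOT"
  mysql -e 'SET GLOBAL read_only = ON;'
}
unlock_site() {                     # (g) reverse of lock_site
  mysql -e 'SET GLOBAL read_only = OFF;'
  rm -f "$SITE_ROOT/.maintenance"
}

# (b) and (e): one consistent snapshot instead of table-by-table reads
dump_db() {                         # usage: dump_db <dumpfile> <host>
  mysqldump -h "$2" --single-transaction --routines "$DB_NAME" > "$1"
}
# mysqldump ends every complete dump with a "-- Dump completed" comment; a
# dump cut short by a full disk or a dropped connection lacks it.
dump_is_complete() {
  [ -s "$1" ] && tail -n 1 "$1" | grep -q '^-- Dump completed'
}
# (c) and (f): never load a dump, in either direction, without that check
load_db() {                         # usage: load_db <dumpfile> <host>
  dump_is_complete "$1" || { echo "refusing to load incomplete dump: $1" >&2; return 1; }
  mysql -h "$2" "$DB_NAME" < "$1"
}
main() {
  lock_site                                                       # (a)
  dump_db "$DUMP" localhost                                       # (b)
  load_db "$DUMP" "$TEST_HOST"                                    # (c)
  echo "Upgrade WordPress on $TEST_HOST, then press Enter"; read -r _   # (d)
  dump_db "$DUMP.upgraded" "$TEST_HOST"                           # (e)
  load_db "$DUMP.upgraded" localhost                              # (f)
  unlock_site                                                     # (g)
}
case "${1:-}" in run) main ;; esac  # sourcing the file only defines functions
```

Run it as `sh upgrade.sh run` on the real server; the trial run Daniel mentions is the same script pointed at a throwaway copy.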


