Barry Jaspan

Following on the Data Architecture Design Sprint during a cold and snowy Chicago week in February, two Drupalcon presentations, a lot of writing, and even more debating, I am really looking forward to next week's Fields in Core code sprint. Our goal is to re-organize Drupal's content APIs and data storage around Fields instead of Nodes; think of it as "CCK in core, except for the admin UI." When the dust settles, everything will continue work just as it does now, but we will have a framework in place to allow Drupal and the community to get maximum leverage from what it is best at: Adding Value to Content.

Both Drupal and Dries Buytaert have received many honors recently. As an MIT alum (6-3 '92), however, I'm particularly pleased to see both of them in the TR35: Technology Review's annual list of leading young innovators. Since I'm already 38, this is probably the closest I'll ever come to making that particular list. :-)

The TR35 appears in the current issue of Technology Review magazine (my copy arrived today) as well as online. The easiest way to see the video is at Acquia's web site.

Also staring in the video is the Most Awesome Cat in the Universe and yours truly (who is used to getting second billing to the cat).

As part of Acquia's security testing for Acquia Drupal, I've been experimenting with automated methods for detecting security vulnerabilities in Drupal and contributed modules. The time has come to report on my progress. If you want to learn more about this and are going to DrupalCon Hungary 2008, vote for my session proposal.

Data tainting is a kind of dynamic program analysis (it operates while the program is running) that can automatically detect one of the most frequent sources of security vulnerabilities: insufficiently validated user input. The idea behind data tainting is that when data is received from an untrusted source (such as GET request parameters or some parts of the database), it is marked as "tainted." Any data derived from tainted data (such as by string concatenation, passing function arguments, etc.) is also marked tainted. When tainted data is passed to a security-sensitive destination (such as the HTML response to a page request), a taint error is raised. Finally, when tainted data is validated in specific ways, the taint mark is removed so the data can be used freely.

What I am calling "Taint Drupal" is based on Taint PHP work by Wietse Venema along with some Drupal-specific customization particularly regarding the database. For more details, keep reading.

On Thursday, August 7 2008, I'll be speaking at LinuxWorld at the Moscone Center in San Francisco. My talk, Q+D7: Social Media Web Sites on LAMP: How Drupal Changes the Game, will demonstrate how to use the Drupal open source web publishing system to rapidly assemble a highly functional Web 2.0 site on the LAMP stack. I'll walk through the process of building a branded community web site using a custom developed module in PHP, along with out-of-the-box Drupal features such as blogs, ranking and promotion and discussion forums.

I am declaring a personal crusade to improve Drupal’s “Developer Experience,” which I hereby abbreviate as “DX.”