Forum OpenACS Q&A: Advice to ACS newbie wanting to do the problem sets, learn ACS

Situation:

Person coming from windows background discovers and devours P & A
Guide to Web Publishing (i.e. The Book).  Goes to Arsdigita.com's site.

Browses through problem sets.  Decides it looks like working through
problem sets to learn how to develop dynamic web sites and other
useful (and hopefully marketable) IT skills would be a good idea.

Might want to develop web sites for small businesses and non-
profits.  The person looks forward to learning *nix, databases,
programming, XML, and lots of other good stuff.

Reads documentation and forum threads.  Notices several broken links
and that the software versions recommended are dated.  Notices lots
of stuff is circa 1999; wonders what would be the advice **today** --
and will they still be able to work thru it today as a "home study
student" without having a Linux guru handy.  Notices lots of problem
set related forums are inactive.  Wonders about the best sources of
help.

Wants to select a good version of Linux or another OS to learn *nix
and work through the problem sets with -- but cringes at the errata
list for RH 6.2 -- and notices some links for security fixes on
Redhat's site for 6.2 don't work.  Wonders how to make RH 6.2 secure
if the download links for security fixes don't work anymore.

Thinks Yikes!  Crackers!  I want a secure box that's not easy to
compromise!

How best to set up a Linux box to learn *nix, ACS/OpenACS and work
through the problem sets?

What versions of what software to use in December of 2001?

Learn ACS and Oracle or OpenACS and Postgresql?

Which OS and version will be good to learn on?

Can one work through all the problem sets on OpenACS?  Which set?

What is your advice and counsel to such a person?

Would you even recommend this course of action or another?

OS: RedHat 7.2 (because it's as good as anything else and most popular which means that you have the greatest chance to find the software/help from other people on the net).

If you don't want your box to be hacked, don't plug it into Internet or run behind a tight firewall e.g. in a hardware router with NAT. Really. If you don't have the expertise to secure your box then don't take risks or acquire the expertise.

If you just want to learn *nix, databases, programming, XML then expect to be a beginner after 5 years of hard work (http://www.norvig.com/21-days.html). In other words: don't expect anyone to give you reasonable advice on achieving such broad goals because there is none (except maybe: work hard, read books, program a lot etc.). If you want reasonable advice set reasonable goals.

Whether you'll use PostgreSQL or Oracle, RedHat 7.2 or FreeBSD, ACS or OpenACS doesn't really matter. Just pick one and run. Fundamentals are important and they are the same. Details like difference between rpm or dpkg are not important. For learning all those choices are good.

OpenBSD 3.0.  Best thing about it?  Secure out of the box.  Second best thing about it?  Documentation that is actually accurate, and useful - which is better than you will find for Solaris or Linux.

Postgres - easier to administer, takes less system resources.

OpenACS 3.2.5 to start, then when OpenACS v4 comes out jump to that.

I've read several posts declaring that it was the existence of "step by step" online help/guides -- that specified particular versions, software and locations with links -- that enabled the poster to get ACS installed, learn what they needed to produce useful sites and succeed with ACS.

I think, for the community to thrive and grow -- with the enthusiasm regular infusions of new blood provides -- that there needs to be the same sort of step by step detailed guides for newbies now as there was when RH 6.2 was current.  One for each platform known to work be it RH  7.2, FreeBSD, OpenBSD Potato or whatever.  A guide someone new to *nix could sit down with and, assuming no incompatible hardware, follow to have a working Open/ACS system to learn and grow on.

While it's true that "you can just use whatever you like" and "lots of folks use RH 6.2 in production just fine", things are not quite so easy for a newbie.  Take RH 6.2 for instance.  The newbie will install the base distro -- then be faced with applying all the patches before they get rooted.  Quite a task for a newbie to even get to the point of being able to do useful ACS stuff.  For someone who has applied the patches over time, no big deal.  It is a big deal for a newbie starting from scratch with the base distro.  If there were a distro consisting of RH 6.2 with all patches applied and an up to date 2.2.20 kernel -- along with RPMs of the other packages needed for OpenACS, then "use this/our distro based on RH 6.2" would be OK advice for newbies IMO.  But such is not the case today AFAIK.

I wish I had the time and expertise to produce the above.  Because I would.  Lacking the existence of said newbie resources, I think it would be quite helpful -- and in the community's benefit -- for current documentation to be at least updated with an eye to current versions and platforms that work -- and preferably enhanced to be more like the step by step guides of old geared to newbies working through the home study course and problem sets.

It's these newbies that will grow into producing and enhancing new ACS packages/modules.  IMO, this community could really benefit from having OpenACS specific problem sets for working thru similar (or even the same, updated) learning task as existed in 1999 for Classic ACS, but dealing with Postgres instead of Oracle.  The old problem sets have links to resources that no longer work.  Not good for newbies.

Again, I want to be able in good conscience to steer newbies to Open/ACS; but need to both know what specific advice to give as to what platform to get started with and know there are enough workable learning resources for them to sink their teeth into and learn how to develop useful communities and sites -- very similar to what one would learn working thru the Classic ACS problem sets in 1999.

Thank you for your input on this,

Louis

The kind of documentation you mention exists, it's just not in the
most intuitive place at the moment.

Initial drafts of installation guides for several different platforms
can be found at new-file-storage (https://openacs.org/new-file-storage).  This is not the end location for this type of
documentation, just a working repository until OpenACS 4's
docs get formalized.

Enjoy,

OS: RedHat 7.2 (because it's as good as anything else and most popular which means that you have the greatest chance to find the software/help from other people on the net).

If you're in Europe, I'd make that SuSE. At least at one point in time, they were outselling Windows in Germany.

Why do people keep perpetuating the myth that xxxBSD is secure out of the box?

NO distribution is secure out of the box.

I don't think that ACS/OpenACS is a good platform to learn. It's way too complex and learning curve is too steep. It's a good platform to build sites if you have a lot of experience and/or are ready to bite the bullet. I can imagine that a newbie might get to the point of launching the default site following step-by-step guide but:
  • he won't learn much in the process
  • he won't be able to do anything more than that (and become frustrated as a result)

While psets are useful, don't make it sound like nothing can be learned without them. They are just problems to solve with some tool specific hints about how to solve them. If one really has no idea what would be useful to do, it should be possible to solve pset problems in just about any web server that can embed some scripting language and talk to a database.

Maybe OpenBSD's motto "secure by default" has something to do with it.
Yon, I think you're going to have to support that claim about OpenACS not being a good platform to learn. Of all the platforms I've worked with, it's one platform where there is a lot less "voodoo magic" going on than on many other platforms.

I think, in general, learning how to build good db-backed web sites is tougher than most people have made it out to be. It's not as hard as, say, building an RDBMS, but it's harder than writing some HTML, too.
OpenACS is not perfect by any means, but I've found that most tools that are simpler to use than OpenACS are tools in which one builds systems that are not efficient, make poor use of the database, or later cause huge architectural problems.

But maybe you had something else in mind...

Hi Louis, I find myself in a similar situation to yours, coming mostly from a Windows background (though I've touched a Unix shell at school and done some simple web/db stuff on the Mac) and having discovered and loved to read P&A's guide. Though I've been in love with Java and created xml handling servlets for web projects it's been refreshing to see the perspective that Java isn't ideal for web development, though I still keep a positive eye on Cocoon for web publishing.

Regarding how to set up a secure Linux box to learn U*ix, a short account of my adventures may be helpful:
Last spring I decided to put an old pc to use as a firewall and router for my home network, I'd never installed Linux, but I did know that it was good for that purpose. So I grabbed .iso images with the most recent RedHat version from a local mirror (then it was 7.1, have upgraded to 7.2 since) and put them on plastic, and found almost everything I needed in the Home-Network-mini-HOWTO, though the RedHat manuals were also helpful. This howto covers RH6.X, and as I wanted to utilize the stateful firewall capability in the 2.4 kernel I skipped chapters 3.4 and 4 in that howto and instead consulted a good Linux 2.4 stateful firewall design tutorial. There I learned everything I needed for setting up my firewall except how to do port forwarding (NAT) to services within my LAN, but Linux 2.4 NAT HOWTO helped me on that.

Having been a Java for everything kind of dude I was first attracted to Tinman but the Oracle dependency makes it an impossibility for me, so I've been lurking on this site for a while (this is my first post :), have been more interested in starting with OpenACS 4.x rather than 3.2.5 (just for the sake of investing time in the newest of what is new for me anyway) but haven't yet been brave enough to dive in and try to get a clear picture of the system from its sources, being a caveman that needs to RTFM I've been holding my breath for some official 4.x documentation and meanwhile focused on my daytime job as a Lotus-Domino whore. Well, it's not entirely true that I've been holding my breath, I've spent some quality time with PostgreSQL and its excellent documentation (running it on that same ole' firewall pc). Though I'm aware of OpenACS 4.x Installation and Testing (under Red Hat 7.1) and Brief OpenACS 4 Installation Guide I feel a need for some documentation that gives many sized pictures of the system and how its parts fit together and where I come in customizing it (and maybe even contributing to it), and I understand that something like that is on its way. I did have a look at the ACS 4.x documentation and it seems to give a good insight to that system. Does it help understanding OpenACS 4.x to read this, or does it just confuse?

Hey Louis, I was in your position almost a year ago. I started off at ArsDigita.com, and came from a windowsish background. After reading Phillip and Alex's book, and finally getting the ArsDigita pun (I'm not into music or history or latin) I started to mess around with ACS (1999 was fairly recent then, and PGSQL wasn't in a state that I considered reliable enough for my goals).

Anyway, the point: By installing on various platforms with various walkthroughs I was able to learn only what was missing from X walkthrough at a time. Most I have learned about Linux, I have learned from trying to get Oracle to work on my RH-7.0 box.

If you want to learn SQL or run a site right away, then advanced walkthroughs are what you need, at least until something goes wrong. (Like me sitting in a new house with a Duron 750 and a Zoot CD, and not knowing how to properly recompile the kernel so it works with my chip.)

However in light of your post I have come to think that if the newbie community grows, it may be nice to make a newbie section in the discussion forum, and even some newbie docs on the web site.

Good luck Louis, and I hope I will be able to apply whatever knowledge I gain/have gained to helping you out with the OpenACS.

Per Yon's comments:
(not a criticism or debate, Yon, just a reply)

**********
While psets are useful, don't make it sound like nothing can be learned without them. They are just problems to solve with some tool specific hints about how to solve them. If one really has no idea what would be useful to do, it should be possible to solve pset problems in just about any web server that can embed some scripting language and talk to a database.
**********

What I found most useful about the problem sets was the suggested/required outside reading included with the "task to do".

This solves the very big problem of knowing how much of what to study in what order.  As Phillip has stated in his other writing, the way computer subjects are usually taught is for the student to spend a semester in subject A, then a semester in subject B, and after 2-3 years of this start to put it all together and hope not much was forgotten.

I think Phillip's approach is superior.  As we all know, there are just way too many topics making up what a well rounded developer needs to know to be proficient.  By definition, newbies are not able to correctly guess/know how much of which subjects to learn in what order.

FWIW, I think the problem sets did a WONDERFUL job of seasoning the lessons/task with outside reading with, as far as I am capable of telling, JUST the right subjects at JUST the right depth and detail that encouraged JUST the kind of thinking and questioning in the learner's mind so that they "got" the gist of what was beneficial to know at that stage of their learning.

I think Phillip was masterful at this.  Phillip would even say something like "skim this for now and then come back to it later" or "this is a good reference" -- letting the learner know what to study like a subject in school vs. what to become familiar with and have at the ready for reference.

A lot of his stuff were (and still are, IMO) exceedingly good introductions to subjects and topics that left the reader with not only a great conceptual framework, but also the benefit of many lessons learned by hard won experience.  As a bonus, he made it both entertaining and engaging to read, too!

After all, isn't that one of the primary things this very forum does for many here?  Saving us from wasting time by sharing the benefits of our relevant experiences?  Heck, that's the purpose of lots of online communities.  As an example, think of PC tech sites like 2cpu.com, amdmb.com and arstechnica.com where folks in the forums share what components/cards work in what motherboards with what driver software to install -- and avoid -- to get their PCs running as desired; stable or over clocked.

People can then spend that saved time and money productively bearing fruit rather than tilling the same ground.

Where would society be if we all had to reinvent the same wheels and learn the same lessons?  I'm NOT saying there is no need to learn the lessons one learns by experience.  Heck, now I can usually figure out what the problem most likely is before I even look at the code due to my experience doing maintenance work on very large old very patched up systems for so many years when some bug rears its head for me to squash.

Think of the problem set zeros some folks put together.  Just what someone needed to know and familiarize themselves with before boot camp.  Maybe I look at the problem sets as a whole as "problem set zero for one's first "real" production DB-backed website/webservice".

Heck, being a mainframe programmer/analyst for going on 13 years, I'm under no illusions of an easy "cook book" approach to guru like status as a web services developer.  However, I am today and have been for many years perpetually blessed by the fact that when I started I had formal training classes (was #1 in the class, BTW) at work and mentors to guide me in the basics I needed to know instead of being left to flounder.

The company I started with developed their people expecting *at the time* to enjoy the benefits of their increased productivity for 2 or 3 decades; so it made sense to make sure everyone got a good grounding and help to minimize the "wash outs" who could have made it if only they had some guidance and help in the beginning.

Just like what would benefit this community by not losing newbies who "could have made it" and become productive contributors of the community if only they had had enough help and guidance in the beginning to get them over "newbie hump" with all the new stuff they have to learn.

Detailed guidance and how to's would help greatly, IMO.  People's lives clamor with so many competing interests that anything we could do to give folks an edge to stay the course until they overcome "newbie hump" would work wonders for community growth over time, IMO.

Heck I recall it took 14 months after I started before the "buffer overload" ebbed away and another 3 years before I was pretty much "fully qualified" -- and I was told by several in my work group that they never saw anyone come along as fast as I did; was told I was performing like someone with ten years of experience after 4 years, so I'm no duffer or lazy learner who wants it all handed to me.

I'm under no illusions of "quick senior level knowledge" without the benefit of years in the trenches; I know that following an install how to and doing five problem sets and some outside reading do not an expert senior db-backed web developer make.

The folks at the company I started out at in IT knew what ALL new programmer/analysts needed to know -- how much of what in what order -- and also what they didn't need to waste time becoming expert at, too; just like Phillip and the senior folks here.  IMO, THAT'S the value and immense public service Phillip's writings -- including the psets -- and sites like this provide.

I'm hoping what has been produced so far does not fall into drab disrepair and become an online shanty town, but is rehabbed, modernized and brought up to code (pun intended) -- because I think what Phillip and this community has produced in the past -- and this community itself -- is worth it.

Sincerely,

Louis

Ben, what I meant is that no complex platform (which includes, but is not limited to, ACS/OpenACS) is a good way to learn, at least not from the point of view of a newbie. It's because the combined complexity of *unix, managing AOLserver, managing postgres, knowing Tcl and SQL etc. is way beyond what I expect newbie to master in a short period of time. If someone doesn't know what upvar in Tcl does or how to write join in SQL then it's hard to expect that he'll understand a complex system like ACS.

What I would consider to be a good learning path is to first get reasonably good with SQL by playing with just the database, get reasonably good with Tcl/adp by playing with just AOLserver, then get a grasp on basics of HTTP like cookies and headers and only then start playing with systems like ACS that combine all of the above in a quite complex way.

I didn't mean that there is any other similar toolkit that would be better but that a newbie should do things step by step because a complete toolkit (any reasonably featureful toolkit) is probably more than one can bite at a "newbie" level.

Yon,

I see, that makes sense. I'm wondering where the happy middle-ground is. Playing with a large setup like OpenACS may indeed seem daunting to a user starting out and doing OpenACS bottom-up (starting with Linux and installing everything). But playing with individual pieces may not be all that exciting. The really exciting part for people who try out AOLserver, for example, is when they realize they can do some powerful stuff in 10 lines of code....

I guess that, to catch a new user's attention, it's nice to have an entire system easily installable as an RPM (or other package), allowing people to try out the full power of the system in a few lines of code...

But I think we're in agreement overall!

Agreed. In theory you could have a few kind-of-psets as described by Louis that would take someone from the point of having a vanilla OpenACS site running to "a few cool things that can be built with ACS fairly easily". If well done such document could be very useful for novices (for the reasons given by Louis). But such document is purely hypothetical beast at this time and "well done" is not easily achieved in practice.
17: Just Do It (response to 1)
Posted by Stephen . on

The thing I got out of boot camp is a new style of learning. Just sit down and do it. Don't think about doing it, don't ask someone else how to do it, don't make a thorough examination of the literature for 3 months before doing it.

Place a Linux CD in the drive and install, you don't need your hand held. In this day and age, it's even easy. Install AOLserver. You may run into some problems, but you'll learn a lot. Start the psets.

It will be frustrating as hell because you don't know how to use emacs or vi, you don't know Tcl or SQL, you don't even know where the log files are. But you'll figure it out, you'll understand how it all plugs together, and you'll never forget. And let's be honest, it's not rocket science. What we've covered so far will take hours, not weeks.

There are 3 psets, taking 3 weeks (unless you have a life...). You don't install the ACS until week 2, you don't use it for real until week 3. When you've finished you will be able to build any site you can see on the Internet, so the saying goes. I think that's still largely true. If you look back you'll be amazed at what you've achieved in such a short space of time. If you look around you'll see that you know more than most out there.

You should be glad that the psets are a little out of date! It will give you the opportunity to find out where the Oracle and Postgres documentation is, and how to use it. To build anything real, you're going to have to do this anyway. Don will be sending you an email about porting soon...

If you get cracking, you'll be done by the new year 😊

(http://philip.greenspun.com/internet-application-workbook/)

18: Reference Implementation (response to 1)
Posted by Tapiwa Sibanda on
I remember seeing this presentation on the aD webpage sometime ago.

Does anyone know what came of this?? Maybe we could borrow a few ideas.

Docs on how to get this "reference implementation" as they called it would go a long way to helping us newbies get up to speed with the ACS.

All the great things (games?) have an easy mode (chess, baseball, soccer) and almost anyone can take part. If you are really serious though, you can dig deeper (grandmaster, world cup etc). I think if we all think of the greatest games/tools, you could get involved in a couple of hours. If you were committed, you could eventually be miles ahead of the competition.

Striking this balance between ease of use and power will not even happen overnight, but is where we should be heading.

re: NO xxxxBSD is secure out of the Box.

Disclaimer: I'm an OpenBSD developer

I think we (OpenBSD) are pretty close. We've been 4 years without
a remotely exploitable vulnerability in the default configuration
(ie - out-of-the-box install). That means none of our last 8
releases have fallen to an out-of-the-box vulnerability.

As for getting OpenACS running on OpenBSD 3.0, that's one
of my Christmas projects. I'll let y'all know.

I have OpenACS running on OpenBSD (2.8 with a recent make world).
I should have the source and everything cleaned up in the next few days.  If you're up for making an aolserver and openacs port for OpenBSD I'd be more than willing to help out.
My intent wasn't to start another Flame fest. I have stated many times that openBSD is an excellent system and is secure.

Can it be more secure? Surely, as people add non-core (audited) software any other vulnerabilities arise. Add an ftp server and you can have the most secure box in the west and now it isn't.

I also didn't say xxxBSD wasn't secure, I said NO distribution is secure out of the box, and anyone who relies on someone else to secure their box is asking for trouble.

Posted by David Cohen on
Hey, Louis--you want a clue how to get started? Why don't you check out my "Advice for Bootcampers and Other Beginners" and "Problem Set Zero" and the like? After all, I basically wrote them for you.

The docs are all here.

While some of it is, no doubt, out of date, most of it should still be quite useful in orienting you. Enjoy.

Thank you for pointing out the link, David.

Thanks to everyone here!!  I really want to see this community flourish.  Being newbie friendly is a great way to help things flourish, that's for sure.

Take care everyone.  Looks like this thread can become a good reference for folks going forward.  This is great!

Louis

Louis asked me to respond to this, so I'm respond...

The main things that computer programmers have to learn in order to become Internet application developers are (1) concurrency control (RDBMS programming and SQL), (2) data modeling (SQL again), and (3) page flow design (user experience).  The old 6.916 problem sets were an attempt to teach these things as quickly as possible and also introduce ACS, which the students would be using immediately afterwards as a substrate for their projects.  I still think that these psets are fairly effective on a per-student-hour basis.

If a student were setting everything up him or herself and wanted to learn the preceding concepts plus some of the details of ACS, I guess I'd recommend (a) Linux (I'm not qualified to say which version is best but I'd want one with a journaled file system), (b) PostgreSQL (easier to install and maintain than Oracle), (c) OpenACS 4.x (vibrant developer community of whom questions may be asked).

I think it may be a problem that nobody in the OpenACS world has picked up the old psets and edited them so that the step-by-step instructions work with PostgreSQL and OpenACS 4.x.  Learners always get stuck on the trivial stuff, e.g., finding the error log in the file system, rather than the slightly deeper stuff, e.g., interpreting the contents of that error log.

Thank you very much, Mr. Greenspun!

Take care and absolute best wishes to you and yours,

Louis

If you are concerned about security there is a good book that guides you through how to set up an intranet using secured services (Apache-SSL, PostgreSQL), etc. with Red Hat 6.2. The new version of this book is written for version 7.1/7.2 but they only released the book under GPL licence only after it has been for purchase for a while (hope that time will come soon :)). Hope this link helps

http://www.openna.com/products/books/securing-optimizing-linux/old.htm

With regards to Philip's comment: I'll have to rewrite the PSets til end of March 2002, as my students are going to be taught OpenACS 4.x after that time (currently they learn on ACS 3.5). For me to do this though I first need to dig a little bit deeper which will take time, so if anyone else wants to help ....
For tcl, postgres, aolserver, linux etc. specific questions, it seems other sites specializing in those specific technologies best address them.  For example, the most obvious place to find answers to linux security issues is to discuss it at linux-centric websites.  OpenACS needs to focus on its own technology and how it integrates with other technology.  With that in mind...

Philip Greenspun has identified my current problem: "PostgreSQL and OpenACS 4.x. Learners always get stuck on the trivial stuff, e.g., finding the error log in the file system, rather than the slightly deeper stuff, e.g., interpreting the contents of that error log."(Greenspun).

How does the OpenACS installation architecture differ between Oracle and Postgres installations?

More specifically, Where is the openACS installation architecture described for a postgreSQL-OpenACS4.x installation?

For the record, I have been RTFMing at https://openacs.org/doc/architecture-install.html and https://openacs.org/doc/installation.html documents as well as the others listed in this thread and other threads/forums... and references to 4.x documentation at the bottom of the 3.x docs at https://openacs.org/doc

Our new documentation is under construction.  There's already a new installation guide that's up on a private server with comments enabled via loquacious.  Things aren't quite far enough along for those working on the docs to feel comfortable opening up things for free-for-all comments from everyone yet, but they'll get there before much longer, I think.  Not until after the upcoming holidays are over, of course.

If you're interested in helping out by writing documentation, e-mail Roberto Mello and Vinod Kurup directly (just search for them here, they've both posted a lot and I'm too lazy to look up their e-mail addresses for folks).  As soon as the New Year's post-party haze has lifted I'm sure they'll be willing to incorporate you or other volunteers into the process.

If you don't have time to help out directly by writing, you'll have the opportunity to comment on the docs directly relatively soon and that, too, would be a very big help.

Hello Torben,

Thank you for sharing your thoughts.  I would like to respond; not so much in the spirit of debate as just sharing my point of view for you and others in the community to consider.

Of course the RTFM approach *does* work.  However, I think there are several drawbacks for BOTH the newbie AND the community.

First, as I understand it, one of Mr. Greenspun's objectives with the "home study course" and problem sets was to expose the newbie to JUST the amount of *nix, database, scripting language, SQL and whatever else they needed *at that level of their expertise*, while stretching them and letting them learn how to find out more.

IIRC, I read something to the effect that Mr. Greenspun felt this was superior to the usual approach of spending a semester learning X, then Y, then Z then finally getting around to developing a web service.

With newbies, they don't know how much of what they need to learn at the early stages.  This is the main problem.

They risk getting side tracked for too long -- and in the wrong areas.  They also risk getting "lost" to the community since life is so busy and so many things in the open source world are competing for their attentions besides the need to RTFM X dozen times before they get to the point of having positive reinforcement for their efforts.

Let's say that by taking the RTFM approach, a newbie -- who keeps at it -- takes an extra 1-3 months to get productive.  Let's say in that time they could have gotten another site up for someone if they had better, up to date and security minded step by step guides for newbies when they started.

By the time 1000 newbies take this path, there would be another 1000 openACS sites out there providing POSITIVE PR for the community.  This is one of the things I had in mind when I talked about such up to date documents helping the community thrive.

Furthermore, let's say the newbie, being new to *nix -- let alone *nix security -- just takes the RTFM approach and "just does it".  They install RH 6.2 for instance.  Heck, that's what the docs say to use.  They even apply some patches.  At least the ones they THINK they need.

Not having been burnt yet, they don't really appreciate the need for great security yet.  Even if they did, they wouldn't know how to go about installing and configuring things securely.  THAT'S the point.  Sure, they can get there if they just RTFM -- eventually.  Eventually sure can be a long time for a newbie when it comes to *nix security.

1000 newbies do this, put up 1000 OpenACS sites that give the community a black eye in the minds of others as being software that's "not secure".  That's how suits and non geeks think.  Saying the newbie is at fault and didn't know what they were doing would be moot at that point since 1000 potential paying customers who might have needed to hire OpenACS skilled people would have already decided not to use OpenACS anymore.  1000 organizations the newbie "helped" now swear off OpenACS.  They choose some other software for their web/net needs.  1000 potential jobs for someone with OpenACS expertise just went bye bye.

How different it might be if the newbie has an OpenACS "distro" / ISO that allows them to set up and offer OpenACS on top of up to date securely configured software foundation consisting of securely configured and installed Linux, or *BSD.  Because the newbie didn't start out with up to date securely set up software, the above IS a risk -- not just to the newbie but to the impression the public will develop of OpenACS.

Sure, there are very experienced OpenACS community members who would have no trouble setting up secure web service installations for folks.  But for any community to thrive, new blood and new members are needed.  This is what newbies are of course.  Why not help them not to bleed so much when they get started?  Why not do so by helping the newbie out with either step by step guides and/or some *nix and *BSD "distros"?

Sure it's not the fault of OpenACS software if the next 1000 newbies botch the web services they do for the next 1000 organizations.  It's the fault of poor system administration.  My point is, why not take the risk of the community getting BAD PR away by having up to date documentation that incorporates GOOD security practice/installation/configurations using up to date *nix like recent Linux, FreeBSD and OpenBSD versions?

This would help the community in getting GOOD PR in this post 9-11 more security conscious age by helping newbies set up web services using OpenACS based on secure implementations/configurations.

My thinking is it not only benefits the next 1000 newbies -- it benefits the next 1000 opportunities for the community to get GOOD instead of BAD PR in the minds of those making decisions on what software to avail themselves of -- and hire folks to provide and maintain.  Since OpenACS is not a monopoly, of course, this seems like an important consideration to me.

Basically, IMO, what's needed is something much like the old "home study course" and problem sets based on up to date software that community members having security expertise have "blessed".

Something a newbie can sit down with, follow and have at least all the software installed on a box they can hang off their internet connection and NOT get rooted or otherwise compromised.  Something they can then go on to install on a client's server and then "customize" for the client's needs.

THEN, thanks in part to the efforts of the next 1000 newbies armed with their OpenACS distros, we might see more and more demand for OpenACS expertise in addition to good PR that OpenACS not only does the job but gives the suits and non geeks "warm fuzzies" in the area of security -- a big selling point going forward, IMO (that's NOT going away).

I think basing the community's documentation off stuff like up to date Linux, FreeBSD and OpenBSD versions would help.  To me, telling some newbie to just RTFM and get a stock RH 6.2 distro and apply the patches (lots of lots if you haven't checked recently) then download Bastille and follow that borders on the type of hazing some frat would do.  And if the newbie gets rooted and their OpenACS web services they do for some local organization for "gratis" since they are learning gets a black eye due to their newbie ideas of what constitutes OK security, the community loses instead of gains.

Better to have an OpenACS distro of Linux, *BSD or whatever for the newbie to have a secure set up after installation IMO.  This would benefit the community as well as the newbie.

The next 1000 newbies ARE going to wander thru here.  Disregarding the benefit to the newbie, the question is how much benefit is the community going to derive from their 1000 journeys?  I think having up to date docs with up to date software with step by step instructions leading the newbie to at least have a secure setup after installation would provide a lot of good PR for the OpenACS community -- and eliminate the risk of unjustified blame and bad PR in the minds of others who make decisions on which software to use for their web services -- OpenACS or something else.

Best Wishes and Happy Holidays to everyone,

Louis

Don,

Thanks for the update.  We were posting at the same time.

Happy Holidays and Take Care,

Louis

P.S.  I hope Santa is good to everyone!

Hi Don and Louis,

Sorry for the delay... I forgot to click "Notify me of new messages" on this thread. [Is there a way to be notified of all messages all threads automatically? I like information overload]

Louis, your thoughts are right on the button of mine --exactly. I was just about to post a draft OACS infrastructure schematic, but thanks to Don's message, I'll contact the "dockeepers" and see if I can help accelerate the docs.

holiday cheers to you and everyone!

I should have known better than to ask about auto alerts all forums. I found the link... I may be slow at this, but gaining speed.... ;D

Actually, interface-wise, it makes sense for you to automatically receive email notifications for a thread you've posted on. Or at least to give the user that option explicitly. It's how I would customize the bboard to work.