Welcome to the latest episode of On the Air with Palantir, a long-form podcast by Palantir.net where we go in-depth on topics related to the business of web design and development. It’s January 2017, and this is episode #7. In this episode, Director of Professional Services Ken Rickard is joined by Cathy Theys of BlackMesh.
Allison Manley [AM]: Hello and welcome to the latest episode of On the Air with Palantir. A podcast by Palantir.net, where we go in depth on topics related to the business of web design and development. It's January 2017, and this is episode number seven. This time my colleague Ken Rickard does the interviewing work for me. Ken was at GovCon in 2016, and was speaking with Cathy Theys, who is the Drupal community liaison at BlackMesh. She's got some fantastic information about how to get started in Drupal.
Ken Rickard [KR]: Today we're talking to Cathy Theys. We're at Drupal GovCon, which is a great event here in Washington D.C., Cathy is the Drupal community liaison for BlackMesh. Cathy, is there anything else we should know about you as we get started?
Cathy Theys [CT]: Let's see. Right, so Drupal community liaison. I go to a bunch of events for my job. I fix issues in Drupal. I had a long history of dealing with the mentor program. I tend to serve as a contact point when people have questions about how you get things done in the community or there's a tricky situation coming up, they might ask me my opinion on it, how to deal with that.
KR: I know you from the Chicago Drupal community. I know I run into you at a lot of events where you're helping onboard new Drupal developers.
KR: That's one of the things that you're passionate about.
KR: I think that's a really interesting question here at GovCon, we're dealing with a lot of agencies here who are new to Drupal. The keynote we just sat through was about moving the NIH onto Drupal for the first time. They talked about what that was like. I mean what brought you here, to GovCon specifically?
CT: BlackMesh, we're based in Ashburn, Virginia, so we're super close by, local. There's a bunch of us here, there's like eight or nine of us here, so it's really great because I travel a lot. I don't get to see my coworkers all the time, so I go to an event like this, we all get to hang out together and that's really nice. The sessions here are pretty top-notch. There's a lot of interesting topics, both for developers and for agencies. There's a really good range of beginner to advanced ones. It's really great.
KR: And I learned yesterday that I think this is officially the biggest non Drupal Con event in the United States.
KR: Yeah. We surpassed [inaudible 00:02:32] bad camps, so that's good. I want to go back to again your role in the communities to help onboard new developers.
CT: Mm-hmm (affirmative).
KR: In particular, you're a liaison to make it easier for folks to work with Drupal. Like I said, in the keynote, we were dealing with an agency coming on to Drupal for the first time. I think my first question really is, for a government agency or other organizations using Drupal for the first time, what advice do you have for them getting started?
CT: The very, very first thing, I think is important is that the agency makes sure that they have an organizational node on Drupal.org. That's just a piece of content where you can put your logo and your company description. It just allows a way of referring to yourself within the Drupal community. Drupal.org is really important for the Drupal community. It's the hub of everything and it's our central conical repository for asking questions and getting answers. So just establishing your agency is the very first thing. Then I think the next thing that's important to do, is to take anybody associated with that agency that might every touch Drupal and make sure they have user accounts. The profiles on these user accounts can be quite complex, but there aren't a lot of required fields.
It's like pick a username, give an email address, you don't even have to say your real name, but what the agency wants to make sure that their developers do, or not their developers, their tech team, right, does is makes a user account and associates it then with the organizational node that's there. That will immediately open up a lot of doors for getting information out of the community. Without that it can be really difficult to really get the most benefit out of it. Those are I think the first steps.
KR: That's interesting to me because we're making, I think we started with the assumption that you're going to have to interact with the community in order to get your project done and be successful.
CT: Yes, absolutely.
KR: What is it I guess about Drupal that makes that sort of a requirement?
CT: Some parts of Drupal are core, the central package, and other things are contributed projects, themes, modules, distributions. Then there's also custom code, the internal tech team might put together. Much of that is extremely high quality. Some of it isn't. Some of it has information about how to use it, but might be targeted towards a particular kind of role in a company. If the documentation for something is targeted toward a site builder, and you have a back-end developer trying to figure out what's going on, the quality of the project can still be good. The documentation is kind of sort of in place, but it still might be confusing if that documentation isn't written for exactly who you are. So you might want to clarify something with somebody, because when you have a chance to clarify something, ask a question, and get an answer it means that the total time that you spend trying to figure something out will be shorter. Typically, that means it costs less. I think that's really important for agencies.
They want to make that their people are very efficient so that the project can get done in a reasonable time. There are not scary reasons for needing to interact with the Drupal community. I think a lot of projects will just have questions and clarifications and very little custom code that they need to do. But they may not realize that that's possible if they're not talking to Drupalers and getting those clarifications. They might go off on a wrong assumption like, "Oh wait, this doesn't do what I want. I'm going to do a whole bunch of custom stuff." When you have the chance to interact with people, you can kind of make sure you're on the right path. You don't go down that way of getting on a custom code. You may have some and that can be really good, but custom code is very difficult to maintain. Especially if you have turnover in your tech team.
CT: And if you don't have automated tests for it, then that can additionally be complicated. When you're just getting started on a project, right, you have this clean slate. You haven't changed Drupal, you don't have any of this custom stuff. If you know that you want to limit your custom stuff, and then talking with the community can help you do that. I think one of the reasons, in addition to maintenance of custom code, one of the reasons why keeping that to a minimum is important is for security reasons. Interacting with the Drupal community can provide a really nice opportunity to make sure that your stuff is secure.
When you do have to make custom code or patch a module or whatever, and you ask the question on Drupal.org, typically perhaps an issue associated with the theme or the module that the question is about, that gets you started in the right direction. Then you may be like, "Oh. Well I think it should be like this." Or "This is the custom solution we're going to use with this." Because you have the issue, because you asked the question, then you can present the changes that you think are needed on the issue. When you do that, what you get is you get the entire Drupal community, which is quite large, I mean it's got to be, life if you add up people who contribute to contribute stuff, then it's got to be like 10,000 people, I think.
KR: Right. It's a gigantic international community. One of the advantages we always talk about with open source is essentially that none of the problems you're talking about are unique, right? Your project is special to you and it's important, but it's-
CT: And the combination of aspects of your projects could be quite unique. Individually, those have probably come up already.
CT: Yeah. Then when you post these changes on this issue where you started asking just some questions, and you have the whole entire Drupal community what you get is a chance that somebody in there might have experience with evaluating changes and their security implications. They might see your change, they could run across it, spot something, and then ... Nobody's going to do that and not reach out. The way people reach out then is a lot of different ways. It could be in a comment on the issue, it could be contacting somebody through their user profile, it could be going to look to see what company they look at and who else works there. So that ties back to this first step, right, of the organizational profile and the user profiles. I think for government agencies, security is quite often a very big concern.
The nice thing about doing this, or the opposite of doing this let's say, right? Is you start your project, your internal team you're like, "Go learn Drupal. Go do it." And they don't ask anybody questions, so they want to change something, and they keep their change internal only. Then they don't even have a chance to get this free, possible security audit. I mean it's not a formal thing, but if you don't put it out there, on Drupal.org, then you don't even have that opportunity and you're completely missing it.
KR: Right. It's worth noting for people who aren't aware. So we talked about sign up for an organizational cap, the next thing you have to do really is sign up for security alerts. Security notifications I mean, security notifications come out every Wednesday.
KR: Sometimes there's none sometimes there's several. It's worth noting that any module that you download from Drupal.org that has an official release, it's not an Alpha software, it's not a Beta, is covered by Drupal security team.
CT: Right. What that means though is not that it gets a security review before release, but that if somebody notices a security problem that they can bring it to the security teams attention, typically privately. Then somebody will look at it. It's reactive in that sense. The security team also does several proactive things, but it doesn't just be like, "Oh you can't make an official release until we look at your code." We don't go quite that far.
KR: Right. But it is nice to have that layer of accountability, so when we say, "Oh we think there might be a security issue with his implementation." You can report a security issue and the security team will have a, essentially someone who's trained in security review take a look at things. Yeah, I've participated in those issues. It's quite an impressive process.
CT: Yeah and super high quality people that have a lot of experience looking at it. I'm also on the security team, but I'm a new member. Mostly I just help other people with things. Like you asked, you're getting started, what are some of the first steps? We talked about some of the things. Making those profiles, starting to use Drupal.org to talk to people, to ask questions, and to post possible changes. I think the thing is the agency, it would help the agency take advantage of all these benefits only if they have their tech team doing this. So putting in place some internal processes that encourage this will help make sure it happens. If you want somebody to do something, you should give them an environment where it's easy for them to do it and they see the benefits from it. If you can, you make doing it part of a bigger process.
Yesterday, here at GovCon, I went to see Damien Mckenna's talk. It was called Free, Libre and Open Source Software and You. It was absolutely about this. You have an internal group, you know you should be doing something with the community or contributing, like what the heck do you do? So I highly recommend that people check out his information that's on the GovCon site, it's on the schedule for Wednesday. But there were kind of two or three important things I think that I can say pretty quickly and that is that one step to encouraging people to do this interaction with the community is just to start tracking the interactions that happen. Without necessarily asking, like setting expectations for what people should do. Every project that you answer a question on or things, like just start tracking the interaction that happens. So you can see how that changes over time. I think that's good to have in the process.
One of the ways to encourage communicating on Drupal.org about things, and have it be part of the process, is internally when you have to make a change to something is to track as part of the identifier for that change, the issue number and the comment number. You can't then internally track it as part of your process, if it doesn't have an issue and it doesn't have a comment number. So you could make some kind of standard like in your git-commit message, make sure you use this pattern in this string. Or when you name your patch file, or when you set up your composer json and you're pulling a change, that part of documenting that is the issue it came from and the comment number. Then you can't really get around it, because it's like, "Oh I can't commit it without a number." And then people do and so that can be really nice.
I think the other kind of getting started recommendation that Damien had that is pretty decent is to plan for your tech team to have 10% where they don't have to track what they're doing. So it's not like directly billable or on a particular thing that's in the current sprint, but it's just 10%. Damien says people can do things like four hours on Friday afternoon, tends to work pretty well because you don't really want to be deploying any changes on Friday afternoon, but you have these people and you're paying them to do something. So they might as well be doing something productive.
KR: Right. He's basically talking about, baking aside sort of 10% is internal training time or just community time.
KR: To get things up to speed.
CT: And for that it can help to have some sort of orientation for people. Some agencies might identify one person on their tech team, like you said, that will spend a significant part of their time figuring out what the heck this community is and being the point for communication there. If people don't have that, they might want to get ramped up by bringing in somebody for maybe a day, or two days, and be like, "This is how you communicate with the community." Because telling people, "Oh you have 10% time to do whatever you want." They're going to do things that they're interested in and probably that they kind of sort of know already. If they're like, "Yeah 10%, I could contribute to some Drupal project." And they've never done it before, and they're all on their own and they don't know what to do? The odds of them using that time for that are kind of low. Including some kind of orientation for how to do that will help make sure people can be successful when you expect them to do it.
KR: It's good also to review the types of contributions that people can make, because this is something we talk about with contributors all the time.
CT: Yeah. I switched my description of talking about who these people are, the tech team, right? Halfway through the conversation.
KR: Right, right.
CT: Because I think people have this expectation that the only people who might be doing this interaction with the community are back-end developers, or possibly [inaudible 00:17:14] femors, but that's really not true at all. It's site builders, and junior people on the team. It could be anybody because there's so many different levels of questions. It could be like, how do I use this API? Or it could be like, I'm evaluating these three modules, or it could be we have this ambitious goal for this project, can we even get it done? Those are not all the same role, but they're all on the tech team.
KR: Right, correct. Editors have questions too. We were working on a project and I had to say, "Hey I'm using the Wizzy Wig to upload images, but I can't upload files through it. So what do I do?" And the answer was, "Well we go to Drupal.org and we look around and know if there's a module that handles that." Yeah. It's a project question.
KR: And it's a technical question, but it's not a developer question.
CT: Right. I think it's nice when we're ... One of the super awesome things about the Drupal community that is a little difficult to explain to people who might be getting involved, is how thoughtful the Drupal community is. How we're always looking at the processes that we have, and can we improve them, and what happened, and what should happen? One of the ways that that can be apparent that that's part of our community ethos is that we frequently go through changes in language that we use to describe things. So that we can be usually more accurate, and also more compassionate, more inclusive.
CT: I like that when we use language that's more inclusive, we're quite often being more accurate. Like an example here at this event, and a lot of Drupal events that people might end up going to, is that we use a lot of rooms. We take over conference centers, and typically one of the areas in the past used to be called The Coder Lounge.
KR: Right, right.
CT: Over the last couple years, people in the community who may not be even involved with the camp, sort of take ownership of things. It's open source, right, you see a problem and you fix it. Sometimes people will take sharpies to signs that say Coder Lounge and they'll make them more accurate and also more inclusive, by crossing it out and changing it to Contribution Lounge, because that's what happens in those rooms. When people get together and they're like, "I had this question about Drupal. Perhaps it's an issue we might eventually need to fix something." Or, "I have a question about an issue." So the activity in those rooms is not people coding always. The people in those rooms are not just coders. You can get usability specialists, designers, all kinds of people, marketing people.
I was in Montreal recently for Dev Days, which was a Drupal event. I was in the contribution area and somebody was walking through and they're like, "I need help." And people were like, "Well what do you need?" And they're like, "I need a native English speaker." I'm like, "I'm a native English speaker." And so I started talking to them more and it turns out they were working on writing a showcase that featured their new distribution that they were putting out for Drupal 8 that is going to be kind of the replacement for commons. This person, which was like the project lead, and they had their whole team there and they were doing last minute changes to make this distribution available so a bunch of people could get a nice benefit, not just their agency.
Stated explaining to me, and I was reading the showcase that they wrote, and we didn't just end up talking about grammar and native English things. Because I'm outside to the project, and I'm not familiar with it, and I don't have any expertise in commons, I had a lot of questions. There were some wordings that they thought were clear and that I didn't think was clear. They would switch audiences sometimes, like sometimes be talking to developers or evaluators. They were talking about the community as us sometimes and sometimes the agency is us. Just because I didn't know anything about their project, we were able to work through this together. We actually had a super fun time. We were able to work through this together and come out with a much better showcase that then ended up being a featured showcase on Drupal.org.
Was that coding, in a Coder Lounge? No. Was it contributing to the success of a project? Absolutely. Was it somebody working on the computer by themselves? No. It was just me asking questions. I would read it and I'd be like, "Well what does that mean?" I didn't even have to know anything and I still helped with the contribution. So when we say tech team, it really is more inclusive. When we say contributing, we really mean contributing in the widest possible way.
KR: Yeah. It's probably good to wrap up by talking about that concept of contribution and collaboration. I mean it is one of the driving forces I think for why people, especially government agencies, would want to use Drupal rather than a propriety system. Because this idea is, if we solve this problem the first time then it can be reused. Reused by other people.
KR: For example in Australia, the Australian government has a common Drupal distribution that all agencies can use to kick start their projects. Sort of a fascinating piece. A lot of the stuff that we've been talking about here is around baking that knowledge into your project. Making sure that your project is planned with these interactions in place.
KR: What I'm getting at a little bit is are there parts of your project that you don't want revealed immediately? Is that you need to be planning for? Because sometimes there is proprietary business logic or-
CT: Yeah absolutely.
KR: Or secret things. So do you need to be planning out like, this is release worthy. I'm thinking of an example from the White House. The White House, for example, very specifically released certain code when they did their big WhiteHouse.gov project.
KR: So is that something that sort of project managers ought to be thinking about upfront?
CT: Well you definitely can't just release everything. Perhaps including a little bit of research into the project as to what the common best practices are, and how people make that decision, and being able to spend some time educating your team is good to build into the project. Doing that, when you do decide to keep some things private, doing it with the understanding of the costs of that and the repercussions. It can still be the right decision to make, but you would want to do it with the knowledge of what's going to happen because of that. Like you are solely responsibly for maintaining it. You are going to need to invest more money in doing maintenance and security, and all these other things. It can still be the right decision, but it's going to affect the project differently.
CT: Even if you make that, it's still good to understand what the benefits would be if you did release it, so that you can understand what the cost you are incurring are when you don't.
KR: Sort of as a wrap up, is there any sort of last pieces of advice you have for people getting started? Like the best thing you've ever done or that sort of one special thing? Maybe, I mean what's the best way to approach the community? It might be a question, like you've never contributed before, you have a question, I don't know.
CT: So the best way to do it, is to start digesting the stream of information that's coming out of the community. Pick your favorite medium, I really like podcasts, there's Drupal Planet RSS feed, that aggregates blog posts and announcements together. Many camps record and publish, for free, their sessions. If you like to watch something, listen to something, or read something, like pick whichever one those are, and just time box four hours or whatever, over a couple days and be like, "I'm going to learn something about whatever." Because whatever information you're looking for it's out there. People communicate really, really well in the Drupal community. The one thing I want to add, when we talked earlier about first steps, and we talked about making user accounts and you mentioned signing up for security email lists. The way people do that is in their profile.
CT: You can subscribe to the security announcements via their profile. Profiling is super important.
KR: It is super important, because it's the way that we do communicate. I want to thank you for spending the time with us today. You've been really fun and informative.
CT: You're quite welcome. It was nice.
AM: Thank you Ken and Cathy. If you want to hear past episodes of On the Air with Palantir, make sure to visit our website at Palantir.net. There you can also read our blog and see our work. Each of these episodes is also available on iTunes and of course you can follow us on Twitter, @Palantir. Thanks for listening.