Why Tendenci doesn’t support epub uploadS through the standard ui.
We love knowledge and knowledge sharing. And all of us read a lot – more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First understand you have TONS of options to achieve your business goal and keep your site secure.
Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.
Selling ebooks? Look at Amazon or Shopify or google it for tons of options. Even if the books are free, “selling them” on shopify will give you analytics and insight into consumers who are interested in your topic because they are being delivered to people next to other books!
As for the upload restrictions in Tendenci, here is why we are cautious:
While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But to do so your network administrator will need to do it for you for security reasons. The reason is that epub and mobi files can contain viruses or malware just like many other file formats (*cough* “Adobe flash” *cough*).
A book can have a code example. Depending on how your browser or e-reader “reads” that code example it may or may not execute the code. And that may or may not be malware. Typically the code itself would not be infected and would pass a virus scanner. Rather it would call another site and download a virus from that alternate location.
Two screen shots from the epubzone.org site are pasted below.
To be sure I love learning sites that have code that I can use to learn with in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epubs or mobi given the millions of people who log into hundreds of open source tendenci sites hosted or in the wild. We are just cautious.
And again – there are alternatives.
Upload it to a different location and link to it <– RECOMMENDED!
Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? <– NOT RECOMMENDED
PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.
Stop using URLs without the www or some other prefix. They are not your canonical domain (so sayeth Google) and in fault tolerant networks they aren’t scalable (so sayeth Amazon and every other cloud provider.)
In the old days we had physical servers with specific IP addresses and the server routed a visitor to the correct site. Ah, the good old days. Now everything is flipped. In the cloud we use multiple smaller virtual servers and your web site can literally exist in different places at the same time. That means your IP address can be different at any moment.
So without getting too much into the cloud magic, one thing it does require to help future proof your site is for people to use a “real” URL for their website.
WAIT! Chill out, it’s not the end of the world. It’s not like https://tendenci.com doesn’t redirect to https://www.tendenci.com – no need to change your business cards or letterhead. But your “canonical name” includes a hostname (the “www” or “intranet” or “webmail” parts of the name.)
What you do NOT want to do is insist on blah.blah because it will, I promise you, come back to hurt you in the near future. It’s the Internet – things change. So we change with them.
Let’s assume a user is navigating to your website www.acme.com. However instead of typing www.acme.com, they only type acme.com. Time to get a little technical. Hostnames are connected to a DNS based CDN like Akamai via a CNAME, which is a type of DNS entry that aliases the IP address resolution of one hostname to another hostname. For example www.acme.com could CNAME to webserver.acme.com and when resolving www.acme.com, DNS would follow the resolution chain of webserver.acme.com. For a fully qualified hostname like www.acme.com, you create a CNAME that will resolve to a hostname your CDN controls, which intern directs users to a CDN server that will serve your user. However it’s not possible to create a CNAME for a root domain like acme.com. It must have an A record, which resolves to an IP address. To get around this, many websites resolve their root domain to the IP address of their origin, and then have their origin server perform a HTTP redirect to their www hostname. This is another place your Origin can be revealed.
Can we hack a work around? Yes, in fact many clients still have “A” records that point to an IP address. Just know this is a case of “you’re doing it wrong.” Your registrar should do the redirect to a FQDN like www.tendenci.com and then have a CNAME record for it. It’s the future. And I’m just the messenger.
While these systems make it more convenient to develop and distribute content, they cause some challenges when people use search engines to reach your page. For instance:
Consolidating link signals for the duplicate or similar content. It helps search engines to be able to consolidate the information they have for the individual URLs (such as links to them) on a single, preferred URL. This means that links from other sites tohttp://example.com/dresses/cocktail?gclid=ABCD get consolidated with links tohttps://www.example.com/dresses/green/greendress.html.
Tracking metrics for a single product/topic. With a variety of URLs, it’s more challenging to get consolidated metrics for a specific piece of content.
Determining the URL you want people to see. You prefer people reach your green dresses product page via https://www.example.com/dresses/green/greendress.html rather than https://example.com/dresses/cocktail?gclid=ABCD.
Addressing syndicated content. If you syndicate your content for publication on other domains, you want to consolidate page ranking to your preferred URL.
To address these issues, we recommend you define a canonical URL for content (or equivalent content) available through multiple URLs.
The good news? By fixing your DNS to NOT use the apex domain your web site is ready for the future and more fault tolerant today. It’s a good thing.
Why do we point out all of the ways to copy your Tendenci site (or most sites really)? Doesn’t that make it easier to leave?
Yes. Yes it does. BUT people rarely leave. Or if they do, they typically stay on Tendenci and self host. They’re still part of the Tendenci community which helps us all.
Another reason we promote exports and offsite backups is because we know the more freedom you have, realizing you have that freedom especially on the Tendenci open source platform, makes it less likely for clients to leave.
Think about it. Why would anyone who actually understands their product is open, does far more than other options, is lower cost, and they can self host if they want… why would that person make the decision to leave? It’s illogical.
I mean, who wants to be the President of an Association that takes it backwards in time to proprietary technology or an older open source software built on an unpopular programming language? That’s not in the best interests of the association long term.
Popular programming languages means more coders for open source projects written in that language. And more capable people to modify and customize your install if you choose.
One of our goals is FREEDOM from the tyranny of per-user-licensing, proprietary products that want to own YOUR DATA, long term contracts, sites that post your events on THEIR site so if you leave then the history of that event is gone in the blink of an eye. Companies don’t own your data and they shouldn’t trap you.
A Longer Explanation for those who like knowing all of the details. Because we like being open and transparent.
Let’s keep it simple. Think about tires. When you buy tires, over time, they wear out. You can’t keep adding tread to them. At some point you have to get new tires or you are in an unsafe vehicle risking your own safety as well as that of everyone that rides with you or is near you on the roads. It’s irresponsible to drive an unsafe vehicle.
Or as Billy Joel explains it:
WHY CAN’T WE JUST KEEP GOING AS IS? YOU KNOW, JUST IGNORE IT?
(Yes, I really got this question recently.) Because software that is outdated can have security holes. Security updates are the most important. Tendenci runs on top of lots of other amazing open source products, which are called “dependencies.” Tendenci’s dependencies are listed here in the code.
Yes you have your own site. But you are sharing email servers, backup servers, email relays, security scanners, proxy servers, firewalls, access control lists, IDS/IPS systems and they are all are part of an environment that is watched very closely.
Going back to the car analogy. Porsche doesn’t make every component or the tires that are installed on their cars. When you wear out the tires, you have to upgrade. Similarly if a component that Tendenci uses is not maintained by the project behind it, then you are in danger of hurting others. A simple example would be if someone found a way to hack your site and sent spam emails, then the shared email server for the server-farm your site is in could get black-listed. That hurts ALL of the clients using that shared resource. Just like when your tire blows and you wreck into another car. It is then fundamentally your fault for not maintaining your vehicle.
Why do I want to upgrade if I just don’t care about security?
This is a bad idea. There is performance, functionality and a ton of new features you are missing out on. For more click the image below to go to the newsletter that highlights a lot of it.
And this is what we now consider baseline – responsive across all devices.
If you are thinking “THIS IS THE FIRST I HAVE HEARD OF THIS!?” .. um…
No. No unfortunately it is not. It’s just the first time it got your attention. We get it given we also miss communication sometimes given the amount of noise in our inboxes. Here are some links below so you can catch up a bit. And Tendenci 7.x is WAY ahead of Tendenci 5 because of industry changes – you really want to upgrade.
But yes, we have communicated this over and over and over. Links:
Your users and the search engines expect you to have an SSL encrypted and mobile responsive website that is ADA compliant. NEW technology that consumers use and new behaviors have emerged and people expect more. Blame Al Gore and Apple and Microsoft. Tech changes fast.
WE LACK THE POWER TO MAKE EXCEPTIONS AS WE DO NOT CONTROL THE FRAMEWORK.
To our open source and our hosted clients, it is imperative that you do NOT ignore the pending “end of life” for the 5.x version of Tendenci. You must upgrade. From December 2015:
If you are not a programmer or developer then you will need to work with one to complete the upgrade. It can be our team or a Django developer of your choice.
Please remember that Tendenci is fully open source and available at https://github.com/tendenci/tendenci/ in addition to the documentation linked above. No gotchas or hold-backs. Just very direct and honest communication of the facts and accountability through code reviews.
Did clients get charged upgrading from Tendenci 6 to Tendenci 7?
No, they did not. The upgrade from Tendenci 6 to Tendenci 7, then 7.1 and now 7.2 was all done automatically. These sites were already responsive and it is the front graphics changes that require human intervention as opposed to scripted updates.
Why are you charging to upgrade from Tendenci 5 then?
Because the layouts used back then were not standardized because there was NO CLEAR STANDARD. Thus every site was a bit different. On Tendenci 6 and 7 they are strictly standardized on the front end on Bootstrap 3+, a front end responsive framework made by Twitter. The appearance of Tendenci 7 sites is very diverse, it’s just the behind the scenes name-spaces that require updates.
Do we have to use your company to upgrade?
Of course not. Tendenci is open source. The whole freedom thing. We are the only membership management software company ranked in the top 20 by Capterra that is open source. You are part of a community with Tendenci, not some locked down solution that holds you hostage.
If we don’t use Tendenci to upgrade, who can we use?
Python and Django are very popular. You are free to use any developer you want, self host or host with us.
The whole point of Tendenci is to enable freedom so you aren’t trapped with a proprietary vendor that locks you in by retaining control over your data, including redirecting links from your events to their domain so when you leave, you lose all of your inbound links and search engine rank. We do not support that practice. Unfortunately many non-profit boards don’t catch it until it’s too late and make the mistake of locking in future boards with no way out.
How easy is it to leave Tendenci? How do we know you won’t make it difficult?
Well first because that would be against our values. We make it easy to leave because folks have a tendency to come back when they experience the alternatives. We have found that the easier you make it to leave, to be free, the less likely people are to leave because the alternatives don’t share our values, particularly when it comes to data ownership. It’s your data. You own it and should have access to it at any point. Period.
I don’t plan to leave WordPress specifically because I know that I can leave if I wanted to take the hassle on myself. I don’t – I have my hands full taking care of our team and clients. I just like knowing that freedom is an option because WordPress is like Tendenci – OPEN SOURCE.
You sound kind of over-the-top about open source and data exports? Prove it!
We can also run backups directly to your own AWS cloud instance for S3. Actions speak loudly.
Type “Tendenci exports” into Google to see the number of options to export your data.
T5 clients – for you it’s not all automated but you have the same rights as everyone else. By that I mean, if you are on T5 not all of these exports were available 5 years agothrough the interface but we will gladly provide a full database export that you can then import into postgres yourself. (Note: The technology simply wasn’t available back then, but the moment it became possible (which happened when we were on T6) we enabled clients to do full database downloads themselves. It’s YOUR DATA.)
Is this “charge to upgrade” going to happen every two years?
This one is a trick question. We have more work than we can do so charging you for updates is not our goal. But you already know that if you use the nav editor and the theme editor so you can make your own updates. Tendenci is about empowerment.
Tendenci is open source so you can work with a different developer and host with them if they are more cost effective for you.
Disruption causes adaptation which comes with a price tag
Disruption happens. That darn iphone. With candor, LTS releases tend to last two years. We didn’t invent the iphone or android so the switch to mobile responsive design was effectively dictated by changes in technology. We do our best to keep your costs down, but when Steve Jobs changes the world, we all get caught up and have to adapt. That isn’t a conspiracy, it’s an opportunity.
Are you sure? Is there ANY way I can upgrade for free?
I so wish I could wave a magic wand and make your entire site bootstrap3 responsive, but I can’t. Our contractors and employees deserve to be compensated just like you do. But you know that. Maybe there is someone your know, or maybe you, can redo your site’s theme in bootstrap3 to control costs. It is an option.
What I do know is YOU will not succeed with a non-encrypted and non-responsive web site. When we chose to make ALL SITES RESPONSIVE for all releases after Tendenci 5, yes, it required us to contract with graphic artists for your upgrade and obviously these talented people deserve to be paid for their work.
What is Tendenci doing to help us control costs?
We already have far greater functionality at a lower price than all of the proprietary vendors. True, we don’t have a sales team to fill out a 5 page excel RFP, but we have a demo site where you can see for yourself at https://demo.tendenci.com admin/admin login (resets every two hours.)
The comparison grids several competitors have on their sites are WILDLY INACCURATE. Our target client wants the additional functionality of Tendenci, to be a part of a community, they understands open-source, they are cause focused more than monetary focused, and knows how to do due diligence.
Tendenci open source means GREATER FUNCTIONALITY. The freedom is a bonus.
But the competition says they have greater functionality?
They don’t. Do a fact check and judge for yourself. Facts are facts. See above. Just for fun, ask to look at their code. #heh Why? Because a community of interested people will add to Tendenci and everyone benefits instead of all of the money going to a proprietary vendor who says they own your data.
Your data is your data.
Do I really need to upgrade my Tendenci site now as it’s been fine the last 11 months since you first told us we had to upgrade? Can’t this wait until next year?
NO! November 30 2016 or you need to self-host or move to a dedicated server. We cannot be responsible if the underlying software is no longer being maintained and therefore may not be secure. That legal burden falls on your board.
Why can’t I get a personal hand written note like in the old days?
Man, I miss those days. Unfortunately, we simply can’t identify every stake-holder inside of every NGO/NPO/Association/Business we work with or who self hosts. By definition there is constant turn over on non-profit boards. And we have no way of tracking open source clients using Tendenci in the wild.
We love our open source clients, but we aren’t “big brother” and don’t currently have a 100% method of tracking or communicating with these awesome developers outside of the blog, facebook, twitter and newsletters.
OK, after we upgrade, what then?
We are working hard to keep upgrades and updates automatic and at little or no cost. The evidence speaks for itself in the no-cost site updates from 6.0 to 7.2x. Judge us by our actions.
Yet, if someone invents another disruptive technology, well, logically there could be a cost for an upgrade once it requires changes that can’t be automated.
If you host with us, contact, budget and schedule your upgrade. If you self host then please read all of the documentation which explains the full process and is posted and available online at https://tendenci.readthedocs.io/en/latest/
So how much does does this cost if we go with Tendenci team to do our upgrade? It scales with the type of upgrade you want to do and they are listed on our site here:
It’s always hard to have a crucial conversation with clients. I strive for candor and fairness as the leader of the company behind the community. We want you happy. Technology changes. We’ve done our best to keep the price as low as possible. Thus in closing, I’ll leave you with another image of a happy puppy because they make us smile, and like Tendenci, they enjoy a community of supporters but also being able to run free every once in a while.
Why? Because all companies that store information, like electric companies, phone companies, email providers, search engines, etc, must respond to requests from the government. That includes us. The solution is transparency reporting because we think you have a right to know.
Why now? The (previous) absence of transparency reporting including a canary clause was brought up at a recent convention. We listened to you. We agree with you. So we fixed it. It’s pretty boring and let’s hope it stays that way.
Thank you to the client who asked about it! Tendenci is a community and we appreciate dialog that helps the community. Y’all rock!
On our little company blog on our tiny corner of the Internet (relatively speaking I guess) this is the current reality. Mind you this is just our blog and not attacks on our site or on client sites.
Tendenci blog stats – blog.tendenci.com
132,055 Blocked malicious login attempts
282,058 Spam comments blocked by Akismet
Note that Tendenci is not a blog platform – it’s on Python and Django and open source https://github.com/tendenci – but our blog is on wordpress as my personal blog is. WordPress is doing an amazing job fighting hard against the constant php attacks.
The numbers above speak for themselves. I still think WordPress is the best blogging platform out there. But just WOW. I just don’t know that people understand what they are up against.
Yes I’ll share some of the data on attacks on our cloud infrastructure which aren’t that far off as a percentage. This is just me pointing out that the Internet isn’t a nice place. If you have a WordPress blog I HIGHLY recommend you install JetPack from WordPress (free) as well as Securi. It’s worth it.
This is just part of our efforts at Tendenci to avoid downtime from the inevitable security updates. More on this to follow as we continue to review automatic security updates causing unintended consequences at times.
An automatic security update installed on one (1) of the Tendenci Docker servers in our AWS US-East data center on Sunday May 8th at approximately 11:10pm CST.
The update included changes to the file system to increase security. The automatic conversion took significantly longer than prior updates resulting in some sites being offline during this time period.
Dear clients – we will be doing some unscheduled maintenance to build out a more redundant infrastructure. Specifically this means the network team is making copies of entire servers to so they can be brought back up in the case of a security issue quickly and easily.
The decision to create the extra server images in addition to the normal site backups was made based on security information we received from official and unofficial sources. We recognize any outage is an inconvenience and will work to keep security as our top priority.
The ETA for outages is approximately 30 minutes per server. Most likely less as our cloud is fairly distributed.
I am typing this at 5:40 PM on Saturday April 16 CST 2016. I will keep updating this same blog post as we get better data on timelines.