SSL Encrypting all Tendenci Hosted Sites

NOTE: This is a cross post. The original post is at: https://www.tendenci.com/news/ssl-encrypting-all-tendenci-hosted-sites/

Encrypt All The Things

To our clients. The above graph is a filtered subset of what is a *typical* day of network alerts. As the media has stated, the issue is quite real.

We greatly appreciate you and it is important to us that you remain safe. To further advance that objective in the current geopolitical environment, all hosted Tendenci sites will be encrypted going forward per our CEO.

Why? Because security. The Internet has changed and we must adapt.

Adapt? Remember when that Steve Jobs guy invented the iPhone and suddenly sites that were awesome the week before… well… they weren’t as awesome the next day? The. Next. Day. Technology is like that.

FAQs

Continue Reading: https://www.tendenci.com/news/ssl-encrypting-all-tendenci-hosted-sites/

 

Tendenci 5.x EOL is Approaching !IMPORTANT!

URGENT REMINDER – TENDENCI 5.X IS APPROACHING “END OF LIFE” AND STOPS BEING SUPPORTED IN NOVEMBER 2016. 

Mobile and responsive is the new baseline, and we need to get everyone updated so their sites are secure and mobile responsive. The timelines are listed on our site at https://www.tendenci.com/tendenci-life-cycle/ .

Upgrade pricing from 5.x to 7.x is a one time cost and we’ve done our best to standardize it and make the process affordable.

https://www.tendenci.com/tendenci-upgrade-options/

A Longer Explanation for those who like knowing all of the details. Because we like being open and transparent.

Let’s keep it simple. Think about tires. When you buy tires, over time, they wear out. You can’t keep adding tread to them. At some point you have to get new tires or you are in an unsafe vehicle risking your own safety as well as that of everyone that rides with you or is near you on the roads. It’s irresponsible to drive an unsafe vehicle.

Or as Billy Joel explains it:

WHY CAN’T WE JUST KEEP GOING AS IS? YOU KNOW, JUST IGNORE IT?

(Yes, I really got this question recently.) Because software that is outdated can have security holes. Security updates are the most important. Tendenci runs on top of lots of other amazing open source products, which are called “dependencies.” Tendenci’s dependencies are listed here in the code.

Yes, you have your own site. But you are sharing email servers, backup servers, email relays, security scanners, proxy servers, firewalls, access control lists, and IDS/IPS systems, and they are all part of an environment that is watched very closely.

Going back to the car analogy. Porsche doesn’t make every component or the tires that are installed on their cars. When you wear out the tires, you have to upgrade. Similarly if a component that Tendenci uses is not maintained by the project behind it, then you are in danger of hurting others. A simple example would be if someone found a way to hack your site and sent spam emails, then the shared email server for the server-farm your site is in could get black-listed. That hurts ALL of the clients using that shared resource. Just like when your tire blows and you wreck into another car. It is then fundamentally your fault for not maintaining your vehicle.

Why do I want to upgrade if I just don’t care about security?

This is a bad idea. There is performance, functionality and a ton of new features you are missing out on. For more click the image below to go to the newsletter that highlights a lot of it.

some-new-stuff

And this is what we now consider baseline – responsive across all devices.

If you are thinking “THIS IS THE FIRST I HAVE HEARD OF THIS!?” .. um…

No. No unfortunately it is not. It’s just the first time it got your attention. We get it, as we also miss communication sometimes given the amount of noise in our inboxes. Here are some links below so you can catch up a bit. And Tendenci 7.x is WAY ahead of Tendenci 5 because of industry changes – you really want to upgrade.

But yes, we have communicated this over and over and over. Links:

  1. Tendenci’s Version Lifecycle is here: https://www.tendenci.com/tendenci-life-cycle/
  2. Dates are driven by Django Supported Versions timelines: https://www.djangoproject.com/download/#supported-versions
  3. Tendenci Notification in News on Tendenci bumping from django 1.4 to 1.8 https://www.tendenci.com/articles/tendenci-open-source-lifecycle/
  4. Tendenci email newsletter sent to all clients on Tendenci bumping from django 1.4 to 1.8 and some of the great new functionality https://www.tendenci.com/tendenci-upgrade/

Your users and the search engines expect you to have an SSL encrypted and mobile responsive website that is ADA compliant. NEW technology that consumers use and new behaviors have emerged and people expect more. Blame Al Gore and Apple and Microsoft. Tech changes fast.

WE LACK THE POWER TO MAKE EXCEPTIONS AS WE DO NOT CONTROL THE FRAMEWORK.

To our open source and our hosted clients, it is imperative that you do NOT ignore the pending “end of life” for the 5.x version of Tendenci. You must upgrade. From December 2015:

https://blog.tendenci.com/django-1-49-eol-drives-tendenci-5-eol-date-time-to-upgrade/

From the DjangoProject website:

django-supported-versions

And the future is outlined as well:

django-future-roadmap

PLEASE DO NOT IGNORE THIS NOTICE. TENDENCI IS A COMMUNITY. AND OUR COMMUNITY IS PART OF THE DJANGO ECOSYSTEM. WE MUST STAY SAFE.

Is there a charge to upgrade your site from Tendenci 5 to Tendenci 7?

Yes. Why? Because from Tendenci 6 forward we require all sites to be responsive (meaning they work on mobile devices). To achieve this we chose bootstrap as the front end css framework for standardization. Bootstrap 3 is very flexible with many options for low cost templates such as found on wrapbootstrap.com

What is the cost of upgrading from T5 to T7?

If you are a developer, there is no cost besides your time. Just follow the instructions at https://tendenci.readthedocs.io/en/latest/ . If you run into a problem post an issue on github at https://github.com/tendenci/tendenci/issues

If you are not a programmer or developer then you will need to work with one to complete the upgrade. It can be our team or a Django developer of your choice.

Please remember that Tendenci is fully open source and available at https://github.com/tendenci/tendenci/ in addition to the documentation linked above. No gotchas or hold-backs. Just very direct and honest communication of the facts and accountability through code reviews.

Did clients get charged upgrading from Tendenci 6 to Tendenci 7?

No, they did not. The upgrade from Tendenci 6 to Tendenci 7, then 7.1 and now 7.2 was all done automatically. These sites were already responsive and it is the front graphics changes that require human intervention as opposed to scripted updates.

Why are you charging to upgrade from Tendenci 5 then?

Because the layouts used back then were not standardized because there was NO CLEAR STANDARD. Thus every site was a bit different. On Tendenci 6 and 7 they are strictly standardized on the front end on Bootstrap 3+, a front end responsive framework made by Twitter. The appearance of Tendenci 7 sites is very diverse, it’s just the behind the scenes name-spaces that require updates.

Do we have to use your company to upgrade?

Of course not. Tendenci is open source. The whole freedom thing. We are the only membership management software company ranked in the top 20 by Capterra that is open source. You are part of a community with Tendenci, not some locked down solution that holds you hostage. 

If we don’t use Tendenci to upgrade, who can we use?

Python and Django are very popular. You are free to use any developer you want, self host or host with us.

The whole point of Tendenci is to enable freedom so you aren’t trapped with a proprietary vendor that locks you in by retaining control over your data, including redirecting links from your events to their domain so when you leave, you lose all of your inbound links and search engine rank. We do not support that practice. Unfortunately many non-profit boards don’t catch it until it’s too late and make the mistake of locking in future boards with no way out.

How easy is it to leave Tendenci? How do we know you won’t make it difficult?

Well first because that would be against our values. We make it easy to leave because folks have a tendency to come back when they experience the alternatives. We have found that the easier you make it to leave, to be free, the less likely people are to leave because the alternatives don’t share our values, particularly when it comes to data ownership. It’s your data. You own it and should have access to it at any point. Period.

An example: I believe (this is Ed typing) that WordPress is the best blogging platform in the world and I also love that it is open source. This blog is on WordPress. Yes we pay for hosting. And no, I don’t plan to leave WordPress. Even my personal blog is on WordPress hosted at another provider.

I don’t plan to leave WordPress specifically because I know that I can leave if I wanted to take the hassle on myself. I don’t – I have my hands full taking care of our team and clients. I just like knowing that freedom is an option because WordPress is like Tendenci – OPEN SOURCE.

You sound kind of over-the-top about open source and data exports? Prove it!

We’ve proven it. Look at our history. Look at our open source project.

Tendenci Commits

Data doesn’t lie. And your site most likely has a repo on https://github.com/tendenci/tendenci/ to which we can provide you access. (they are obviously secured for your protection.)

We can also run backups directly to your own AWS cloud instance for S3. Actions speak loudly.

Type “Tendenci exports” into Google to see the number of options to export your data.

T5 clients – for you it’s not all automated but you have the same rights as everyone else. By that I mean, if you are on T5 not all of these exports were available 5 years ago through the interface but we will gladly provide a full database export that you can then import into postgres yourself. (Note: The technology simply wasn’t available back then, but the moment it became possible (which happened when we were on T6) we enabled clients to do full database downloads themselves. It’s YOUR DATA.)

Is this “charge to upgrade” going to happen every two years?

This one is a trick question. We have more work than we can do so charging you for updates is not our goal. But you already know that if you use the nav editor and the theme editor so you can make your own updates. Tendenci is about empowerment.

Tendenci is open source so you can work with a different developer and host with them if they are more cost effective for you.

Disruption causes adaptation which comes with a price tag

Disruption happens. That darn iphone. With candor, LTS releases tend to last two years. We didn’t invent the iphone or android so the switch to mobile responsive design was effectively dictated by changes in technology. We do our best to keep your costs down, but when Steve Jobs changes the world, we all get caught up and have to adapt. That isn’t a conspiracy, it’s an opportunity.

Are you sure? Is there ANY way I can upgrade for free?

I so wish I could wave a magic wand and make your entire site bootstrap3 responsive, but I can’t. Our contractors and employees deserve to be compensated just like you do. But you know that. Maybe there is someone you know, or maybe you, who can redo your site’s theme in bootstrap3 to control costs. It is an option.

What I do know is YOU will not succeed with a non-encrypted and non-responsive web site. When we chose to make ALL SITES RESPONSIVE for all releases after Tendenci 5, yes, it required us to contract with graphic artists for your upgrade and obviously these talented people deserve to be paid for their work.

What is Tendenci doing to help us control costs?

We already have far greater functionality at a lower price than all of the proprietary vendors. True, we don’t have a sales team to fill out a 5 page excel RFP, but we have a demo site where you can see for yourself at https://demo.tendenci.com admin/admin login (resets every two hours.)

The comparison grids several competitors have on their sites are WILDLY INACCURATE. Our target client wants the additional functionality of Tendenci, wants to be a part of a community, understands open source, is cause focused more than monetary focused, and knows how to do due diligence.

Tendenci open source means GREATER FUNCTIONALITY. The freedom is a bonus.

But the competition says they have greater functionality?

They don’t. Do a fact check and judge for yourself. Facts are facts. See above. Just for fun, ask to look at their code. #heh Why? Because a community of interested people will add to Tendenci and everyone benefits instead of all of the money going to a proprietary vendor who says they own your data.

Your data is your data.

Do I really need to upgrade my Tendenci site now as it’s been fine the last 11 months since you first told us we had to upgrade? Can’t this wait until next year?

NO! November 30 2016 or you need to self-host or move to a dedicated server. We cannot be responsible if the underlying software is no longer being maintained and therefore may not be secure. That legal burden falls on your board.

This is NOT Tendenci making the decision or driving the timeline. We blogged about this last December in particular as soon as we learned of the announcement from Django. See above.

Why can’t I get a personal hand written note like in the old days?

Man, I miss those days. Unfortunately, we simply can’t identify every stake-holder inside of every NGO/NPO/Association/Business we work with or who self hosts. By definition there is constant turn over on non-profit boards. And we have no way of tracking open source clients using Tendenci in the wild.

We love our open source clients, but we aren’t “big brother” and don’t currently have a 100% method of tracking or communicating with these awesome developers outside of the blog, facebook, twitter and newsletters.

OK, after we upgrade, what then?

We are working hard to keep upgrades and updates automatic and at little or no cost. The evidence speaks for itself in the no-cost site updates from 6.0 to 7.2x. Judge us by our actions.

Yet, if someone invents another disruptive technology, well, logically there could be a cost for an upgrade once it requires changes that can’t be automated.

If you host with us, contact, budget and schedule your upgrade. If you self host then please read all of the documentation which explains the full process and is posted and available online at https://tendenci.readthedocs.io/en/latest/

So how much does this cost if we go with the Tendenci team to do our upgrade? It scales with the type of upgrade you want to do, and the options are listed on our site here:

https://www.tendenci.com/tendenci-upgrade-options/

It’s always hard to have a crucial conversation with clients. I strive for candor and fairness as the leader of the company behind the community. We want you happy. Technology changes. We’ve done our best to keep the price as low as possible. Thus in closing, I’ll leave you with another image of a happy puppy because they make us smile, and like Tendenci, they enjoy a community of supporters but also being able to run free every once in a while.

happy-puppy

Our first transparency report

probably not a canary

We just posted the Tendenci government transparency report for January 1 to June 30, 2016 to our site. Nothing to report, but a new process put in place keeping with the values of the Tendenci community.

Why? Because all companies that store information, like electric companies, phone companies, email providers, search engines, etc, must respond to requests from the government. That includes us. The solution is transparency reporting because we think you have a right to know.

Why now? The (previous) absence of transparency reporting including a canary clause was brought up at a recent convention. We listened to you. We agree with you. So we fixed it. It’s pretty boring and let’s hope it stays that way.

Thank you to the client who asked about it! Tendenci is a community and we appreciate dialog that helps the community. Y’all rock!

You can find Tendenci’s transparency reports at https://www.tendenci.com/transparencyreporting/

What’s next? We would love to hear from you about your best practices for data retention. If you are willing to share, please post those in the Tendenci forums.

rolling outages today and tomorrow April 16 for additional security precautions

Dear clients – we will be doing some unscheduled maintenance to build out a more redundant infrastructure. Specifically this means the network team is making copies of entire servers so they can be brought back up quickly and easily in the case of a security issue.

The decision to create the extra server images in addition to the normal site backups was made based on security information we received from official and unofficial sources. We recognize any outage is an inconvenience and will work to keep security as our top priority.

The ETA for outages is approximately 30 minutes per server. Most likely less as our cloud is fairly distributed.

I am typing this at 5:40 PM on Saturday April 16 CST 2016. I will keep updating this same blog post as we get better data on timelines.

Refactoring Tendenci 7.1

The time has come for us to refactor Tendenci, the fully Open Source Solution for Nonprofits and Associations.

Why?

The current version of Tendenci (7.x) has significant changes which are not compatible with Tendenci 5. This has prevented us from publishing the new code to make it easier for new users to install.

When?

We will begin publishing Tendenci 7 as a package possibly as soon as October 1, less than two weeks from now. It may not get pushed out on October 1, but people who are using the open source version and are on the 5.x release need to be prepared. The actual date Tendenci 7 will be pushed out as a package is when it is ready. But please plan on October 1.

Who?

Well, if you are hosted on tendenci.com’s servers and we manage your web site then you don’t have to change a thing and it will all just happen in the background. Clients on version 5 will remain on version 5 because of the theme changes made between version 5 and 6. Clients on version 6 will be upgraded to Tendenci 7.1

If you have your own developer or you are a developer, maybe jump over to github and the docs and keep an eye on things for the next couple of weeks. Maybe even submit issue requests for features.

Why are you telling us if there is nothing for us to worry about?

Because not everyone hosts with us and we need to try to make sure their IT team knows the upgrades are possible, but will require your technical team to do them. This is important to us even if they aren’t hosting because they are part of the community.

In fact growing the open source community of people using Tendenci is the biggest driver pushing us to refactor Tendenci. We’re geeks and collaborate on github.

Wait, what does “Refactor” mean again?

It means making it easier for programmers to work on the code. Technically from wikipedia they define it as “Code refactoring is the process of restructuring existing computer code – changing the factoring – without changing its external behavior.”

It’s time to refactor so we have more happy programmers. Tendenci is just too hard to install in the wild right now. That isn’t right. Plus, happy programmers means more contributors and it builds on the virtuous cycle that is what makes FOSS (Free Open Source Software) so cool. It truly takes a village.

Can’t you just contact everyone who self hosts?

Unfortunately we don’t have a list and Tendenci doesn’t “phone home” so we really don’t know how many people are using it by self installing. But we care about them and we’re doing everything we can to get the word out. Everyone should be backing up their sites of course, but still, if you click “upgrade” and your layout goes wonky that isn’t fun. No data will be lost, but what a hassle.

If you self host we are working hard on these documents so you can smoothly upgrade your site (after running backups of course)
https://tendenci.readthedocs.org/en/latest/

Where is everything documented?

Over at readthedocs. Click the image below and you’ll be on your way.

tendenci-readthedocs

What if I self host and I don’t want to upgrade?

You should be fine as long as you don’t try to do an automatic upgrade. And of course you will need to keep an eye on the django project LTS timelines. https://www.djangoproject.com/download/

If you are on Tendenci 5, because of the changes with the django project itself you will need to upgrade from T5 to T6 and then to T7.1. This is all documented at https://tendenci.readthedocs.org

If you need legacy files they are linked at the bottom of this post.

OK, tell me the biggest benefit of refactoring again?

A programmer will be able to type “sudo pip install tendenci” and make a few server configuration changes and they’ll have a site up and running quickly. This matters because ease-of-use changes behavior. If you want to move forward, we have to take care of our programmers first! They care about you, so it is a virtuous cycle.

Wait, I want more technical info!

We’re gonna be pushing the technical details to https://tendenci.readthedocs.org/en/latest/ as soon as we get it all tested. We’ll be able to push the master branch to pypi again and life will be grand!

Wait, this stuff is too technical! (the opposite of above question)

I apologize for the technical stuff, but sometimes when working with software it can be technical. Just know that if you self host, talk to your local programmer and they will take care of you with the documentation we are posting at https://tendenci.readthedocs.org/en/latest/

So if I self host, and my webmaster clicks “update tendenci” and I’m on version 5 my site will break?

Yes. You’ll be able to fix it and you won’t lose any data, but you’d probably want to just restore a backup. And then go to https://tendenci.readthedocs.org/en/latest/ for the technical info.

What if I don’t wanna upgrade ever and my server is completely isolated on a ship in the middle of the ocean? 

OK, well, we like an occasional steak so you have our sympathy for a diet of 100% fish. But secondarily we have all of the historic zip files, that are still on github but will be removed, available for download for some time at https://www.tendenci.com/download/release-archive/ 

Intermittent Rolling Outages Tonight as Patches are Applied

To our Tendenci 5 and 6 clients. We will be applying updates to the sites tonight and tomorrow night. Please expect intermittent outages of up to 30 minutes during the course of the upgrades as we migrate sites and continue our focus on increased security.

Note these will be rolling updates and will not hit every site. While they are preventative in nature, they are critically important to prevent future issues.

Congratulations to the New York Emmys!

Congratulations to our long time clients the NY Emmys!

We wish them a wonderful gala tomorrow to go along with their new mobile responsive Tendenci 6 site.

 

NYEmmys Mobile view

Amazon’s Announcement of End of Life for Windows 2003

Note: This bulletin is a repeat of the January 22, 2015 EOL announcement, the helpdesk notifications and numerous direct calls to the clients impacted.

REMINDER: EOL for Tendenci 4

Scope of impact:

Clients still running Tendenci 4 classic.

Deadline:

April 21, 2015 is End of Life for T4. The Windows servers on our network will be shut down and be offline permanently. Original EOL Announcement here.

Why do you keep repeating this?

Just to be sure. Because we care. We want you to land safely. Sometimes our contact doesn’t relay to the board with the urgency needed. This is a hard deadline and once the servers are shut down on April 21, 2015 and archived there is no easy way to restore them.

We are concerned and want to be sure the right people within your organization know. We have been banging on this drum for some time.

April 21, 2015 is End of Life for T4. You have options. Click that link for your options, although they are much more limited since we announced it in January.

Here is Amazon’s announcement stating the same thing in line with Microsoft’s timelines.

Amazon Web Services

Dear Amazon EC2 Customer,

Microsoft is ending support for Windows Server 2003 on July 14, 2015. If you are running Windows Server 2003, this may put your applications and business at risk, since there may be no security or software updates.

AWS provides you with options, whether you are moving to a modern Microsoft Windows Server operating system, maintaining 32-bit applications in the AWS Cloud, or rewriting legacy applications.

You can migrate your applications to Amazon Elastic Compute Cloud (EC2) instances running a newer version of Microsoft Windows Server (2008, 2008 R2, 2012 and 2012 R2). Preconfigured Amazon Machine Images (AMIs) with different combinations of Windows and SQL Server are available. Amazon EC2 running Windows Server enables you to run any compatible solution on our cost-effective, high-performance, reliable cloud-computing platform.

Sign up to attend the Windows Server 2003 Migration webinar, or visit our Windows Server 2003 page to learn more.

Sincerely,

The Amazon EC2 for Windows Team

 

The World is a Big Place: We’ve Gone Virtual!

Two years in the making, November 2014 marked the launch of our initiative to be a virtually enabled team!

We have moved out of our corporate office space in Houston’s Energy Corridor and are now stretching our wings in the boundless space of working in the virtual world – any time, any place.

With employees and partners situated all over our lovely planet Earth, it only made sense to reduce our carbon footprint and embrace the flexibility that comes with working without walls. A lot of planning went into setting the company up for this change, altering our processes and finding new systems that increased communication and tracking. Here are some of the things we have changed.

1. Using HipChat for internal communication.

Our employees are online during corporate business hours and we have a running chat going for constant communication. By linking to client sites or helpdesk tickets, we can share information, collaborate on projects and retain our water cooler discussions. We also hold daily standup meetings via HipChat to make sure everyone has the information they need for the day ahead.

2. Implementing HelpDesk for client communication.

Our new ticketing system at helpdesk.tendenci.com allows our clients to submit a request directly into the queue where any member of the team can grab the ticket and begin the dialogue. By having all requests in one place, tickets don’t get lost in one employee’s email, assistance can be shared among the team and we can spot trends that indicate where a systemic solution may be needed. Screenshots and other files can be uploaded to the tickets, too, for better communication.

3. Switching to a VoIP-based phone system.

If you are still reading, this is where we could really use your help! We are using a national VoIP vendor but have had calls dropped or not ring through. Very embarrassing. Can anyone recommend a good option for a virtual phone system? We love to talk to our clients! In the meantime, if you are having trouble reaching us over the phone, please use helpdesk.tendenci.com to ask your question so that we can reach you!

And while working in your slippers does have its advantages, sometimes you just need to meet up in person to review a project. Those of us in the Houston area still meet to collaborate as teams a couple of days a week at one of the many co-working facilities in town, such as the space at Houston Technology Center in Midtown and ShareSpace out on the East Side.

So if you drive by the old office, you won’t see our name out front as we are no longer rooted in one place. We have set up a mailbox for written correspondence at this address:

Tendenci, Inc.
14027 Memorial Drive #177
Houston, Texas 77079-6826

And our dropbox for payments remains:

Tendenci, Inc.
P.O. BOX 301750
Dallas, Texas 75303-1750

But as to where we are physically located, well… spread out a world map, close your eyes and point. There we are!

(This is the first of three blog posts that discuss the tools we are using, as the brain can only process so much in one day. Talking about mine, not yours! We welcome any feedback on tools you have used in your virtual work environment to increase communication – the biggest hurdle we are facing as a dispersed team.)

Server Reboots Today Jan 14, 2014 for Security Patches

First – it is Wednesday and Microsoft pushes out patches on Tuesday evenings. So in an overabundance of caution we will be rebooting the Tendenci 4 Microsoft Servers between 4 and 4:30 PM today (10 minutes from now or sooner as I type this.)