Hello Torben,
Thank you for sharing your thoughts. I would like to respond; not so much in the spirit of debate as just sharing my point of view for you and others in the community to consider.
Of course the RTFM approach *does* work. However, I think there are several drawbacks for BOTH the newbie AND the community.
First, as I understand it, one of Mr. Greenspun's objectives with the "home study course" and problem sets was to expose the newbie to JUST the amount of *nix, database, scripting language, SQL and whatever else they needed *at that level of their expertise*, while stretching them and letting them learn how to find out more.
IIRC, I read something to the effect that Mr. Greenspun felt this was superior to the usual approach of spending a semester learning X, then Y, then Z then finally getting around to developing a web service.
With newbies, they don't know how much of what they need to learn at the early stages. This is the main problem.
They risk getting side tracked for too long -- and in the wrong areas. They also risk getting "lost" to the community since life is so busy and so many things in the open source world are competing for their attentions besides the need to RTFM X dozen times before they get to the point of having positive reinforcement for their efforts.
Lets say that by taking the RTFM approach, a newbie -- who keeps at it -- takes an extra 1-3 months to get productive. Lets say in that time they could have gotten another site up for someone if they had better, up to date and security minded step by step guides for newbies when they started.
By the time 1000 newbies take this path, there would be another 1000 openACS sites out there providing POSITIVE PR for the community. This is one of the things I had in mind when I talked about such up to date documents helping the community thrive.
Furthermore, lets say the newbie, being new to *nix -- let alone *nix security -- just takes the RTFM approach and "just does it". They install RH 6.2 for instance. Heck, that's what the docs say to use. They even apply some patches. At least the ones they THINK they need.
Not having been burnt yet, they don't really appreciate the need for great security yet. Even if they did, they wouldn't know how to go about installing and configuring things securely. THAT'S the point. Sure, they can get there if they just RTFM -- eventually. Eventually sure can be a long time for a newbie when it comes to *nix security.
1000 newbies do this, put up 1000 OpenACS sites that give the community a black eye in the minds of others as being software that's "not secure". That's how suits and non geeks think. Saying the newbie is at fault and didn't kow what they were doing would be moot at that point since 1000 potential paying customers who might have needed to hire OpenACS skilled people would have already decided not to use OpenACS anymore. 1000 organizations the newbie "helped" now swear off OpenACS. They choose some other software for their web/net needs. 1000 potential jobs for someone with OpenACS expertise just went bye bye.
How different it might be if the newbie has an OpenACS "distro" / ISO that allows them to set up and offer OpenACS on top of up to date securly configured software foundation consisting of securely configured and installed Linux, or *BSD. Because the newbie didn't start out with up to date securely set up software, the above IS a risk -- not just to the newbie but to the impression the public will develop of OpenACS.
Sure, there are very experienced OpenACS community members who would have no trouble setting up secure web service installations for folks. But for any community to thrive, new blood and new members are needed. This is what newbies are of course. Why not help them not to bleed so much when they get started? Why not do so by helping the newbie out with either step by step guides and/or some *nix and *BSD "distros"?
Sure it's not the fault of OpenACS software if the next 1000 newbies botch the web services they do for the next 1000 organizations. It's the fault of poor system administration. My point is, why not take the risk of the community getting BAD PR away by having up to date documentation that incorporates GOOD security practice/installation/configurations using up to date *nix like recent Linux, FreeBSD and OpenBSD versions?
This would help the community in getting GOOD PR in this post 9-11 more security conscious age by helping newbies set up web services using OpenACS based on secure implementations/configurations.
My thinking is it not only benefits the next 1000 newbies -- it benefits the next 1000 opportunities for the community to get GOOD instead of BAD PR in the minds of those making decisions on what software to avail themselves of -- and hire folks to provide and maintain. Since OpenACS is not a monopoly, of course, this seems like an important consideration to me.
Basically, IMO, what's needed is something much like the old "home study course" and problem sets based on up to date software that community members having security expertise have "blessed".
Something a newbie can sit down with, follow and have at least all the software installed on a box they can hang off their internet connection and NOT get rooted or otherwise compromised. Something they can then go on to install on a clients server and then "customize" for the clients needs.
THEN, thanks in part to the efforts of the next 1000 newbies armed with their OpenACS distros, we might see more and more demand for OpenACS expertise in addition to good PR that OpenACs not only does the job but gives the suits and non geeks "warm fuzzies" in the area of security -- a big selling point going forward, IMO (that's NOT going away).
I think basing the communities documentation off stuff like up to date Linux, FreeBSD and OpenBSD versions would help. To me, telling some newbie to just RTFM and get a stock RH 6.2 distro and apply the patches (lots of lots if you haven't checked recently) then download bastile and follow that borders on the type of hazing some frat would do. And if the newbie gets rooted and their OpenACS web services they do for some local organization for "gratis" since they are learning gets a black eye due to their newbie ideas of what constitues OK security, the community loses instead of gains.
Better to have an OpenACS distro of Linux, *BSD or whatever for the newbie to have a secure set up after instalation IMO. This would benefit the community as well as the newbie.
The next 1000 newbies ARE going to wonder thru here. Disregarding the benefit to the newbie, the question is how much benefit is the community going to derive from their 1000 journeys? I think having up to date docs with up to date software with step by step instructions leading the newbie to at least have a secure setup after installation would provide a lot of good PR for the OpenACS community -- and eliminate the risk of unjustified blame and bad PR in the minds of others who make decisions on which software to use for their web services -- OpenACS or something else.
Best Wishes and Happy Holidays to everyone,
Louis