Monday, June 15, 2009

Go Daddy Shared Hosting

I recently noticed that Go Daddy's shared hosting service does not offer the latest versions of various software—such as PHP and MySQL—which I find disconcerting. I called their technical support number, but was not given a satisfactory answer as to why they do not offer the latest releases—neither major nor minor—of fundamental Web software. Go Daddy's customer support is normally very good, but my question is admittedly more esoteric than what they usually field.

Next, I emailed my question to Go Daddy's customer support in order to give them more time to research the issue. I was told simply that they "have no time line to provide in regards to updates applied to shared hosting servers." Fair enough, but it didn't really get to the heart of my question. I emailed them again with a refined question: "[W]hat is the rationale for not using the latest stable releases of PHP and MySQL?" I was referring specifically to bug-fix releases, and pointed out that numerous security holes had been fixed since the versions they offer. The response this time was that "new releases often contain features that may be exploited in a shared hosting environment and must be extensively reviewed by our administrators for security before being implemented with our network." This answer might apply if I had asked about major upgrades, but I did not. As it stands, the versions they are using have more security problems than the minor upgrades to which I referred.

I refined my question one last time: "[W]hat is the rationale for not installing [bug-fix releases] to fix the many security and performance bugs that currently threaten the shared hosts?" I then implied that I would be blogging about this issue, and wanted to represent Go Daddy's policies as accurately as possible. This time a week went by before receiving the following response:

Your email correspondence has been forwarded to the Office of the President for a response.

As we understand, you are inquiring about bug-fix updates for services included within our Shared Hosting environment.

Before we install periodic updates on our servers, each new update must first be fully tested for compatibility in our environment to ensure that widespread issues are not caused when these versions are rolled out on production servers. Please rest assured that after testing has been successfully completed, the respective updates are then installed.

We do thank you for your understanding and hope this information has been helpful to you. Should you have any other questions or concerns with which our office may assist, please feel free to contact us directly.

They state that each new update must be fully tested, which I can appreciate; however, some of the bug-fix releases have been available for several months. How long does this process take? I think it is clear that the advantage of fixing numerous known bugs far outweighs any potential disadvantage of introducing new bugs. PHP and MySQL are open-source software, and all bug-fix releases are carefully vetted, and used immediately by a large community of early adopters. Moreover, all fixed bugs are published, which makes it easier for attackers to exploit a vulnerable system. Granted, this process is not foolproof, but for large projects it has a solid record. I welcome any comments on this issue, as I am by no means a security expert. My intent is not to disparage Go Daddy's upgrade policy, but rather to raise questions which I hope will lead to improved service.

When I discussed this issue with my co-founder, he suggested that this might be a sort of perverse incentive for users to upgrade to (i.e., pay more for) a dedicated server, on which one could install whatever software one desires. Unbeknownst to him, the second email I received actually did suggest that we consider a dedicated host. Less cynically, I suspect that it is probably just a matter of allocation of resources, with the less-expensive shared hosting service naturally receiving less attention. In any event, we will continue to monitor this situation so as to protect Truth Rally's site and users from known vulnerabilities that have yet to be patched. If our service is successful, though, we will be forced to upgrade to accommodate increased traffic, so this issue—at least for us—would then be moot.

Tuesday, June 9, 2009

Yet Another Sprout Update

We received a 30-day warning from Sprout today regarding the widget featured on the landing page of our temporary sign-up site:

Please note: If you don't return to the site in the next 30 days to sign up for either a free account or a subscription, we will terminate your account and you won't be able to log in. Thank you very much for your support.

Based on the last update from Sprout, the drop-dead date was June 28. Now it appears to be July 9, which means we have been granted an extra 11 days to go live with our actual site (currently in development). The clock is ticking!

Wait a minute. When did they add back a free account? I just now reread the prior warning message from late April, and sure enough I missed this:

In response to customer feedback, we are offering a limited free account, in addition to the four paid levels of Sprout Builder... If you currently have more projects than is permitted in the level you desire, you need to delete projects from your account before subscribing.

The project limit for the free account is three, which is very reasonable. Okay, I just looked at the subscription page and there is a catch: The free Sprout is ad-supported. Our current widget features no ads, so we'll just wait until July to sign up.