Introducing: Project Health Checks

GForge Next has everything that teams need to plan, execute, and document their work. You can start with simple features like kanban and source control, add workflow steps, code reviews and wiki articles, even integrate your build process and Zoom meetings.

But embracing all of these features and flexibilities can eventually make anyone feel a little lost:

On the one hand, we want all of these features. We need them. OTOH, we can’t (or really, really don’t want to) pay for training or plugins, or spend hours in Stack Overflow, to get the best use out of the tools we’re already paying for.

What we really need is a tool that tells us how we’re doing as we use it. Automatically. One that grows with our usage, making recommendations that apply to our process. Most importantly, one that doesn’t get in the way of actual productivity.

That’s why, starting in version 23.0, we’re rolling out a new item in Project Admin Reports called Project Health Checks. This new report will be run automatically against each active project in GForge Next, and provide insight, metrics and advice on features you may want to use, configuration options that need tweaking, or processes that may not be working for you. All of these Checks are designed to help you spend less time on your tools and more time getting things done.

Data + Analytics = Advice

Because GForge Next is a single service (with a single API and database), we can take a comprehensive view of each project – from users and roles, to releases, tasks and sprints, to the code changes, and even the configuration of access controls, workflow and integration settings – and look for patterns across all types of related data.

Report Format

The Project Health Check is run automatically once a month, and all project admins are notified when results are available. Each report is organized into Categories, Checks, and Results:

In the screen shot above, “Commits” is the Category. Other Categories include Tasks, Sprints/Releases, Backlog, and Project Configuration, and more are planned for later this year.

Within each Category are a number of Checks, each of which looks for a single kind of pattern, warning, or possible improvement.

Each Check can yield one or more Results, depending on how many Users, Trackers, or other related data appears in your Project.

You can collapse and expand Categories and Checks. Collapsed sections will show summary counts of the Results that are hidden, like the colored boxes at the top of the report.

Result Types

Results fall into these types:

  • Green boxes are OK/Success results, which show that your project is performing well in this area.
  • Yellow boxes are Warning results. These don’t necessarily indicate a problem, but a trend that’s going the wrong way, or an easy opportunity for improvement.
  • Red boxes are Failed results. These results may point to a problem with your process, or a measurement that is way outside recommended boundaries.

Navigation and Customization

For the Warning and Failure Results, clicking on the result will take you to a blog post, wiki article or video with details about the issue, why it might affect you, and how to fix it.

Our Health Checks make some assumptions about projects and teams in general, and not all of these assumptions will apply to your situation. If there are Checks or Results that don’t make sense, you can turn them off completely, and exclude them from totals and future Health Check reports. Disabled Checks can be re-enabled at the bottom of the report.

What’s Next?

As we start running Health Checks for SaaS customers, GForge staff will be contacting project admins directly to offer personalized walkthroughs of the data, discuss fixes, process improvements, or GForge Next features that might help, and get feedback on wording, content, and future Checks to be implemented. SaaS users can also use the “Get Support” button anytime to request help with this new feature.

GForge How-To: Project Admin SCM Settings

Hello and welcome to another GForge How-To. In this series, we teach you tips and tricks to help you maximize your experience with GForge. This time, we’re talking about the Project Admin SCM page, and the settings available there.

The settings on this page are as follows:

Access Method toggles between accessing your SCM over SSH or HTTPS; SSH is the default.

Git LFS support enables and disables Git LFS support.  

Code search indexes the code in your promotion model branches for searching.

Code tagging indexes the project’s code to tag related tracker items and user commits.

Enable Anonymous Read allows SCM to be read by anyone, including anonymous users.  

Associate Tracker Items has three choices: you can keep commits unattached to tickets, attach them when you want, or require that every commit associates to a ticket.  

Restrict Tracker Item Associations requires commit ticket IDs to reference a ticket in the project.  

Commit Notifications sends an email to everyone monitoring the SCM repo when someone commits.  

Validate Committers ensures that each commit is pushed by an authenticated user.  

Validate Assignment automatically assigns a specified ticket to a committer.  

Access Text shows any text you type in on the main SCM repo page.  

Browse Text shows the text you type on the SCM Browse page.

As you can see, the SCM settings available to project admins can help in customizing and correcting GForge to fit any project’s needs. If you have any questions or feedback about the Project Admin SCM page, you can send us a message here. Make sure to check your inbox for more GForge How-To’s in the future!

GForge How-To: Navigating GForge

Hello and welcome to our first article in a new series called “GForge How-Tos” where we share short, compact tips on getting the most out of GForge. Whether you are using GForge in our Cloud or on-premises we are confident you will find new ideas for getting the most out of GForge.

This week we want to cover how you get around in GForge using either the Mega-menu or by using the Project menu.


The GForge Mega-menu is the primary way of navigating everything GForge has to offer. The mega-menu is context-sensitive, which means users will only see the projects and features they have access to. The mega-menu also gives project and site administrators access to their specialized administrative features.

The mega-menu

For the impatient, here’s a quick video we did on navigating your projects in GForge.

Project Menu

Once inside a project, you will have access to the GForge Project Menu which is a subset of the mega-menu that allows you to quickly access different features within the current project. Don’t worry, the mega-menu is always there in case you need to navigate away from the current project.

Now, whether you are using the mega-menu or the project menu, there are some icons you should become familiar with since doing so means you will be able to quickly switch between the features within your project:

This icon is for your Project Homepage. Choose this option to view your project homepage which, by default, includes the name, description and team of your project along with some additional summary information.
This icon links you to your source code. If you’re not in Git, it will say CVS or SVN, depending on your specific version control system. This page provides information about accessing your repository, integrating into your commits, and general info about your repository.
The Standup allows you to browse team members and see exactly what they’re up to, according to their To-Do list. Each person can drag-and-drop between what they want to do and what they’re doing, and everyone else can view this. Finally, you can see what each person has committed and changed lately. 
Sprints are a very useful tool for your team to create and follow through on their plans. Each team member commits to complete certain tickets within a set time, and GForge keeps track of it all.
Releases is where you can manage and publish all of your project’s releases. There is a list of all releases and you can see basic information about each release and package.
Your project’s Builds page allows you to keep track of your CI/CD pipeline in Jenkins.
The Wiki is great for publishing anything you want your customers or team members to know. All wiki pages are fully versioned and can be locked or monitored by users.
In Docs, you can view a list of documents for each folder in the project. You can also open and download any unlocked document in the project, create new folders within the project, upload new files (as independent files, whole folders or even ZIP files), download whole folders, and monitor the project documents. 
On your Discussions page, you can participate in all the forums and chat rooms attached to your project.
This is a Tracker page. Of course, you may have multiple trackers; they will all have this icon in the Project Menu. You can hover over the icon to see the name of each tracker. The tracker page is the central location of all tickets in a tracker. You can view, add, and delete tickets within the tracker, as well as edit tickets you have access to.
Assuming you have proper access, the Tracker Admin page allows you to quickly administer trackers. This is where you can add, delete or change existing trackers, including defining custom fields and workflows.
My Reports gives you the ability to see all your projects from a distance. Here you can create and share reports about the tickets in the projects you have access to.
This symbol is for the Teams page, which is available for project admins. There, you can view and filter a list of all team members, manage requests to join the project, and invite new team members to your project.
This is the Project Admin page, where you can administer all aspects of your project.

As you can see, we’ve given you a couple of ways to quickly access all the great features GForge has to offer. If you have questions or feedback on how we can improve navigation, drop us a note. Also, stay tuned, because next week our second How-To installment will take a deeper dive into the features available within the mega-menu.

Securing GForge on Apache httpd Server

It’s a series of tubes, you know.

Secure connections are integral to keeping your important information safe, on the Internet or your private company network. For years it’s been fairly simple — turn on SSL, buy a certificate and let the browsers ensure that your data stays private. Unfortunately, it’s no longer that simple.

Over the last 15 years, computing power, virtual servers and good, old-fashioned software bugs have all conspired to make much of the encryption plumbing from that period obsolete. In fact, it’s very likely that if you’re running Apache httpd and mod_ssl, you’re allowing protocols and ciphers that expose your server (and your data) to needless risk of compromise.

Note: If you’re a customer, and GForge Group manages your server, these security updates are already in place. Get in touch if you have any other questions.

Check Yourself

It’s actually pretty easy to test your system, and it can be done in production, without affecting your current users.

For servers that are on the Internet, you can use an online scanner. Here’s SSLLabs, from Qualys:

Enter your site’s URL and click Submit. After a minute or two, you’ll get output like this:

SSLLabs Scan Results (yikes!)

In the report details, you will find explanations of anything marked as a problem from your server, including how to close security holes that were found.

If your server isn’t on the Internet (i.e., on your internal network), then you’ll need to download and run scanning tools yourself. Here are some popular ones:

  • TLS Observatory — An open-source scanner from Mozilla, written in Go. You’ll need the Go runtime to run this on your server or desktop, or you can use the Docker image. Performs scanning for both the SSL/TLS version and cipher suite(s) in use.
  • Cipherscan — Another tool from Mozilla, written in Python.

Get With The Times

After running your scans, you’ll need to decide what changes (if any) to make to your SSL configuration. It’s important to understand that choosing the most up-to-date settings will leave out some older clients. Fortunately, Mozilla also has a great online tool to help you balance security with compatibility.

Give this tool your current version of Apache httpd and OpenSSL, and you’ll get various choices for maximum security versus maximum compatibility.

Our Recommended Configuration

In the end, we went with the Modern configuration, but added the AES256-SHA256 cipher back to the list. This allows only TLS 1.2 (the most secure), but adding that one cipher back keeps compatibility with older non-browser clients like curl, so that existing SVN and git over HTTPS are not broken.

Here’s the configuration snippet we recommend for GForge servers:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile /path/to/private/key
    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite: the Modern cipher list from the Mozilla tool, with AES256-SHA256 added back
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
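
An added example (not GForge's own code): a small Python linter that checks an httpd configuration against the directives in the snippet above, for use alongside the scanners when reviewing a server's config files. The function names, the constructed WEAK sample, and the modelling of "all" as SSLv3 through TLS 1.2 are assumptions of this example.

```python
import re

ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")  # assumption: what "all" expands to
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}           # protocols the page's config disables
CANON = {p.lower(): p for p in ALL}              # protocol names are case-insensitive
REQUIRED = {"SSLHonorCipherOrder": "on", "SSLCompression": "off",
            "SSLSessionTickets": "off", "SSLUseStapling": "on"}

def parse(conf):
    """Yield (directive, args, inside_vhost) for each non-comment line."""
    in_vhost = False
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            in_vhost = True
        elif line.lower().startswith("</virtualhost"):
            in_vhost = False
        else:
            parts = line.split(None, 1)
            yield parts[0].lower(), parts[1] if len(parts) > 1 else "", in_vhost

def resolve_protocols(args):
    """Apply mod_ssl's left-to-right rules: bare name sets, +name adds, -name removes."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = set(ALL) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= group
        else:
            enabled = enabled | group if sign == "+" else group
    return enabled

def audit(conf):
    """Return findings where conf departs from the recommended settings."""
    findings, seen, hsts = [], {}, False
    for name, args, in_vhost in parse(conf):
        seen[name] = args.lower()
        if name == "sslprotocol":
            weak = sorted(resolve_protocols(args) & LEGACY)
            if weak:
                findings.append("SSLProtocol leaves enabled: " + ", ".join(weak))
        elif name == "sslstaplingcache" and in_vhost:
            findings.append("SSLStaplingCache is only valid outside <VirtualHost>")
        elif name == "header" and "strict-transport-security" in args.lower():
            hsts = bool(re.search(r"max-age=\d+", args))
    if "sslprotocol" not in seen:
        findings.append("SSLProtocol is not set")
    for directive, want in REQUIRED.items():
        if seen.get(directive.lower()) != want:
            findings.append(f"{directive} should be {want}")
    if not hsts:
        findings.append("no Strict-Transport-Security header with max-age")
    return findings

# Constructed sample: a permissive, legacy-style configuration.
WEAK = """<VirtualHost *:443>
    SSLProtocol all -SSLv2
    SSLCompression on
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
</VirtualHost>"""
if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

The linter reads only the directives it is given; it does not follow Include files, so run it over the concatenated configuration.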

Real-World Scenarios, Episode 1: Changecause

The folks at Changecause were good enough to publish a blog post about their efforts to make bug reporting easier for people outside their team.  It was a clever solution for gathering issues from end-users, but there are also a few trade-offs at work.  GForge satisfies the same requirements in a much more elegant (and supportable) way.

Third-Party Integration, Squared

The first anti-pattern is integrating two third-party tools to each other.  Yes, it’s neat, and it’s fun, and I’ve done it, too.  Heck, github has dozens of third-party integrations – so cool.  But what happens when one endpoint changes its behavior, its API signature, or just goes away?  Who do you get help from?

Hey kid, where’s the trouble?

It’s trivially easy to get caught by a problem like this.  In fact, I’d say it’s inevitable.  And it’s outside your control.  At my last job, this happened to us three times in about six months, with some A-list players.

You may be paying (probably too much!) for your task-management tool, in which case at least you will have a defined service level – that is, someone you’re paying to help you out when things don’t work.  But most small and medium-size software shops rely primarily on free tools, which usually means you’re on your own.  Even if you have an SLA with both (or all) involved vendors, it is extremely likely that they won’t agree on the source of the problem, or its solution.

The Core Competency Question

One of the reasons that these ad-hoc integrations happen in the first place is that it’s software, which is probably your personal core competency anyway.  You spend an hour building something, and it works.  You get a good amount of value out of a minimal amount of your time, and you exercise some control over your otherwise frantic and unpredictable startup experience.

Except that this integration is not your company’s core competency.  Neither is bug tracking, or version control, or DBMS, or any of the other foundational tools that you use to build, e.g., Changecause.  So that hour you spent may have saved some other hours of distraction, handling complaint emails, but it didn’t add a new feature to your actual product.  And, over the next couple of weeks you’ll spend another eight hours tinkering with the integration to add a field, to handle an API change, or to update the API key again.  At that point, you may still be breaking even but it’s clearly not a big win.

Edit: While waiting for my other GForgers to give me their feedback, I happened across this pretty relevant blog post.  I’ve bookmarked it for yet another blog post in the future.

Okay, Smarty Pants

…how would you do it with GForge, then?  I thought you’d never ask.

I would build that same bug submission form in your website, instead of embedding the Google Doc form.  Gather and validate the data using your existing web app framework, like you’re doing for the rest of your app (instead of a different technology, with a different set of quirks and bugs).  Then I’d pack it all up on your back-end server, and send an email to your GForge project.

GForge has really good integration with email.  You can create a bug/ticket/suggestion or whatever you want via email, by sending to the right email address.  By default, it’s [projectname]-[trackername]@[gforgehost], e.g.,  You can even customize the email address, e.g., which is what we do for customer support.  Customers can just send us an email to start a support request, and the GForge Support Tracker captures the entire conversation, including attachments (like screen shots, logs, etc.).

It’s still a minor diversion from your core competency.  But at least it’s a direct connection between your own technology (which you’re responsible for, anyway) and GForge, which we support every day, for some of the biggest companies in the world.  If you want to tweak the form, ask another question (or allow a screen shot), go for it – GForge will still capture everything you send in the e-mail, just the way you sent it.

If you’d like to try it out for yourself, start a free project at, or visit to download the installer and run it on your own server.  If you’re trying it out and have questions or comments, let us know!



PS – I also enjoyed another blog posting by Changecause, this one about their internal planning/task workflow.  It’s somewhat similar to where we’re going internally, and has inspired me to build a GForge template.  I’ll post an update about it sometime soon.

GForge AS Makes File Uploads Easy…

We’ve been hard at work improving much of GForge Advanced Server, and some changes reach deep into our product.  One great example of this is the new way you can upload files to your GForge instance.  File uploads have always been possible in our Docman, File Release System (FRS), Wiki and Tracker.  When we gave Docman a much-needed user interface overhaul, we included drag-n-drop support, allowing you to upload files to your GForge projects by simply dragging a file from Windows Explorer, Mac OSX Finder, etc. to the browser.  When we implemented this change, we made the file upload control a reusable widget that has been integrated everywhere we allow file uploads.

The video below shows just how easy this is now:

GForge Live Discussion (aka Chat)

One of the big new features in 6.2.1 was the Live view on our Discussions plugin.  It’s basically a chat room, about a project, a document, or just about any other object on your GForge site.  All of the conversations are automatically saved as Discussion Threads for later viewing, and are searchable along with everything else in your project.  They’re also access-controlled, so you can allow the right people in on your sensitive discussions.

The best part?  No installs, no widgets, no special ports to open or configure.  It’s all regular web traffic in a regular browser window.

We use Chat all day long at GForge – it’s a huge productivity tool for folks that can’t (or don’t want to) yell over a cube wall.

If you’re not already using Chat, you should definitely check it out.  Here are three short videos by our own Olivia, detailing three great features that make our Chat one of a kind.


Project Activity Feed

From any Chat tab, each user can choose to see project-related activity as it happens.  This is great for keeping up with what’s going on, without having to ask anyone what they’re doing.


Auto-Link, Auto-Preview

When you post through the Chat window (or via email, or directly in the Discussions web page), GForge automatically picks up on what you’ve entered.  We’ll pre-render graphics, embed the YouTube player, show a nice preview block for other URLs, and even provide links to other GForge objects that you mention by ID.  And when you mention something in GForge, we’ll also add a note to that item, tying back to the Discussion where it was discussed.


Emoticons, Sounds, Images

Aside from the very real productivity and team benefits, it’s also fun to make a little noise once in a while.  GForge has a huge set of emoticons that you can click on or type in to let others know what you think.  There’s also a sounds button, with an expandable set of sound clips you can play for everyone.

GForge in One Minute

So, Intern Olivia Treu recently headed back to school…but she left behind a whole raft of how-to screencasts about GForge features.  So many, in fact, that we had her create a YouTube channel to keep them all organized.

Since we’re rapidly wrapping up the 6.3 release, I’m going to highlight a new screencast or two every week for the next few weeks, starting with the original GForge In One Minute: