
An open-source web platform for the new President of France - esnard
https://symfony.com/blog/an-open-source-web-platform-for-the-new-president-of-france
======
devrandomguy
Wow, the modern PHP community is on fire! I had no idea. I basically rage-
quitted PHP years ago, after repeatedly inheriting a series of Wordpress
wrecks.

Just curious, how does a PHP application handle server side rendering? By
shelling out to a headless browser? What if the content is so personalized
that server side caching isn't helpful, is it still viable to SSR a React
client?

~~~
pstadler
Same here, I left PHP during the early 5.x releases. Unfortunately, I
inherited some Symfony applications recently. Unfortunately, because the whole
stack is terribly slow and held together by an insane amount of YAML and XML
configuration files. Add "annotations" (that are parsed out of doc blocks and
compiled into another bunch of PHP files) to the soup and party like it's
1998. That pile of classes you end up with will serve quite some traffic
behind a good caching layer, typically in the shape of a well configured
Varnish instance. Needless to say that running this on your own machine during
development will not exactly give you the excitement of working on a fast,
modern platform. Rest assured, "print_r() and die()" is still a thing.

Besides that, memory management is mediocre; just DON'T do long running
processes with PHP. You want to enable a module? Good luck finding the right
php.ini. Keeping a persistent connection pool to a database or similar is
generally hard and intransparent, due to the fact that each instance serves
exactly one request, but hey, at least PHP "automatically recovers" from
errors...

I left for good.

~~~
Revisor
> Unfortunately, I inherited some Symfony applications recently.
> Unfortunately, because the whole stack is terribly slow and held together by
> an insane amount of YAML and XML configuration files. Add "annotations"
> (that are parsed out of doc blocks and compiled into another bunch of PHP
> files) to the soup and party like it's 1998.

That sounds like a wrong configuration and/or architecture. Symfony is in my
experience fast if you follow the best practices.

Maybe you should find out the bottlenecks before you blame Symfony.

> just DON'T do long running processes with PHP.

We run long-running workers just fine.

> You want to enable a module? Good luck finding the right php.ini.

That depends on your OS. In Debian/Ubuntu you just run phpenmod module and
restart the service.

I don't know... Your criticism seems to stem from not looking at the issues
closely, or maybe you were stuck in a really old, abandoned system. But that
would have been ugly regardless of language.

------
dhruvkar
It's fun reading backend setups for different types of organizations.

The author mentions having no budget, but then lists several third party
resources in building the site.

Can the author or anyone else guesstimate what costs were involved in building
to scale and if the DDOS attacks spiked their bills?

Also, is a containerized deployment the de facto procedure for apps in 2017?

~~~
nraynaud
I'm sorry, the accounting is meant to be public, but I can't find it. It might
be too early, or Google is failing me.

On a related note, the total budget for the candidates had to be less than
17M€ all included before the first round (then they could spend 5.6M€ more for
the second round). A lot of that goes into organizing rallies.

edit: I guess they are meant to be here
[http://www.cnccfp.fr/index.php?art=584](http://www.cnccfp.fr/index.php?art=584)

~~~
heyts
Accounting breakdown for the 2017 election is not yet available, apparently.
This page lists accounting breakdowns for the 2012 and 2007 presidential
elections:
[http://www.cnccfp.fr/index.php?art=720](http://www.cnccfp.fr/index.php?art=720)

I also would be curious to know the production and operating costs for a
website of this kind.

------
acoard
This was a fantastic read, thanks for sharing.

Was the Kubernetes cluster necessary/useful for this sort of architecture? I'm
asking as someone who has basically no experience with Kubernetes, but I'm
familiar with the rest of the pieces.

> As any other high-profile web site, we were the target of some attacks
> coordinated and carried out by powerful organizations. Most of the attacks
> were of brute-force nature and the aim was to take the web site down rather
> than infiltrate it.

I'm surprised that the attacks were just brute-force attacks. Assuming state
actors wanted to compromise Macron's site you'd think they'd have more to
throw at it.

Also, I wonder if the security implications of open sourcing your code change
if you think you will be targeted by state actors. Generally the advice is
open source leads to more secure code as more eyes on the code == more
exploits found and fixed. Do we make an exception to this advice when dealing
with state actors, or does it hold?

Phrased another way, do any

~~~
tgalopin
Kubernetes was the key part in our development process: it gave us the
flexibility, stability and scalability required to handle millions of users
while still deploying multiple times per day.

At the beginning of the campaign, we had only one node in the cluster, as we
thought it would be enough. However, while it was enough most of the time, it
had issues under DDoS attacks: as the node was the only one, it was the master
node of Kubernetes and when it overloaded, Kubernetes crashed.

To avoid this, we used three smaller nodes instead, to avoid having a node
overloaded leading to the whole system crashing. Kubernetes handled the
following attacks really well with this setup, and it did not cost more for
us.

About the attacks: they threw more at us (XSS, SQL injections, etc.) but most
of these attacks were still automated. Perhaps they have tried something even
more subtle, but I doubt it: they preferred to hack emails :) .

I have to admit making the project open-source was a quite difficult decision:
I really wanted it, but I also knew we would be potential targets of powerful
organizations. We decided to do it because in the end, the argument you stated
was stronger: open source does lead to more secure, stable and quality code,
and this project showed it. Note also that we didn't advertise much on this
project during the campaign, so perhaps it was not clear for potential hackers
that the code was open.

------
Fiahil
Hopefully, our new government won't be hostile to open source projects started
under them. I would be happy if I could send pull requests to one of many
institutional websites, rotten to the bone, we have today.

And it's also refreshing to see them using Google Cloud and GitHub!

------
oskenso
Laravel has brought me back to php land
[https://laravel.com/](https://laravel.com/) it's a great framework for rapid
web app development :D

------
dorianm
He also wrote this project with PHP / Symfony a few years ago:
[https://github.com/ungdev/EtuUTT](https://github.com/ungdev/EtuUTT)

------
SFJulie
Wow, this site supports spamming which is illegal regarding European law.

[https://github.com/EnMarche/en-marche.fr/blob/master/src/App...](https://github.com/EnMarche/en-marche.fr/blob/master/src/AppBundle/TonMacron/InvitationProcessor.php)

Got one of these emails that was obviously sent by a member of "enmarche" in
bulk; the mail address domain was pointing to an obviously cybersquatted domain
in .fr, which is illegal on this TLD (fr law)

So they are proud to have made a tool obviously usable for committing felony.

Our president supports infringing the laws.

That's the reason, I think ethics and liability should become a must in
software industry. You cannot say, I ignored it would happen and it is not my
fault.

