After a few final attempts to get new volunteers or other forms of help, I decided it is time to put the Drupal Theme Garden to rest; I simply don't have the time and the interest to be its responsible maintainer. And after these attempts (a few mails and requests on the infrastructure and theme developer mailing lists), it seems no one else has that time to spend or is interested in taking over. I posted a longer and in-depth story on my blog about the reasoning behind this action. In short, I have decided to discontinue the Drupal Theme Garden with the release of Drupal 5.0.

Just to be clear: this is not a call for volunteers. However, if you are seriously interested in taking over its maintenance, you must convince the infrastructure people, not me, to make you the new maintainer. In order to do that, you must be really serious and have serious time to spend on it: it makes little sense if someone takes over only to find that he or she loses interest after a month and to find ourselves back where we are right now.

I hope Drupal Theme Garden was of use to you, I hope it convinced some people who were looking for a good CMS that Drupal has decent theming capabilities, and I hope it helped you with your decision to use a contributed theme.

Comments

skor’s picture

It's always difficult to know when to shut down something you've put a lot of effort into.

Thanks for all your hard work.

greggles’s picture

See also the theme garden which is a private effort to maintain a theme garden.

--
Knaddisons Denver Life | mmm Chipotle Log

soupp’s picture

Sad to know that. It is/was a great and helpful project.

But Bèr! Thank you for your time and effort anyway!

Drupal Top Sites | Drupal Sites Directory

BioALIEN’s picture

Bèr, your contributions are noticed by the community. Thank you for all your time and dedication. I'm sure somebody will step up to the challenge.

------------------------------
BioALIEN
Buy/Sell/Trade with other webmasters: WebMasterTrader.com

dalin’s picture

Yes Bèr, thanks for all your hard work in this area. I (and I'm sure many others) discovered, via the Theme Garden, that Drupal can look great. I'm sure that your work has had a greater impact than you realize.

________________________
dave hansen-lange

________________________
Dave Hansen-Lange
Director of Technical Strategy, FourKitchens.com

webavant’s picture

I just wanted to say thanks and that the Drupal Theme Garden was the initial main attraction of Drupal for me. It really shows how versatile Drupal can be, also gives it a competetive edge over other CMS. With my limited programming experience, the initial selling points for me were simplicity and aesthetics... Drupal was the only one that had both, and it was the Drupal Theme Garden that showed me the aesthetics.

andrewfn’s picture

It is very sad news. The theme garden is really important since it is one of the few areas where non-technical people can see the potential of Drupal. I am trying to compile a list of important Drupal sites at http://quadruple.ca in order to convince potential customers to use the product.

sepeck’s picture

http://drupalsites.net/

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide

Sverre’s picture

Bèr
Thank you for all of the time you have spent on The Theme Garden. It is an invaluable resource, and one I have spent a fair amount of time surfing through over the last year or so.
I agree with with Andrew that it is a great area for those new to Drupal to begin to see the endless possibilities that Drupal offers.
If only there were more days in the week! I'll be sorry to see it go. :-(
--
Sverre Sverresonn
Group Scout Leader
21st Medway Scouts, Kent, UK
http://www.21stmedway.org.uk/

starbow’s picture

I wonder if any of the 5.0 themes provide flexible enough xhtml to be the basis of a sub-theme garden - one where all the themer provided was a new style.css file and images (no tpl.php files)? That would solve the security and apples-to-apples problems.

webchick’s picture

It was created for just this purpose. :)

BioALIEN’s picture

If this was the case for Drupal 5 where all themes are contributed as styles and images without modifying any core code (from any of the standard themes shipped with vanilla drupal5) it would make it very easy to maintain. In fact, I would step up for the challenge and be the new maintainer. But in reality, I don't think themers with any php knowledge would accept this. One of the wonderful things about the theme engine is you can do just about anything to it, so limiting t.d.o (themes.drupal.org) contributions to just styles.css and images would cancel out any of the hardcore skinners out there.

But we do need a middle ground - because it's a shame to lose this part of drupal.org especially when it's entering a new era. Can we evaluate this idea please?
------------------------------
BioALIEN
Buy/Sell/Trade with other webmasters: WebMasterTrader.com

Bèr Kessels’s picture

... it was created just for this purpose.

Though it /is/ rather different in both use and concept from Zen :).

I'd say, rule of thumb: Sympal Theme is for the Real Semantics/SEO/CSS Fans and CSS gurus. Zen offers ready-to-use styles OOTB, Sympal theme does not, it merely gives 'hints'.

---
Professional | Personal

seanr’s picture

I presume this page exists for a reason:
http://drupal.org/project/Themes

Granted, it's not nearly as nice as the Theme Garden, but why are there so few entries there? This main site should be the place to go for all Drupal related downloads, modules, themes, or otherwise.

Sean Robertson
webolutionary@webolutionary.com

Bèr Kessels’s picture

... that is part of the whole idea.

Especially the fact that there 'should be a better way to browse themes on the Theme Garden' has been somethin I have opposed to for this very reason: http://drupal.org/project/Themes should be the place to browse themes. That should be the place that should be improved, in that case.

However http://drupal.org/project/Themes does not offer 'previews' of a theme, which is what the theme garden does.

And are there any themes on Theme Garden that you don't see on http://drupal.org/project/Themes ?

---
Professional | Personal

rszrama’s picture

Interesting site just found through the Stylized Beauty theme here on drupal.org:

http://drupal-50x.themebot.com/

The main site has a gallery with 77 Drupal themes, 4.7 and 5.0. This is the 5.0 demo site with what looks like most of the current themes available for demo. It's got ads... but no big deal. They're easy to ignore Google Ads.

Bèr Kessels’s picture

What interests me most, is how they (if at all) manage to review the themes. It seems to me they don't. Which makes their system ratehr vulnarable. I may be called paranoid, but here is a simple idea, and teh main reason why themes.drupal.org did require so much review time:
I make a theme. I am no great coder, but I do include some ugly PHP. Chances are no-one will notice, because those reviewing themes are themers themselves mostly, not hardcore PHP developers. Think about fancy search fields that are not filtered. Think about hardcoded, but goodlooking (yet unsafe) login blocks. Hell, I could even put such things in deliberately and hide behind my ignorance as themer.

In short: Don't trust themes. Don't trust modules. Look at them, or get someone to do so. Drupal has a policy of allowing anyone with a good reason to contribute code, but that does not mean that these people are to be trusted. The amount of eyeballs going over modules in the contribs makes it rather secure (chances aer someone found that ugly part already, before you install it). But especially in themes, wich are eyeballed a lot less, and a lot less by PHP gurus, you should be careful.

So, how do you people manage to keep this theme directory secure? Do you manually read trough all themes? Or do you simply trust that what is in Drupal is probably secure? Did you harden your server and installation? Did you automate installation of modules?

---
Professional | Personal

rcross’s picture

I'm sure this is a naive idea, but it would seem that with the seperation of content, logic, and presentation that security of themes shouldn't be such a major issue. Additionally, couldn't we make use of the multi-site capabilities to help sandbox each theme, so that any "bad" code couldn't affect the rest of the site? I know opensoucecms.com simply reloads a backup automatically which might be usefull. I can respect that by allowing php code with out any review, there is a potential for problems - but i agree with some of the other posts that it would be a shame to loose this resource and that it would be ideal to come up with some mix between no review and full on security audits. Maybe only showcasing themes with some sort of tiered moderation to allow the community to review the code. Or Possibly, denying any themes where particular "dangerous" php functions are used or somehow enforcing that any "functionality" should be put into a module instead of a theme if it expects to be showcased. However, alot of this seems to be a bit pointless if theme maintainers can't even include a screenshot of the theme in the downloads section.

--Ryan

Bèr Kessels’s picture

If you read post you see that there is more to all this then simply reviewing themes.

That said, it is indeed very naive to trust theme(r)s. Drupal has no strict separation of code and logic: themes are plain PHP. Themes are far more powerfull then merely some CSS tweaks. Themes /do/ contain a lot of logic. Sometimes because the developer was lazy and found that themes were the simplest place to put that code. But most of the times because themes require php coding, but themers are not very knowledgable about writing secure PHP. And worse: themes are hardly ever reviewed as good as modules are, by PHP guru's.

---
Professional | Personal

jerryjvl’s picture

Maybe some middle ground between the two extremes can be found (review nothing, and review everything) by having some kind of 'certification' where devs can signal that a specific theme has been reviewed. That way many more themes can be easily included by themers, but concerned users can go by review status to decide which ones are 'guaranteed safe'.

webchick’s picture

Assuming for a moment that we had a collection of devs with the depth of knowledge required to do security audits, who had the kind of time to review every line of code in every theme... that means:

a) in the meantime they're not working on other things, like improving Drupal or building new/improving existing themes.
b) as soon as any change whatsoever to any theme is committed, the process has to start all over again.

Coupon Code Swap’s picture

You can always use ThemeBot for finding Drupal themes. All of the themes for Drupal 4.7 and Drupal 5.0 are showcased on ThemeBot. There are high quality screenshots in the gallery and each gallery entry was just recently updated with a direct link to the live demo for each theme.

Also, the slogan, mission statement, sticky, footer and right/left columns are all activated so you can see what they will look like in each theme. I don't know if this is a worthy alternative to Drupal Theme Garden, but check it out and let me know what you think:

http://themebot.com

Regards, Sean

chx’s picture

Very nice idea. But read this whole topic and think again on providing demos. Slideshow should be enough.
--
The news is Now Public | Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.

--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.

Coupon Code Swap’s picture

Perhaps I should rethink making the live demo available publicly. I think it is a nice feature, but not necessary since the screenshots are super high quality. There are bunch of themes, not just for Drupal but also for all the other content management systems. And more are on the way. Some of the themes have pretty sloppy coding (none of the drupal themes of course ;) which makes me a bit uncomfortable.

A couple questions. If a specific theme is hacked, is there any way to pinpoint the theme and even more specifically the vulnerable code (doubtful, but thought i'd ask)? Also, if a theme were hacked on one of the live demos which is hosted on a subdomain, for example, drupal-50x.themebot.com, would the hacker be limited to the Drupal installtion on that subdomain, or could they potentially gain control of the entire site?

Thanks in advance.

------------------------------------
http://themebot.com
http://upadesha.com

Bèr Kessels’s picture

or could they potentially gain control of the entire site?

Worse: They can take control over your whole server easily. Google for "Chroot", "SELinux", "SuExec" and "file permissions" for more information. Also have a loot at paranoia.module, it makes things a litle more secure, though won't protect you against crackers that get root access.

The only thing you can do, is read trough the themes, manually. And investigate them on SQL injection, XSS and so more. In general, distrust any theme that has forms hardcoded, including a search form! In general, distrust any theme that has SQL or business logic (PHP) hardcoded. I am not saying that they are insecure, but themes containing the above, are simply made insecure.

Bèr
---
Professional | Personal

Coupon Code Swap’s picture

Thank you for the feedback Bèr. I took all of the live demos offline yesterday. It is bad enough with just one content management system, but when you've got several CMS theme demo sites and no idea what level of PHP expertise the theme designers have, it becomes a huge security risk. This was something I was concerned about earlier and I'm glad this topic was raised, so I can deal with it before getting hacked. I've put a lot of work into themebot and it would be a shame to have something like that happen.

The screenshots in the themebot gallery are very high quality and show the entire theme. That should be sufficient for previewing a theme. And, if info about the theme i.e. width (fixed or fluid), code compliance, layout (table-based or css), and browser compatibility are included by the theme designers it makes a live demo unnecessary.

This brings up another issue. I think many people who download themes for a CMS are unaware of the security risks that could be present in a theme. It would be great if there were a way to organize some kind of security audit team for drupal.org, and when the code for themes or modules is scrutinized, it could receive a seal of approval or something along those lines. This would definitely be a bonus for using Drupal. But of course, it would take a lot of time and volunteer effort.

Since you worked on Drupal Theme Garden do you have any suggestions for ThemeBot going forward? If you see anything that could be added or improved, please let me know.

Sean

------------------------------------
http://themebot.com
http://upadesha.com

Bèr Kessels’s picture

The most technical suggestion is to use a Xen (or any other) VM with a clean mirror. You simlpy overwrite the live Xen VM with the clean mirror every night. That way a hacked server will be cleaned out after at most 23 hours and 59 minutes :)

However, there are at least fifteen themes last time I did a review (being over 60%) that don't have any PHP nor hardcoded forms: they can be considered secure, since they don't _have_ the opportunity for security issues. So limiting the amout of previewable themes to the ones without any PHP might be an option too.

Another suggestion is to automate the screenshotting. You run a closed (Apache authentication) server, where only you, and the IP's of browsershots.org can come. Browsershots will then make H- Res screenies for mac-Safari, various IE versions, Opera, Konqueror and what more: very useful IMO. The only issue with Browsershots, is that they remove a shot-set from the site when it was not accessed for X time. Maybe you could contact them about your idea to tie Drupal themes into their service, so that they can make an exception or so.

And the last is to make the shots yourself. I am only aware of one scriptable system for that, called khtml2png. It needs a full Xorg and KDE-lib installation, so its not very server-friendly, but it works extremely well for large screenshots, especially long screenshots (going down the full page). You could run a script on a local installation with all the themes installed to extract Hi-Res schreenhots for each theme yourself.

That said. I beleive the real option is to provide better integration between developers' sites and Drupal.org. If I make a theme and contribute it, who, better then that developer, could provide a live preview. She (he) get the kudo's the credits, the GoogleSchmoogle, while the preview is live and especially designed for that theme.

Bèr
---
Professional | Personal

rszrama’s picture

I agree with the last option. It warms my heart to see a live demo on the developer's site, especially when the theme is actually in use. That's what I really like to see anyways... how do I feel browsing actual content on this thing? I liked the ThemeBot site and hope you figure out a good way to keep it afloat!

Coupon Code Swap’s picture

Your input is very helpful. I've got daily backups going to a separate server. Considering that, would it be worth the risk of being hacked for the sake of providing live demos? Your mention of browsershots.org brings up an important reason why I wanted to have the live demo, so that people can test out themes in various browsers. (I think it would be too cumbersome to have separate screenshots for each browser.) Of course, it would be best if theme developers provide a live demo, and any one who submits a theme can add this. However, many people end up abandoning their themes and that leaves a lot of broken links.

ThemeBot is growing. I'd like to eliminate the advertising (it barely trickles in any revenue) but I need to have a way to provide a useful service on the site that benefits users and brings in some money to pay for the ongoing maintenance and development. Working on that.

I'm going to be adding a new CMS soon and also a section for standard HTML templates. I've also got some functionality in the works to improve filtering of themes. That may take a while though.

------------------------------------
http://themebot.com
http://upadesha.com

Coupon Code Swap’s picture

Considering that, would it be worth the risk of being hacked for the sake of providing live demos?

To answer my own question... NO. If somebody finally did find a theme they could hack, there would be no way to trace which one it was. And, it wouldn't be worth the headache. I guess there just won't be live demos for content management systems that have php-based templates.
------------------------------------
http://themebot.com
http://upadesha.com

zeta ζ’s picture

If it is PHP that causes the security issues, why not generate a static (X)HTML page and then serve that, with the .css, instead of the .php?  I assume this is what you have done.

Looking good BTW.

rup3rt’s picture

The crossbrowser firefox extension PageSaver http://pearlcrescent.com/products/pagesaver/
takes great fulllllllllllllllllll length screenshots.

IEs 4 linux lets you run IE browsers on linux to empathise some retrocidal giddy user despair
http://www.tatanka.com.br/ies4linux/page/Installation

R3

taherk’s picture

Excellent site Themebot... I added you to mydrupal resources on my website

______________________________________
Drupal Tips, how-to, Themes @ http://mydrupal.com

Coupon Code Swap’s picture

The live demos for Drupal 5.0 are up and running on ThemeBot. There is a convenient link below each 5.0 theme in the gallery to view the live demo. The demo link can also be used to validate each theme :)

ThemeBot Gallery

In running validation, I found what I believe is a small bug with the output created by Drupal 5.0. The CSS id "edit-submit" is defined twice. Once for the form generated by $search_box and again for the login form.

themegarden.org’s picture

We have found the Drupal Theme Garden very useful in the past. Since the Garden is closed now, we decided to provide new space for showing various themes in all its glory. Initiative to do that resulted in ThemeGarden.

To begin with, we tried to make site similar to original one. However, we certainly plan to introduce an improvements in the future. Any suggestion for improvement is most welcome.

The TheamGarden.Org team.

themegarden.org

ceege111’s picture

What would be really great is a way to view a lot of themes at once in thumbnail view - it's too slow to click through the themes now that there are so many

The thumbnails should be big like they are on the drupal site - and clickable to the relevant theme in themegaden...

http://drupal.org/project/Themes

Thanks

C.J.

claudio.lente’s picture

People,

i have used the site http://themegarden.org/drupal50/ to test many drupal 5.x themes.

I have used too http://theme.drupaler.net/

Good luck to all.

Coupon Code Swap’s picture

I've added a system to ThemeBot that should help improve the quality of themes in the gallery. You can Read the article here. More features are in the works.

------------------------------------
ThemeBot - Find and Share Web Design Templates

themegarden.org’s picture

From now on the Drupal 4.7 themes are available at the themegarden.org. Also several Drupal 5 themes are added. All themes are shown as is, on live Drupal engines.

themegarden.org