
Event management with Indico

By Jonathan Corbet
July 3, 2018
There are many things to love about the Linux Plumbers Conference (LPC), but the event's web site has not often been considered one of them. This year, your editor took on the task of finding a new system to handle proposal submission, review, and scheduling, despite his own poor track record when it comes to creating attractive web sites. The search finally settled on a system called Indico; read on for some impressions of this interesting free event-management system.

There are a number of free systems out there for handling the needs of conferences. Among the others that were considered are Symposion, which is used by linux.conf.au, and OSEM, the openSUSE event-management system. Both are capable systems, but neither seems to have been developed with the idea that others might want to pick it up and run it. In particular, every Symposion installation seems to require a fair amount of low-level customization. The installation documentation for both is, to put it charitably, a bit scant. Indico, instead, comes with a nice installation manual that makes the task something that is, if not actually easy, at least achievable without having to actually learn the entire code base first.

Indico is the event-management system used by CERN; it is released under GPLv3. Since CERN runs a great many events, Indico's features tend to be well exercised and tested. Concepts like time zones, multiple languages, and delegation of responsibility for individual events are fairly well supported. It is clear that CERN has put considerable resources into developing Indico, and we benefit from its release to the world.

The code itself is, it must be said, a bit messy. It is a big collection of Python 2 code, JavaScript code, Jinja2 templates, and Sass source files. Finding where a particular page is implemented can often be a bit of a challenge, and making changes doubly so. The good news is that there is a customization mechanism that allows the replacement of the Jinja2 templates, so some aspects of the site can be easily changed. Some templates are not customizable, though, and changing anything implemented in Python is somewhat more involved.

The top-level concepts in Indico are "categories" and "events"; categories are really just folders that can hold either events or more categories (but not both). The category system is used to organize the events which, in turn, form the leaves of the tree. For a small operation like LPC, the category mechanism is of little use, but larger organizations may appreciate it.

There is a room-scheduling system built into Indico; it can track the attributes of each available room (size, audiovisual capabilities, etc.). Control of rooms can be delegated to specific owners. The origins of CERN show through in many places, and the room system is one of them; rooms are scheduled entirely separately from events. That makes sense if you are running the meeting facility and have to manage multiple events occurring there; it's a rougher fit for an event that moves to a new venue every time, but it works well enough.

Events in Indico have most of the features needed to track their life cycle. Each event has a home page with a reasonable degree of customization; pages of information can be attached to the home page. There is an elaborate mechanism for proposal submission and review. Events can be split into tracks and sessions, with a different coordinator for each session; the schedule for the whole thing can be managed in a reasonably straightforward way. For those who need it, Indico also offers a registration system, though LPC is not using it.

Proposal submission is a little quirky in a CERN-like way. An event can have both a "call for abstracts" and a "call for papers". The former is essentially the CFP that speakers at free-software events are used to, while the latter is the way that the full papers for accepted abstracts are submitted. Few free-software events require the writing of an actual paper these days, so the call for papers feature will go unused by LPC. A fair amount of template wrestling was required to turn "call for abstracts", which reads strangely in our community, into "call for proposals".

The abstracts mechanism allows a fair amount of flexibility in the questions that are asked of aspiring speakers. The answers to the questions cannot be acted upon at submission time, though; one can ask for acceptance of the code of conduct, but not require an affirmative answer to accept a proposal.

The part of the form for specifying the names of the speakers is positively screwy, though; its use essentially requires searching through the database of all users known to the system. In its default form, it can be used to extract the names, email addresses, and phone numbers of all users. Your editor intervened in the code to limit that exposure, but the main CERN site operates that way. When asked about this behavior, the Indico developers said that the system was behaving as designed.

On the review side, the designated reviewers can look at proposals and vote on them. A suitably empowered account can accept or reject talks. An accepted talk becomes a "contribution" in Indico-speak; it can then be added to the schedule and managed by dragging talks to their desired time slots. The schedule itself can be made available in a number of formats.

One of the biggest shortcomings of Indico is that no thought has been given to small-screen rendering at all. After a fair amount of work with a rather blunt hatchet, the LPC site was made to be somewhat usable on mobile devices. Your editor would like to say that this work is going back upstream, but it is best seen as a proof of concept to give a hint of what a proper solution might look like someday.

Another gap is the absolute lack of any sort of facility for an event news stream. There is a site news feed, but it is global and is not even visible from within the pages for an event. Some sort of per-event blog would be a welcome addition to the system.

The Indico developer community is small, but it is friendly and helpful. Regular releases are made; version 2.1 came out on May 16. As noted above, the installation documentation is quite helpful. Documentation on actually using the system is a bit more spotty, but it is far from absent and often helpful. There are no real indications that Indico has ever been through any sort of security audit, and the project does not put out security updates. Chances are, there's an unpleasant surprise in there somewhere.

Overall, Indico is a good base upon which to build a conference web site. The necessary core features are there, and the system is maintainable enough, even if your editor gets grumpy occasionally about how kids these days like to structure their code. With luck, it will serve LPC for some years to come. LWN readers are invited to try it out; the LPC CFP is open now, so this is a great time to exercise the system by proposing to give a talk or organize a microconference on a topic you care about.



Event management with Indico

Posted Jul 3, 2018 18:43 UTC (Tue) by pj (subscriber, #4506) [Link]

Kudos for setting an example of how to use and interact with open source software! Such behavior shouldn't be as rare as it seemingly is.

Event management with Indico

Posted Jul 3, 2018 23:30 UTC (Tue) by johill (subscriber, #25196) [Link]

Arguably, even on big screens the design is somewhat problematic - the CFP page renders in a very small font for me, which feels positively strange given the overall layout with generous whitespace and font sizes. Somewhere in there the <body> (screen_sass_df7c1ae7.css lines 2 and 31 according to Chrome) the font size is set to 13px, even simply removing that makes it far more usable.

Event management with Indico

Posted Jul 4, 2018 3:00 UTC (Wed) by cozzyd (guest, #110972) [Link]

I've been interacting with indico for many years (it's the standard for all conferences in the high-energy physics community). It's...ok, at least from a user's perspective (from what I remember, creating events is needlessly complicated, but I haven't administered an indico site in many years and maybe that has improved).

At bigger conferences, it often seems overloaded, but I'm not sure if that's inherent to indico or a result of either meager conference venue internet or the fact that the indico page is often hosted at a far-away institution (e.g. CERN or LBNL) on what could very well be an underpowered server.

Event management with Indico

Posted Jul 4, 2018 3:21 UTC (Wed) by songmaster (subscriber, #1748) [Link] (3 responses)

I too have attended a few conferences where the organizers used Indico and from the user perspective the sites worked fine. One really painful aspect occurs if you want to make an archive copy of the conference site, say to keep a permanent record of all the uploaded papers or talks that the site publishes — the conference organizers’ IT department may take down the site after a year or two so the community whose conference it was doesn’t have much choice if they want to keep their history. There may be an easy way to do that if you are an insider, but if all you have is access through the Indico web-server it takes a ****-load of editing to clear all of the stuff you don’t want/need after spidering the pages.

Event management with Indico

Posted Jul 12, 2018 13:34 UTC (Thu) by pferreir (guest, #83556) [Link] (2 responses)

Hi,

That's not the case anymore. One of the nice things we've added recently was an export tool ('indico event export' command from your favourite shell) that allows you to export a ZIP with all the conference files and metadata. This archive can be restored in any other Indico server.

Cheers,

Pedro

Event management with Indico

Posted Jul 14, 2018 3:53 UTC (Sat) by songmaster (subscriber, #1748) [Link] (1 responses)

> This archive can be restored in any other Indico server.

This is great if I am willing to install and run my own Indico server for archive purposes, but then I have to manage it and keep it up to date. From an archivist’s perspective I’d much rather get a tree full of simple HTML and media files that I can throw somewhere under an Apache web-root, maybe with some .js for client-side niceties but with no need to run server-side smarts at all.

I admit to being a bit of a pack-rat, but I have conference and mailing-list archives from my community dating back to the mid-1990s...

Event management with Indico

Posted Jul 16, 2018 12:11 UTC (Mon) by pferreir (guest, #83556) [Link]

OK, then I misunderstood what you meant. Anyway, that exists too - there's a feature called "Offline copy" that lets you do exactly that. The result should be 100% self-contained and static.

Event management with Indico

Posted Jul 4, 2018 5:16 UTC (Wed) by alison (subscriber, #63752) [Link] (4 responses)

>despite his own poor track record when it comes to creating attractive web sites.

I'm very happy with LWN. Thank you thank you for NOT switching to 'material design' or somesuch other that values style over usability. Like a lot of other LWN readers, I suspect, I spend a lot of my day typing at a console interface, so LWN is plenty snazzy for me. There is more than one font! And colors even!

Event management with Indico

Posted Jul 4, 2018 8:16 UTC (Wed) by k8to (guest, #15413) [Link] (1 responses)

Yeah, despite whatever duct tape and string exist in the implementation, the rendered output is head and shoulders above most megabucks efforts.

Event management with Indico

Posted Jul 4, 2018 11:18 UTC (Wed) by dskoll (subscriber, #1630) [Link]

Agreed. LWN is fast and readable. It's a pleasure to use.

Event management with Indico

Posted Jul 6, 2018 8:03 UTC (Fri) by spwhitton (subscriber, #71678) [Link] (1 responses)

It is indeed a breath of fresh air.

Event management with Indico

Posted Jul 6, 2018 11:21 UTC (Fri) by nix (subscriber, #2304) [Link]

It is a drop of fresh ink. Air is very Material Design: it is all transparent and invisible and unreadable, like Google Maps.

Event management with Indico

Posted Jul 4, 2018 11:31 UTC (Wed) by hodgestar (subscriber, #90918) [Link]

If one is looking for a light-weight conference management tool, one could also try Wafer -- http://wafer.readthedocs.io/en/latest/ -- which is used by PyConZA and DebConf.

Disclaimer: I am one of the maintainers of Wafer.

Event management with Indico

Posted Jul 12, 2018 11:57 UTC (Thu) by ThiefMaster (guest, #125623) [Link]

[Disclaimer: I'm one of the core developers of Indico and have been heavily involved in the development of Indico 2.0+ (which is a 99% rewrite of the old legacy codebase) since 2014 when the rewrite started.]

> ...and the project does not put out security updates...

This is not true. See the changelog for both 2.0.2 and 2.0.3 - in both cases we have fixed minor security issues and documented/announced them as such:
https://docs.getindico.io/en/stable/changelog/#version-2-0-3

> Chances are, there's an unpleasant surprise in there somewhere.

If this article was about 1.2 or any other legacy version I would agree with you. XSS and similar problems did happen back then, mainly due to the fact that HTML was generally allowed and only "sanitized" to disallow potentially harmful HTML, using a mostly homebuilt sanitizer (and nowadays we all know that this is not the way to go for security-related code).
Since 2.0 where we use Jinja this is not the case anymore though: No escaping/sanitization happens at input time, but rather at display time everything is considered untrusted by default, and processed using Mozilla's bleach library. Even places that do allow HTML such as custom conference pages go through bleach (except that in that case more tags are allowed).

However, if you happen to find any such "unpleasant surprise" in the current codebase, please report it to us (indico-team@cern.ch).

-- Adrian
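
The contrast drawn in the comment above, between a homebuilt input-time sanitizer and treating stored values as untrusted at display time, is shown here as an added example that is not Indico's code. It is Python 3 using only the standard library: the small allow-list parser stands in for bleach, and the sample string and all function names are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: a proposal abstract as stored, unmodified, in the database.
STORED = '<b>Tracing</b> <img src=x onerror="probe()"><script>probe()</script>'

def denylist_sanitize(text):
    """Legacy-style input-time filter: removes only what its author foresaw."""
    return re.sub(r"(?is)<script.*?</script>", "", text)

def render_plain(text):
    """Default at display time: the stored value is text, never markup."""
    return html.escape(text)

class _AllowList(HTMLParser):
    """Emit allowed tags without attributes; escape every other tag and all text."""
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out = set(allowed), []

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        self.out.append(f"<{tag}>" if tag in self.allowed else html.escape(raw))

    def handle_endtag(self, tag):
        end = f"</{tag}>"
        self.out.append(end if tag in self.allowed else html.escape(end))

    def handle_data(self, data):
        self.out.append(html.escape(data))

def render_rich(text, allowed=("b", "i", "em", "strong", "p")):
    """Fields that may carry markup: allow-list filter (stand-in for bleach)."""
    parser = _AllowList(allowed)
    parser.feed(text)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print("denylist:", denylist_sanitize(STORED))  # event-handler attribute survives
    print("plain:   ", render_plain(STORED))
    print("rich:    ", render_rich(STORED))
```

The denylist output still carries the `onerror` attribute as live markup, while both display-time renderers emit it only as escaped text.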

Event management with Indico

Posted Jul 12, 2018 13:25 UTC (Thu) by pferreir (guest, #83556) [Link]

Disclaimer: I'm the Project Manager of Indico.

Hello,

It's really great to see such a complete article about Indico on such a respected site.

Just adding something to what Adrian (ThiefMaster) has already said: the CERN Security Team does conduct regular checks on all the web apps on campus and there is even a "whitehat" program whereby University students are authorized to "hack" CERN apps. Indico is one of the apps that are regularly targeted. We've also undertaken official security audits in previous releases and know that several institutions who adopted the tool have conducted their own audits or hired 3rd parties to perform them. We regularly receive feedback from such audits and act upon it. As ThiefMaster has said, we do have security-focused releases.

Then, while reading the article, one would get the impression that we have dismissed the comments you've made on our "user search" policy - actually, on the thread you've linked, I do suggest that we continue the discussion in the context of the upcoming GDPR "package" that will soon simplify management of personal data. Some of those behaviours are a consequence of the open and "small world" kind of ecosystem where Indico grew up (HEP community). We have been gradually trying to focus on more general use cases and have managed to do so in most parts of the system.

Once again, thanks a lot for the kind words and the constructive criticism. We are really glad that Indico is useful to yet another community, and one that is dear to us.

Pedro


Copyright © 2018, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds