The trunk has been frozen until the release of 2.0.14 (planned for the 24th unless somebody reports a serious problem with the actual source). A bunch of bugs were fixed since the release of RC1, but no real problem due to the changes performed in the RC was reported (apart from an UTF8 related issue due to a sptupid change of mine).

The release should be announced tomorrow on the mailing-list, and until then people interested can download the SVN snapshot made today from the sourceforge repository (I may add a link to it in the left column block tomorrow, I'm just too tired right now). We'll try to make such snapshots regularly from now on, to ensure you can get the latest SVN changes without having to install a Subversion client.

I've seen several articles about CSRF and token/tickets systems lately, saying that such systems were secure, while I always was against token systems. The reason is simple: such systems complicate your code and bring absolutely no additional protection. Good developers out there spending their time on tickets system would rather work on something else than waste their precious time like that " style="display: inline; vertical-align: bottom;" class="emoticon" />.

The point is that there is no CSRF. This is a name given to another extremely dangerous type of attack: XSS. What some brainless people called CSRF is just a particular way to exploit XSS and nothing more. However they didn't discover anything, they just put another name on something else (the same applies to AJAX in fact: the emergence of these terms are just the symptoms of a society that has become so stupid and uncreative that it tries to disguize recycling into progress).

Continue reading "There is no CSRF"

There has been a lot of work done during the week. Both phppp and I have been working on features that would be needed for the rearchitecture of the xoops.org sites in the core and also CBB...

pemen is still working on the ldap integration, and once this is finished (during the week I hope) we're going to release 2.0.14RC1 to the public... Apart from many bug fixes, some 2.2 and 2.3 features have been added to this branch to reduce the differences there could be between all the 2.x branches. Some of the 2.3 theming layer features, like templates and images overloading have been backported to it and will also be added to 2.2.5...

2.3 work will go on after 2.0.14RC1 is relased, but when we can as it's been done here, we'll try to give you enhancements as soon as possible: features tightly tied to the 2.3 architectural changes will stay on the 2.3 branch only, but end-users features that could be implemented on all branches and released soon will be added to all branches simultaneously.

We'll keep you informed, but I strongly think you can expect an RC within a week " style="display: inline; vertical-align: bottom;" class="emoticon" />

At this moment while Skalpa is focusing on 2.3, I am working on branch 2.014 and 2.25.

Update on 2.25 is solely for security/bug fix, while some new (minor) features will be added to 2.014 since Skalpa is now able to get a hand back on 2.0.

While making bugfixes for 2.25, I found in some cases it requires much effort to finish a compete solution. For instance the path submitted by Dave_l, it is simple to fix the specific problem with a patchy solution but you will find many other places have the same problem. What I suggest is to leave such issues that not very critical by requiring much effort to next release or whenever we get hand on it.

3 releases have been in the making recently: the next 2.3 alpha, 2.0.14 and 2.2.5...

The 2.2.5 update will contain several fixes that phppp has taken care of (actually, I should give him access to this blog... he's as important as me here, so that would allow him to tell all personally about what he does).

2.0.14, on another side will be a bigger, although the exact things to be done to it haven't been finally discussed (just small private discussions between phppp and I, the real ones will happen on the SF forums). We agreed that the time taken on these branches should not interfere too much on our commitment to the 2.3 branch, however there are also many other things to consider, one of them being that users didn't benefit of enhancements done to a stable release for more than one year.

Thus, the patches we have and that could be added to 2.0.14 without requiring much work from us are seriously considered (well, that's not hard: there are 2 of them). This means that:
- pemen's LDAP integration hack (which has already been 2.2 anyway) will be added
- there are chances that I'll add the "blocks below content" feature that McNaz contributed a while ago (will need further review, but my first look was quite positive)

The fixes will have to be discussed to... we'll use this release to start re-implementing some of the bug fixes that were done during the 2.1/2.2 dev, but the problem here is that the way the CVS has been used during that time makes it completely useless, so we'll have to review and re-implement everything manually (so not all may be redone right now)

As those who are watching the SVN operations have been able to see, I've just merged the task #123542 changes to the 2.3 branch. This task branch has seen an insane number of changes or additions, and isn't really a good example of the way things should be done in normal circumstances, but the actual ones do not really correspond to this definition.

As personal contributions were not coming naturally after the release of alpha 1, I decided to go to a longer cycle, trying to take care of the particular points the few people I knew around needed to be done before being able to join.

So, instead of focusing on taking care of precise points and finishing them entirely, I tried to dedicate myself to those anticipated contributors as much as I could. Concretely this means that:
- what phppp and I needed to start making the new localization framework is here
- what pemen needed to integrate it's modular authentication system, and implement the corresponding configuration panels is here
- what would be needed to make a dynamic metas generator integrated to the theme engine is here
- The 1st draft of the new architecture technical doc/API will be published within a couple days

This means that the current source has some issues that would prevent it from being used in a public environment, but on the other side this means that at least 3 people will start working on the development from now on... and this was the most important.

All this has been tagged as 2.3.0-a2 in the SVN /releases/ folder, but may not be released as alpha 1 was, but more for internal use. However curious are free to look at it (just: don't forget to read the release notes if you want to be able to install it " style="display: inline; vertical-align: bottom;" class="emoticon" />).
Also, due to the amount of additions or new possibilities, I wont describe all here today, but it's going to start ASAP. Anyway, to give you a brief idea, here's the reduced changelog:

... but it's not fun nevertheless " style="display: inline; vertical-align: bottom;" class="emoticon" />


Well, sorry for this public inactivity you've seen during the latest weeks. My connection quality became quite irregular a bit less than one month ago, making me commit quite irregularly. Then, while I was still blaming my ISP, it finally came to an end 10 days ago when my modem entirely burnt (ok... for once it wasn't them).

That's in front of cases like this you start thinking that living in the countryside doesn't only have advantages... anyway the problem will be fixed soon. I had to move to Paris for the week after this week-end meeting with some french community members and should be able to send a few posts here until I come back home at the end of the week, with a shiny new modem, and lots of things to send to the SVN, to ensure a 2nd alpha can be released not long after (less than a week).

So there will be more news soon... before I can go back to coding, I'll post a few technical entries here during the week as much as I can: for those of you who had been worried about this point, this 2nd alpha will be the last release mainly written by your servant. Phppp and I will start working on the new i18n layer together as soon as alpha2 is here (as it will be based on his great xlanguage module), pemen who I met this week-end will have everything he needs to re-implement his LDAP/directories authentication classes, and if the oracles are with us Herve will work on implementing his dynamic metas generator as a theme plug-in... So my posts will be primarily for them, to provide them with something a bit more explanatory than the technical/API reference (1st version to be released with alpha 2 " style="display: inline; vertical-align: bottom;" class="emoticon" />) to speed up their learning of the new functionalities.

XOOPS 2.3.0 alpha 1 has been made available, and can be downloaded using the provided link in the main nav.

I wasn't really sure about how to announce this (as it is an alpha and thus is not intended to be used by everybody), so nothing has been sent on the announcements ML. Please give your feedback about this decision in the comments, I may change this next time.

Also, 2.2.4 is ready thanks to the dedication of phppp, so I'll package it very soon (here an anouncement should be made tonight for the release to be made tomorrow).

PS: Anyway, this should not be published as the main news on xoops.org. IF you want to talk about this in the forums there's no problem, but alphas should not be announced there as any RC or final release. Thx.

The roadmap for the next releases (2.3/2.4) has been published in the documents section, and will be added to the main nav right after this post.

Please note that the part describing 2.4 will be updated later on, as this release is expected to be bigger than what is actually written (but how much has yet to be defined, and will depend on the success 2.3 gets from other developers).

An important note too, before people start asking: 2.2 will not be discontinued until we are able to give something better to every 2.2 user. Some maintenance releases will continue to be published until 2.4.0 is ready (2.2.4 is almost ready and will be published in the forthcoming days).

My apologies for this small period of inactivity. Things are going to move forward again in the next days.

The site has been updated and smartsection will be used for documents management, the roadmap for 2.3/2.4 is ready, and 2.3.0 alpha 1 is almost there (well, it's been in the SVN repository for more than 1 week now, but as the roadmap is here it will be time to publish it too).

The technical library section has been prepared too, but is still empty right now. However I'm planning to start publishing articles in it soon (after alpha 1 has been released).