-
Celebrating Software Freedom
Today is Software Freedom Day and this year marks the twenty-fifth anniversary of the GNU project which shapes so much of what the Joomla community does and can do every day. Free software advocate and friend of Joomla Forest Mars asked me to say a few words at a software freedom event in New York, and this is more or less what I'm going to say.
Licenses shape software communities. From the moment of its conception the Joomla community has been a GPL community. It was made possible by the GNU GPL, supported by the broader GPL community (most notably in the first days by the Software Freedom Law Center), and building the kind of collaborative environment that the GPL fosters.
The core values of the Joomla project are
- Freedom
- Equality
- Trust
- Community
- Collaboration
- Usability
and the GPL helps us to live up to all of those both in our community of developers, designers and users and in what we seek to make possible for communities around the world that use Joomla to tell their stories, share information, run businesses and do untold numbers of other things that Joomla and its license make possible.
We are committed to being a free software community, and we work every day to make that a reality and live up to the ideals behind the GPL and to use the GPL to live up to our ideals.
-
Install from URL, JoomlaCode and 1.6
Today I was doing some work on JoomlaCode, looking at performance and logging to see what was happening and I noticed something really quite cool. Every week on average a little over 3600 extensions are installed into Joomla! 1.5 sites directly from JoomlaCode. You can do it yourself: navigate through JoomlaCode, find something you want to install but copy the URL of the download instead of downloading it to your computer. Then log into your Joomla! 1.5 site and paste the URL into the "Install from URL" box. Assuming you've got everything you need, it'll download and install the extension for you. Now it may not work properly in all hosting environments, especially ones that have disabled access to the web through either PHP or by blocking the actual connection at a firewall level.
Looking through the list of user agents we've got the usual selection of browsers (IE, Firefox, Safari, Opera), we've got tried and true downloader 'wget' grabbing files here and there, we even have some mobile browsers from DoCoMo flicking around the site and over 43k hits identifying as Google Chrome already. We've also got all of your friendly spiders floating about (Google, Yahoo!, MSN) as well as some language specific ones for languages like Chinese and Korean (e.g. Baidu). We've also got Feedreaders coming in and even some requests identifying themselves as various Java versions. Last but not least we've got Subversion clients coming in as well pulling up data from our various repositories.
So in 1.5 we added the ability to install from a URL, and it looks like people are using it. So what are we doing when we start looking at 1.6? Well we're going to start leveraging this to provide an update system that'll allow you to, within Joomla!, update your extensions. We're going to add some new extension types, such as libraries and packages. We've also done some work changing the way the installer system looks and we're unifying all of those extensions under one 'manage' tab. It's not yet ready but it's starting to take shape with little bits here and there coming together. We're nowhere near done with it but it is coming and we're hoping it'll have some really cool features for both developers and users.
To round up, Brad and Ron did some great work over the last few days upgrading JoomlaCode to the latest release of GForge and it seems to be running beautifully and has a new refreshing look. So we thank both GForge and Rochen for providing the application and hosting environment to keep JoomlaCode alive and the great resource it is for the community.
-
Joomla! Security, do you take it seriously like we do?
After the recent security update, it's still so saddening to see how many people do not take security of their (and their clients') Joomla! sites seriously. If an urgent security patch is released, there is a good reason for it. In any case, just follow the Security Forum for a few hours to see what I am talking about.
What can we all do about this?
Here's one way: http://feeds.joomla.org/JoomlaSecurityNews
You can subscribe via email and/or RSS; the choice is yours.
Why not help us all out by spreading that link around as much as you can and encouraging more people to subscribe.
PS We have more and more RSS/Email subscription options available to our users on the JoomlaConnect site now as well. Just click your browser's RSS icon. We'll be adding more of the language categories when we have time.
-
JSST Is Coming...
We over here at Joomla are preparing a new team... The first letter of the name is obvious (Joomla!)... The second stands for "Security"... The rest will be left for the official announcement which should be sometime this week if all goes to plan. We (Joomla!) do take security VERY seriously, and have always taken it seriously. However, events of late have really proved what we have known for a long time: that we need a dedicated team just for handling core security. The wheels are in motion, and more information will be available as the steps unfold. So for now, suffice it to say that JSST is coming...
-
Hosting providers - Isn't it time?
Time for what? PLEASE read this: http://au2.php.net/register_globals - read the part in RED.
I've finished yet another posting spree trying to help users with security and performance issues and I am still SHOCKED at how many hosts still have register_globals ON serverwide. Come on hosting providers, isn't it time you kept up? Isn't it time you closed this security hole that only you as a host can close, and help prevent cross server file compromises?
What about running suphp (or an equivalent)? Why are so many hosts STILL not running a 'more secure' environment for their users?
I am sure all hosts understand (they should!!) what I am talking about, but for the users, who I suggest take this and pressure your hosts, let me try to explain these two things in layman's terms:
1. With register_globals ON serverwide even if you as a user disable them (via a php.ini or .htaccess directive) under certain circumstances your site can still be compromised if another user account on the server is compromised or is used maliciously. It's that simple, and it happens day in and day out, people posting on the Joomla Forum making it apparent that this was the reason their site was compromised.
* Disclaimer: It's true, your host may have a method of working around this huge security hole, but even still, I ask "WHY?" register_globals has been off since php 4.2 by default, and we are well into the php5 world now.
2. suphp (or equivalent). Running Apache/php via this method means permission problems for your users are a thing of the past (almost). Under this environment when php writes a file (ie installing a template for example) the files are owned by your user account. Files that are 644 are writable by your user (ftp), and yet other users on the same shared server cannot write to them. Again, why would you not want this simple extra layer of security, as well as making it so much easier for your users to manage their Joomla (and any other php script) website?
* Disclaimer: Again, there are circumstances when suphp is not efficient (dedicated server possibly, and extremely high load possibly), however at the least, check with your provider and ask them what methods they use and why.
.. anyway.. that's it for now. PLEASE, do your users, and by extension yourself a favor and consider my comments.
Oh, and I guess it goes without saying, since php4 is now EOL all hosts should be running php5 now.
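One way to check a site's files against the ownership model described in point 2 above, as an added example that is not part of the original post: it flags anything under a document root that is not owned by the account user or that is writable by group or other. The function names and the sample file layout are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_docroot(root, owner_uid):
    """Return sorted (relative_path, issue) pairs for entries under root that
    break the model above: owned by the account user, and not writable by
    group or other (i.e. 644 files, 755 directories)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning; skip the link
            rel = os.path.relpath(path, root)
            if st.st_uid != owner_uid:
                # Typical when PHP runs as the shared web server user, not the account
                findings.append((rel, "foreign-owner"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
    return sorted(findings)

def build_sample_site():
    """Create a constructed sample tree (not a real Joomla install) for the audit."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "templates"))
    os.mkdir(os.path.join(root, "cache"))
    layout = {
        "index.php": 0o644,                              # matches the model
        "configuration.php": 0o666,                      # any local user can rewrite it
        os.path.join("templates", "custom.css"): 0o664,  # group can rewrite it
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "templates"), 0o755)
    os.chmod(os.path.join(root, "cache"), 0o777)         # the usual "make it work" fix
    return root

if __name__ == "__main__":
    sample_root = build_sample_site()
    for rel, issue in audit_docroot(sample_root, os.getuid()):
        print(f"{issue:15} {rel}")
```

On a real account, pass the document root and the numeric uid of the hosting user; an empty result means the tree matches the model the post describes.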