Security Bug Report Contact


  • yehgdotnet
    Member

    @yehgdotnet

    It seems that contact emails and mailing lists might not be monitored.

    Are there any developers here so we can report the issue privately?

    Thanks.

Viewing 25 replies - 26 through 50 (of 70 total)

  • John James Jacoby
    Keymaster

    @johnjamesjacoby

    I’m in a tough spot with regards to internet access until I’m home from holiday on Jan 3; home or not, getting updated versions of 0.9.x and 1.0.x out asap is my top priority.

    I’ve ported over the changes to KSES and clean_url into a branch in the BackPress repo ready for bbPress 1.0.x branch work.

    If anyone has cycles to review and test, that would be great :-)

    http://backpress.automattic.com/log/branches/bbpress-1.0-backpress


    Ashfame
    Participant

    @ashfame

    @JJJ It’s Jan 5 already!


    Ashfame
    Participant

    @ashfame

    Seriously, a security exploit fix is sitting in the trunk for 1 week


    Mark McWilliams
    Member

    @markmcwilliams

    Ashfame: Seriously, a security exploit fix is sitting in the trunk for 1 week

    Give JJJ a bit of respect, he’s not the only guy who could make the required change, I believe a few people have the powers and such! Plus I’m sure you’ll see that bbPress doesn’t get as much attention, or have the same number of Core Committers. I’ll try and give JJJ a shout! :)


    John James Jacoby
    Keymaster

    @johnjamesjacoby

    The trunk is technically 1.1, so both the 1.0 branch and 0.9 branches also need fixes, which means they both need testing. There is also another critical bug that’s cropped up that I’m working on currently, to get them both in under the same security releases.


    Ashfame
    Participant

    @ashfame

    My apologies if my tone was somewhat harsh but I am concerned about the way it is handled when compared to WordPress. WordPress security upgrade was pushed in record time of 4 hours. I am not blaming JJJ or anybody else.

    It’s something I would have felt if I was a non-technical guy running bbPress unknowingly that my forums are vulnerable.

    How would the WordPress community have reacted if a WP bug wasn’t fixed asap? They would obviously curse the people behind WordPress but since bbPress is a little pond, that doesn’t mean it should wait for 1 week. I know how much difference it makes when there are several developers on a project as compared to when there are only a few.

    I understand JJJ didn’t have proper access to internet but I really expected an update on Jan 3 & we haven’t got anything till now. Maybe there are issues which need to be fixed before a release is pushed live but I certainly don’t feel right about it.

    That said, it’s all my opinion and it doesn’t intend to pinpoint any individual. For the record, I am only blaming the situation.

    I hope JJJ didn’t mind my tone. If he did, I apologize once again. I am just in favor of the bbPress community. JJJ, if you remember, I was the one who brought this topic to your attention on IRC.

    P.S. – I don’t run even a single forum of my own and views are certainly not biased for only my favor.


    John James Jacoby
    Keymaster

    @johnjamesjacoby

    The recent WordPress security upgrade (regarding kses) wasn’t 4 hours from initial contact to release, but you’re right to say that having more eyes and developers did help to expedite the testing.

    Needless to say I wasn’t personally accessible to work on this until I was back from holiday, so it is me dropping that ball and not being prepared. I’ll take that responsibility even if no one expects me to. :)

    Honestly, the reminders get a little repetitive, but only because I get them from a few different places. Open source development is kinda like having 1,000 bosses, but I’m used to it and take pride in having people be worried about the state of things.

    I’ve got pretty thick skin and don’t take things personally. So, no worries. :)

    Another personal hurdle was learning exactly what the procedure is to actually push out a release of bbPress. Having never needed to do it yet, and having the only person who has in the past few years (Sam) not immediately at my disposal, it took a few days to get me set up and ready to be able to do it.

    The trunk and 1.0 branches are fixed. The 1.0 branch is ready for a release. I am going to do the 0.9 branch tonight, do some testing, make my first deployments, and look forward to things hopefully going smoothly for releases tomorrow or this weekend.

    I’m not new to bbPress, but I am new to the logistics. Don’t fret, I’m a fast learner. :)


    Ashfame
    Participant

    @ashfame

    That sounds cool! I understand your problem and totally appreciate your involvement.

    I have seen you around since my early days (3.5 years ago), so it feels safer than somebody new rolling out things. :)


    Ashfame
    Participant

    @ashfame

    ahem..


    citizenkeith
    Participant

    @citizenkeith

    Any news?


    citizenkeith
    Participant

    @citizenkeith

    Really? No news or updates??


    John James Jacoby
    Keymaster

    @johnjamesjacoby

    The news is in trac. There’s one ticket left in 1.1 and then it gets released. No sense in putting out a 1.0.4 to fix one bug that 1.1 will fix. Right now we’re in the middle of a WordPress, BuddyPress, bbPress trifecta release, so there’s three times as much testing to do to make sure nothing breaks.

    If you can’t wait for a public release, download the trunk and do some testing. :)

