Use Joomla 3.7.0 or go straight to 3.7.1-rc2


WooDzu

May 15, 2017, 8:33:12 AM
to Joomla! CMS Development
Hi there,

Looking at the security release on Wednesday.

Since there are no signs of backporting the patch for 3.6.x, is it recommended to update from 3.6.5 to 3.7.0 and then to 3.7.1 on Wednesday?
Or would it make more sense to go straight to 3.7.1-rc2 right now and then apply a file-diff update on Wednesday?

Personally, I think it is a horribly bad idea to include a critical security patch in a feature release given not everyone has had a chance to test and move to 3.7 yet.

With thanks,
Peter

Webdongle Elgnodbew

May 15, 2017, 9:06:01 AM
to Joomla! CMS Development
Personally, I think it is a horribly bad idea to include a critical security patch in a feature release given not everyone has had a chance to test and move to 3.7 yet

There are 3 main reasons why updates fail
  1. Joomla installed using 3rd party Template/quickstart packages
    those are customised Joomla installs and (imho) should bring out their own updates
  2. Incorrect server settings/software
    make sure the server is correctly set up
  3. Third party extensions that are not up to date
    beta and rc versions are available in plenty of time for 3rd party developers to test their extensions on.

Further to that it takes only a few minutes to test your update on a test server (localhost) or subdirectory

WooDzu

May 15, 2017, 9:25:02 AM
to Joomla! CMS Development

On Monday, May 15, 2017 at 3:06:01 PM UTC+2, Webdongle Elgnodbew wrote:

Further to that it takes only a few minutes to test your update on a test server (localhost) or subdirectory



Oh really? Does this estimate also include testing multiple extensions on both local and staging servers across multiple websites?
I am sure one can test a default Joomla installation in this time.

Sergio Manzi

May 15, 2017, 10:21:35 AM
to joomla-...@googlegroups.com

Statistics, please:

  • How many upgrades have there been from 3.6.4 to 3.6.5 in the past?
  • How many now from 3.6.5 to 3.7.0?

If the latter is significantly lower than the former, and a serious security issue exists affecting 3.6.5, it would be criminal not to release a 3.6.6 security patch.

smz
--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-cm...@googlegroups.com.
To post to this group, send email to joomla-...@googlegroups.com.
Visit this group at https://groups.google.com/group/joomla-dev-cms.
For more options, visit https://groups.google.com/d/optout.

Webdongle Elgnodbew

May 15, 2017, 10:46:37 AM
to Joomla! CMS Development
and a serious security issue exists affecting 3.6.5, it would be criminal not to release a 3.6.6 security patch

J3.6.x is EOL once J3.7.0 is released https://docs.joomla.org/Category:Version_History ... so 3.6.5 is patched by updating to the next Joomla version (i.e. 3.7.0)

Michael Babker

May 15, 2017, 10:46:46 AM
to joomla-...@googlegroups.com
We do not support minor branches individually as other projects do.  Everything is incremental, the only difference is one release type includes "major" features and the other is generalized bug fixes.  Based on our release strategy, we will not be creating backported releases if required.


Sergio Manzi

May 15, 2017, 11:00:38 AM
to joomla-...@googlegroups.com

That, as everybody else, I know.

It doesn't diminish the validity of my point, though (I think).

Are those statistics available?


WooDzu

May 15, 2017, 11:24:47 AM
to Joomla! CMS Development
Appreciate your responses. I decided to go production with 3.7.1-rc2 now and file-patch upon release as this is safer assuming no major changes between rc2 and the release version are introduced. Getting some b/c issues upon updating but investigating the matter now with the view that main production websites are running rc2 by the end of tomorrow, which will give them roughly 18 hours living live outside of business hours and before the release. Just enough to catch missed rc2 hiccups.

Please do consider changing the release approach. Announcing 'critical security update' should indicate hassle-free file update that covers only the vulnerability and everything else is either released earlier or postponed. Mixing critical fix with features guarantees upgrade issues especially for extension developers.


Sergio Manzi

May 15, 2017, 11:32:14 AM
to joomla-...@googlegroups.com

They are here: https://developer.joomla.org/about/stats.html

3.5.x - 29.18%
3.6.x - 60.56% (3.6.4 29.97%)
3.7.0 - 9.86%

Sergio Manzi

May 15, 2017, 11:33:40 AM
to joomla-...@googlegroups.com

Sorry, corrected:

3.5.x - 29.18%
3.6.x - 60.56% (3.6.5 29.97%)
3.7.0 - 9.86%

Michael Babker

May 15, 2017, 11:36:22 AM
to joomla-...@googlegroups.com
Those stats are based on the stats collection plugin in Joomla installs and may or may not actually reflect the current state (sites coming offline, setting up something in a dev environment and moving to prod, test environments, etc.).  If you really want numbers you'd want to go to the downloads site which lists the number of times each package was downloaded.  But even that's not a good metric to use too because that would be a total count since the release.  The metric you want but won't get because there isn't an interface for it is how many downloads for a version happened over a given timeframe.


Sergio Manzi

May 15, 2017, 11:42:20 AM
to joomla-...@googlegroups.com

"The metric you want but won't get because there isn't an interface for it is how many downloads for a version happened over a given timeframe."

Yes, exactly, that would be the most meaningful metric.

Lacking that, we can try to draw some rough conclusions from what we have, and TBH what I'm seeing is a bit alarming.

We will see in the days after the 3.7.1 release how things have gone and if a mistake was made, or not.


WooDzu

May 15, 2017, 12:15:12 PM
to Joomla! CMS Development


On Monday, May 15, 2017 at 5:42:20 PM UTC+2, Sergio Manzi wrote:
We will see in the days after 3.7.1 release how things have gone and if a mistake was done, or not.


I must agree. Time to book a domain for joomla-bleed.com or joomla-cry.com, more on time.

Petros

May 15, 2017, 3:26:02 PM
to Joomla! CMS Development
I don't want to be mean, but if the stats provided don't even give the general picture of what's happening (at very rough approximations) and cannot be used for even backing up the validity of Sergio's point, then we should consider removing them at 4.0 and making the core lighter, and probably save some money that we spent on infrastructure?

Michael Babker

May 15, 2017, 3:46:45 PM
to joomla-...@googlegroups.com
The stats collection itself is fine.  We don't have a mechanism that purges "old" data (which can be a totally arbitrary measurement), so what is displayed through the stats collection API is aggregate totals since the system was placed online.  Those of us with database access can read the data and extrapolate a little bit more based on the last update timestamp, but that's about all.  That system doesn't give us a picture of how fast users upgrade to new releases as an example.  Even our snapshotting process would only give a partial picture about how much the numbers change over time, it is not designed to be a representation of the number of Joomla websites that are on the internet at any given moment.

As stated, the relevant statistics for Sergio's claim would come from the downloads numbers.  But we do not have a system in place to measure the quantity of downloads for a specific release over a specific timeframe (the data is there thanks to the Akeeba Release System logging mechanisms, we just don't have a UI for it or any form of analysis set up, nor do I feel we have a need to invest in this work at the moment).

We can in general gauge how many installations are running 3.7.0 right now.  We cannot gauge how many of those installations are brand new users, or sites that were upgraded, or when the upgrade was applied, or what version they upgraded from, or any other deep level analysis.


Petros

May 15, 2017, 3:57:18 PM
to Joomla! CMS Development
Thanks for replying! I falsely thought it was a current image of which version the sites now have.
Of course this is not something achievable now, but I think it's worth investing a lot in these stats so as to plan releases, security fixes etc.
Maybe keep it as an idea for next year's Google Summer :)

Michael Babker

May 15, 2017, 4:09:22 PM
to joomla-...@googlegroups.com
In terms of development and release management, the 3.6.2 to 3.6.3 upgrade should be no different to an end user than the 3.6.5 to 3.7.0 path.  The major version (3) did not change, therefore there should be 0 compatibility issues with the core platform (yes I also understand that some extensions have some "unique" behaviors which make upgrading Joomla break sites, that's not something that core can account for in every case) and there should be absolutely zero concern with being able to apply the update.  Yes, it would probably take a little longer in some cases for site owners and admins to review the update to apply it because it is a feature release adding more than a normal maintenance release, but that's really the extent of it.

There should never be a need for us to have "extended support" for a minor release branch, be it bug fixes or security patches.  Us doing so to me would communicate backward compatibility issues or that our contributors cannot be trusted to manage a software release series as set forth in the contract we have with our community (the development strategy).  So there is no need for us to create a 3.6.6 release, or 3.5.2, or 3.4.9, etc. etc. etc. as it is designed to be one continuous series.  We honestly could do things the way Drupal used to before their 8.0 release and only have a two part version number (i.e. 7.32), that's how a major release series is supposed to be managed basically.  We use a three part number and follow a widely accepted software versioning strategy that dictates when each part of the version number should change.  If there is fear about applying a feature release (3.6 to 3.7), we are doing something wrong.  The only time users should need extra planning for a release is the major bump (3.x to 4.0).


Sergio Manzi

May 15, 2017, 4:30:28 PM
to joomla-...@googlegroups.com

I might totally agree with your points, but I'm ready to bet that's not the widespread perception amongst Joomla users (vs. developers).

So, my thinking is that if this is true, and again if there is an important security issue at stake, you'll have to swallow the bitter pill and, in the best interest of millions of Joomla users, release fix release patches (maybe also through exceptional channels, i.e. not the normal upgrading) for every currently widespread version.

Heck, even Microsoft released a Windows XP patch in the last few days...

Michael Babker

May 15, 2017, 4:35:24 PM
to joomla-...@googlegroups.com
Bad comparison, Windows XP is a different major line than Vista, 7, 8, etc.  If they released a hotfix of XP Service Pack 1 while also patching XP itself then I might be a little more interested in what that release manager was thinking, in part so I can gauge their insanity.

If someone wants to fund a release team for Joomla to be able to better support that concept, go for it.  Take it from me though, as the masochist who had to do 3 very quick releases when we were supporting 2.5, 3.2, and 3.3, we do not have the resources to support being able to have security patches for "every currently widespread version".  Even if we only did the current minor branch plus the last one, it's still a big ask because we do not have dedicated release teams (every release since July 2013 has been coordinated by 3 people, most of us rotating around to help where needed).

Sergio Manzi

May 15, 2017, 4:42:40 PM
to joomla-...@googlegroups.com

My point, of course, wasn't to draw a technical similarity of patching Windows XP and Windows 10 for a common issue, vs patching Joomla 3.w.x and 3.y.z

My point was that at exceptional times you must take exceptional measures.

I will not insist any more, though, and yes you have my sympathy for the difficult job at hand.

WooDzu

May 17, 2017, 1:08:05 AM
to Joomla! CMS Development

Sergio Manzi

May 17, 2017, 10:15:54 AM
to joomla-...@googlegroups.com

See below…

It happened the same on two sites. I had to manually upgrade to 3.7.1 using Joomla_3.7.x_to_3.7.1-Stable-Patch_Package

Michael Babker

May 17, 2017, 10:23:17 AM
to joomla-...@googlegroups.com
It's fine.  The CDN was slow to refresh to all nodes.

Sergio Manzi

May 17, 2017, 10:28:23 AM
to joomla-...@googlegroups.com

... but why does it say that the "Latest" is 3.7.1 and then propose Joomla_3.7.0-Stable-Update_Package.zip as the Update package URL???


On 2017-05-17 16:23, Michael Babker wrote:
It's fine.  The CDN was slow to refresh to all nodes.

Petros

May 17, 2017, 10:33:21 AM
to Joomla! CMS Development
Thanks for your efforts!

Michael Babker

May 17, 2017, 10:34:31 AM
to joomla-...@googlegroups.com
There are two files involved in the process, it's possible for the CDN to refresh one without the other.  Again, it is fine now.

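The mismatch Sergio and Michael discuss above (the "Latest" version and the update package URL disagreeing because a CDN node had refreshed one of the two feed files but not the other) is something an operator can catch before applying an update. The Python below is an added example written for this thread, not Joomla's own code. Its XML layout is an assumption: a short "list" document whose extension element carries a version attribute, and a "details" document with version, downloads/downloadurl and sha256 elements; the hostnames, package bytes and sample feeds are constructed for the example.

```python
"""Consistency check for a two-file update feed before applying a CMS update.

Added example for this thread, not Joomla's own code. ASSUMPTION: the feed
consists of a short "list" document whose <extension> element carries a
version attribute, and a "details" document with <version>,
<downloads>/<downloadurl> and <sha256> elements. A CDN node that has refreshed
one file but not the other produces exactly the mismatch reported above:
the advertised latest version and the package URL disagree.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Version embedded in package names such as Joomla_3.7.1-Stable-Update_Package.zip
# (or the target of Joomla_3.7.x_to_3.7.1-Stable-Patch_Package.zip).
PKG_VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+)-")


def advertised_version(list_xml: str) -> str:
    """Version the list document advertises as latest."""
    ext = ET.fromstring(list_xml).find("extension")
    if ext is None or "version" not in ext.attrib:
        raise ValueError("list document has no <extension version=...>")
    return ext.attrib["version"].strip()


def read_details(details_xml: str) -> Dict[str, str]:
    """Version, download URL and expected sha256 from the details document."""
    upd = ET.fromstring(details_xml).find("update")
    if upd is None:
        raise ValueError("details document has no <update>")
    return {
        "version": upd.findtext("version", "").strip(),
        "url": upd.findtext("downloads/downloadurl", "").strip(),
        "sha256": upd.findtext("sha256", "").strip().lower(),
    }


def version_in_filename(url: str) -> Optional[str]:
    """Version encoded in the package file name, or None if there is none."""
    m = PKG_VERSION_RE.search(url.rsplit("/", 1)[-1])
    return m.group(1) if m else None


def check_feed(list_xml: str, details_xml: str) -> List[str]:
    """Return the inconsistencies found; an empty list means the feed is coherent."""
    problems: List[str] = []
    latest = advertised_version(list_xml)
    d = read_details(details_xml)
    if d["version"] != latest:
        problems.append(f"list advertises {latest} but details carry {d['version']}")
    named = version_in_filename(d["url"])
    if named is None:
        problems.append(f"no version in package name {d['url']!r}")
    elif named != latest:
        problems.append(f"list advertises {latest} but package URL is for {named}")
    if not re.fullmatch(r"[0-9a-f]{64}", d["sha256"]):
        problems.append("details carry no usable sha256")
    return problems


def verify_package(package_bytes: bytes, expected_sha256: str) -> bool:
    """True if the downloaded package matches the checksum published in the feed."""
    return hashlib.sha256(package_bytes).hexdigest() == expected_sha256.lower()


# Constructed sample data (not captured from any real update server).
FAKE_PACKAGE = b"constructed stand-in for Joomla_3.7.1-Stable-Update_Package.zip"
FAKE_SHA256 = hashlib.sha256(FAKE_PACKAGE).hexdigest()

LIST_371 = '<extensionset name="Core"><extension name="Joomla" version="3.7.1"/></extensionset>'

DETAILS_TEMPLATE = """<updates><update>
  <version>{ver}</version>
  <downloads><downloadurl type="full" format="zip">https://cdn.example.invalid/Joomla_{ver}-Stable-Update_Package.zip</downloadurl></downloads>
  <sha256>{sha}</sha256>
</update></updates>"""

DETAILS_FRESH = DETAILS_TEMPLATE.format(ver="3.7.1", sha=FAKE_SHA256)
DETAILS_STALE = DETAILS_TEMPLATE.format(ver="3.7.0", sha="0" * 64)  # node not yet refreshed


if __name__ == "__main__":
    for label, det in (("fresh", DETAILS_FRESH), ("stale", DETAILS_STALE)):
        probs = check_feed(LIST_371, det)
        print(f"{label} feed: {'OK' if not probs else '; '.join(probs)}")
    print("package checksum OK:", verify_package(FAKE_PACKAGE, FAKE_SHA256))
```

In practice you would fetch both feed documents, refuse to proceed while check_feed returns anything (a stale node usually catches up on its own, as it did here), and only then download the package and compare it against the published checksum before unpacking it over a production site.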

WooDzu

May 17, 2017, 10:47:56 AM
to Joomla! CMS Development
All clear now. There is no patch for 3.6.x since only 3.7.0 is affected.
Good excuse to get up to date, although I would have preferred to stay on 3.6.x and avoid exposing the vulnerabilities for these two days.

Big thanks Michael and the team for all the hard work!