Flyspray 1.0 stable release will be here?

[* Neustradamus *]

Dear all,

I send you an e-mail here because I know that a lot of people would like a Flyspray 1.0 stable version with CVE fixes.

Latest Flyspray stable version is very old:
- 0.9.9.7 (2012-05-28)

I have done several tickets on GitHub to have a good 1.0 version.
- https://github.com/flyspray/flyspray/issues

Comments are welcome on GitHub.

At 2024-11-24, there is 12 years and 6 months of development:
- https://github.com/flyspray/flyspray/commits/master/

Badly no new commit since this date by peterdd:
- https://github.com/peterdd

I need help from all.

Can you reply here?
I think, it can help to have a comeback from Peter (who has already done a good work).

Thanks in advance.

Regards,

Neustradamus

[Marty Vance]

First a question: How many capable, available developers are in here?

Next, a correction: The first commit to this git repo (there are
hints of earlier activity in another VCS going back to July, 2004) was
2006-09-01. That's 19 (or 21) years of development through the end of
September, 2025.

Finally, a flood of numbers I pulled out of Git since yesterday.

4628 commits
20.20 commits per month average
77.29% of months below that average
7.42% of months with 50 or more commits

The two most active months, which wreck the curve:

February, 2015: 278 commits
March, 2025: 562 commits

Those two months are 18.15% of all commits.

Commits by year:

- 2006: 128
- 2007: 318
- 2008: 45
- 2009: 31
- 2010: 2
- 2011: 11
- 2012: 101
- 2013: 81
- 2014: 124
- 2015: 2020
- 2016: 494
- 2017: 153
- 2018: 238
- 2019: 296
- 2020: 57
- 2021: 326
- 2022: 24
- 2023: 70
- 2024: 107
- 2025: 0

On the master branch, 22.42% of lines in the ~HEAD are from that first commit.

98 total contributors.

The top 10 contributors by commit count (93.64% of all commits) are:

- peterdd: 2812
- floele: 407
- Psycho: 294
- Jouni Ahto: 285
- Psychokiller1888: 155
- judas_iscariote: 154
- Jordan Mendler: 107
- Landrok: 54
- Arborweave: 36
- Steve Tredinnick: 30

Only 294 commits were made by the other 88 contributors. 42 made just
one commit, 14 made 2 commits, 11 made 3 commits. Another 15 made 10
or fewer commits. Only the top 17 most active contributors made 10 or
more commits.

(Contributor means GitHub account; some authors used multiple
accounts, only some of which are obvious).

I would post the charts, but they would be rather large images to show
every data point.

There are 402 lines in ~HEAD containing TODO or FIXME, in 180 files.
49 of these contain dates between July 2004 and February 2006.

There are several comments that essentially roadmap features to
versions 1.0 and 1.1.

It's been several years since bugs.flyspray.org went down.

There is no clear roadmap (oh! the irony).

If it's not clear from all these numbers, I'll say it plainly: there
is no development team. There may have been before 2009, but not
since.

Flyspray is a zombie project.

Flyspray is bit-rotten. The oldest evidence of its existence is the
day after PHP 5.0 was released.

It is shambling forward carrying decisions, solutions, oversights, and
design from its early days, on the order that no drastic changes are
to be made before 1.0. I'm no stickler for pristine, idyllic, "only
best practices allowed" code, but Flyspray needs drastic changes to
feel viable in 2025. It doesn't even redirect after POST.

Flyspray is currently at 1.0-rc11. The first RC was Mar 23, 2016. I
can't recall any other project going beyond six release candidates;
yet Flyspray has claimed to be at the RC phase for nearly a decade.
There were nearly 3 years between rc10 and rc11.

The mythical 1.0 doesn't seem to be getting any closer. For those
waiting on a "stable" release, I suspect there are multiple
undiscovered CVEs lurking within this largely old code.

I've been using Flyspray since August 2016 with RC1. I just updated
my lone production install from a revision between rc10 and rc11, all
the way to ~HEAD. I use a very customized theme which depends on
minor changes elsewhere in the codebase.

I kinda panicked when I discovered the entire flyspray.org domain
disappeared. I looked at probably a dozen alternatives, but didn't
like the experience of any of them.

In the limited ways I use Flyspray, my main breakage concern is the
category management regressions.

I know I'm not the only one fearful about being trapped in a dead
solution. More of us need to get involved, some need to make hard
decisions.

If there are enough of us to form an active team (at least 3), I see a
couple options:

- Continue on someone's fork of flyspray/flyspray
- Create an entirely new project to build and improved Flyspray from
scratch using an established framework (i.e, Laravel)
- Ask Peter to give Flyspray over to others

> --
> You received this message because you are subscribed to the Google Groups "flyspray" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to flyspray+u...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/flyspray/AS8PR10MB74273C45D6F6C7E0131E6F58CB1AA%40AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM.

[Maciej Jaros]

Marty Vance (01.10.2025 22:14):

There are 402 lines in ~HEAD containing TODO or FIXME, in 180 files.
49 of these contain dates between July 2004 and February 2006.

Most of those todos are just nice-to-haves, not real issues. This actually happens a lot in code I've seen in my dev life (todo being used to state hopes and dreams).

Honestly FS was 1.0 a long time ago. It was quite stable for a long time before I started using it. With support of PHP7 and dropping some stuff from PHP4 it should have been marked as FS 2.0. As I understand it now supports PHP8 and there is a new skin, so the version should probably be 3.x or 4.x now. I think the main devs were just overly cautious.

I use and like FS for it's simplicity. Some parts of code are a bit specific and it's not easy to add extensions if you need them, but it's easy to fork it and make it your own. At my company we have been using 4 installations of FS (3 internal, one external). The external one was very simplified to avoid security problems and to make GUI simpler for customers. Looking at our readme[1], it seems we've been using FS for at least 10 years now. We have no plans of dropping it.

[1] = https://github.com/mol-pl/flyspray/blob/master/README.md

So yes, the original is stagnant, but FS is still alive :)

Regards,
Maciej Nux

[Marty Vance]

On Thu, Oct 2, 2025 at 2:29 AM Maciej Jaros <eg...@wp.pl> wrote:
>
> Marty Vance (01.10.2025 22:14):
>
> There are 402 lines in ~HEAD containing TODO or FIXME, in 180 files.
> 49 of these contain dates between July 2004 and February 2006.
>
>
> Most of those todos are just nice-to-haves, not real issues. This actually happens a lot in code I've seen in my dev life (todo being used to state hopes and dreams).
>

The majority of them are "Notes to future me" musings about logic flow
and potential bugs. More a development style thing. Still, their
relevance is questionable up to 20 years later. I point them out
because Flyspray has more "TODO/FIXME" lines per KLOC than any other
codebase I've worked with.

> Honestly FS was 1.0 a long time ago. It was quite stable for a long time before I started using it. With support of PHP7 and dropping some stuff from PHP4 it should have been marked as FS 2.0. As I understand it now supports PHP8 and there is a new skin, so the version should probably be 3.x or 4.x now. I think the main devs were just overly cautious.
>

The trigger for "1.0" could theoretically have been pulled any time
since about 2018... if there were well-documented specifications of
what "1.0" meant. That lack of definition and Peter's intermittent
activity are the primary contributors to version stagnation.

Flyspray still reads like a PHP5 application. It doesn't make use of
many features added in 7x or 8x; Flyspray's compatibility with those
versions is largely a matter of keeping up with function definition
changes. "Best practices" have evolved a lot since 2004, but Flyspray
hasn't kept up with them.

I'm no fan of JS, but Flyspray in 2025 doesn't have enough of it.
Peter apparently thinks there's just enough.

> I use and like FS for it's simplicity. Some parts of code are a bit specific and it's not easy to add extensions if you need them, but it's easy to fork it and make it your own. At my company we have been using 4 installations of FS (3 internal, one external). The external one was very simplified to avoid security problems and to make GUI simpler for customers. Looking at our readme[1], it seems we've been using FS for at least 10 years now. We have no plans of dropping it.
>

I like Flyspray for similar reasons: it doesn't do more than I need,
and the workflows are intuitive (except for it took me years to
casually discover where task dependencies are accessed in the UI).

> [1] = https://github.com/mol-pl/flyspray/blob/master/README.md
>
> So yes, the original is stagnant, but FS is still alive :)
>

Can we meet in the middle and say Flyspray the project is in an
indeterminate life state? Limbo, purgatory, iron lung... something
less than alive as indicated by no development activity this entire
calendar year?

> Regards,
> Maciej Nux

>
> --
> You received this message because you are subscribed to the Google Groups "flyspray" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to flyspray+u...@googlegroups.com.

> To view this discussion visit https://groups.google.com/d/msgid/flyspray/d151860c-47aa-4fe2-9e95-cdc8069eb07a%40wp.pl.

[Florian Schmitz]

Just to comment on this:

- Ask Peter to give Flyspray over to others 

If there are people here interested in continuing development of Flyspray, feel free to. We've always been open to new people taking over as this is what happened a couple of times in the past. Unfortunately Flyspray has not been popular enough to secure a stable base of developers pushing development forward, so if you are unhappy with its progress, you'll have to take action yourself.

Best regards,

Flo

To view this discussion visit https://groups.google.com/d/msgid/flyspray/CAMUCB90%3DL-8Us3uh%2Bt%2BUHeSdUARErWgdVHBPV7fgwgoVDU2DRg%40mail.gmail.com.

[Marty Vance]

Are you saying "Please, take the reins" or "Get your own damn horse"?
I've been involved in forking a project (not just a Git repo, a
project), so would prefer if Flyspray could change hands again.

Just out of curiosity, why are you still lurking around when your last
commit (as far as I can tell) was in 2012?

> To view this discussion visit https://groups.google.com/d/msgid/flyspray/CAKpEq-6q6nrx5kt4JbxxONcW6kDov5u-hjBqHFA-quksQ%2BktMw%40mail.gmail.com.

[Florian Schmitz]

I am saying "Please, take the reins".

I've been lurking around for the purpose of enabling anyone to take part in development who is willing to do so. I'm not going to get involved with development though.

Best regards,

Flo

To view this discussion visit https://groups.google.com/d/msgid/flyspray/CAMUCB90jt8ypoF3O9JLZsSzxxPctOSmedM3bKfPPUfqnnTMgaQ%40mail.gmail.com.

[Marty Vance]

I would be willing to consider having a hand on the reins IF:

1. At least two other developers who can honestly commit to being
active (at least 5+ hours a week) step forward to do the same.
2. This new leadership team can agree that identifying, building, and
releasing 1.0 is the first priority.

I know I can push forward, but I have no desire to go it alone.

> To view this discussion visit https://groups.google.com/d/msgid/flyspray/CAKpEq-4EinMxU%2Byr6Ted9GgmeZOr_UuENHHnM%2BEeQjdy9csuLQ%40mail.gmail.com.

[peterdd]

> Latest Flyspray stable version is very old:

> 0.9.9.7 (2012-05-28)

No, latest stable: 1.0-rc11

Please, please do not mention any 0.9* again. They contain real security issues, that were really used!

As told several times before, please do not get fooled by the 'rc' in the name. It has to do with the way the upgrades work (one file folder for each version upgrade).

As I haven't invested much time and testing time there, so I stayed at the setup/upgrades/1.0/ folder, so just making 'rc' releases as workaround.

Please see 1.0-rc11 like something 1.0.11, even if that breaks common sense of naming software versions or inner monk or linux distribution deny including releases with '-rc' in the name.

This is a compromise to release something working without having the work force to do everything right.

Every rc-release I was responsible for was in my opinion better in sum than the stuff existing before.

Only the 1.0-rc11 contained some regressions because of IMHO necessary inner changes, which are documented and already fixed most in the master branch.

There are 2 issues I like (must) to finish to release 1.0-rc12 (read 1.0.12)

The inactivity of myself the last time (2 years) had personal reasons. Sorry for that.

> It doesn't even redirect after POST.

??? I changed a lot of them to redirect after a successful POST, so no accidently resubmittings happen. There may some forms that don't do it yet, but that are probably seldom used ones.

> I kinda panicked when I discovered the entire flyspray.org domain
disappeared.

I still have everything of bugs.flyspray.org and wish to bring it back after the next release 1.0-rc12. I even use it do test against it, because it contains some real data back to 2003, including mess like utf-8/db-table conversion garbage and stuff like that.

It is the only with long history and 'many' once real user accounts, this software does not collect data of Flyspray installations, so I have no insight into how Flyspray is configured/setup in the world. There is no cooperation with large installs/organisations, just what is on github issues or is/was on bugs.flyspray.org

[Marty Vance]

On Fri, Oct 3, 2025 at 8:03 AM 'peterdd' via flyspray
<flys...@googlegroups.com> wrote:
>
> > Latest Flyspray stable version is very old:
> > 0.9.9.7 (2012-05-28)
> No, latest stable: 1.0-rc11
>
> Please, please do not mention any 0.9* again. They contain real security issues, that were really used!
>
> As told several times before, please do not get fooled by the 'rc' in the name. It has to do with the way the upgrades work (one file folder for each version upgrade).
> As I haven't invested much time and testing time there, so I stayed at the setup/upgrades/1.0/ folder, so just making 'rc' releases as workaround.
>
> Please see 1.0-rc11 like something 1.0.11, even if that breaks common sense of naming software versions or inner monk or linux distribution deny including releases with '-rc' in the name.
> This is a compromise to release something working without having the work force to do everything right.
>

Another reason to achieve 1.0: to resume a sensible numbering scheme.

> Every rc-release I was responsible for was in my opinion better in sum than the stuff existing before.
> Only the 1.0-rc11 contained some regressions because of IMHO necessary inner changes, which are documented and already fixed most in the master branch.
> There are 2 issues I like (must) to finish to release 1.0-rc12 (read 1.0.12)
>

Which two issues?

> The inactivity of myself the last time (2 years) had personal reasons. Sorry for that.
>
> > It doesn't even redirect after POST.
> ??? I changed a lot of them to redirect after a successful POST, so no accidently resubmittings happen. There may some forms that don't do it yet, but that are probably seldom used ones.

As of rev CF3DE63 (157 commits behind HEAD, between rc10 and rc11)
update task does not redirect after POST. I haven't had time to use
my install since I updated it last weekend to see if that has changed.

But really, web applications should redirect after every POST. If for
no other reason than to avoid the "Your browser must resend
information" prompt.

I've looked into doing this a couple times, Flyspray's backend needs
significant changes to do it properly. I don't see where in the
master branch log that this has been addressed, back to October 2021.

Aside: what are you trying to achieve with the categories tree render
thing in admin checks?

>
> > I kinda panicked when I discovered the entire flyspray.org domain
> disappeared.
>
> I still have everything of bugs.flyspray.org and wish to bring it back after the next release 1.0-rc12. I even use it do test against it, because it contains some real data back to 2003, including mess like utf-8/db-table conversion garbage and stuff like that.
> It is the only with long history and 'many' once real user accounts, this software does not collect data of Flyspray installations, so I have no insight into how Flyspray is configured/setup in the world. There is no cooperation with large installs/organisations, just what is on github issues or is/was on bugs.flyspray.org
>

If Flyspray is going to continue, the Bus Factor needs to be better
distributed. Let some of us help you.

>
>
>
> --
> You received this message because you are subscribed to the Google Groups "flyspray" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to flyspray+u...@googlegroups.com.

> To view this discussion visit https://groups.google.com/d/msgid/flyspray/6d3d21fe-c864-453e-8c4e-e217def7f971n%40googlegroups.com.

[Eric Blade]

I don't have time to put in much effort beyond discussion, but if hosting or DNS or something like that is a roadblock to helping keep things moving, that I might be able to help with.  

I haven't had my own flyspray in about a decade, but I'm still here and paying attention a bit :-)

To view this discussion visit https://groups.google.com/d/msgid/flyspray/CAMUCB90%2B1dq1__dkYQu5L%3DBKA_3a%2BfagVqgHW%3D9i2-cidk57nw%40mail.gmail.com.

--

Eric Blade - 707-992-5233 - blade...@gmail.com - er...@randomstreasures.com

"We’ll only survive once our morality comes from wisdom and love, not fear and guilt." - /u/Swordf1sh_

[peterdd]

marty schrieb am Freitag, 3. Oktober 2025 um 22:15:25 UTC+2:

> There are 2 issues I like (must) to finish to release 1.0-rc12 (read 1.0.12)
>

Which two issues?

category and user group management

> The inactivity of myself the last time (2 years) had personal reasons. Sorry for that.
>
> > It doesn't even redirect after POST.
> ??? I changed a lot of them to redirect after a successful POST, so no accidently resubmittings happen. There may some forms that don't do it yet, but that are probably seldom used ones.

As of rev CF3DE63 (157 commits behind HEAD, between rc10 and rc11)
update task does not redirect after POST. I haven't had time to use
my install since I updated it last weekend to see if that has changed.

Ok. Will look into it.

I am always happy to receive short PR with a description tackling 1 single problem people can understand and review and test easily.

 

Aside: what are you trying to achieve with the categories tree render
thing in admin checks?

The category management has/had several flaws which could lead to invalid trees under 'several conditions'. (concurrent editing for instance, or a PHP limit for amount of POST variables for large trees)

It is a simple tool I wrote for myself to immediatly see bad updates in a graphical way while trying to find, reproduce and address all the shortcomings of that implementation of *nested sets*. 

And also a user(admin) of a Flyspray installation could see what exactly looks bad (like line crossings) and report a screenshot without giving (text) information of categories away.

The editing of that nested set is client based javascript and the numbers for 'lft' and 'rgt' are trusted when in fact that should be logical validated as a whole tree backend side before starting overwriting the a tree in the database.

It is also unclear if and how the client javascript handles an invalid tree and if it 'heals' it.

I also looked at a few php libs for nested sets, but the few i looked at differ slightly from how trees are stored in the Flyspray db and in the end was easier to wrote/write the necessary stuff by myself 

(have studied ISBN: 978-0-12-387733-8, but enhanced it for Flyspray)

keywords: db transaction, commit, rollback, table locking

 

If Flyspray is going to continue, the Bus Factor needs to be better
distributed.

Yes.

 

[Marty Vance]

On Mon, Oct 6, 2025 at 4:55 PM 'peterdd' via flyspray
<flys...@googlegroups.com> wrote:
>
>
>
> marty schrieb am Freitag, 3. Oktober 2025 um 22:15:25 UTC+2:
>
> > There are 2 issues I like (must) to finish to release 1.0-rc12 (read 1.0.12)
> >
>
> Which two issues?
>
> category and user group management
>

Could you make a new Github issue for each detailing the current
situations and how existing open issues remain relevant?

Categories:

https://github.com/flyspray/flyspray/issues/923
https://github.com/flyspray/flyspray/issues/910
https://github.com/flyspray/flyspray/issues/897

Groups:

https://github.com/flyspray/flyspray/issues/933
https://github.com/flyspray/flyspray/issues/900
https://github.com/flyspray/flyspray/issues/819

Both:

https://github.com/flyspray/flyspray/issues/856

>
> > The inactivity of myself the last time (2 years) had personal reasons. Sorry for that.
> >
> > > It doesn't even redirect after POST.
> > ??? I changed a lot of them to redirect after a successful POST, so no accidently resubmittings happen. There may some forms that don't do it yet, but that are probably seldom used ones.
>
> As of rev CF3DE63 (157 commits behind HEAD, between rc10 and rc11)
> update task does not redirect after POST. I haven't had time to use
> my install since I updated it last weekend to see if that has changed.
>
> Ok. Will look into it.
>
> I am always happy to receive short PR with a description tackling 1 single problem people can understand and review and test easily.
>

In modify.inc.php it seems very few POST requests do a redirect. Of
the 60 distinct POST actions across all of Flyspray, 6 sometimes
redirect, 11 always redirect, and 2 have the redirect commented out.
Of 30 calls to Flyspray::redirect() in that file, 4 are commented out.

How much of index.php after the inclusion of modify.inc.php is
necessary bookkeeping/etc that should not be avoided by a redirect?

I made https://github.com/flyspray/flyspray/issues/943 for this.
Because this still feels drastic to fix so late in development, I'm
considering only addressing successful POSTs, and perhaps only the
most commonly used. I'll post a comment with a table detailing my
findings in a few hours.

>
>
> Aside: what are you trying to achieve with the categories tree render
> thing in admin checks?
>
> The category management has/had several flaws which could lead to invalid trees under 'several conditions'. (concurrent editing for instance, or a PHP limit for amount of POST variables for large trees)
> It is a simple tool I wrote for myself to immediatly see bad updates in a graphical way while trying to find, reproduce and address all the shortcomings of that implementation of *nested sets*.
> And also a user(admin) of a Flyspray installation could see what exactly looks bad (like line crossings) and report a screenshot without giving (text) information of categories away.
> The editing of that nested set is client based javascript and the numbers for 'lft' and 'rgt' are trusted when in fact that should be logical validated as a whole tree backend side before starting overwriting the a tree in the database.
> It is also unclear if and how the client javascript handles an invalid tree and if it 'heals' it.
>
> I also looked at a few php libs for nested sets, but the few i looked at differ slightly from how trees are stored in the Flyspray db and in the end was easier to wrote/write the necessary stuff by myself
> (have studied ISBN: 978-0-12-387733-8, but enhanced it for Flyspray)
>
> keywords: db transaction, commit, rollback, table locking

Celko trees are a well-established pattern with a fairly standard
library of relevant queries. I've worked with them several times, let
me know if you need any help.

How does Flyspray do it differently? "Show in List" and "Category
Owner" shouldn't make any difference, the rest of the categories table
looks like it should.

>
>
>
>
> If Flyspray is going to continue, the Bus Factor needs to be better
> distributed.
>
> Yes.
>
>

> --
> You received this message because you are subscribed to the Google Groups "flyspray" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to flyspray+u...@googlegroups.com.

> To view this discussion visit https://groups.google.com/d/msgid/flyspray/f169d7c7-efc6-4667-996f-93ffdc938311n%40googlegroups.com.