brian.teeman.net - Latest Comments in Automatic Joomla updates | Joomla GPS - brian.teeman.net

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Cinnamon Challenge — Fri, 26 Sep 2014 09:32:45 -0000

P.S. WordPress is better than Joomla! :-p

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Cinnamon Challenge — Fri, 26 Sep 2014 09:31:20 -0000

I disagree... and I don't care that you don't care. :-p

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Brian Teeman — Thu, 29 Jul 2010 18:32:26 -0000

I don't think I said you should wait at all.

What I was saying is that because of the way template overrides are done and that there can be issues with these overrides it is important to look and see what is being updated so that you can ensure that your site is correctly updated.

Otherwise you might be updating your site correctly but leaving it exposed to a vulnerability because you didnt upgrade the template overrides in your own template.

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Svein Wisnaes — Thu, 29 Jul 2010 18:20:06 -0000

I know this is an old post, but as the topic just came up again, I wanted to comment a little.

Brian - I totally agree that you need to check your overrides. But I can not see any reason to wait with any upgrade! Especially if you have made overrides.

I wish upgrades in Joomla where as easy as they are in WordPress. I was one of the people pushing hard for it and absolutely love it. Push the button and get the latests upgrades.

THEN - after the base has been upgraded, it is time to look at overrides to get them up to date as well.

I also agree with the comment that was made about not having things in templates that could lead to security problems. There should be a way to avoid this. Unfortunately, I am not a developer that can figure out that problem and I think it might be a difficult one to solve.

I have heard talk about automatic or easier updates in 1.6, but until now, nobody has said anything about it and I have not seen any blogposts about it. Should this not be on the list of functionality to test in a betacycle?

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Lawrence Meckan — Sun, 05 Jul 2009 01:38:46 -0000

Hit this issue so often it's not funny whilst consulting/contracting for other businesses.

And no, it's not pretty to fix, especially when dealing with fragmented custom templates.

The overrides change PHP behaviours which, in reality, should not be part of a template. Templates should stick to artwork, CSS and HTML (maybe a little JS), not behavioural changes inside PHP.

Studios and template farms use the overrides system to churn out templates quickly, without testing the quality and security of their own code in comparison to the security updates. And then get their clients breached because of it. I've had to clean up such messes.

Whilst overrides seem to be a good shortcut feature to better functionality, we are left with designers (who generally have little to no security knowledge about Joomla) hacking override templates to pieces, exposing new security holes.

The multiplication of work and effort in order to patch and secure everything due to the overrides also presents a quandary.

If it's creating more work at the expense of security, is the override system an overall positive or negative at the end of the day?

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Rick Blalock — Fri, 03 Jul 2009 12:35:25 -0000

Yeh I know about the changes. But that's my point is, if at all possible, there shouldn't be things in the view that would allow for these types of vulnerabilities. You're absolutely right about updating Joomla. I use overrides extensively and have used the Beez overrides for many a site so it's annoying to have to go through that stuff.

Ideally, the view won't have anything BUT html markup and stay away from opening up the system from within the view.

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Emerson Rocha Luiz — Fri, 03 Jul 2009 11:23:01 -0000

I Agree with thomas. Maybe if they put in some page some aspects that was changed on each release can help final users to pay atention in some special aspect, and provably give feedback more faster or even avoid problems.

its ok that we have one Bug squad on Joomla that make one good work, but maybe for a Joomla they need MORE help, and give information about problems and how they solve, can help a bit better.

For now, at least on last releases, people do not have at least one page with more detalied changelog, that can avoid users start to think that maintain joomla up-to-date fast can simple make they a problem

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Brian Teeman — Fri, 03 Jul 2009 10:34:17 -0000

Rick if you look at the template override changes in the last 2 releases of joomla you will see that both of them have modification to protect your site from xss and sql injection vulnerabilities

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Rick — Fri, 03 Jul 2009 09:09:52 -0000

Meaning....it's a view....there shouldn't be any DB calls or the like in it. Right?

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Rick — Fri, 03 Jul 2009 09:09:15 -0000

Perhaps the issue is template overrides should be made in a way that won't affect the security of the site.

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Brian Teeman — Fri, 03 Jul 2009 09:03:17 -0000

The issue I was trying to explain is that end users are using template overrides but most of them probably do not even realise that. They just download a template and use it.
joomla tells them to update for security purposes but they dont realise they have to update the template as well

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Thomas Kahl — Fri, 03 Jul 2009 08:46:29 -0000

I don't know the percentage of Joomla-Users that know what an SVN is. Do you think it is more than 10% ;-)

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Brian Teeman — Fri, 03 Jul 2009 08:36:46 -0000

I agree especial for the more technical user. Personaly I always download a full copy of the new release and then do a diff against the previous version/

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Thomas Kahl — Fri, 03 Jul 2009 08:20:35 -0000

... that's why a more detailed changelog would be useful. You multiply the work that has to be done when every site-owner has to check for the changes on his own. It would be much better if the changelog would show exactly what was changed. A simple "Fixed issue 1234 in file abc.php" doesn't help much.

Re: Automatic Joomla updates | Joomla GPS - brian.teeman.net

Alexander Schmidt — Fri, 03 Jul 2009 06:30:16 -0000

Thanks for the important advice with joomla updates and the template overides.