Posted over 15 years ago
The Google Summer of Code 2009 is coming to an end. The results of the final evaluations are in and we're happy to announce that all of our students have passed. Congrats to Tim, Stan, Sean, Phaneendra, Kittipat, Choplair and Barry. Good work, guys!
So we're now looking into integrating their work into Geeklog. We haven't made a final decision yet, but it's quite possible that we will be rolling out the new features incrementally this time (instead of in one big post-GSoC release, which always tended to take much too long to complete in the past). Thanks to the power of Mercurial, integration should also be a lot easier this time (or so we hope).
In the meantime, you can help us by providing some feedback on Stan's (Postgres) and Tim's (Plugin Repository) work or go ahead and try out our students' achievements by downloading directly from their Mercurial repositories.
Posted over 15 years ago
Installing Geeklog got a lot easier over time, thanks in no small part to Matt's work on the new installation script (as of Geeklog 1.5). Making the installation easier still, though, requires some help from the hosting provider, which is possible now by providing Softaculous to their customers.
Softaculous is a free auto installer for cPanel and DirectAdmin. It allows one-click installation of many popular open source web applications. And unlike other auto installers, it does actually install Geeklog in a secure way.
To make it easier for users of Softaculous to decide on a web application, it also has a rating option. So you can help Softaculous users choose a CMS by going to the Softaculous site and rating Geeklog.
Thanks to Alons from Softaculous for adding Geeklog and listening to our feedback.
Posted over 15 years ago
My name is Tim Patrick, and I am the GSoC student that has been working on the Plugin Repository.
Introduction
The Repository attempts to provide a central place where site administrators are able to install plugins with a single click. It is modeled after the software management systems in Linux. Any site is able to set up a repository, which another site can connect to and search for available plugins. As well, patches and upgrades to your plugins can be installed by the user with one click, allowing for quick and easy updates, patches, and plugin installation.
This will provide ease of use to the consumer, while providing more initiative to develop plugins for Geeklog.
How it works
Once a repository has been installed on the server, users for that site are able to upload plugins to the plugin repository. To be available for one-click installation, the plugins must adhere to the standards for plugin development as issued here:
http://wiki.geeklog.net/index.php/Developing_Plugins
If, however, it does not follow the standards, then it is still available in the repository, only for manual download and install instead of one-click install (with the option of manual download and install).
Plugins, once uploaded, may be edited and reuploaded to the repository.
Once a plugin has been uploaded, depending on the configuration, the plugin may have to be approved by an administrator before use. If the uploading author is an administrator, the approval need is no longer there and it is skipped, to allow less work for the administrators.
The uploading author (and any maintainers the administrators may add to the project) can upload patches to the plugin, and upgrades. However, only the uploading author and administrators may remove the plugin from the database.
On the client (end user site) end, the user has the choice of adding more repository URLs to his database of them. (Think APT-GET for those who have Linux.) (The main Geeklog one is there by default.) Existing repositories in the database can be deleted or disabled.
As well, to protect against malicious content, repositories are marked as blacklisted, whitelisted, or neutral by the Geeklog admins. Attempting to install from a neutral repository results in a cautionary warning. Blacklisted repositories, however, may not be added to the repository database, in an attempt to prevent malicious people from using social engineering to install malicious programs in the guise of valid plugins.
The client can update the local list of all plugins available by clicking on the Update Repository List, where the list of all available plugins for each repository is loaded to the client site for searching. (Think APT-GET UPDATE).
The client can then search for a plugin using a search box, using the exact plugin name, or using the AND and OR operators to try to find matches. A list of matched plugins is returned, and the client can then simply click 'Install Plugin' for the plugin to be automatically installed. Alternatively, they are able to download the plugin and manually install it (or, if the plugin cannot be offered for automatic installation, that is their only option).
Patches and Upgrades
As well as offering the plugin for one-click install and / or manual download in the repository, the uploading author or maintainers can also upload patches and upgrades.
To allow the patches or upgrades to be offered for one-click install, the following standard must be followed: http://wiki.geeklog.net/index.php/Patches_and_Upgrades
On the client side, once the client clicks the 'Check for updates' link, a few things happen.
First, the list of repositories is updated, for example, a neutral repository may have become whitelisted.
Next, a list of all updates and upgrades available for each plugin is obtained from each repository whose plugins are installed, and if any are found, they are returned to the client. The updates / upgrades are listed, and allow the user to uncheck any they do not want to install.
Once the user clicks the 'Install' button, for each available update / upgrade, the relevant database tables and plugin files are backed up, and the update commences. In case of serious error, the old files and SQL are rolled back, and the installer makes a note that there was a failed plugin install, and starts with the next update / upgrade. At the end, the client is notified of the result, as well as any which fail.
Making development easier
The other goal of this project, besides making it easier for clients to install plugins, is to make development of the plugins easier.
This is accomplished by implementing a very easy to follow API for plugin installation, uninstall, patching, and upgrading, allowing the developer to spend more time working on the actual plugin, instead of trying to get the installation et al. working.
As well, distribution is not a problem, nor are plugins scattered about, as they will all exist in a standard place.
Even though technically any site can add their own repository server, the reason for this is in case it is a test plugin that only a few developers want access to and not to add to the main Geeklog one.
I will be posting a guide on converting your existing plugin to work with the new repository.
As well, I am working on a tool to automate this process.
Posted over 15 years ago
FrOSCon is an Open Source Conference taking place on August 22 and 23 in Sankt Augustin (near Bonn) in Germany. Geeklog will have a booth there again this year.
FrOSCon offers a full program of presentations about various topics related to Open Source usage and development. Many other Open Source projects will also have booths, giving you a chance to chat with the developers and representatives from the communities.
At the Geeklog booth, we will be showing off the current version of Geeklog and also give you a sneak preview of upcoming new features, such as the results from this year's Google Summer of Code. So if you have a chance, drop by and say Hi!
Posted over 15 years ago
Geeklog 1.6.0sr1 and 1.5.2sr5 address the following security issues:
Gerendi Sandor Attila reported an XSS in the forms to email a user and to email a story to a friend.
The "Mail Story to a Friend" function didn't check story permissions, so that it was possible to email a story even if you didn't have the permissions to view it on the site.
For Geeklog 1.6.0, we also fixed two bugs (an SQL error when the story submission queue was off and a call to a nonexistent function).
The following files are available:
a complete tarball of Geeklog 1.6.0sr1
an upgrade archive from Geeklog 1.6.0
an upgrade archive from Geeklog 1.5.2sr4
a combo update from any previous 1.5.2 version
Posted over 15 years ago
Dear Geeklog users, today we are proud to announce the public availability of Geeklog with beta PostgreSQL support. This is the culmination of a Google Summer of Code project to implement this feature. PostgreSQL support builds on the already impressive list of MySQL and MSSQL support. This continues to improve Geeklog’s interoperability, which now offers support for the most popular relational database management systems.
However, please be advised that this is still in beta stage and should strictly be used on local and testing environments. Also please be aware, and I stress this, that only internal plug-ins are fully supported. They should be fully functional however, and if you find something wrong please let us know :). We are not yet supporting external plug-ins, however, if you want to contribute to this project, you are free to submit PostgreSQL compatibility patches for any external plug-in of your choice. We are releasing this beta for users to test this feature, provide improvements, or whatsoever you think will make it a better product at the end. To make this possible, users are advised to submit information on the bug tracker on project.geeklog.net with category Geeklog[Bugs]. You can grab the latest project source using mercurial by typing: hg clone http://project.geeklog.net/cgi-bin/hgwebdir.cgi/gsoc-2009-spalatnik/
If you have any questions please don’t hesitate to leave a comment, someone will probably get back to you quickly. If you want to discuss or brainstorm something, I will be available on the IRC channel as user “No_uO”.
Posted over 15 years ago
The Geeklog Team is pleased to announce that Geeklog 1.6.0 is now available for download.
This release incorporates the results of our successful 2008 Google Summer of Code students, namely site migration and improved plugin installation (by Matt West), improved search (by Sami Barakat), and improved comments functionality (by Jared Wenerd). It also includes a new plugin to automatically generate sitemap.xml files (by mystral-kk) and a few other improvements. See below for details.
Here's a quick rundown and some more information regarding the new features:
Site Migration
Ever since we moved the configuration data into the database (dropping the infamous config.php file) back in 1.5.0, moving a Geeklog site to a new server has been a bit of a pain since it required changing paths (and possibly URLs) that were now stored in the database. With Geeklog 1.6.0, workarounds are no longer required: The install script now has a handy "Migrate" option that will let you move your site to another server easily.
Plugin Installation
Installing a plugin still is a bit of a challenge: You have to rename and move 3 directories into their correct places before you can even kick off the actual plugin install process. With Geeklog 1.6.0 this, too, has become easier: You can now simply upload a plugin's .zip or .tar.gz file directly from the Plugins admin panel and Geeklog will do the rest.
Okay, so there are a few caveats here: First of all, to make use of the plugin upload, your webserver needs write access to your webspace. This may not be possible or desired in some setups, in which case you can still use the old method. Also, some plugins will require additional files and directories to be present, which the plugin install code in Geeklog will not know about. Older plugins will still expect you to click on the install link (from the Plugins admin panel) to actually install the plugin, so the install process will only be semi-automatic.
In other words: Older plugins may require an update before their install will be fully automated. Plugin authors, please refer to the Geeklog Wiki for information about the new Plugin Autoinstall.
Search Improvements
Traditionally, Geeklog's search results were separated into sections, depending on where they were coming from. So you got one section for hits in articles, one for comments, one for each plugin. For the average visitor of your site, however, that information wasn't really of any use. They are looking for information on some topic X and don't really care whether the most relevant post about it is an article or a forum post. So Geeklog 1.6.0 now does away with that separation and presents search results in a way that more closely resembles what people are familiar with from the popular search engines.
Again, there's a caveat here: While the new search code does its best to try and guess what the relevant information in a plugin is, plugins will have to be updated to provide optimal results. Sami already posted the required code changes for some popular plugins (and those are in use here on geeklog.net). Plugin authors should consult the Geeklog Wiki to learn how the improved search engine is working and can be supported in plugins.
XMLSitemap Plugin
Geeklog 1.6.0 ships with a new plugin - but you will hardly notice it, since it does all its work automatically in the background. The XMLSitemap Plugin maintains a sitemap.xml file as supported by all major search engines. This allows the search engine's crawlers to easily find all the content on your site.
The XMLSitemap plugin only has an entry in the Configuration admin panel but no further GUI or admin pages.
Other Changes
Other improvements, like Canonical URLs, support for Output Compression, and protection against Clickjacking have already been discussed elsewhere. Geeklog 1.6.0 also ships with FCKeditor 2.6.4.1. For a detailed list of all changes, please see the changelog in the included history file.
Posted over 15 years ago
The second Release Candidate for Geeklog 1.6.0 is now available for download. Barring any surprises, this should also be the last stop before the release of the final 1.6.0.
This release includes fixes for the FCKeditor security issue, some more fixes for the migration option of the install script, a fix for searches by date, and some more updated translations.
Posted over 15 years ago
An advisory has been published, warning about "input sanitization errors" in all current versions of FCKeditor. Unfortunately, the advisory is a bit light on details and so it's not clear whether FCKeditor as packaged with Geeklog is affected or not.
A patch for these issues is supposed to be released this coming Monday (July 6).
Here's what we know:
The advisory mentions that "several" of the FCKeditor connector modules are affected and suggests removing all unused connectors. Geeklog only ships with one connector (for PHP), but it's not clear whether this connector is affected or not.
There's a second issue regarding XSS in the FCKeditor samples. Geeklog does not include the samples, so we're not affected by this issue at least.
The advisory recommends disabling the file browser for now. To do this in Geeklog, open the file
fckeditor/editor/filemanager/connectors/php/config.php
(from your public_html directory) and find the line that reads
$Config['Enabled'] = true ;
Change that to = false; and save the change. You will still see the "Browse" buttons in FCKeditor, but they won't let you browse your server's directories any more.
If you don't use FCKeditor, you can simply remove the entire fckeditor directory (again, in public_html).
It's very frustrating for us not to be able to provide you with more information. The above is a summary of the situation as we understand it, to the best of our knowledge. Once the update for FCKeditor is out, things will (hopefully) become clearer and we can provide you with more and better advice on how to secure your site.
We're also delaying Geeklog 1.6.0rc2 until the FCKeditor update is available.
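One way to confirm that the file browser really is switched off in every copy of the connector config under a web root, as an added example that is not part of the original post or of Geeklog's code. The function names and the sample tree are constructed for illustration; only the config path and the `$Config['Enabled']` line come from the post above.

```shell
#!/bin/sh
# Audit a web root for FCKeditor PHP connectors whose file browser is still on.
CONNECTOR='fckeditor/editor/filemanager/connectors/php/config.php'

# connector_state FILE -> prints "enabled", "disabled" or "unknown".
# Skips //- and #-commented lines and lets the last assignment win, as PHP
# would. /* ... */ blocks are not recognised, so a line inside one is counted.
connector_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    val=$(grep -Ev '^[[:space:]]*(//|#)' "$1" |
        sed -n 's/^[[:space:]]*\$Config\[.Enabled.][[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$val" in
        true)  echo enabled ;;
        false) echo disabled ;;
        *)     echo unknown ;;
    esac
}

# audit_webroot DIR -> one "state path" line per connector config found;
# returns non-zero if any is enabled or could not be classified.
audit_webroot() {
    report=$(find "$1" -type f -path "*/$CONNECTOR" |
        while IFS= read -r f; do
            printf '%s %s\n' "$(connector_state "$f")" "$f"
        done)
    [ -n "$report" ] && printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq '^(enabled|unknown) '
}

# Constructed sample tree (not real site data): site_a is still enabled,
# site_b was switched off and keeps the old line as a comment.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site_a/public_html/${CONNECTOR%/*}" \
             "$root/site_b/public_html/${CONNECTOR%/*}"
    printf '%s\n' '<?php' "\$Config['Enabled'] = true ;" \
        > "$root/site_a/public_html/$CONNECTOR"
    printf '%s\n' '<?php' "// \$Config['Enabled'] = true ;" \
        "\$Config['Enabled'] = false ;" > "$root/site_b/public_html/$CONNECTOR"
    echo "$root"
}

sample=$(make_sample_tree)
audit_webroot "$sample" || echo "at least one connector still needs disabling"
rm -rf "$sample"
```

On a real host, call `audit_webroot` on the directory that holds your public_html trees; the non-zero exit status makes it usable from cron or a deployment check.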
Posted over 15 years ago
We're getting there: The first Release Candidate for Geeklog 1.6.0 is now available for download.
There were only a few changes over beta 3, mostly in the install script. As the name "release candidate" suggests, we don't expect any more significant changes now, so if you haven't had a chance to try out one of the betas, now would be a good time to give 1.6.0 a test drive before it becomes final.