News

Posted over 15 years ago
My efforts to create a simple newsletter plugin have paid off. Built upon the staticpages plugin, Newsletter is gl 1.5.x and 1.6 compatible. Read the full article here and try it out here. -s
Posted over 15 years ago
Geeklog 1.6.0 brings quite a few obvious improvements (new search, comment improvements, migration support, plugin uploads, XMLSitemap plugin), but also some minor useful changes. With this article, I'd like to point out two such new features: Support for canonical URLs and output compression.

Canonical URLs

Consider the following URLs:

http://www.geeklog.net/article.php/geeklog-1.6.0-other-new-features
http://www.geeklog.net/article.php?story=geeklog-1.6.0-other-new-features
http://www.geeklog.net/article.php/geeklog-1.6.0-other-new-features/print
http://www.geeklog.net/article.php?story=geeklog-1.6.0-other-new-features&mode=print
http://www.geeklog.net/article.php/geeklog-1.6.0-other-new-features?query=canonical

All of these will take you to a page that effectively contains the same content (this article). These URLs represent duplicate content on a site and that's a bad thing for several reasons: For one, different people may use different URLs when linking to your content and the page rank that you will gain through the linkage will be split up between these different URLs. There's also the risk of being penalized for having too many forms of duplicated content on your site. With the "query" parameter, there is an infinite amount of possible URLs that would all produce pretty much the same content.

What can be done about this? Geeklog already adds a rel="nofollow" to the links pointing to the printable version of articles and static pages. You could also use a robots.txt or some clever URL redirects to further minimize the damage. But all those would have to be done outside of Geeklog and require additional work for each new article you publish.

Fortunately, the big search engines agreed on a new and much simpler measure: A new meta tag that indicates the so-called canonical URL for a page. When you view the HTML source code for this article, you'll find this line in the <head> section:

<link rel="canonical" href="http://www.geeklog.net/article.php/geeklog-1.6.0-other-new-features">

And you'll find the exact same entry for any of the different URLs for this article as listed above. So this entry tells a search engine that this is the preferred URL for this article and if it ends up here by using a different URL, it should treat it as if it had found it using this canonical URL. Problem solved.

Geeklog 1.6.0 supports canonical URLs in stories, static pages, and the article directory. There is nothing for you to configure - it works "out of the box".

Output Compression

The geeklog.net index page weighs in at about 50KB (give or take a few KB) of HTML. That is 50KB that is being pushed down the line of anyone calling up the Geeklog homepage. It adds to the monthly traffic that the site is causing (which we fortunately don't have to pay for, thanks to our hosting sponsor), it adds to the traffic that any visitor pays their ISP for, and it does of course take its time to get to the visitor's browser, especially if they're on a slow connection. It's not much, but it adds up.

Output compression can help here: Instead of sending the HTML "as is", Geeklog 1.6.0 can now optionally compress it before it's being sent down the line. With the 50KB compressed down to something like 8KB (typically), this can make a difference.

Output compression is disabled by default. To enable it, go to Configuration > Geeklog > Miscellaneous > Miscellaneous and set "Send compressed output?" to "True". Geeklog will then start sending compressed output to those browsers that support it.

While this feature should be considered experimental for now, it does seem to work quite well. If you can read this article, then it works, since output compression is enabled on geeklog.net. A potential downside of this option is that it requires slightly more CPU time on both the server and the client side. We haven't seen a significant increase in the CPU load on our server during the 3 weeks it has been in use here, though.

A note to authors of plugins and other add-ons: To use output compression in your plugin, you will need to call the new function COM_output instead of simply echo'ing the HTML. And you need to send the entire content of the page at once! The "Geeklog way" has always been to collect the output in a string variable and send it with a single echo at the end of the script. If your plugin works like that, you can simply replace the echo with COM_output and immediately enjoy the benefits of output compression.
Posted over 15 years ago
The third beta version of Geeklog 1.6.0 is now available for download. This version fixes a few more issues with the new search, addresses the XSS reported for the install script, and also includes a more prominent reminder to remove the install script after installation or upgrade. The main reason for this third beta (instead of it being rc1), however, is the last-minute addition of a new minor security feature to prevent "clickjacking". This feature requires support from the browser, though, and is currently only implemented in IE 8 and Safari 4. Other browsers will surely add support shortly.
Posted over 15 years ago
For the Geeklog installation on fsim-ev.de (a social website for the students of the University of Applied Sciences Regensburg) I've developed a private message plugin and a plugin where users can create groups with a group-internal DokuWiki namespace and group forum. If someone is interested in this, download it from my Mercurial repository: http://fsim-ev.de/hg/pmessage/ and http://fsim-ev.de/hg/groupable/
Posted over 15 years ago
A recent posting on the Bugtraq security mailing list should serve as a reminder to always remove the install script after a successful install or upgrade of Geeklog: MaXe points out an XSS, a path disclosure, and a remote file inclusion in the 1.5.x install script. The XSS is still present in the 1.6.0 install script and has been pointed out to us before by a person who called himself Nemesis. We'll take care of this in the next 1.6.0 release (probably rc1). So again: Please follow the installation instructions and the built-in reminders to remove the install script and the other security tips that we provide before, during, and after the install.
Posted over 15 years ago
The second beta version of Geeklog 1.6.0 is now available for download. This release fixes quite a few rough edges in beta 1, for example in the search and the new XMLSitemap plugin. There are a few more issues remaining to be addressed and if you find anything else, please submit a bugreport. The language files have had a few updates but are now ready for translation. For more information, please see the geeklog-translations mailing list.

Addendum: If you are trying to install beta 2 over beta 1, you may run into a few issues with the XMLSitemap plugin. Try uninstalling, then re-installing the plugin, as there were a few changes in its config.
Posted over 15 years ago
The first beta version of Geeklog 1.6.0 is now available for download. This release incorporates the following projects implemented during the 2008 Google Summer of Code:

- Site migration support and easier plugin installation, by Matt West
- Improved search, by Sami Barakat
- Comment moderation and editable comments, by Jared Wenerd

Other new features include a new plugin to produce proper sitemap.xml files (provided by mystral-kk) and quite a lot of "under the hood" fixes and improvements, e.g. many new and extended plugin API functions. Please see the included changelog (docs/history) for details.

This being a beta, we want to encourage you to try it out and provide us with feedback and bugreports, but you probably shouldn't be running it on a live site just yet.

To recap the 3 projects from GSoC 2008: Matt's improvements address the common problem of changing paths and/or URLs when moving a site to a different server. Plugin installs are now much easier, as you can simply upload the plugin tarball or .zip file directly from within Geeklog. Sami's new search no longer presents the results separated by plugins, which should be more in line with your visitor's expectations. And Jared's comment improvements provide a comment moderation queue, editable comments, comment notifications, and the ability for anonymous users to enter a name (similar to what the Forum plugin already does).

Looking ahead, Geeklog 1.6.0 will be the basis on which this year's GSoC students will be working. And this time around, we should be in a better position to get the results out into a new release quickly, thanks to our switch to Mercurial.
Posted almost 16 years ago
1000 students have now been accepted for this year's incarnation of the Google Summer of Code. We had a really hard time selecting from the mostly excellent applications for Geeklog and AptitudeCMS this year. In the end, we decided on the following students and their projects:

For Geeklog:

- Sean Clark will be working on a test framework, mentored by Dirk Haun
- Tim Patrick will create a plugin repository, mentored by Matt West
- Stan Palatnik will add PostgreSQL support, mentored by Vincent Furia
- Thomas Gutleben will implement a complete OpenID 2.0 library, mentored by Randy Kolenko
- Phaneendra Kaddi will add image and comment support to the webservices, mentored by Ramnath Iyer

For AptitudeCMS:

- Kittipat Virochsiri will write a taxonomy plugin, mentored by Tony Bibbs
- Barry Carlyon will work on the syndication API, mentored by Justin Carlson

Congratulations to Barry, Kittipat, Phaneendra, Sean, Stan, Thomas, and Tim, and we're looking forward to working with you during the summer.

To those that didn't make the cut: Thanks again for your application. We had a lot of very good proposals this year and some of the decisions were really, really hard to make. If you have any questions regarding your application, please feel free to contact us through the usual channels.
Posted almost 16 years ago
Bookoo of the Nine Situations Group has posted yet another SQL injection exploit. This time, the problem is in usersettings.php and can again be used by an attacker to extract the password hash for any account. Geeklog 1.5.2sr4 fixes this issue and is available for download

- as a complete tarball, for fresh installs and upgrades from any earlier release
- as an update for 1.5.2sr3 and
- as a "combo" update, bundling all the changes for 1.5.2sr1 - 1.5.2sr4.
Posted almost 16 years ago
Geeklog 1.5.2sr3 addresses the recently published exploit for an SQL injection in the webservices. It is available for download

- as a complete tarball, for fresh installs and upgrades from any earlier release
- as an update for 1.5.2sr2 and
- as a "combo" update, bundling all the changes for 1.5.2sr1 - 1.5.2sr3.

After installing this update, you can enable the webservices again if you need them (or leave them disabled if you don't - they are not an essential feature, unless you happen to be using an AtomPub client to post articles).

After the recent series of security issues, we will of course now take a closer look at Geeklog's source code again and re-evaluate our security measures. What's interesting about the last two exploits, for example, is that they simply were not possible a few years ago, as they rely on new features in MySQL 5. So there's obviously room for improvement here.

A quick overview of our plans for the near future: We're currently wrapping up the selection process for the student applications for this year's Summer of Code (results to be announced on April 20). We will also be publishing a beta version of Geeklog 1.6.0 at around the same time. Any results of a code review will then be available with the final 1.6.0 release (no due date, but tentatively before or around May 23, again in sync with the timeline for the Summer of Code).

Sorry for the recent hassle and we hope you stick with us.