Maintenance of 5.4.2.2 (e.g. security updates)

Dear concrete5,

Since I'm running a website based on concrete5 version 5.4.2.2, I was wondering if this version is still maintained and whether security fixes will be provided in the future too. What is the schedule for the maintenance of version 5.4.2.2, and when does one have to update to 5.5.x?

Thanks already for your support,
Andreas

 
frz replied (Best Answer):
At this point we do not release security/maintenance updates to old versions.
Just upgrade to the latest.

best wishes

Franz Maruna
CEO - concrete5.org
http://about.me/frz
marinalink replied:
Thanks for the quick reply, but I'm a bit surprised that no security updates are provided for the latest stable release for which nearly all add-ons are compatible. You state on the download page:

----
NOTE: Many add-ons haven't been updated to work with 5.5 yet. If you've got an existing site that relies on stuff in the marketplace, you should try running this update on a backup copy of your site before upgrading live.
----

This suggests to me that:
i) either I update to the new version and some add-ons for my website might not work
ii) or I stay with the old version where all add-ons will work, but no security fixes will be provided.

Could a solution be that the previous stable release (today 5.4.2.2) will always be maintained for 1 year after the release of a new version with security fixes only so that add-on developers have enough time to update to the latest release (i.e. today 5.5.x)? Is this feasible or do you think this will be too much effort from your side?
jero replied:
Bearing in mind that C5 is open source and we get what we pay for ;)
it is nevertheless surprising that the only solution is an upgrade.

As marinalink points out, not all addons are 5.5 compatible.

I'd add that the upgrade path isn't always straightforward - I have had a couple of sites break when upgrading (mysql errors and a site that's down) and I've had to get rather dirty undoing the upgrade. The forums have lots of meat on this topic too, so it's not just me being a bozo.

I can appreciate that there is zero chance of any feature changes, but surely if a major security snafu is found in the 5.4 branch, it's in the interest of the product as a whole and the Internet at large to patch it ASAP.

The last thing anyone wants is C5 becoming the next Wordpress, which seems to get hacked every other week.
marinalink replied:
I'm fully aware that concrete5 is open source and I highly appreciate the quality of the product. I was really impressed by its capabilities. Many thanks to the team for this.

But I also agree with jero that it would be a pity if concrete5 would sacrifice on the area of security, since this is unfortunately a concern as we see with Wordpress...

Therefore I hope that it could be possible to implement security fixes in the 5.4 branch at least for one year after the first release in the 5.5 branch.
qonnected replied:
I'm also a bit surprised that there are no security updates on older versions.

For our company both suggestions made are no good solutions. They are both risky.

Are there any plans that this might change in the near future? That would be awesome.
frz replied:
No.

The way to move forward is to upgrade. This isn't an open source vs closed question, it's simply a choice of how software developers want to spend their time. We're passionate about new things, and while I understand upgrades always have risks, our upgrades do generally run pretty smoothly. That's where we will continue to put our efforts, and yeah, as it's been pointed out, as concrete5 is open source you can certainly pick and choose what you want by hand and keep your site off the upgrade path.
Phallanx replied:
@Frz.
And what about those of us that are stuck on a version because the update doesn't work?
frz replied:
Why doesn't update work for you?

There are times where sites need to go through multiple version updates to get to current.
There are times where some custom code someone has developed might keep you from doing that.
There are times where add-ons that were built for an earlier version no longer are supported for the current version.

Am I missing a scenario?
Phallanx replied:
@Frz.
You are missing one.

When the update script fails with errors such as "1064: You have an error in your SQL syntax", mysql error: [1048: Column 'cID' cannot be NULL. They just go on and on.
frz replied:
At a glance, that sounds like this one:
"Attempting to solve intermittent error in PagePermissionAssignments messages that happen on certain upgrades."

That we took on with 5.6.0.2:
http://www.concrete5.org/documentation/background/version_history/5...

I don't mean to come off dismissive of these challenges at all, because I don't believe we are. We work hard to fix bugs with concrete5, and we work hard to make sure the upgrade works. The way we do that is by throwing out bad ideas in favor of new ones. What I'm not going to agree to in the abstract is a schedule of maintaining bad ideas, while trying to push new ones, for free.

Given the complexity of the concrete5 ecosystem, I believe the final product of our work is pretty darn good. Can I tell you 100% of all sites will upgrade perfectly each time you hit that button, don't even bother with a backup first? No. Of course not. That being said, I believe our release schedule shows we're ready, willing and eager to follow up a major version change with the required point releases to work out edge case kinks.

It's not an impossibility we'd maintain a security patch on an older version from time to time. As we've been discussing the rather beefy changes in 5.7 we've been talking about maintaining a 5.6.2 version for a while. I can't promise that will or will not happen, but it's a thought. If it lets us move forward in bigger better new directions with 5.7, I'm all for it. If there was a dramatic security issue we'd also likely use this approach. The problem for us is we'd be shooting ourselves in the foot to just make it policy.

We're giving away software for free here, and we're giving away our time to make it stable and happy as well. Part of what we get back out of that giving is the feedback and testing from hundreds of thousands of unique installs and people doing things in their own way. Is every decision or line of code we write a slam dunk? No. But we're always willing to revisit or fix something and try again. Iterative development - it's what's for dinner.

All of that being said, yes if you have a support SLA with us - we'd work with you to both hot-fix any immediate bug in your current version as well as help you through the upgrade process:
http://enterprise.concrete5.com/services/support/...

My sense is there are other developers out there that could also provide help with upgrades, and piecemeal hot fixes as well. My sense is also that for one reason or another, we're a long way from having the frequency and scale of security issues that wordpress has recently. If there were something dramatic, we'd look at releasing patches for older versions.
Phallanx replied:
@Frz.
Of course.