Suggestion: Security Updates in own section

[CheersnGears]

I admit... I am terrible about doing security updates for my board software.

Rather than putting Security Updates in the general "News and Information" forum, perhaps it would be better to put security updates by themselves in a forum or blog exclusive to this type of notice. That way, someone (like me) can go back reference all the security updates and perform them. It could even be used to post instructions on what site owners need to do in the event of major security issues like heartbleed. (i.e. It's not IPS related, call your hosting provider, change your passwords).

Right now, they are mixed in with every other type of announcement and might be missed.

So how about it... a Security Announcements forum or Blog for this sort of thing?

[CheersnGears]

Bad idea or just wrong section?

[Charles]

It's a good idea but won't really apply come 4.0 as we will no longer do "patches" but instead increment the version number. You won't be able to miss it that way as the system will rant at you.

[steve00]

It's a good idea but won't really apply come 4.0 as we will no longer do "patches" but instead increment the version number. You won't be able to miss it that way as the system will rant at you.

oh boy .. can just imagine ... 4.0.999

[Makoto]

oh boy .. can just imagine ... 4.0.999

If IP.Board ever needs up to 999 security patches before its next major release, we should be seriously concerned.

[CheersnGears]

It's a good idea but won't really apply come 4.0 as we will no longer do "patches" but instead increment the version number. You won't be able to miss it that way as the system will rant at you.

But you still could be doing security patches between now and 4.0.... and possibly even after since there will be a large number of sites that cannot upgrade on day one of 4.0 Gold.

[CheersnGears]

My Point being... people are still using Windows XP and Microsoft is only just now ending support for security updates. I understand that IPS plans to continue to offer security updates 3.4.x for a while even after 4.0 comes out.

I'm really excited for 4.0, but I also know that I won't be able to upgrade for at least a couple months after it is released.

[Matt]

We're generally overhauling the entire distribution system for 4, so these ideas can be easily integrated. Right now we have to manually create patches and updates which is very time consuming whereas we'll be looking to automate the system for 4.

When we do release a security patch, we do the following things:

• Post on this forum
• Issue an email to customers
• Tweet the announcement
• Issue a bulletin that is visible inside every IP.Board installed.

One might say that if all those passed you by, then having the actual announcement in its own section won't really help.

[CheersnGears]

I'm not looking for another source of notification. That's my own fault. I'm looking for a consolidated repository of all official IPS security notices in a single place and not mixed in with other notices or customer threads.

Really, just a sub-forum somewhere containing the notices would be fine as long as only IPS can create a thread in there.

[Aiwa]

Playing devils advocate here...

Is there a reason you can't open the News and information forum and do a search for 'security' or 'patch' that will pull results from just that forum to create your 'consolidated repository'?

[Charles]

CheersnGears suggestion is valid :) It's just that with 4.0 we have a much better plan in place for security patches. For 3.x we might implement something like this as a quick-glance for people running 3.x since we don't want to mix them up.

[CheersnGears]

CheersnGears suggestion is valid :smile: It's just that with 4.0 we have a much better plan in place for security patches. For 3.x we might implement something like this as a quick-glance for people running 3.x since we don't want to mix them up.

For implementing the the patches, I'm glad to hear it.

For announcement and discussion of them too though?

Aiwa - Would it work? Sure... but that doesn't really make it a quick and easy reference now does it?

[Aiwa]

Aiwa - Would it work? Sure... but that doesn't really make it a quick and easy reference now does it?

Quick and easy is subjective. I perform searches of these forums hundreds of times per day, so I, personally, don't consider performing a search difficult or intrusive.

I was offering an alternative solution that you could use today. Sounds like Charles is taking the suggestion and looking at the best way to get you what you're after.

[TSP]

CheersnGears suggestion is valid :smile: It's just that with 4.0 we have a much better plan in place for security patches. For 3.x we might implement something like this as a quick-glance for people running 3.x since we don't want to mix them up.

How will that work in terms of cases where we have made some modifications to certain files?

I like the current way of just issuing security patches with the changed files. If we would have to upload the whole suite when a security patch comes around, then it would also be a lot more work to review the changes and ensure that our own modifications are still left in. Especially as you increment the version number in every single file for each properly released version (which makes it hard to see actual changes between versions in git diff btw)

[TSP]

CheersnGears suggestion is valid :smile: It's just that with 4.0 we have a much better plan in place for security patches. For 3.x we might implement something like this as a quick-glance for people running 3.x since we don't want to mix them up.

Quick solution would be to use tags and / or prefixes.

Aiwa - Would it work? Sure... but that doesn't really make it a quick and easy reference now does it?

If you want a link and not type it yourself, here you go: http://community.invisionpower.com/index.php?app=core&module=search&do=search&fromMainBar=1&search_app=forums:forum:1&search_term=security

[Charles]

Version 4.0's upgrade process will be different than 3.x's so those concerns won't be a problem.

[CheersnGears]

Version 4.0's upgrade process will be different than 3.x's so those concerns won't be a problem.

I am interested in more information about this. Maybe a blog post on the mechanics behind how the 4.0 upgrades won't (generally, I assume) break other modification we make to our boards.