I'm reporting two weeks at once as I had several days of and there was not that much of work done. Pretty much everything was bug screening, relaxing after previous security fixes and starting with new round of them.
Full list of changes for 2.7:
If you are upgrading from older version, please follow our upgrading instructions.
You can find more information about Weblate on https://weblate.org, the code is hosted on Github. If you are curious how it looks, you can try it out on demo server. You can login there with
demo account using
demo password or register your own user. Weblate is also being used https://hosted.weblate.org/ as official translating service for phpMyAdmin, OsmAnd, Aptoide, FreedomBox, Weblate itself and many other projects.
Should you be looking for hosting of translations for your project, I'm happy to host them for you or help with setting it up on your infrastructure.
Further development of Weblate would not be possible without people providing donations, thanks to everybody who have helped so far! The roadmap for next release is just being prepared, you can influence this by expressing support for individual issues either by comments or by providing bounty for them.
The most important change is that development repository has been moved under WeblateOrg organization at GitHub, you can now find it at https://github.com/WeblateOrg/wlc. Another important news is that Debian package is currently waiting in NEW queue and will hopefully soon hit unstable.
wlc is built on API introduced in Weblate 2.6 and still being in development. Several commands from wlc will not work properly if executed against Weblate 2.6, first fully supported version will be 2.7 (current git is okay as well, it is now running on both demo and hosting servers). You can usage examples in the wlc documentation.
Several years ago I've complained about uTidylib not being maintained upstream. Since that time I've occasionally pushed some fixes to my GitHub repository with uTidylib code, but without any clear intentions to take it over.
Time has gone and there was still no progress and I started to consider becoming upstream maintainer as well. I quickly got approval from Cory Dodt, who was the original author of this code, unfortunately he is not owner of the PyPI entry and the claim request seems to have no response (if you know how to get in touch with "cntrlr" or how to take over PyPI module please let me know).
Anyway the amount of patches in my repository is big enough to warrant new release. Additionally Debian bug report about supporting new HTML tidy library came in and that made me push towards releasing 0.3 version of the uTidylib.
As you might guess, the amount of changes against original uTidylib is quite huge, to name the most important ones:
Anyway as I can not update PyPI entry, the downloads are currently available only on my website: https://cihar.com/software/utidylib/
Since quite a long time phpMyAdmin had embedded the bfShapeFiles library for import of geospatial data. Over the time we had to apply fixes to it to stay compatible with newer PHP versions, but there was really no development. Unfortunately, as it seems to be only usable PHP library which can read and write ESRI shapefiles.
With recent switch of phpMyAdmin to dependency handling using Composer I wondered if we should get rid of the last embedded PHP library, which was this one - bfShapeFiles. As I couldn't find alive library which would work well for us, I resisted that for quite long, until pull request to improve it came in. At that point I've realized that it's probably better to separate it and start to improve it outside our codebase.
That's when phpmyadmin/shapefile was started. The code is based on bfShapeFiles, applies all fixes which were used in phpMyAdmin and adds improvements from the pull request. On top of that it has brand new testsuite (the coverage is still much lower than I'd like to have) and while writing the tests several parsing issues have been discovered and fixed. Anyway you can now get the source from GitHub or install using Composer from Packagist.
PS: While fixing parser bugs I've looked at other parsers as well to see how they handle some situations unclear in the specs and I had to fix Python pyshp on the way as well :-).
As you could see from the release news it has been quite busy week in terms of fixing security issues. It has actually started just after announcement of security audit funded by Mozilla SOS Fund. It seems this is best way to attract attention security reviewers and we got really a lot of it.
So most of work in last two weeks was to deal with incoming security reports. Fortunately there is still nothing critical if you are not using ancient unpatched PHP version which is vulnerable to null termination of strings. This was quite hard work as immediately once we started to think about releasing version with fixes, new report came in and the process repeated several times. Fortunately we've made it to do three security releases (one for each supported branch) and it seems that we've not broken anything (at least there is no bug report indicating that).
Let's see what next weeks bring and how much security work will be there, but we definitely should focus on doing some reviews continuously rather than doing such one off actions.
On the other side in terms of handled public issues this week was really low volume:
Last week was again focused on code cleanup. The biggest part is splitting up the shapefile library out of our codebase. It's original upstream is not active for years and people started to use the library from our code instead, so separating it makes perfect sense.
While working on that, the library got some basic tests, but I'm still looking for more complex testcases to cover even situation we do not use in phpMyAdmin.
Besides this, there were some bug fixes in phpMyAdmin itself and it's Docker container. Additionally here was quite some security work after we've published information about passed security audit, but that will be described later.
Last week was a bit more focused on improving our Docker container. It's still not perfect, but it works way better than before. I'm also learning Docker on the way, so the progress is not as fast as it could be.
When speaking about learning I've again learned some new things about PHP - this time it was fact that the debug_backtrace function returns reference to actual interpreters backtrace, so if you change something there, you change the parameters in the code above in the stack. It was quite hard to figure out, but fortunately easy to fix afterwards. Anyway if you have not matching library and PHP MySQL module, you could not connect to MySQL server with phpMyAdmin because of this.
Rest of work was regular bug screening and fixing, nothing really outstanding.
Last week was a bit relaxed for me as I had few days off, so the amount of work was also quite limited.
Quite a lot of time was spent on investigating issue #12243, which in the end turned out to be problem in Fedora packaging as it's using outdated SQL parser library, which contains many bugs which have been fixed meanwhile. This is now reported in their bug tracker and hopefully get fixed soon. Anyway if you're running phpMyAdmin from Fedora / EPEL packages, you might be bitten by various bugs which are already fixed upstream.
Also if you're looking for free software job, you can join me in working on phpMyAdmin, we're looking for second developer!