Entries by Garvin Hicking

Sebastian Spreen contacted us some time ago and offered to help out with a nicer presentation page of Serendipity templates, including some more convenient community features like voting and user-uploads.

His new website Serendipity-Templates.org is a nice addition to spartacus.s9y.org, where only a selection of templates is kept for automatted downloads and generic overviews.

So check out his page and tell him how you like it! The Serendipity team always appreciates the creation of sites dedicated to Serendipity, many thanks to Sebastian!

Since quite some time, Serendipity uses old-fashioned md5 hashes to secure your passwords for logins to the backend.

Because mechanisms to crack md5 hashes with rainbow tables or even "dictionary hash"-lookups are getting more and more popular, we have decided to finally take the step to raise the serendipity hashing mechanism to something salted, and more secure (SHA1). Even though md5 hashes are still reasonably(!) safe when you use long, randomized passwords, the old-style hashing is a one-way route to hell.

Serendipity has always been had high tributes to backwards compatibility and ease-of-use and ease-of-upgrading, we have decided to take the "soft" upgrade approach. That means, new Serendipity versions will accept your old MD5 login ONCE, and then will use your user-specified password to create the safer hash and store that to the database.

This will help in hypothetical attack situations, where someone might have gotten hand on your hash values stored inside the database, because he will no longer be able to reverse-engineer your original password.

We could need help from any developer or betatester trying out the new functionality. Upgrading to the latest snapshot (get it from the s9y nightly downloads) with Serendipity 1.5-alpha2 will deploy the necessary database upgrades. Note that the one-time MD5-login is only possible in the first 6 months after you performed the installation of this serendipity version (through a saved timestamp in the database), and after that timespan, you can no longer login with the old password and must reset your password through the Administrator (or manual means, if you are the administrator).

Once you perform the update (do not try this on production blogs currently), everything should continue as usual. If it does not, please report your exact problems here or in the Forums. It is suggested that once you have the new serendipity version you change your password, so that nobody that might have already gotten your old md5 hash can use the reverse-engineered password to login again with the new hash created from the same original password.

Feedback is appreciated. The current mechanism is subject to change and currently more a proof-of-concept - feedback will most definitely lead to improvement. :-)

Serendipity 1.4.1 has been released. This is mainly a bugfix release for the updated of the bundled Smarty library, which fixes issues with Serendipity 1.4.

Other small fixes include better antispam checks for pingbacks (they were too strict before), an update to the sql index key creation of the statistics plugin and removal of error messages on open_basedir enabled servers.

You only need to upgrade to Serendipity 1.4.1 if one of the mentioned bugs affect you. Updating is easy and documented online.

Due to some feedback on the forums, we were made aware of a bug of the bundled Smarty templating engine that can happen in some PHP environments and lead to PHP warning/error messages.

If this occurs for you, please simply download an updated version of the file bundled-libs/Smarty/libs/Smarty_Compiler.class.php and upload it to your blog directory. Of course we will integrate this update to a future point release of Serendipity.

The Serendipity-Team is proud to provide the final release of Serendipity 1.4, conveniently codenamed "Post-Christmas-Monk-Miles-Moondog".

There have been some larger improvements since the 1.4-beta release, so these are the highlights of this release in short:

• (new since 1.4-beta1) References to online plugin documentation have been added (if existing) and the display of the short plugin names has been added to the plugin configuration menus.
  
  
• (new since 1.4-beta1) Firefox now no longer autoremembers passwords at the wrong places
  
  
• (new since 1.4-beta1) Added SMF importer
  
  
• (new since 1.4-beta1) Added a new %parentname% permalink option for category links
  
  
• (new since 1.4-beta1) Fix to properly, longer (30 days) sstrong>remember the user settings in cookies, like for media insertion
  
  
• Improvements in the now Double-Opt-In comment subscription (plus support for fulltext comment notifications)
  
  
• new bundled default WYSIWYG editing component (Xinha, the successor of HTMLArea). This new component is more reliable and cross-browser capable than the old version, by still supporting everything that worked with HTMLArea previously.
  
  
• The Entryproperties plugin now uses the new widget-style configuration option to allow for custom arrangement of the entry-related features of this plugin to your liking.
  
  
• The bulletproof template has been enabled as the new default template. The frontend imitates the look of Carl Galloways Serendipity 1.0 relaunch template, while the backend is much improved with a fresh, distinct look.
  
  
• The Remote RSS-Feed sidebar plugin now is templated, so that you can achieve distinct look for certain feeds on the sidebar.

Serendipity also addresses some minor bugs usually only affecting very special environments. Other changes include new PostgreSQL ts_vector fulltext search, comment approval-by-mail for the spamblock plugin, better HTTP header status updates for CGI environments. For developers, some API improvements and new variables/parameters have been added. The performance of the entryroperties plugin can be enhanced by new configuration options that let you fiddle with the involved SQL generation.

The complete list of all changes is documented within the docs/NEWS file of the release. This serendipity release is also the first one to include checksums to verify your installation integrity.

Updating is easy and documented online: Just upload the new files onto your web, possibly refresh/purge your browser cache (and if you upgrade from Serendipity older than 1.2, you might need to purge your old cookies), go to the admin panel and you're done. For shared installations, make sure all deployed htmlarea directories are updated with the new files (if not, the old htmlarea will still be there, not Xinha).

Also, the new version contains release checksums. This makes sure that the files you uploaded correspond with the checksums generated through the release. This way, bad FTP uploads will no longer be driving you nuts. If this makes any trouble for you, try to upload the files in BINARY mode in your FTP client.

For the future, Serendipity is still planning on minor and major features. We always keep a close ear to the wishes of our users, some of those that cannot be solved instantly have been documented here: Future of Serendipity. If you're a developer or designer, and want to help in proving that Serendipity is a flexible and easy to use Blogging/CMS-application - your help is needed and appreciated! Speaking of which: Many thanks to all current developers and forum users, especially Don Chambers, YellowLED and Judebert. Your help has been, and is vital to the project.

On behalf of the team: Happy new year and have fun with the release,
Garvin