A Serendipitous Birthday Present

On March 29th in 2003, Jannis Hermanns officially renamed his jBlog to Serendipity. Now, 13 years later, we are still actively working on improving what was meant to be a simple and expansive blogging infrastructure.

In April, we will have our second user/developer meetup in Germany (Essen) and hopefully decide on a couple of remaining issues for releasing version 2.1 of Serendipity and launching the currently "work in progress" version of docs.s9y.org. This new page will better present Serendipity and offer new and more streamlined documentation.

A few years ago, a Serendipity Book was published in german language by Garvin Hicking, which was later open-sourced and put into our documentation repository. Out of this, our fellow core developer Ian (Timbalu) has put an awesome amount of time and effort into updating this german documentation for recent Serendipity versions.

You can find this on docs.s9y.org/Book/ and you will see that it is still marked as "Draft" - which means, we would appreciate your feedback and input. We do hope to get this book translated to english at some point, any help on this is appreciated.

On behalf of the team, many thanks to Ian (Timbalu) and we're excited to keep making Serendipity be a great blogging tool for your needs.

Serendipity 1.6.2 released

UPDATED: 2012-05-22 12:00 to clarify impact.

Good and bad things come in doubles, it seems. We are sorry to inform you that another security issue in Serendipity has been found by the High-Tech Bridge SA Security Research Lab (Advisory HTB23092). This issue has been reported today at 11:27 and we're happy to provide a quick fix for that.

You can either download the full 1.6.2 release, or apply this simple fix to the file include/functions_trackbacks.inc.php: diff on github.

The error here is that input is not properly validated and can be used (when magic_quotes_gpc is off) to inject SQL code to a SQL query; since our DB layer does not execute multiple statements, and the involved SQL query is not used to produce output code. Thanks to Pawel Golen it was made clear to us that this issue can in fact be used to remotely access the database through blind sql injection attacks (this method however is really slow and creates a lot of traffic, since only using 0/1 as a result of the exploit will mean a lot of queries to deduce the content). Thus you should definitely upgrade your installation.

Serendipity is an open-source based product with no specific funding, so we depend on nice people like High-Tech Bridge, Stefan Schurtz, Hanno Böck and all the others of the past to report issues to us. In turn we promise to fix them as quickly and transparently as possible.

Spartacus infrastructure change, Developers please read

Since the core Serendipity project is now maintained on github.com and every developer is quite happy about that, we decided to go the jquery-plugins route and delete all Serendipity plugins.

No, just kidding. We actually imported all data from the SourceForge.net CVS servers into the github infrastructure. The short version for normal end-users: Nothing should change for you!



All current Serendipity developers also have access to those repositories to contribute code. Developers now no longer should commit code to CVS (actually, they can't, because I took all their committing karma *eg*).

The harder task for the Spartacus infrastructure service is the actual publishing of data. The Spartacus plugin operates on a PEAR-like XML format for each plugin, which luckily is automatically generated by a small shellscript which runs once daily on one of our webservers (emerge.sh). That script iterates on a checkout of all plugins and templates, creates the XML and uploads it to all mirror servers (currently netmirror.org, s9y.org and now also github.com).

Downloading the files also either works via the files that are uploaded daily to netmirror.org and s9y.org, or you always could use the SourceForge.net server, that published the file via a nasty ViewVC oddity. The spartacus plugin of the current github core code (version 2.25) now can also retrieve those files from the Github.com servers.

For all users that currently use the Spartacus plugin with the SourceForge.Net mirror, our daily script now pushes all changes in the GitHub tree also to CVS, so that both repositories *should* be kept in sync. This is done via the gitclone.sh and gitclone.php scripts in the additional_plugins repository, for anyone that's interested.

Most likely, something in this script won't work properly, so in the next days it might be that some glitches in the matrix can occur. In that case, please report issues and remain seated. Or buy christmas presents for your beloved. Or your beloved developers.

BerliOS closing down, Serendipity moving

Serendipity's code repository is being hosted on BerliOS for several years. Their free service is now closing down, which means that Serendipity will move its versioning control to a new provider.

The current idea is to migrate SVN over to GitHub.com. This might even motivate some new contributors to get accustomed with the Serendipity core code and make contributing patches easier.

We are planning to move the code repository at the end of October and will keep you posted here. If there are people reading this who are well familiar with Git and especially SVN migration, please step up here or in the forums to help us in the process.

Asides from the SVN service, Serendipity is currently using this infrastructure:

  • A self-hosted webserver providing a phpBB board on http://board.s9y.org. This is quite active and will stay in the future.
  • A self-hosted wiki software on http://www.s9y.org/ that allows for a custom navigation and wiki documentation by users. We might switch this to another software, but are not happy with the way MediaWiki handles navigation. We'll see if GitHub is an option to power this.
  • A self-hosted Serendipity installation on http://blog.s9y.org/
  • The http://spartacus.s9y.org/ plugin and theme repository, hosted on SourceForge.Net
  • The code repository for plugins and themes, also hosted on SourceForge.Net and maintained through CVS. Depending on the usage license of GitHub, we are looking into if we can merge plugins/templates and the Core code on GitHub.
  • A issue tracker, hosted on SourceForge.net. We might utilize the GitHub-Tracker for this in the future.
  • A mailinglist, that is not very active anymore, also hosted on SourceForge.Net. Since we favor the s9y forums, we might not further spend time on changing this mailinglist.