xwiki-devs March 2010

xwiki-devs@xwiki.org

45 participants
125 discussions

[xwiki-devs] [ANN] XWiki Enterprise and XWiki Enterprise Manager 2.2.3 Released

by Thomas Mortagne

The XWiki development team is pleased to announce the release of XWiki Enterprise and XWiki Enterprise Manager 2.2.3. This is a bug fix release for the 2.2 branches. It fixes mainly one important regression around documents objects and references handling so if you are using a previous 2.2.x version you should really upgrade to 2.2.3. New features: * XWIKI-4983 - Add Reference Resolver for resolving string representations of references as a relative reference * XWIKI-4899 - Add Model API to get default Entity Reference values Improvements: * XWIKI-5003 - Add optional parameter support for Reference Resolvers and Serializers * XWIKI-5002 - Implement Explicit Reference Resolver and Serializer * XWIKI-4995 - Introduce duplicate() method in BaseObject and XWiiDocument to clone a document but with new GUIDs * XWIKI-4921 - LiveTable improvement to remember filter even in case of shift-reload or with Internet Explorer * XWIKI-4606 - Statistics exclusions by user * XWIKI-5028 - Improve the performance and functionality of the whatever:hover behavior * XAADMINISTRATION-114 - Extract successful registration message to a new page for easier customization and link to it from admin UI * Updated translations Important Bugs fixed: * XWIKI-4996 - Statistics broken in Oracle * XWIKI-5006 - Wiki Copy doesn't work anymore with relative references * XWIKI-5007 - BaseElement#setWiki produce nullpointerexception when called before setName * XWIKI-4987 - Cannot import as backup pack any longer * XWIKI-4992 - Counting documents using parametrized HQL query fails * XWIKI-4946 - Default values for the required macro parameters should be send to the server by the WYSIWYG * XWIKI-5016 - Display a message in place of the livetable infinitely loading in a environment where its JS can't be executed (example : noJS or in the WYSIWYG) * XWIKI-5013 - HTML code visible when inserting velocity macro displaying a property * XWIKI-5000 - Image links of office imports gets broken when using an OpenOffice 3.2 back-end * XWIKI-4994 - Invalid document references for Cloned and Merged Objects in Documents * XWIKI-4973 - Live table sort does not work for anything else than StringProperty fields * XWIKI-5009 - Saving a xwiki/1.0 document from another wiki can produce error or wrong backlinks * XWIKI-4130 - Three closing parenthesis, ))), are evaluated even though no open equivalence exists * XWIKI-4988 - After deleting an imported attachment the user is redirected to the Global Administration * XWIKI-5023 - Impossible to properly install XE from scratch * XWIKI-5026 - Wrong codes in ApplicationResources_pt * XE-620 - A double quote contained in a field listed in the livetable break the livetable * XE-623 - Live Table filtering does not work on fields with "Multiple Select" (but without Relational Storage) * XE-621 - Live table does not show if some fields value of type "StringProperty" contain carriage return * XE-616 - LiveTable impacted by velocity set to null option * XE-619 - Several bugs and improvements of the LiveTableResults macros * XE-614 - Errors in UI for deleted documents & attachments * XAADMINISTRATION-120 - SQL injection via "Forgot username" page * XAADMINISTRATION-119 - Exception displayed when entering an invalid email address in the ForgotUsername form * XATAG-36 - Inconsitent management of tags case For more information see the Releases notes at: http://www.xwiki.org/xwiki/bin/view/Main/ReleaseNotesXWikiEnterprise223 and http://www.xwiki.org/xwiki/bin/view/Main/ReleaseNotesXEM223 Thanks -The XWiki dev team

15 years

[xwiki-devs] [Proposal] New configuration strategy

by Vincent Massol

Hi devs, I've been wanting to make it easy to upgrade XWiki from one version to another for some time (I'm not talking about XAR upgrade here, that's the extension manager). I'm talking about XWiki configuration files. Here are the use cases I'd like to solve: UC1: Easy install: no need to explode the XAR to install XWiki. See also the comment about xwiki on http://java.dzone.com/articles/file-system-storage-and UC2: Easy upgrade: no need to take care about saving the configuration so that it's not overwritten by an upgrade UC3: Should be possible to have multiple installs on the same machine and running at the same time UC4: Should be possible to control the location of the configuration files for our automated functional tests (so that we control the configuration used) The configuration files I'm talking about are: * xwiki.cfg * hibernate.cfg.xml * xwiki.properties Proposed Solution: =============== 1) Look for a system property (e.g. xwiki.config.dir) defining a directory location and if defined look for the files in it using File IO (I know it's not JEE kosher but it's acceptable IMO). Could be relative or absolute. 2) If not found, look for a JNDI property that gives the location of the config directory 3) If not found, look for config files in [user.home]/.xwiki 4) If not found, emit an error explaining how to configure xwiki 1) solves UC3 and UC4 2) solves UC3 3) solves UC1 and UC2 Note ==== I'm not suggesting any backward compatibility here since it's a new way of configuring XWiki. It means upgraders will need to read the release notes/doc to understand how to configure XWiki. If really needed, we could devise a backward compat strategy, but I'm not sure we absolutely need that. WDYT? Thanks -Vincent

15 years

[xwiki-devs] HtmlUnit 2.4 released + some ideas for speeding up our functional tests

by Vincent Massol

FYI: http://bit.ly/9UmUis The part that is interesting: "Improved JavaScript support, now all jQuery and Mochikit tests pass, adding to already supported GWT and Sarissa" Since we're moving to Selenium2 and Selenium2 has a driver for HtmlUnit, we should try and see if using it would be good enough to detect JS problems in various browsers. The advantage of it over real browser drivers is that it runs much faster. Or we could imagine a scenario where we would use the HtmlUnit driver for standard functional tests and then use the real browser driver once per day to provide additional warranties, thus providing the best of both worlds. -Vincent

15 years

Re: [xwiki-devs] DNSSEC update and client side certificates

by Story Henry

In an interview of Dan Kaminsky last year he says the following: [[ Kaminsky: DNSSEC is interesting not because it fixes DNS. DNSSEC is interesting because it allows us to start addressing core problems we have on the Internet in a systematic and scalable way. The reality is: Trust is not selling across organizational boundaries. We have lots and lots systems that allow companies to authenticate their own people, manage and monitor their own people and interact with their own people. In a world where companies only deal with themselves, that's great. We don't live in that world and we haven't for many years. Q: How does DNSSEC help fix that? Kaminsky: One of the fascinating elements of the Verizon Data Breach Investigations Report is that if there was a hack, 40% of the time it was an implementation flaw, and 60% of the time it was an authentication flaw -- something happened with authentication credentials and everything blew up. At the end day, why do we use passwords? It's the only authentication technology that we have that even remotely works across organizational boundaries, and the only thing that scales today. Our existing ways of doing trust across organizational boundaries don't work. Passwords are failures; certificates that were supposed to replace passwords are not working -- period, end of discussion. DNS has been doing cross-organizational address management for 25 years; it works great. DNS is the world's largest PKI without the 'K.'All DNSSEC does is add keys. It takes this system that scales wonderfully and has been a success for 25 years, and says our trust problems are cross-organizational, and takes best technology on the Internet for cross-organizational operations and gives it trust. And if we do this right, we'll see every single company with new products and services around the fact that there's one trusted root, and one trusted delegating proven system doing security across organizational boundaries. ]] http://bit.ly/19P188 I came across this from the very interesting Wikipedia article http://fr.wikipedia.org/wiki/DNSSEC On 20 Mar 2010, at 19:44, Henry Story wrote: > Hi, > > Here are two issues with X509 that were hindrances for a solution like foaf+ssl to be deployed, but which can and are being fixed: > > 1. Client Side Certificate selection > ------------------------------------ > > Browsers currently do a very bad job of allowing the user to choose his certificate (Safari being the absolute worse). As a result I posted "Firefox Hackers Needed" > > http://bit.ly/cQ5f48 > > earlier this week. @snej who is working at Google put up a picture of a solution for this in Chrome using a foaf+ssl certificate created by http://webid.myxwiki.org/ > > http://bit.ly/azCXTU > > Vote for it! > > 2. Server side certificates > --------------------------- > > One factor that people mention often with foaf+ssl is that the server has to have his own certificate. This means registration with a CA which is costly and tedious and it does not really solve the problems of server authentication as Dan Kaminsky shows ruthlessly in "Black Ops of PKI" http://bit.ly/4Uwb2K . > > To summarise his talk, server security is in a double bind: > > 1- Dan Kaminsky's DNS poisoning attack which is very well explained by Rick Van Rein's presentation "Cracking Internet: the urgency of DNSSEC" ( http://bit.ly/2darr8 view with FFox > 3.5 as it uses ogg video) means that a DNS easily be hacked in 6 weeks, and a lot of money poured into the wrong people's pockets. So there is a financial incentive to break DNS. > > 2. The solution of using https with X.509 public key cryptography's backing cannot work because there is a race to the bottom in the way CA's issue certificates. For enough money it is not that difficult to become God and to pretend you are anyone. > > Given the above DNSsec has become urgent enough, that it is being deployed. > > - verisign will put .com in July http://bit.ly/dyd54E > - .org will be available in June http://bit.ly/abEJ28 > - .gov went dnssec in March 2009 http://bit.ly/bH27b0 > - The root will be signed July 2010 http://bit.ly/9YQMDJ > - a map of dnssec deployment http://www.xelerance.com/dnssec/ > > So listening to Dan Kaminsky you would think that he is against X509. Well certainly it could be improved a lot, but he is not quite as negative as one may think. X.509 with DNSsec seems to be something he thinks can work. > > What he told me after his CCC and HAR talks and what you can see in the last few minutes of the HAR talk "X509 considered Harmful" http://bit.ly/2darr8 is that once DNS is secure one could put the X509 (self signed even) certs into the DNS records. This would bypass the need for CAs. [ I hope I understood him correctly ]. I am not sure what needs to be done to make this possible with the browser vendors, but it would massively improve security on the web. > > As a result I have fait that the global situation on the internet will only make foaf+ssl solutions easier and more secure to deploy, enabling a completely distributed social network to emerge, free and without the spying, as Eben Moglen author of the GPL said so well recently http://bit.ly/brQmJz > > Henry >

15 years

[xwiki-devs] DNSSEC update and client side certificates

by Story Henry

Hi, Here are two issues with X509 that were hindrances for a solution like foaf+ssl to be deployed, but which can and are being fixed: 1. Client Side Certificate selection ------------------------------------ Browsers currently do a very bad job of allowing the user to choose his certificate (Safari being the absolute worse). As a result I posted "Firefox Hackers Needed" http://bit.ly/cQ5f48 earlier this week. @snej who is working at Google put up a picture of a solution for this in Chrome using a foaf+ssl certificate created by http://webid.myxwiki.org/ http://bit.ly/azCXTU Vote for it! 2. Server side certificates --------------------------- One factor that people mention often with foaf+ssl is that the server has to have his own certificate. This means registration with a CA which is costly and tedious and it does not really solve the problems of server authentication as Dan Kaminsky shows ruthlessly in "Black Ops of PKI" http://bit.ly/4Uwb2K . To summarise his talk, server security is in a double bind: 1- Dan Kaminsky's DNS poisoning attack which is very well explained by Rick Van Rein's presentation "Cracking Internet: the urgency of DNSSEC" ( http://bit.ly/2darr8 view with FFox > 3.5 as it uses ogg video) means that a DNS easily be hacked in 6 weeks, and a lot of money poured into the wrong people's pockets. So there is a financial incentive to break DNS. 2. The solution of using https with X.509 public key cryptography's backing cannot work because there is a race to the bottom in the way CA's issue certificates. For enough money it is not that difficult to become God and to pretend you are anyone. Given the above DNSsec has become urgent enough, that it is being deployed. - verisign will put .com in July http://bit.ly/dyd54E - .org will be available in June http://bit.ly/abEJ28 - .gov went dnssec in March 2009 http://bit.ly/bH27b0 - The root will be signed July 2010 http://bit.ly/9YQMDJ - a map of dnssec deployment http://www.xelerance.com/dnssec/ So listening to Dan Kaminsky you would think that he is against X509. Well certainly it could be improved a lot, but he is not quite as negative as one may think. X.509 with DNSsec seems to be something he thinks can work. What he told me after his CCC and HAR talks and what you can see in the last few minutes of the HAR talk "X509 considered Harmful" http://bit.ly/2darr8 is that once DNS is secure one could put the X509 (self signed even) certs into the DNS records. This would bypass the need for CAs. [ I hope I understood him correctly ]. I am not sure what needs to be done to make this possible with the browser vendors, but it would massively improve security on the web. As a result I have fait that the global situation on the internet will only make foaf+ssl solutions easier and more secure to deploy, enabling a completely distributed social network to emerge, free and without the spying, as Eben Moglen author of the GPL said so well recently http://bit.ly/brQmJz Henry Social Web Architect http://bblfish.net/ Social Web Architect http://bblfish.net/

15 years

[xwiki-devs] [VOTE] Backup pack: test for farm admin and for the whole import instead of testing for programming right and for each document

by Thomas Mortagne

Hi devs, To fix http://jira.xwiki.org/jira/browse/XE-615 i would like to change the test associated to backup pack. You can look at the issue for more detail on the issue but basically the problem is that on an empty XE guest does not have programming right which make impossible to import XE xar like it used to. You have to enable superadmin user with a password in clear in the xwiki.cfg file. I propose to change the way importer is working and test only once for the whole import and for admin right on main wiki which will make possible to install XE without having to enable superadmin. I feel it's secure enough but i prefer sending this vote mail to make sure more people can validate it's ok. Here is my +1. -- Thomas Mortagne

15 years

[xwiki-devs] Hover in Selenium2

by Alex Busenius

Hi all, I'm writing integration tests for the patch fixing http://jira.xwiki.org/jira/browse/XABLOG-99. In particular, I want to test adding, renaming and deleting of blog categories from Blog/ManageCategories page. My problem is that the "toolbox" with rename and delete buttons is only displayed on hover, and selenium complains that it cannot access invisible elements. I tried to use RenderedWebElement.hover() as follows: By locator = By.xpath("//a[contains(@href, \"" + name + "\")]/ancestor::span[@class='blog-category-level']"); RenderedWebElement category = (RenderedWebElement) getDriver().findElement(locator); category.hover(); but the n I get error "Unable to hover over element". Does anybody knows how to show these delete buttons? I'm using FF 3.6 on Linux. Thanks, Alex

15 years

[xwiki-devs] The problem with Todo Application

by Michelle Shi

Hi, I used the old todo Application in code zone. It has some problem, I record them here [ http://michelle.myxwiki.org/xwiki/bin/view/Blog/ProblemWithTodoApplications ]. Now I found that there is a cincubator project about new todo application [ http://incubator.myxwiki.org/xwiki/bin/view/Todo/]. This project seem to sovle all my problem. I wonder if there is a timeline of this application. Is there anything like roadmap of new Todo application? Thanks. Michelle

15 years

[xwiki-devs] XWiki was not selected for GSoC this year

by Sergiu Dumitriu

-------- Original Message -------- From: socghop.noreply(a)gmail.com Subject: Thank you for your application To: sergiu.dumitriu(a)gmail.com Hi Sergiu Dumitriu, Thank you for submitting "XWiki" organization application to Google Summer of Code 2010. Unfortunately, we were unable to accept your organization's application at this time. We received many more applications for the program than we are able to accommodate, and we would encourage you to reapply for future instances of the program. Best regards, Google Open Source Programs

15 years

[xwiki-devs] [URL] How to rename "bin" to "wiki" or something else.

by Nicola Nardino

Hi all, I'm wondering if it's possible to rename the "bin" part of the URL to something else. For same reason I can't drop the bin from the URL in Weblogic so I was wondering whether it could be possible to nicely rename it. Best Regards Nicola -- View this message in context: http://n2.nabble.com/URL-How-to-rename-bin-to-wiki-or-something-else-tp4755… Sent from the XWiki- Dev mailing list archive at Nabble.com.

15 years

← Newer
1
2
3
4
5
6
7
8
9
...
13
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

xwiki-devs March 2010