Products.cmfplone: Bring http://jone.github.io/plone-hotfixes under the Plone Foundation

Created on 22 Dec 2017 · 8 comments · Source: plone/Products.CMFPlone

I regularly use http://jone.github.io/plone-hotfixes/ to check the necessary hotfixes for specific Plone versions. It's a super useful tool by Jonas Baumann ( @jone ) and it looks well maintained.

Because it's so useful and even though it's still well maintained, I think it would be a good idea to bring this project closer to the Plone Foundation and let it be managed there. It should be promoted and maintained with every security release.

/cc @plone/framework-team @plone/security-team @plone/plone-foundation-board @plone-foundation

Labels: enhancement, question

All 8 comments

If the hotfixes provided that information via JSON, any frontend could consume them and use it (i.e. the always dreamed button on the control panel to warn about them).

Should that be PLIPed?

I'd welcome moving it to the Plone Foundation. 👍
I sometimes fail to update the hotfixes list or version constraints of hotfixes quickly enough (e.g. when I'm on vacation), especially when a new Plone version is released including a hotfix.
By moving it to the Plone Foundation the people releasing hotfixes and new Plone versions could update the list or notify someone who can; the bus-factor would be bigger.

The project is JavaScript-only, so that it can be deployed on github-pages. It has tests and all contributors have signed Plone's contributors agreement.

The hotfixes list is actually already stored in a JavaScript file, so it would not be a big deal to change it to JSON (remove the `var hotfixes =`, more or less).

At 4teamwork we use this list for generating buildout config files for each Plone version with a list of hotfixes and their version pinnings (we use `allow-picked-versions = false`). We include those buildouts in all projects, so we can install hotfixes by running buildout and rebooting, without the need to change the project buildout.

As long as I still get the hotfixes list for generating the buildouts I'm happy 😄 and maybe there are others interested in the buildouts too?
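As an added example (not code from the plone-hotfixes project, from 4teamwork, or from plone.org), here is one way to do what the two comments above describe: consume a JSON hotfix list and generate a buildout `extends` file that pins the hotfixes applicable to one Plone version, with `allow-picked-versions = false`. The JSON field names (`package`, `version`, `plone_versions`), the sample entries and the `[instance]` section name are assumptions; the page does not show the real list's schema. The validation step matters because the list is fetched from a remote source and written into a configuration file that buildout will act on: a package name carrying a newline or a `[` could otherwise inject a new section into the generated config.

```python
"""Generate a buildout 'extends' file pinning the hotfixes for one Plone
version from a JSON hotfix list.

Added example; the JSON schema, sample data and the [instance] section name
are assumptions, not the real plone-hotfixes format.
"""
import json
import re
from typing import Any, Dict, List

# Constructed sample list (placeholder package names, not real hotfixes).
SAMPLE_HOTFIXES_JSON = """
[
  {"package": "Products.ExampleHotfixA", "version": "1.0",
   "plone_versions": ["4.3.11", "5.0.8"]},
  {"package": "Products.ExampleHotfixB", "version": "1.2",
   "plone_versions": ["4.3.11", "4.3.12", "5.1"]},
  {"package": "Products.ExampleHotfixC", "version": "2.0",
   "plone_versions": ["5.1"]}
]
"""

# Strict shapes for values that end up in the generated config file.
_VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+)*([a-z]+[0-9]+)?")
_PACKAGE_RE = re.compile(r"[A-Za-z0-9_.\-]+")


def load_hotfixes(text: str) -> List[Dict[str, Any]]:
    """Parse the JSON list and reject any entry outside the assumed schema."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("hotfix list must be a JSON array")
    hotfixes = []
    for i, entry in enumerate(data):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {i}: not an object")
        package = entry.get("package")
        version = entry.get("version")
        plone_versions = entry.get("plone_versions")
        # fullmatch: no newlines, brackets or '=' can reach the config file.
        if not isinstance(package, str) or not _PACKAGE_RE.fullmatch(package):
            raise ValueError(f"entry {i}: bad package name {package!r}")
        if not isinstance(version, str) or not _VERSION_RE.fullmatch(version):
            raise ValueError(f"entry {i}: bad version {version!r}")
        if not isinstance(plone_versions, list) or not all(
            isinstance(v, str) and _VERSION_RE.fullmatch(v) for v in plone_versions
        ):
            raise ValueError(f"entry {i}: bad plone_versions {plone_versions!r}")
        hotfixes.append({"package": package, "version": version,
                         "plone_versions": list(plone_versions)})
    return hotfixes


def is_valid_hotfix_list(text: str) -> bool:
    """Convenience wrapper: True if the list loads cleanly, False otherwise."""
    try:
        load_hotfixes(text)
    except (ValueError, json.JSONDecodeError):
        return False
    return True


def hotfixes_for(hotfixes: List[Dict[str, Any]], plone_version: str) -> List[Dict[str, Any]]:
    """Hotfixes whose plone_versions list names this exact Plone version."""
    return sorted((h for h in hotfixes if plone_version in h["plone_versions"]),
                  key=lambda h: h["package"])


def render_buildout(hotfixes: List[Dict[str, Any]], plone_version: str) -> str:
    """Render an extends file: add the hotfix eggs and pin their versions."""
    applicable = hotfixes_for(hotfixes, plone_version)
    lines = [
        f"# hotfixes for Plone {plone_version} (generated)",
        "[buildout]",
        "allow-picked-versions = false",
        "",
        "[instance]",  # assumed name of the Zope instance part
        "eggs +=",
    ]
    lines += [f"    {h['package']}" for h in applicable]
    lines += ["", "[versions]"]
    lines += [f"{h['package']} = {h['version']}" for h in applicable]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_buildout(load_hotfixes(SAMPLE_HOTFIXES_JSON), "5.1"))
```

Run it as a script to see the generated file for Plone 5.1; in practice the JSON text would be fetched from the published list and the output written to a file that the project buildout extends.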

@jone, could you add me as an owner of this repository? Then I could and will move it to the Plone org and would update that list as part of the hotfix release process.

@gforcada I don't understand why that should be PLIPed based on this package; the hotfix list is already available as JSON: https://plone.org/security/hotfix_json
There is also a set of consumers implemented: https://github.com/plone/plone.vulnerabilitychecks.core, see https://github.com/plone/plone.vulnerabilitychecks.core/blob/master/docs/index.rst

This was already done at the sprint of the PloneConf 2013:
https://github.com/plone/plone.app.vulnerabilities/pull/1

@loechel moving the repository will break the public URLs, since it is published on github-pages, which include user and repo-name in the URL.

@loechel I meant that plone.vulnerabilitychecks.core is not part of Plone. Having it installed would be great, maybe with a setting to turn it off if one is so paranoid about it.

@gforcada the core package does nothing by itself, so it could go into core, but the three or four dependent packages could or should go as optional elements into the unified installer.

@jone ok thanks, now I have access, and will push infos for future hotfixes upstream.

I think we could close this one.
