March 12th, 2008
We are now back from our holiday and returning to work - over a thousand emails to filter through, plus more forum posts and other incoming communications… Please be patient
Our trip was a good break away - however VENICE IS A DUMP, we were highly disappointed with Venice. The place is nothing like the TV or Books portray and is in fact nothing more than a graffiti plastered, rubbish strewn, smelling island in the middle of a lagoon with a massive industrial plant on one side and water on the other. I would never recommend you go to Venice, unless you are a real lover of history and art - and never take a baby or wheelchair, see those lovely little bridges? Well, each one is actually a stepladder up and down again! Steps, steps and more steps!!!
The hotel was the only thing that stopped us returning after a few days! The hotel room was a mini-suite and was simply amazing! (As was the local internet cafe!)
So back to work now - all systems go - but we ask for your patience if you have contacted us over the last week - we will get to your emails - promise!
Posted in Personal, Rants | No Comments »
January 29th, 2008
I was out on the web today when I came across an article from someone who doesn’t normally blog about Joomla, but about Macs.
I advise you to read the full article, but to pad out my own blog post here is a short excerpt:
However, I continue to believe that, the largest difference will be that Joomla will fail
because of their migration, whereas Apple executed a perfect migration.
First, “for those interested in migrating”… a product management failure right off the bat.
Joomla should be thinking that every site should upgrade, and they should be evangelizing
Joomla admins to start looking to making that transaction.
Second, saying that the migration process has issues completely ignores the fact that
migration should have been a paramount priority.
An interesting opinion from a regular Joomla user!….
Edit: I note that the Joomla Dev Blog now has a post on the migration procedure as well - I really should have a coffee before blog posting 
Posted in Joomla 1.5, Rants | No Comments »
January 2nd, 2008
We write this blog post with sadness. On the 4th December 2007 a nice white hat hacker notified the Joomla Core Development team of a CSRF Vulnerability in Joomla 1.0.13 and Joomla 1.5 RC3. There have been many reports of these vulnerabilities around the web since then.
The nature of the vulnerability means that your site cannot be hacked while you sleep (like many of the other types of 3rd party component issues), but requires you (the site's Super Admin) to be logged into Joomla Admin while at the same time surfing sites (maybe even your own) that contain links to [THINGS] that send [NAUGHTY] requests back to your Joomla Admin Console without you knowing. This can lead to complete disaster and even complete server compromise.
The Joomla Developers took only 4 days to fix this in Joomla 1.5 SVN and then shortly after released Joomla 1.5 RC4 stating they had fixed this category A5 Security [High] Vulnerability.
To date, no changes and no attempts by the core development team have been made to the Joomla 1.0.13+ SVN tree to fix this vulnerability in Joomla 1.0.13.
Update: Changes are now in SVN for the next version of Joomla 1.0.x - about time!
In an effort to assist them we spent a few hours and backported code from Joomla 1.5 RC4 to Joomla 1.0.13 and made all the changes required to fix Joomla 1.0.13 and make it secure from this type of vulnerability.
Details of this can be found in the following forum thread:
http://forum.joomla.org/index.php/topic,248109.msg1136076.html#msg1136076
I personally emailed all three lead developers with the same information as I published there, including providing the diff/patch files to Joomla 1.0.13. I have been assured that once Joomla 1.5 stable is released time will be spent on fixing this issue in Joomla 1.0.13 (I object to this - why take 4 days to fix unreleased software and over 4 weeks to fix software running on millions of sites already?!?)
Here is my professional advice to help you stay safe from the known and published vulnerability until the next version of Joomla 1.0.x is released.
The number one bit of advice I can give all site admins at the moment is to - LOGOUT OF YOUR JOOMLA ADMIN as soon as you finish using it, and do not surf around the internet in other tabs/browser windows while administrating your Joomla site, and if you allow users to modify your site’s frontend, be careful not to surf your frontend as well while logged in.
Do not install any 3rd party components/mambots/modules/AND TEMPLATES!!! from untrusted sources. If these components choose, they can use this vulnerability to do [BAD] things…
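An added example (not part of the original post, and not Joomla's own code) of a common defence against the request forgery described above: every state-changing admin request must carry a per-session token that another site cannot read. The function names, the `csrf_token` field and the session array are hypothetical, and the requests are constructed for the demo.

```php
<?php
// Added illustration: per-session anti-CSRF token for an admin form.
// All names are hypothetical; this is not Joomla's API.

function csrf_issue_token(array &$session): string
{
    // One unpredictable token per login session, created on first use.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_request_allowed(array $session, string $method, array $post): bool
{
    // State-changing actions must be POSTs; a plain link or image tag is a GET.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false;
    }
    // Constant-time comparison of the session's token and the submitted one.
    return hash_equals($expected, $supplied);
}

// Constructed demo: a logged-in admin session.
$session = ['user' => 'admin'];
$token   = csrf_issue_token($session);

$cases = [
    // Form rendered by the admin console itself, so it embeds the token.
    'genuine admin form' => ['POST', ['task' => 'save', 'csrf_token' => $token]],
    // Cross-site request: the browser sends the session cookie automatically,
    // but the other site cannot read the token, so the field is absent.
    'cross-site, no token' => ['POST', ['task' => 'save']],
    'cross-site, wrong token' => ['POST', ['task' => 'save', 'csrf_token' => str_repeat('0', 64)]],
    'cross-site GET link' => ['GET', []],
];

foreach ($cases as $label => [$method, $post]) {
    $ok = csrf_request_allowed($session, $method, $post);
    printf("%-24s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Logging out, as advised above, removes the session the browser would otherwise attach to a forged request; the token check covers the time an admin has to stay logged in.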
Posted in Announcements, Joomla 1.0.13, Rants, Security | 1 Comment »
July 23rd, 2007
Ever since the conception of Mambo/Joomla the passwords for admins and users have been converted into a md5 hash string and stored to the database.
In Joomla 1.0.13 (About time too!) this has changed. The password is now “salted” and then md5 hashed with the salt, the salt and the password are both stored in the database.
This means that Joomla 1.0.13 breaks backwards compatibility with itself (you can’t downgrade to anything before joomla 1.0.13), and with some extensions like Community Builder and Forum bridges!!
Basically any 3rd Party Component that reads/writes/validates the password of an admin or user will now FAIL in Joomla 1.0.13 unless it is updated to know about the new changes.
The salting of passwords is a good security step - we praise the core team for doing it - HOWEVER no announcement has been made about this, no blog post has been made and users are now in the dark - remember, this means you can NEVER DOWNGRADE your site if you have problems so make sure you MAKE A BACKUP before upgrading to Joomla 1.0.13 - you have now been warned!
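An added example (not part of the original post, and not Joomla's own code) of why an extension that still compares a bare md5 fails against a salted record, and how a verifier can accept both layouts. The stored layout `md5(password + salt):salt` is an assumption, since the post only says the password is salted, md5 hashed and stored with its salt; the function names and sample passwords are constructed.

```php
<?php
// Added illustration; names are hypothetical and the "hash:salt" layout is assumed.

function make_salted_record(string $plain): string
{
    // Random per-user salt, stored beside the hash so it can be reused at login.
    $salt = bin2hex(random_bytes(8));
    return md5($plain . $salt) . ':' . $salt;
}

function legacy_verify(string $plain, string $stored): bool
{
    // What an extension written for the old scheme does: compare a bare md5.
    return hash_equals($stored, md5($plain));
}

function verify_password(string $plain, string $stored): bool
{
    // Salted record: split off the salt and recompute with it.
    if (strpos($stored, ':') !== false) {
        [$hash, $salt] = explode(':', $stored, 2);
        return hash_equals($hash, md5($plain . $salt));
    }
    // No salt present: fall back to the old unsalted comparison.
    return legacy_verify($plain, $stored);
}

// Constructed sample data.
$oldRecord = md5('correct horse');               // pre-upgrade row
$newRecord = make_salted_record('correct horse'); // post-upgrade row

$checks = [
    'legacy check, old row'    => legacy_verify('correct horse', $oldRecord),
    'legacy check, salted row' => legacy_verify('correct horse', $newRecord),
    'updated check, old row'   => verify_password('correct horse', $oldRecord),
    'updated check, salted row' => verify_password('correct horse', $newRecord),
    'updated check, wrong password' => verify_password('wrong', $newRecord),
];

foreach ($checks as $label => $ok) {
    printf("%-32s %s\n", $label, $ok ? 'match' : 'no match');
}
```

The second line of output is the failure described above: the right password is rejected because the old comparison ignores the salt. It also shows why a downgrade breaks logins, since older code cannot read the salted rows.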
Posted in Joomla 1.0.13, Rants, Security | No Comments »
May 18th, 2007
Here is a new listing (Joomla Tags) on the Joomla Extensions Directory (JED) Site
It has 13 anonymous votes - giving it 3stars out of 5
It has 5 (great) reviews all 5 star ratings.
Should the JED allow anonymous voting?! I don't believe so - I (any visitor) could quite happily vote down ANY extension on the JED without reason.
Maybe the votes should be linked to the reviews and not anonymous clicks? At least with good and bad reviews you can understand the reason for the current number of stars.
Surely a component such as our Joomla Tags, which has received 5 positive, 5 star reviews from real people (with Joomla accounts - easily identified and traced if needed) should not have a 3star rating swayed by faceless anonymous people, who may or may not have even used the component !?!?!?!?
This is not a commercial rant - but it can happen on any free component listing too.
Why allow the faceless to sway the rating?
DISCUSS in the Joomla Forum
Posted in Joomla Extensions, Rants | No Comments »
February 8th, 2007
I was asked today how I manage to keep up with the huge amount of new news about Joomla from the official source and other peoples blogs about Joomla - simple - RSS Feeds and Google Alerts!
Google Alerts:
The Google Alerts system allows anyone to subscribe to alerts for any keyword. We have several alerts set up with them, keywords for “Joomla”, all our product names and all our competitors' names, along with some terms relevant to hacking and security in Joomla. When Google spots a blog post, news item or new web page containing these terms Google emails an update direct to my mailbox. Useful for finding new blogs too!
RSS:
I think most people know what RSS is by now, I’m not going to go too much into it, in fact this blog post was more about Google than RSS - just know this, RSS is useful for looking for changes on a small number of websites, I have over 250 RSS feeds and I find filtering out the noise and finding keywords relevant to me and my company very difficult. (We use the Sage plugin for Firefox since we left behind our Windows days and became 100% Linux based. On Windows we recommend FeedDemon)
No affiliate links in this post - just wanted to help you find relevant information about Joomla.
Posted in Free, Fun, Rants | 1 Comment »
January 23rd, 2007
Last year I wrote a note about how we provide support for our customers after they have purchased, I am repeating that post now as I find that it is important to make the distinction between After Sales Support for a product you purchased, and demanding time from an over worked developer for free for your specific “want”.
This note is written as a clarification. I’m not angry, just need to let people know what is acceptable Aftersales support and what's not.
When you purchase a product you obviously assume that you will get a certain level of support and assistance for the product you purchase - that is right and proper. However, there is a line between what is aftersales support and what is not support. There is a difference between what is expected and what is blatantly custom development or excessive handholding. Our components are very mature and have been installed on over 8000 servers worldwide - we have total confidence in them and we are dedicated to ensuring you get the best out of them.
Read the full article here…
Or read it in the FAQ where it has been for some time…
Posted in Joomla Components, Rants, Support | No Comments »
December 29th, 2006
Viral marketing approaches (not to be confused with computer viruses) take clever little online ideas and try to make them spread by online “word of mouth” which usually means friends emailing other friends.
This year’s big viral winner may be ElfYourself, which is showing nothing less than stunning traffic over the past few weeks - looks like it’s beating out many major sites and might even approach the top 100 sites this week as it spreads. [nope - looks like it peaked near Christmas at about site 250 per Alexa measures].
Click here to see me make an Elf of myself
Posted in Fun, Joomla Components, Rants | No Comments »
December 5th, 2006
I was amazed when I logged into my Joomla site to find the warning that my Joomla version was exactly 100 days old today
Come on Joomla Devs - release Joomla 1.0.12, I know you are working hard on Joomla 1.0.12 (I see the tracker has been closed to new bugs, and core developers are crying out for bugs to be assigned them) and 1.5 but 100 days is a long time between security releases.
And any news on a feature freeze for Joomla 1.5? I see that function/method calls are still being changed daily by some core developers meaning Joomla 1.5 is still not a stable platform for the 3rd party developers! We (developers) are still having to change our extensions to call renamed methods. Really is there any difference in calling a function initisalise instead of init ?? initisalise could be confused by some as initisalize ?
I, as many developers, cannot wait for Joomla 1.5 to stand still long enough for a beta or even a stable release — but I, as well as other developers, do not believe a stable version of Joomla 1.5 is very close.
Posted in Joomla 1.5, Joomla Core, Rants | 1 Comment »
November 23rd, 2006

We ordered a HP 2600n which showed on all product comparison websites as in stock. (It still says it's in stock at printerland)
We had a phone call from printerland Andy to say it was not in stock and that they don't publicly state it is in stock (It states here and here it's in stock). He suggested an OKI Printer, almost £100 more expensive, because we were in a bind we accepted and received the printer next day. We unboxed it and set it up.
It seems we are not the only ones to fall for their marketing - it appears to be a trend. It seems they advertise items they don't actually have and allow you to order it - then call you and upsell you to a different model.
We use exclusively Linux in our office (As we are PHP Developers), and the OKI Printer (c3400) is not compatible with Linux.
We called Andy at Printerland who said “Yes it is! Phone OKI!” So I did, and they said “100% not supported by Linux!”
So phoned Andy again next day and he said he could sell me another OKI printer that was 100% compatible with Linux - he reeled off the feature list. This printer was over 200% more expensive than the original printer I ordered!!!! I declined.
Then he said I (THE CUSTOMER) Had to phone OKI and obtain a “Fault returns number” !!! - Customers should not have to phone OKI - I purchased from printerland - that's their job. (remember there is nothing wrong with the printer, yet printerland are expecting OKI to accept liability for printerland's misselling! dishonest at best!)
Andy is a good salesman, always pushing you to upgrade and then delivering the bombshell of the price.
So I am left with a £200 colour laser printer that is only compatible with Windows - and now printerland will not return my calls.
Never buy from printerland.co.uk, they might advertise a low price but they do not have the customer support to back it up.
UPDATE: Let's remember - I ordered a printer I knew was compatible with Linux - I knew it worked and I “knew” from their advertising on other sites that the product was in stock!
29/11/06 UPDATE: Thanks to Misco.co.uk who have come to our rescue and provided us with the printer we required (HP c2600n) with next day delivery with 186 units in stock! - For cheaper than printerland.co.uk !!!
30/11/06 UPDATE: Now I have given them a returns number from OKI (After an argument at OKI because we both know it's not their fault but printerland are trying to recoup their costs from OKI, printerland missold the printer but are being underhanded in this whole process!) I am STILL waiting for collection of the printer and STILL waiting for a full refund. Andy is now avoiding me and not returning my phone calls - just about to email him again and see how far I can get!
05/12/06 UPDATE: Well the printer was finally collected today by courier - however they had TOTALLY the wrong address - supplied by Printerland! The delivery driver apparently had tried to find us twice before without luck and just happened to walk into our local post office and ask if they had heard of us (which they did) and so he found us!!
07/12/06 UPDATE: Still No word from Printerland about a refund, they have had the printer back two days and still no call or email regarding the refund - that's almost 3 weeks since we started this!
07/12/06 UPDATE - What cheek! I just got an email from printerland! “As an existing OKI printer user we thought you might be interested in two special offers.” - “The new OKI C3300 A4 printer for only £179.99 + VAT. Usual web price £198.98 +VAT” Are they really trying to sell the printer back to me!?!?!?!?!?!?
Posted in Rants | 1 Comment »