dotProject

Version 2.1.2 was released tonight - 29th July 2008. You can get the update from:

dotProject Sourceforge Download

Further information on what is included in this release is available at:

http://docs.dotproject.net

We suggest that all sites upgrade as soon as is practicable to ensure that you have all the resolved bugs as well as the security issues addressed.

I guess it is a bit presumptive to call two developers a hackfest, however mosen and I have spent the last week hacking away at dp3 (dotProject version 3 for the uninitiated) and achieving some considerable milestones.

I have been a bit disillusioned with dp2 and dp3 was a pretty bold move to address some of the shortcomings we saw in the version 2 code. Ditching the old hand-crafted framework and suite of third-party libraries was the easy part, thanks to Zend Framework. Almost everything we looked at in terms of simplifying our infrastructure had a supporting package in Zend. Most of these packages are extremely well thought out and with a bit of effort can make any application shine. Why write your own database abstraction when Zend_Db has a rich collection of classes to support just about anything you want to achieve? Why write your own authentication classes when Zend_Auth does it far better and is far more complete? In addition we have used Zend_Translate, Zend_Form, Zend_Session, Zend_Date, Zend_Validate, Zend_Log, Zend_Mail and the entire Zend MVC architecture to improve the structure and stability of the product.

The benefits that we believed would be derived from moving to a stable framework are starting to be realised. One of the major hassles I saw with dp2 was the ability for third-party module developers to be able to integrate well with the base product. A lot of the work we've done is to ensure that the new structure has a stable and well-defined architecture and API (Application Programming Interface) to allow third-party developers to get real integration without having to change core code. Being able to put extra fields on standard pages, to be able to modify data on save of a standard object, and a heap of other benefits is going to be possible. Much of the support code for this is already in place.

Permissions has always been an issue and I've not really seen a sensible approach to permissions that makes sense in a project management environment. dp3 now has a completely new policy-based permissions system that is far simpler to understand and implement. Along with this is a far more extended ability to group people. We realised that Companies and Departments don't really make sense in a large number of cases, and people may have Branch, Region, Workgroup, Task Group, Team or any other hierarchy that they may want to use to identify groups of people. This is now possible. We've even extended the concept to have members of Projects, Tasks and other system objects that can either be active or passive resources (think of a programmer and their manager, the programmer may be an active resource on a task - doing the work, but the manager may want to be kept up to date with progress reports, hence a member of the task, but not an active one). Permissions is now handled further down the stack as well, so it is far harder to get around and is orders of magnitude faster than any other approach we've seen.

But what about the current functionality, I hear you ask. In all cases where the functionality makes sense it has been kept, while where we could do it better we are taking the opportunity to do so.

Thanks to deBortoli Wines we have been able to fly mosen down from Sydney and have the time to spend together talking about, planning, and coding the new infrastructure. And may I put in a plug for mosen (or Eamon as his parents know him). Here is a coder who has a commitment to quality and a dedication to see a project through. I've been really impressed with his ideas, his code and his thinking outside the box. If anyone out there needs a great programmer then you would be hard pressed to look past Eamon.

So it is on with the show - we have a great start and no roadblocks in sight!

After all these years as an admin on dotProject, you get to the point where you think you've seen it all. Having spent, what is increasingly close to 50 years on the planet does give you some expectations with regard to other people's behaviour. But every now and then along comes somebody who just reminds you that there are always new depths to be plumbed.

Yesterday evening (my time) a new user signed up to these support forums and immediately sent me this Private Message:

[QUOTE]I found critical sql injection in dotrojekt 2.1.1

It can be exploited to manipulate the SQL query and may reveal sensitive information.

I can open it for some donation.[/QUOTE]

I then watched this person read my response which politely advised that we'd be happy to lodge the details of the SQL injection quickly and provide a fix to the community - no response / no details, needless to say, were forthcoming.

I'm assuming that this person fully understands the legal definition of "extortion" and "blackmail". I am further assuming that they don't care, that this is some sort of new money making scheme for at least this person - money, after all, being the only thing that matters in this entire world. Why not take money when you obviously don't have integrity, brains, compassion, community spirit or intelligence.

So just on the off chance that there's any other lowlifes lurking around under their rocks out there. We will not be paying anything for any bug reports. Scare tactics are not funny and they are most definitely not effective.

So shelter1@inbox.ru which I know is a throw-away mailbox (but unfortunately their site is in Russian and I can't find a report lowlife's link in English), congratulations. By some quirk of human nature it's sometimes possible to forget that for every decent human being out there - who contributes to an open source project with no thought of personal monetary gain, glory or aggrandisement, without putting down the hard working people who contribute freely of their time and effort, without expecting anything much in return - there is at least one thing like you.

As part of the push to get dotProject 3 moving, we've organised a gathering of the team leader (who is taking a week off work to do this) and the developer who has been working on the dp3 job thanks to the kind sponsorship of De Bortoli Wines. The week of the 23rd of June those two have kindly consented to being locked into our office - here in cold wintery The Patch and they're going to be doing some collaborative development work.

Hopefully we'll find some time for them to take some personal moments out as well - maybe reinvigorate their Chinese Chess skills, take some time out at a winery and maybe dinner out a few times, just to make Adam feel a bit more like he's having a holiday (as this is very much a Busman's Holiday for him as php development is what he does all day every day) and convince Eamon that there are some fabulous things in the beautiful Dandenong Ranges and the Yarra Valley.

Either way it's a very generous offer from both of them to the community again - to give up valuable holiday time / to fly down and stay with us and put up with dog hair all over everything you own! Thanks to Mosen (Eamon) and ajdonnison (Adam) for this great gesture to getting more progress on dp3.

It seems that as usual, SourceForge have not been able to manage their user cron jobs and hence our nightly snapshot job has not run for some considerable time (and we were not notified).

My profound apologies to all who I've directed to the nightly snapshot only to find their problems not resolved. I've now moved the triggering of the snapshot to our own server so we aren't held in thrall by the whim of the SF.net administrators.

I would urge you to use the nightly snapshot as we get closer to a new release as it has important fixes that will ease your frustration and our support load.

The URL is http://dotproject.sourceforge.net/dotproject-stable_2.tar.bz2 (for the version 2 stable branch).

The head branch (if you are feeling adventurous) is http://dotproject.sourceforge.net/dotproject.tar.bz2