Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Fastest way to be notified about a security upgrade and apply patches
#1
What's the fastest way I can be notified about a security upgrade? I'd like to know if a security upgrade is available as soon as possible, so I can plan to upgrade the forum or try to patch the security issues right away.

I know the admin panel has a notification for new releases, but I'm not sure if the notification is available right away and if it is reliable. I think sometimes I've seen no notification even though I was sure a new release was available (maybe the panel couldn't connect to the server to get the notification, I don't know). Anyway, it also seems impractical to have to check for notifications continuously, either in the admin panel or here or anywhere. I'm also not sure where a new release is published first (here or on GitHub?). So if there's a simpler way to know right away if a new release is available, I'd be glad to know.

Also, I noticed that on GitHub, the "build" release contains a folder named /input/patches, where there seem to be diff files for the security bugs. If I wanted to patch the security issues right away, and plan to do the whole upgrade later (which might require more time, planning and testing), is this a viable way to do it? That is, download the "build" release, and apply those patches in /input/patches to the files. I discovered this by chance (those patches aren't advertised anywhere, why?), but if the patches can be used this way then they are going to be handy.

Thanks.
Reply
#2
See https://mybb.com/download/verifying/. By default MyBB fetches information on new versions once a day using its task system; sometimes connectivity issues are reported, but these are usually related to servers where MyBB is run.

End-user full & upgrade packages are published first at the same time on mybb.com and the Blog, followed by repository updates and releases on GitHub - see https://docs.mybb.com/1.8/development/release-workflow/, https://docs.mybb.com/1.8/development/se...-workflow/.

The patch files do exclusively contain security fixes, but note they're designed to be compatible with the most recent state of the feature branch at the time of release and may also introduce/add/change upgrader instructions, so manual corrections might be necessary before they can be applied to the previous version before all other, public changes were applied. These can do the trick for simple changes, though, and are mirrored in post-release synchronization commits.

Currently the patches are part of input for the package builder, but we're hoping to reorganize the process for future branches to be able to easily publish releases on a separate hotfix track, among other things.

Some recent discussions regarding security patches: https://community.mybb.com/thread-216531.html, https://community.mybb.com/thread-222147.html
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz
Reply
#3
Thanks a lot for all the info. So it seems the fastest way to know about an update is to subscribe to the blog to get notifications of new posts, or use the RSS feed of the blog.
Reply
#4
(03-08-2019, 07:33 PM)reed Wrote: Thanks a lot for all the info. So it seems the fastest way to know about an update is to subscribe to the blog to get notifications of new posts, or use the RSS feed of the blog.

Yes, that's definitely the easiest way.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)