So, today's controversial (no doubt this blog will elicit replies bemoaning the built in Joomla search, why we use Google etc etc ) subject that I'm tackling:

Searching for 'stuff' on the Joomla.org suite of sites

What is one thing that Google knows how to do? Search. Therefore, we've setup an excellent tool, using Google to help you locate resources from almost all the Joomla sites in one place. To use it, you will need to start here: http://forum.joomla.org

Next, note the search box up the top right. After adding your search term and searching, be sure to use the 'refinement' tabs that appear on the next page. 

You'll notice from these tabs just how many of our sites this particular search tool uses. It works, and it works very well IF people use it.

I hope you enjoy that tip for today. Make sure you spread the word about it as well.

PS Thanks to all at that NYC Usergroup who listened to my voice for over an hour today while I answered their questions and shared Joomla "stuff" with them.

There are currently 5 Joomla! Amazon bookstores in the following countries:

• United States
• Canada 
• United Kingdom
• Germany
• France

These bookstores are one of the ways that OpenSourceMatters generates income to fund the Joomla Project: from providing servers to host our sites, purchasing marketing materials such as banners and brochures, promoting Joomla at Expos, conferences and Joomla Day events as well as to provide accounting, legal and administrative services.

Depending on the volume of books and other merchandise sold from each of the Joomla Amazon bookstores determines the commission received. Currently, it is anywhere from 4% to 6.5%. Our United States bookstore averages 6.5%. 

The Joomla Project receives a commission on all merchandise purchased though our bookstores, not only the purchase of Joomla books. This includes all other books, as well as music and other merchandise. Most people tend to purchase more than one item to save on shipping costs.

So the next time that you are planning to purchase a book or music, etc... please purchase it in one of the Joomla! Amazon Bookstores! Every little bit helps in generating the necessary income to fund the Joomla! Project.

Well... another day in the Stupid Section' (Security) of the forum. The cycle still continues though, and it's been a few weeks since I blogged about it, so it's that time again.

First off, WHY oh WHY do people not read the stickies and the forum note in this section? If they did, they would start off with this post and then follow this link to the Security Checklist. Are these links not clear enough? Do people these days, in the modern world, lack the ability to use the big box up the top right - SEARCH? 

My personal favorite (insert other word of your choosing) post for today is this one. These people *think* that a feature of Joomla! is an admin password expiry. Instead of bothering to consider that such a feature makes no sense at all, and perhaps entertain the fact that their site and/or host may well have been compromised they claim that we (Support) are hiding something from them. 

Anyway... that subject for another day, the one that we, the Joomla! Community should (obligated, must, have to, help me now) be providing free support to people. 

Seriously though, have you seen how extensive and well written the Security Checklist is?  Is it too hard to find? Perhaps we should close the entire security forum, as these days 99% of the posts come back to 2 things (the same two I have blogged about many times):

1. Users keeping their sites updated/patched and 

2. Secure Hosting setup (php5, suphp, among other things).

Are we not doing enough to educate people? Or are the webhosts to blame such as the one spoken of here. Surely it is not too much to expect that users will at least *try* to help themselves before they blame the Joomla! Community? Surely peoples hosting providers have a part to play also in placing the blame in the correct place (usually with the user or the provider) and if need be, learning from it?

Maybe I live in a different world.. or maybe we should just lock all threads in that forum from now on? People don't read the stickies or the notes up the top, what good is it?

Proof there is a problem:

• How to make joomla very secure ?
• User login error linked to security update for 1.5.7
• Hacked By X
• Hacked - Please be merciful

.. actually.. just read the entire forum. I can't find a single thread on the first page that is not down to one of the 2 issues I posted above. I can't find a single thread there either where the user would not have benefitted from using ultra-hidden-blend-into-the-rest-of-the-forum search box.

Now it's time I go and find a drink to calm myself down.

Previous posts of mine:

• Hosting Companies with Joomla Users: Listen up! 
• Joomla! Security, do you take it seriously like we do?
• Hosting providers - Isn't it time? 

I'm probably stealing someones thunder here but I'd just like to announce that the Joomla! Extensions Directory, or JED, today has reached over 4000 Joomla! extensions. This is a testament not only to the developers of our community who continue to produce new extensions to help you customise your Joomla! site the way you want it but towards the great JED Editors team who work behind the scenes to maintain the system and keep it up and running for the community. So thanks to the JED team for all their hard work and thanks to the developers who help to make Joomla! the great system it is today!

Perhaps it's the famous British reserve or just sheer laziness, but it has long surprised me that despite having one of the highest densities of Joomla users of any country in the world, there are remarkably few Joomla User Groups in the UK (just two*) and there has been only a single JoomlaDay (and that way back in 2006).  So it was a particular pleasure to be given the opportunity to play a part in kickstarting at least one new JUG in the UK and to help promote the upcoming JoomlaDay UK 2009.

The venue was the LinuxExpo Live event in London and it took place at the tail end of last week, 23rd to 25th October.  By the time we heard about the event I only had a couple of weeks to make all the preparations, so my apologies for the out-of-date flyers and the hastily thrown together CD's!  In the end it all went remarkably smoothly and it was a great pleasure to be able to meet and talk to so many people who use Joomla on a regular basis as well as the many people who came by having heard of Joomla but not knowing much about it.

Ryan Ozimek and I were on hand for the full three days and we were kept busy by a constant flow of people asking questions or just dropping in to say hello.  Well over 200 people visited the stand during the event.

Andy Wallace joined us and gave the upcoming JoomlaDay UK 2009 its first public outing.  Almost everyone I spoke to was interested in the event so I would recommend registering early to avoid disappointment.

James Kennard, author of "Mastering Joomla! 1.5 Extension and Framework Development" (available from the Joomla shop), also joined the stand and was kept busy answering questions.  As was Mike Lloyd, who as a Londoner was persuaded to take the plunge and finally get a London Joomla Users Group started.  Although London is a good four hours travelling time from where I live, I look forward to making it to at least one of the London JUG meetings in the near future.

Special thanks to our friends from Packt Publishing who arrived bearing a gift of books.  I put together a quick questionnaire with the books as prizes and this proved very useful in learning more about the people who were visiting our stand.  A huge thank you to Packt for supporting the Joomla project and open source in general.

Our gratitude is also extended to:

• uklinux.net and Linux User and Developer magazine for the stand space in the .org village and for promoting Joomla in the magazine.
• Rob Clayburn (pollen8) for being a great friend and fellow exhibitor.  Best of luck with Fabrik.
• Pete Coutts for his assistance in preparations for the event.
• The London Linux User Group for inviting us to join their special event meeting.  Good, honest pub food and interesting company.

Finally, a huge thank you to Ryan Ozimek, Andy Wallace, James Kennard and Mike Lloyd for their valuable time and support for the event.  We certainly raised the profile of Joomla in the United Kingdom!

* In case you are wondering about the two UK Joomla User Groups they are:

• Joomla User Group Norwich
• Joomla User Group Aberdeen

This is the week for the PackT 2008 Open Source CMS Awards. The week began with a new award that recognizes community. Two dozen open source projects and contributors were recognized by PackT, including Johan Janssens for his work with the Joomla! project.

Without Johan's contribution much of the Joomla! Framework we know today would not exist and it is good to see him honored with this award.

We thank Johan for his contributions to the project. He was one of the original Joomla! Core Team members who took a huge leap of faith, not knowing how much work lay ahead of us, to initiate the Joomla! project. In the two years Johan was active, he wore a number of hats, having served as a developer, a lead developer, a project manager, and a member of the Open Source Matters Board of Directors. Although his direct involvement with the Joomla! project has come to a close, he continues as a third party developer of Joomla! solutions.

Joomla! has been blessed with phenomenal growth. Recently, the seven millionth copy of Joomla! was downloaded (and that only includes copies downloaded from JoomlaCode since March 2007.) Nearly a quarter of a million people have registered in the Joomla! Forums and their questions are answered by a large, active, helpful body of volunteers. Others have generously contributed documentation, translations, money, patches, legal advice, Web hosting and system administration, articles, and time.

If you have visited the Joomla! Extensions Directory recently, then you, too, must be impressed by the body of work produced by Joomla!'s army of third party developers. As a result of the contributions of thousands of developers, we can Tweet and Ping and Flickr and comment and translate and backup and restore and microblog and quote and authenticate and RSS and more. Thanks to our hard working Extension Editors and to each user who provides feedback and ratings to help inform others.

We also recognize those of you who contribute locally. Thank you to each one of you who have started or helped with Joomla! Users Groups and Joomla! Day events. Thanks to those of you who have helped out with Expos and other events, or have simply demonstrated what Joomla! can do at your place of work or worship or neighborhood association. 

Our community powers Joomla! innovations and deployments. This spotlight on Johan is symbolic of the importance of every improvement each contributor brings, because in sum, that is what makes Joomla!. Again, many thanks, Johan, for your work, and many thanks to each of you who also help make Joomla! better -- in doing so, you are each Joomla!'s Most Valuable Players.

Some days we look at the web and see new and interesting things. Some days you just see stuff that breaks things. Today, Flash 10 is one of those. If you haven't heard the news, Flash 10 breaks a lot of web uploaders - ours included. Of course we're not the only one who has been impacted by this issue and it has been an issue during the beta. Solutions are coming out to resolve the issue and to Adobe's credit it has been documented. The issue in the short term is that Joomla!'s upload functionality isn't working if you're using Flash 10, so if this is functionality that you're really tied to try to avoid upgrading to Flash 10. Alternatively you can just disable the Flash uploader completely in Site > Global Configuration > System > Enable Flash Uploader and setting this to 'No'. At least for the current version of Joomla! (1.5.7) and for the next version that we're working on (1.5.8) we're not going to be in a position to update the library to fix the problem for Flash 10. Once fixes have been made available and tested we'll shift it into the next version of Joomla!.

So.. I was checking the subscription stats for http://feeds.joomla.org/JoomlaSecurityNews as I usually do and noticed that finally things are on the improve. We're now starting to see 100's of people each day subscribing either via email or RSS. At this time we have 5145 people subscribed. I'll start to get even more excited when that figure gets into the 10's of thousands.

Obviously this is due to all the help the community is doing to share this link and encourage others to subscribe. We've also added this option directly to the Joomla download page as was suggested by a community member (well, something similar).

Thanks again everyone, and keep up the great support. Joomla wouldn't be as popular as it is without all of your help. 

PS Don't forget to subscribe other areas of the project, see: www.joomla.org/rss.html

Earlier today, a rather prominent third party company (who have traditionally been involved with and supported Joomla) openly revealed details about a potential Joomla security vulnerability by posting it on their site.  I will not do the company justice by posting who they are or by publishing a link to their site.  It's incredibly disappointing, and disturbing that these developers (two of which had official positions) did not try follow the established procedure (or even a moral approach), but resorted to posting the vulnerability publicly and with an incorrect fix.

About the vulnerability

About two weeks ago, the aforementioned developers submitted a report to the Joomla! Security Strike Team detailing the potential vulnerability.  In accordance with our security response protocol, we engaged in discussion with the third-party developer, and determined that the issue was not of a critical nature, and did not warrant an accelerated release.  We were able to confirm the issue and determined that it would be fixed in 1.5.8 when it finished its normal cycle.  After consulting with the respective Joomla teams, we determined that since the "issue" is completely internal (a potential attacker must be an author or higher) it is not of a "critical" nature.

The post also mentions that they submitted the bug to the Joomla 1.5 bug tracker and that it was removed.  It is our policy that security issues are taken out of public view when they are published in the public tracker or on a public forum.  This is a responsible stance which is also followed by many other projects.  The company did in fact post to the tracker, and it was removed per our normal operating policy.  Disappointingly, the company had already publicized the vulnerability to their own mailing list prior to posting the issue on the tracker.  This was in direct contradiction of our belief in the need for discretion and professionalism when dealing with security issues, which cannot be overstressed.

About the "fix" they provide

First of all, applying third-party patches is never recommended.  It is always advised to either wait for either an official emergency patch or an official release that addresses the issue. 

In this case, the third-party developer removes a key feature that allows a site to protect itself from various malicious attacks.  This suggests a complete lack of understanding of why the feature was added in the first place.  Applying an unofficial patch could expose your site to unknown dangers.  If your site is subsequently hacked/defaced as a result of any third-party patch, we cannot help you. It's also important to keep in mind that these types of unauthorized patches circumvent the ability for the Joomla Project to properly support Joomla.

About their viewpoints

An irresponsible thing to do

Publicizing security vulnerabilities is nothing short of irresponsible. It is completely misguided to presume that publicizing any vulnerability forces the project to act. In this instance, the Joomla Project was aware of the issue and had determined the appropriate response with the best interest of the community in mind. Even a philosophical difference does not justify putting potentially millions of Web sites at risk. We have ZERO TOLERANCE for this kind of behavior.  The members in question have been removed from their respective Joomla positions.  It's saddening that it had to come to that, but we must take a firm stand against such irresponsible acts.

Generally speaking, people in the community are highly supportive of the Project. Unfortunately, this company isn't one of them (and on multiple occasions this has shown to be true). We'll probably never know what motivates people to act in such a manner.

In conclusion