Patch Status

In my last post I mentioned that I expected to have a patched release of the slidePresenter-0.30 branch by end of day today. However, the situation turns out to be a little more complex than I thought. I am now hoping to have a stable release of the 0.40 branch to release tomorrow (July 5, 2007).

In case you’re curious, here is a little more detail:

The nature of the problem lies in the fact that the “data” directory is expected to be writable by the web server, and to be located under the web server’s document root. In a shared hosting environment, this is a significant security hole.*
The simplest fix would involve one of two changes, neither of which happens to be appropriate for slidePresenter: either turning off write privileges to this directory for the web server (which would completely prevent you from moving from one slide to the next, among other things), or moving this directory out of the document root (which would prevent the slide images from being displayed). The alternative option, the one I want to implement, is to separate the data directory into two parts: one located above the server’s document root, for the data files that keep track of each presentation’s properties (name, description, current slide, etc.); and another, within the document root, for the slide images themselves.

On a new installation, it’s not important that the structure of the data directory has changed since the last release. But for people who are upgrading an existing installation, it matters a great deal. If these users are going to be able to keep their existing presentations through the upgrade, slidePresenter will need to provide a way for them to reorganize their presentation data into the new structure.
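To make the two-directory split and the upgrade path concrete, here is an added example of what such a reorganization script could look like. It is not slidePresenter’s own code: the old layout (one directory per presentation under `<docroot>/data/`, holding a `presentation.txt` properties file alongside the slide images) and the directory names `slidepresenter_data` and `slides` are assumptions for illustration. The script first verifies, by resolved path, that the private directory really lands outside the document root and the image directory inside it, and only then moves files; `demo()` builds a constructed old-style installation in a temporary directory and migrates it.

```python
import shutil
import tempfile
from pathlib import Path

# Assumed old layout (not documented in the post): <docroot>/data/<presentation>/
# containing a properties file plus the slide images. These names are hypothetical.
PROPERTIES_FILE = "presentation.txt"
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


def is_inside(path: Path, root: Path) -> bool:
    """True if `path` resolves to `root` or to something below it."""
    path, root = path.resolve(), root.resolve()
    return path == root or root in path.parents


def layout_is_safe(docroot: Path, private_dir: Path, images_dir: Path) -> bool:
    """The split the post describes: properties outside the web root,
    images inside it. Compares resolved paths so symlinks cannot fool it."""
    return (not is_inside(private_dir, docroot)) and is_inside(images_dir, docroot)


def migrate(docroot: Path, old_data: Path, private_dir: Path, images_dir: Path) -> dict:
    """Move each presentation's properties file to `private_dir` and its slide
    images to `images_dir`. Refuses to run on an unsafe target layout."""
    if not layout_is_safe(docroot, private_dir, images_dir):
        raise ValueError(
            f"private dir {private_dir} must be outside and images dir "
            f"{images_dir} must be inside docroot {docroot}"
        )
    summary = {"properties": [], "images": [], "skipped": []}
    for pres in sorted(p for p in old_data.iterdir() if p.is_dir()):
        (private_dir / pres.name).mkdir(parents=True, exist_ok=True)
        (images_dir / pres.name).mkdir(parents=True, exist_ok=True)
        for f in sorted(pres.iterdir()):
            if f.name == PROPERTIES_FILE:
                dest = private_dir / pres.name / f.name
                shutil.move(str(f), str(dest))
                summary["properties"].append(dest)
            elif f.suffix.lower() in IMAGE_SUFFIXES:
                dest = images_dir / pres.name / f.name
                shutil.move(str(f), str(dest))
                summary["images"].append(dest)
            else:
                # Unknown files are left in place for the administrator to review.
                summary["skipped"].append(f)
    return summary


def demo() -> dict:
    """Build a constructed old-style installation in a temp dir, migrate it,
    and return the summary with paths relative to the installation base."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        docroot = base / "public_html"
        old_data = docroot / "data"
        for name in ("intro", "keynote"):
            d = old_data / name
            d.mkdir(parents=True)
            (d / PROPERTIES_FILE).write_text(f"name={name}\ncurrent_slide=1\n")
            (d / "slide01.png").write_bytes(b"constructed, not a real PNG")
            (d / "notes.bak").write_text("leftover file")
        private_dir = base / "slidepresenter_data"  # sibling of docroot, not under it
        images_dir = docroot / "slides"
        result = migrate(docroot, old_data, private_dir, images_dir)
        # After the move, no properties file is reachable through the web root.
        assert not any(is_inside(p, docroot) for p in result["properties"])
        return {k: [str(p.relative_to(base).as_posix()) for p in v]
                for k, v in result.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The point of `layout_is_safe` is that the choice of directories is what closes the hole; a migration that silently accepted a “private” directory still under the document root would leave upgraded installations exactly where they started.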

It just so happens that this issue of upgrading to a new data structure is the one issue that remained undone in slidePresenter-0.40 when the beta version was released. This means that if I am going to spend the time to write upgrade scripts for a new release of the 0.30 branch, slidePresenter users might be better off if I would instead use that time to write upgrade scripts for the 0.40 branch, then publish a stable release of 0.40, and let users upgrade to that.

Although I would not normally discontinue support for the 0.30 branch until a stable release of the 0.50 branch, it seems in this case to be less work, both for me (avoid coding similar features twice), and for the community (avoid upgrading to 0.34 now — including conversion to a new data structure — and then again to 0.40 — converting to yet another data structure — soon afterward).

Note that this is still a fairly small community, so your concerns carry a lot of weight. If you have specific reasons why you will not be able to upgrade to slidePresenter-0.40 and need a patch for the 0.30 branch, contact me (see the README.txt file in the distribution). I will do my best to help address your specific situation.

* I should point out that this “significant security hole” is also in place in many very popular software packages, including WordPress, which powers this very site. Regardless, I believe it would be irresponsible to continue publishing slidePresenter without doing all I can to eliminate such a vulnerability.
