[archived] General discussion

[nodiscc]

General discussion about Shaarli, this fork, sharing interesting resources, whatever. Offtopic allowed.

https://github.com/shaarli/Shaarli/wiki

[Salan54]

Hi, thanks for your work !
By default, links are opened in the same page/tab. Is there a way to open them in a new tab/page ? Thanks.

Bonjour et merci pour votre travail !
Par défaut, les liens s'ouvrent dans la même page/onglet. Y a-t-il un moyen pour qu'ils s'ouvrent systématiquement dans un nouvel onglet/page ?
Merci.

[nodiscc]

@Salan54 bonne question. Je pense qu'on pourrait rajouter une option pour que les liens s'ouvrent avec target="_blank" (dans un nouvel onglet). J'ai un peu bossé sur Shaarli ces derniers jours et j'attends les commentaires des autres mainteneurs et des utilisateurs sur https://github.com/shaarli/Shaarli/pulls et https://github.com/shaarli/Shaarli/issues avant d'entreprendre autre chose.

[nodiscc]

http://myrepos.branchable.com/ great software if you manage multiple git repositories (myrepos package in debian). Run mr register in each git repository, go back to the parent directory and run mr fetch; mr status

[e2jk]

I am no fan of target="_blank", instead just use the middle click on your mouse (or press the left and right buttons simultaneously if you have a laptop). That way you control which pages you want to open in a separate tab (if you plan to just check out if that was the link you wanted, or want to open multiple links at once) or if you want to just continue with that specific page.

A couple of arguments about this topic:
http://www.trilithium.com/johan/2005/03/target-blank/
http://www.nngroup.com/articles/the-top-ten-web-design-mistakes-of-1999/ (listed as one of the op 10 Web Design Mistakes of 1999)
http://www.searchenginejournal.com/when-not-to-use-target_blank-link-attribute/19924/ (OK when "linking to PDF document" or "link to supplemental information")

[nodiscc]

@Salan54 In fact I think I agree with @e2jk , you'd better use middle-click, or "open in new tab", as it allows you to control what links you want to open in a new tab. After thinking about it, I hate sites that force new tabs. It breaks the back button and spaws a myriad of tabs.

forcing new windows to open is disrespectful and hostile

@e2jk your links were quite good :) Sold for me, we won't add this. @Salan54 Please read the links mentioned above, and if you really want to force new tabs (I think you don't), you can add target="_blank" to https://github.com/shaarli/Shaarli/blob/master/tpl/linklist.html#L43 on your install. But it will get erased if you upgrade.

[Salan54]

J'ai lu avec beaucoup d'intérêt les liens indiqués par @e2jk. Je partage tout à fait sa position : il n'est pas souhaitable de forcer l'ouverture des liens dans un nouvel onglet depuis un site "standard". Mais Shaarli n'est pas un site "standard" mais un "annuaire de liens" et il me semble un peu extrême de vouloir appliquer ici la règle universelle.
Certes, je sais ouvrir un lien dans un nouvel onglet en usant des facilités offertes par les navigateurs. C'est déjà plus difficile depuis un navigateur tablette (ex: Dolphin). Je travaille souvent avec "mon" Shaarli ouvert dans un onglet sur une sélection de liens que je veux parcourir les uns après les autres et pouvoir garder l'onglet Shaarli ouvert tandis que les liens cliqués s'ouvrent dans d'autres onglets est très pratique. J'ai d'ailleurs découvert que c'est le comportement adopté par Firefox 33 quand on "épingle" l'onglet Shaarli.
Bref, OK pour adopter la règle "laissons l'utilisateur choisir d'ouvrir des onglets supplémentaires" pour les sites standards mais pas d'accord pour Shaarli. Ceci étant, je ne suis qu'un simple utilisateur et mon seul but en ouvrant le topique dans la catégorie "discussion" était de savoir s'il existait une méthode pour que les liens cliqués via Shaarli s'ouvrent dans un nouvel onglet : le "truc" indiqué par @nodiscc répond parfaitement à ma demande.
Merci à vous deux.
Sorry for the french message but my english is not good enough to express myself dans la langue de Shakespeare ;-)

[ArthurHoaro]

Hi there.

I'm quite new to this fork community and its goals, so I went through your issue/PR list. I'm a bit confused about themes, templates and plugins.

From what I understand :

• theme : custom CSS file (also resources like images or sprites?).
• template : all RainTPL template files with CSS and resources.
• plugin : also RainTPL files called by templates.

While I understand the requirement, those features look poorly compatible between them.
A theme is designed to be used with only one template, and every template needs at least one theme (its CSS + resources).

I suggest that themes should be placed inside one tpl directory (and those two would be merged).

About plugins, there is not a lot we can do the way they're made, except being well documented for templates creator.

And don't worry, I also know that's low priority. 🐃

[nodiscc]

@ArthurHoaro Good summary, thanks. Yes, we need to come up with a clean directory structure if we want to support third-party themes, templates and plugins. Themes and templates repos are currently experimental/unsupported, and serve the purpose of centralizing currently available ressources for Shaarli. Plugin support is not ready yet. They will need cleanup before they are actually usable. Your are right that the CSS files are template-specific. I'll post a directory/file structure proposal soon.

[nodiscc]

Regarding the directory structure change: I think we should get the plugin system working first. Please help reviewing #52. This system makes use of raintpl includes. So the dir structure will be influenced by this.

[nodiscc]

I am forwarding a discussion from Debian's security mailing list.

Re: poor code quality in shaarli package, remove from Debian?
10 messages
Emilien Klein <[email protected]> 1 janvier 2015 03:52
À : Paul Wise <[email protected]>
Cc : Debian Security <[email protected]>, Georges Khaznadar <[email protected]>, Julien Voisin <[email protected]>, nodiscc <[email protected]>
Adding nodiscc in CC, the main pusher of the community fork.

2014-12-31 21:20 GMT-05:00 Paul Wise <[email protected]>:
> Hi folks,
>
> I was discussing the CVE issued for the shaarli package with the person
> who found the issues (Julien, CCed)

Can you link to that CVE?
I will reported this upstream (github) to make the original upstream
developer and the community fork developers aware of it.

>  and came to the conclusion that the
> code is terrible, upstream maintenance has stopped and the package
> should be removed from Debian entirely. Here is our IRC log:
>
> <jvoisin> I'm quite sure that no one should use shaarli anyway. It's not maintained, and the code is awful :/
> <pabs> do you think it should be removed from Debian?
> <jvoisin> https://github.com/sebsauvage/Shaarli/ Last commit one year ago, almost 100 issues, …
> <jvoisin> I think so, yes
> <jvoisin> https://github.com/sebsauvage/Shaarli/blob/master/index.php#L302
> <pabs> seems reasonably well maintained in Debian, so I would suggest filing a bug on the package itself about this
> <jvoisin> This is not even remotely funny.
> <pabs> it seems pointless but what would the downside be?
> <jvoisin> This is predictable
> <jvoisin> and https://github.com/sebsauvage/Shaarli/blob/master/index.php#L440 looks like an arbitrary redirect to me
> <jvoisin> Anyway, I don't care that much about this 2500LoC PHP script
> <pabs> there are several more instances of this in the code
> <jvoisin> yup

The version currently packaged in Debian is from the [hopefully
temporary] community fork [0], due to the inactivity on the side of
the original developer.
[0] https://github.com/shaarli/Shaarli

We are working with the original developer to get things moving again
[1], but he has indicated that he doesn't expect to be able to merge
the community fork before spring.
[1] https://github.com/sebsauvage/Shaarli/issues/191#issuecomment-68188141

The last "officially" released version is 0.0.41beta (don't ask about
the versioning scheme... community fork going to 1.0 soon), the
version in Debian called 0.0.42beta is the state as represented in
HEAD of the official repo, but the fork is already almost 70 commits
further, fixing bugs, merging pull requests made towards upstream.
There is activity, as the users of Shaarli do demand that. Hence my
original effort to package that in Debian.
Since a large number of changes were made around/after the Jessie
freeze, I am currently waiting for Jessie to be released to push for
the release of a new community version, and package that in Debian.

I would much rather have shaarli removed from Jessie for now, but kept
in unstable/testing so that we can include the latest fixes from the
community fork, and include a fix for the mentioned CVE.
Is that an acceptable solution, security-wise?

    +Emilien

Salvatore Bonaccorso <[email protected]>    1 janvier 2015 08:18
À : Emilien Klein <[email protected]>
Cc : Paul Wise <[email protected]>, Debian Security <[email protected]>, Georges Khaznadar <[email protected]>, Julien Voisin <[email protected]>, nodiscc <[email protected]>
Hi Emilien,

Replying only on the last part:

On Wed, Dec 31, 2014 at 09:52:19PM -0500, Emilien Klein wrote:
> I would much rather have shaarli removed from Jessie for now, but kept
> in unstable/testing so that we can include the latest fixes from the
> community fork, and include a fix for the mentioned CVE.
> Is that an acceptable solution, security-wise?

This sound reasonable yes. Could you fill an according removal from
testing bug against release.debian.org to have it removed jessie.

Regards,
Salvatore

Georges Khaznadar <[email protected]>   1 janvier 2015 19:50
À : Salvatore Bonaccorso <[email protected]>
Cc : Emilien Klein <[email protected]>, Paul Wise <[email protected]>, Debian Security <[email protected]>, Julien Voisin <[email protected]>, nodiscc <[email protected]>
I agree too.

By the way: I wish you a happy new year!

nodiscc <[email protected]> 1 janvier 2015 20:45
À : Georges Khaznadar <[email protected]>
Cc : Salvatore Bonaccorso <[email protected]>, Emilien Klein <[email protected]>, Paul Wise <[email protected]>, Debian Security <[email protected]>, Julien Voisin <[email protected]>
Hello everyone,
feel free to remove the shaarli package from Jessie if it doesn't meet expected quality.
Keeping it in unstable might be reasonable, if you think so.
I'd like to see the CVE mentioned for Shaarli earlier, I can't find it at https://security-tracker.debian.org/tracker/source-package/shaarli
I help maintaining the community fork at https://github.com/shaarli/Shaarli, so please report any bugs you can find in the issue tracker if appropriate, and we'll try to deal with them.

Thanks

Happy new year to you all !

Emilien Klein <[email protected]> 1 janvier 2015 22:46
À : Salvatore Bonaccorso <[email protected]>
Cc : Paul Wise <[email protected]>, Debian Security <[email protected]>, Georges Khaznadar <[email protected]>, Julien Voisin <[email protected]>, nodiscc <[email protected]>
2015-01-01 2:18 GMT-05:00 Salvatore Bonaccorso <[email protected]>:
[Texte des messages précédents masqué]
Done: bug#774382 (note: might not be tagged appropriately?)
Thanks,
   +Emilien

Paul Wise <[email protected]> 2 janvier 2015 01:52
À : nodiscc <[email protected]>
Cc : Georges Khaznadar <[email protected]>, Salvatore Bonaccorso <[email protected]>, Emilien Klein <[email protected]>, Debian Security <[email protected]>, Julien Voisin <[email protected]>
On Thu, 2015-01-01 at 20:45 +0100, nodiscc wrote:

> I'd like to see the CVE mentioned for Shaarli earlier, I can't find it
> at https://security-tracker.debian.org/tracker/source-package/shaarli

It is listed in the Resolved section of that page, direct link:

https://security-tracker.debian.org/tracker/CVE-2013-7351

> I help maintaining the community fork at
> https://github.com/shaarli/Shaarli, so please report any bugs you can
> find in the issue tracker if appropriate, and we'll try to deal with
> them.

The chat log forwarded to you in an earlier message contains a few
issues, there are probably more though.

Personally I would recommend a rewrite using a web framework rather than
using raw PHP, you will avoid many of the issues straight away and it
will be far easier to add new features. I would also recommend using a
language other than PHP, eg Python+Django/Flask.

The OWASP community have documented many vulnerability classes, you
might want to have a look at their site:

https://www.owasp.org/

--
bye,
pabs

https://wiki.debian.org/PaulWise

nodiscc <[email protected]> 2 janvier 2015 19:35
À : Paul Wise <[email protected]>
Cc : Georges Khaznadar <[email protected]>, Salvatore Bonaccorso <[email protected]>, Emilien Klein <[email protected]>, Debian Security <[email protected]>, Julien Voisin <[email protected]>
>It is listed in the Resolved section of that page, direct link:
> https://security-tracker.debian.org/tracker/CVE-2013-7351

This vulnerability is currently fixed so there should be no particular problem with it, is there?

> The chat log forwarded to you in an earlier message contains a few
> issues, there are probably more though.

So far I see:

> <jvoisin> https://github.com/sebsauvage/Shaarli/blob/master/index.php#L302
> <jvoisin> This is not even remotely funny.
> <jvoisin> This is predictable

I fail to see in which way this is predictable. Do you mean possible collisions in SHA-1? Is mt_rand() itself predictable?
Keep in mind that there is a safeguard in place against bruteforce login attempts.
If you can suggest using something else, we will gladly change this.


> <jvoisin> and https://github.com/sebsauvage/Shaarli/blob/master/index.php#L440 looks like an arbitrary redirect to me

If you can think of a way this can be exploited for malicious purposes, please disclose it (either here or on the public bug tracker)
We will immediately start working on a fix and inform users about the issue.
By the way, I can't find a public archive of this discussion, is it available somwhere? It could provide valuable feedback.

> Personally I would recommend a rewrite using a web framework rather than
> using raw PHP, you will avoid many of the issues straight away and it
> will be far easier to add new features. I would also recommend using a
> language other than PHP, eg Python+Django/Flask.

We don't have the manpower for a rewrite now. We'd rather fix bugs that are reported to us, via the Github
issue tracker, or the Debian BTS.

> Anyway, I don't care that much about this 2500LoC PHP script"
Ugly code is ugly, and vulnerable code is vulnerable. The two are not to be confused.
Shaarli certainly falls in the first category.

As I said earlier, I think it IS ok to remove shaarli from Jessie as there is currently much work going on, but
in all cases please report bugs concerning actual security issues. OWASP good practices do not forbid using
PHP. They do warn about open redirects but AFAIK, https://www.owasp.org/index.php/Open_redirect can not lead to an exploit on Shaarli.
An Apache/PHP setup also has the advantage to be easier to deploy

You can see some recent commits at https://github.com/shaarli/Shaarli/commits/master
Current issues https://github.com/shaarli/Shaarli/issues?q=
This is the milestone for the next beta https://github.com/shaarli/Shaarli/milestones/0.9beta

Code contributions as well as documentation/discussion/reporting bugs is welcome

Thanks for your time working on Debian

Paul Wise <[email protected]> 3 janvier 2015 01:20
À : nodiscc <[email protected]>
Cc : Georges Khaznadar <[email protected]>, Salvatore Bonaccorso <[email protected]>, Emilien Klein <[email protected]>, Debian Security <[email protected]>, Julien Voisin <[email protected]>
On Fri, 2015-01-02 at 19:35 +0100, nodiscc wrote:

> This vulnerability is currently fixed so there should be no particular
> problem with it, is there?

Correct.

> I fail to see in which way this is predictable. Do you mean possible
> collisions in SHA-1? Is mt_rand() itself predictable?
> Keep in mind that there is a safeguard in place against bruteforce
> login attempts.
> If you can suggest using something else, we will gladly change this.

I'll let Julien clarify this.

> If you can think of a way this can be exploited for malicious
> purposes, please disclose it (either here or on the public bug
> tracker)

Sites with open redirect vulnerabilities are often used by spammers
which can result in domains getting marked as spammy in the various spam
DNSBLs.

> By the way, I can't find a public archive of this discussion, is it
> available somwhere? It could provide valuable feedback.

The discussion was just on an IRC channel so there are no public archives.

> As I said earlier, I think it IS ok to remove shaarli from Jessie

This has now happened:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774382#15
https://packages.qa.debian.org/s/shaarli/news/20150102T163914Z.html

> OWASP good practices do not forbid using PHP.

True, my aversion to PHP is due to having wrote some truely horrid and
vulnerable code a long time ago plus this article:

http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

I don't really want to get involved in auditing the codebase, but
searching the codebase for mt_rand shows that you are using mt_rand
salted SHA-1 for the password hashing. I would recommend switching to
the current best practice of using scrypt (or bcrypt).

http://pecl.php.net/package/scrypt

I'd also recommend not including the embedded code copies of jQuery,
qr-js/jsqrencode, jQuery UI, jQuery lazyload, RainTPL in the git
repository, they will only get out of date that way. I don't know how
things are done in the PHP world but probably there is a package manager
for PHP that users should use to install the dependencies?

In addition you are violating the GPL because you are distributing
qr.min.js without the source code for it (presumably qr.js).
[Texte des messages précédents masqué]

nodiscc <[email protected]> 11 janvier 2015 15:15
À : Paul Wise <[email protected]>
Cc : Georges Khaznadar <[email protected]>, Salvatore Bonaccorso <[email protected]>, Emilien Klein <[email protected]>, Debian Security <[email protected]>, Julien Voisin <[email protected]>
> searching the codebase for mt_rand shows that you are using mt_rand
> salted SHA-1 for the password hashing. I would recommend switching to
> the current best practice of using scrypt (or bcrypt).

Yes we should stay away from SHA-1
Thanks https://github.com/shaarli/Shaarli/issues/94

> http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

Thanks for the very good article, and true. Yes we should make shaarli smaller/cleaner; in progress https://github.com/shaarli/Shaarli/issues?q=label%3Acleanup+
A rewrite with flask would be good (but another project and different server config). Shaarli has the advantage of being already written and very simple to install.
We'll try to overcome problems with the platform



> not including the embedded code copies of jQuery,
> qr-js/jsqrencode, jQuery UI, jQuery lazyload, RainTPL in the git
> repository, they will only get out of date that way.

yes we should keep the libraries up-to date and versioned
(unstable has 1.7.2 vs 1.11 on jquery.com :/)
This was just done at https://github.com/shaarli/Shaarli/pull/99

There are PHP package managers (pear, pecl...) but we would need to include/depend on them.
Or the libraries need to be in debian repos (and other distributions)
Pear is also not-so-secure. PECL needs command line access, and is not packaged for debian.


> In addition you are violating the GPL because you are distributing
> qr.min.js without the source code for it (presumably qr.js).

aye sorry. https://github.com/shaarli/Shaarli/issues/96, this is fixed
(if a proper copyright/source notice is enough for GPL compliance, I think it is)

Is this ok if I copy this discussion to shaarli's bug tracker/general discussion?

Thanks for your help. More info is welcome

Paul Wise <[email protected]> 12 janvier 2015 00:54
À : nodiscc <[email protected]>
Cc : Georges Khaznadar <[email protected]>, Salvatore Bonaccorso <[email protected]>, Emilien Klein <[email protected]>, Debian Security <[email protected]>, Julien Voisin <[email protected]>
On Sun, 2015-01-11 at 15:15 +0100, nodiscc wrote:

> Thanks https://github.com/shaarli/Shaarli/issues/94

bcrypt is easily able to be differentiated from SHA-1 as it includes a
specific prefix, not sure how pikzen got that idea.

https://en.wikipedia.org/wiki/Bcrypt

> A rewrite with flask would be good (but another project and different
> server config). Shaarli has the advantage of being already written and
> very simple to install.

Please focus on the rewrite and try to get Shaarli users to migrate.

> yes we should keep the libraries up-to date and versioned

Please remove them from the git repository instead.

> (unstable has 1.7.2 vs 1.11 on jquery.com :/)

I expect after jessie is released the JavaScript team will be looking at
having multiple versions of jQuery in Debian, based on compatibility.

> There are PHP package managers (pear, pecl...) but we would need to
> include/depend on them.

Definitely don't include any third-party code, but do depend on them.
For people not using Linux distros or using Linux distros that don't
contain all the dependencies you can include a setup script.

> Or the libraries need to be in debian repos (and other distributions)

Yes they should be packaged for Debian instead:

https://wiki.debian.org/EmbeddedCodeCopies

> Pear is also not-so-secure.

Do you have any references about the Pear security issue? In Debian I
see we know about two minor issues in Pear:

https://security-tracker.debian.org/tracker/CVE-2014-5459
https://security-tracker.debian.org/tracker/CVE-2006-0931

> PECL needs command line access, and is not packaged for debian.

Why is command-line access a problem?

The php-pear Debian package contains the pecl command-line tool and
there are already various PECL modules in Debian, what is missing?

> aye sorry. https://github.com/shaarli/Shaarli/issues/96, this is fixed
> (if a proper copyright/source notice is enough for GPL compliance, I
> think it is)

That only adds the copyright/license information, it doesn't fix the GPL
compliance issue. Please re-read the GPL, especially GPLv3 section 6.

https://www.gnu.org/licenses/gpl.html

> Is this ok if I copy this discussion to shaarli's bug tracker/general
> discussion?

Fine by me.

So far:

• I wasn't able to find a way to exploit the redirect based on user POST.
• Pear/PECL/composer is not an option because Shaarli must remain installable on servers without SSH access (shared hosting)
• Versioned JS files & centralized licenses #99 should fix the license problem. Regarding GPL compliance, I think linking to the unminified source site is enough; see https://www.gnu.org/licenses/gpl.html section 6:

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source [...] If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

So I think we meet the GPL requirements. Will ask for more info on the mailing list (I can't find a world-viewable archive of this list), comments are welcome.

Edit: my reply to the mailing list:

Hello,

I have forwarded this discussion at
https://github.com/shaarli/Shaarli/issues/44#issuecomment-70526704
with some more questions about GPL compliance (I really think linking
to the source is enough)

About the rewrite, there's already a bookmark sharing web application,
written in python at
https://github.com/bookieio/Bookie
I'll let you judge the complexity/simplicity of this vs. 2500 lines of
(ugly) php


Have a nice day

[e2jk]

FYI I have created a Gitter chat room to discuss Shaarli. Have a look at https://gitter.im/shaarli/Shaarli
I will add the "usual suspects" to the chat room as well.

[nodiscc]

v0.0.43beta released! Thanks to everyone involved.

[nodiscc]

I've registered a bountysource project for Shaarli. Anyone can now vote for issues there instead of adding +1s to the bug tracker. You can also place bounties (starting with $5 I think) on bugs; anyone that fixes a bug on which a bounty has been placed can claim it. The bountysource badge is displayed in the main README.

Sorting of plugin requests in #14 is almost over. The current plugin system implementation is on the new-plugin-system branch. Pull requests to improve it welcome, even dirty/unfinished, we'll rebase and squash later. Authors of original plugin requests have been informed. Plugin requests that are of no immediate interest have been moved to https://github.com/shaarli/Shaarli/wiki/Ideas-for-plugins

I've started removing owners from the organization (people that have shown no sign of life since the fork). The remaining owners are @e2jk @sebsauvage @Sbgodin and myself. It think it's enough since we are active in maintaining the code/issues. @ArthurHoaro has write access to the templates repository.

I've started reorganizing the shaarli-themes repo to make it compatible with 0.0.43beta and clean the stylesheets. I think we'll not implement a theme selector for several reasons; continuing in #22

[ArthurHoaro]

Maybe you can add the bountysource link in the readme.

EDIT: Uh nevermind. I was looking at my not updated fork repo.

[nodiscc]

@ArthurHoaro it's on top, next to to the gitter link

[nodiscc]

I think we could add some tag management/general organization tricks to the wiki, some have been discussed here #146 (comment)

[nodiscc]

I've managed to use my IM client (pidgin) to login to https://gitter.im/shaarli/Shaarli. It's not straightforward so here is how to do it:

• Go to https://irc.gitter.im/, login and copy your token
• In your messaging client, create a new IRC account. Server is irc.gitter.im, username is your Github username, password is your token (the server password, not the auth/NickServ password)
• Make sure you enable SSL. Works on both ports 6667 and 6697

[nodiscc]

Another bookmark sharing and management web app: https://github.com/plainmade/unmark / https://unmark.it/. Added to the wiki.

[nodiscc]

I've updated the milestones. Feedback welcome. 0.0.44beta will be released on Sunday after merging these patches.

[ArthurHoaro]

I think template support should be set before 1.0 milestone since it's an important change. Also I don't really see why #143 is in milestone 1.0 while most other minor (priority) improvements are in 1.1. But overall, that's great!

[nodiscc]

You're right. Edited milestones.

[nodiscc]

0.0.44beta released. Again, thanks to you all.

[nodiscc]

0.0.45beta released, fixes 2 small bugs.

[alexisju]

Dans le linklist, pour l'affichage de l'url d'une note, ce ne serait pas mieux que ce soit une url absolue qui soit affichée? Ca me pertube un peu de n'avoir qu'un morceau d'url affichée entre les balises et

[nodiscc]

Another interesting project that lists Shaarli: https://github.com/Kickball/awesome-selfhosted

Contributions are welcome :)

[alexisju]

I wonder if a hashtag system would not be interesting. The idea is that, in the description, any word ahead of # is linked to ?searchtags=[theword]

But maybe there is a potential difficulty of compatibility with a markdown plugin...

[ArthurHoaro]

I like the idea. There is no conflict with Markdown: #hashtag - # title (space required).

[nicolasdanelon]

Sorry but... what's the difference between the current tag system (_?searchtags=cms_)

[ArthurHoaro]

We should discuss that in #278.

There is no difference, except it creates an automatic link when you write an #hashtag in the description.

[nodiscc]

Time for a new release? There has been a fair amount of changes since 0.0.45beta, including bug fixes.

$ git log --oneline master...v0.0.45beta
f22a494 Merge pull request #295 from Knah-Tsaeb/patch-1
caaae9b Merge pull request #289 from virtualtam/make-clean
bb2948c [fix]  #293
d0ce99e Makefile: do not call `clean` before `test`
2ac5938 Merge pull request #290 from virtualtam/travis-container
39d06fa Travis: use the container-based infrastructure
874f858 Merge pull request #271 from virtualtam/php53
d1e2f8e PHP: ensure 5.3 compatibility, refactor timezone utilities
5b0ebbc Merge pull request #257 from ArthurHoaro/tag-http-referer
775803a Prevent redirection loop everytime we rely on HTTP_REFERER:
1dcbe29 English mistake cf sebsauvage/Shaarli#221
6ac95d9 Fixes warning 'Undefined index: searchtags' while filtering by tags.
7bd3542 Merge pull request #262 from ArthurHoaro/dup-tags
781e8aa Avoid tag duplicates
bba021d Merge pull request #268 from ArthurHoaro/dailrss-template
1b73f35 Merge pull request #269 from virtualtam/fix/read-config
f3b8f9f Include the whole <item> in dailyRSS
50c9a12 Fix: data/config.php was not imported
49ca756 Merge pull request #267 from virtualtam/linkdb/private-names
07b6fa7 LinkDB: prefix private members with an underscore
e92f1ba Merge pull request #255 from ArthurHoaro/config
dd484b9 All settings are now stored in config.php
7f1dfd1 Merge pull request #251 from virtualtam/linkdb/date-format
9186ab9 LinkDB::filterDay(): check input date format
46d83c2 Merge pull request #264 from ArthurHoaro/daily-nav
f3db377 Fixes #260: previous/next day links in daily
eee711c Merge pull request #254 from virtualtam/test/linkdb/datastore
0037fbe LinkDBTest: only check that the datastore is created and non-empty
fe4e883 doc: bump php requirement to php 5.4, fixes https://github.com/shaarli/Shaarli/issues/250
d72ae3d Merge remote-tracking branch 'ArthurHoaro/default-links'
2fbadc3 Merge remote-tracking branch 'virtualtam/linkdb/remove-globals'
da9b0e3 [doc] sync doc with latest wiki, build HTML
927a841 [doc] update CONTRIBUTING
eae648d duplicated id removed
41145f7 awesome.css restored. width bug fixed.
d257f25 Merge pull request #249 from fbartels/patch-1
ddfc400 Restore compatability with php 5.3
9c8752a LinkDB: do not access global variables
30e6f1c Fixes unit tests: checking datastore filesize instead of hash.
598376d Change fresh install default link
64bc92e move escape() and sanitizeLink() to application/Utils.php
eaefcba Merge remote-tracking branch 'ArthurHoaro/input-escape' into next
9f15ca9 LinkDB: add 'hidePublicLinks' parameter to the constructor
ae63027 add travis-ci.org build status to README
b6a88fa Add link to 'Running unit tests wiki page'
4c68c20 Merge remote-tracking branch 'nicolasdanelon/master' into next
38eb1e7 cursor pointer for label (ux improvement)
504a425 fix no javascript
c68da3f Page title if there is a single link Fixes #232
5f85fcd Working on shaarli/Shaarli#224
3d713bd Update awesomplete.css
e6cd88b filter input search responsive fixed (mobile)
0923a2b add tabindex 1/2 to search and tags fields
e883685 Merge remote-tracking branch 'origin/doc-contributing'
4a5827f Merge remote-tracking branch 'ArthurHoaro/daily-date' into next
adb1d6c Merge remote-tracking branch 'nicolasdanelon/master' into next
578a84b re-add readDb() missing from previous merge
38a0c25 Merge remote-tracking branch 'virtualtam/test/link-db' into next
0fe3641 Merge remote-tracking branch 'ArthurHoaro/search-tag-awesomplete' into next
7d338fa Merge remote-tracking branch 'virtualtam/travis' into next
25c4640 fix login desktop
f30aa97 login enhance for mobile
4de7144 Daily page: date format in template
ca74886 LinkDB: move to a proper file, add test coverage
3821b1e Create CONTIBUTING.md
a037ac6 Do not load links if they're hidden (also fix shaarli/Shaarli#202)
65d6251 Add awesomplete to tag search shaarli/Shaarli#49
13d07f9 Add Travis CI config
cbecab7 split annoyingpatterns list on multpile lines, add new patterns for removal:  * utm_content=  * fb=  * xtor=
f95d042 Merge branch 'really-hide' of https://github.com/pikzen/Shaarli into next
8b3c67f Merge remote-tracking branch 'Marsup/firefox-social' into next
d33c5d4 Add Firefox Social API to the tools. Fixes #101.
59c90f5 Properly hide all links
f5b0592 Display date as today if no articles published
569ffb5 doc: add demo to README fixes https://github.com/shaarli/Shaarli/issues/198
caee7ff change wording and variable names for "Hide public links" feature
0c45b01 Merge remote-tracking branch 'pikzen/disable-public' into next
5078492 Merge remote-tracking branch 'ArthurHoaro/localecharset' into next
c5db827 Merge branch 'pandoc' into next
1caf200 Merge commit '326ae54' into next
8fa1ebd Allow disabling all public links, fixes #188
da49603 #193 add UTF8 by default to autoLocale
6811469 doc: remove old mdwiki index.html
b84c913 doc: point footer link to local html documentation
a57a12e doc: sync doc/github-markdown.css from wiki
7a32b17 add local HTML documentation generated with 'make htmldoc'
82af78b use pandoc to generate local HTML documentation fixes https://github.com/shaarli/Shaarli/issues/178 run 'make htmldoc'
10070c3 doc: update documentation (sync from wiki)
f3e89f5 cleanup: makefile comments
8438a2e Fixes autoLocale function by trying several way to find a correct one. Fix https://github.com/shaarli/Shaarli/issues/184
326ae54 Fix missing permalink title when logged in
82cfe1f Merge pull request #183 from pikzen/fix-absolute-urls
b47f515 Display notes as absolute URLs
a5752e7 Fix bad merge commit Define date format in templates instead of index.php.
2f4ab7c update doc
d3b2b45 Display notes as absolute urls Fixes https://github.com/shaarli/Shaarli/issues/177 Merge commit '3ea318dad05954e2043d5bb2f8572b103d7c3930' into notes-absolute-url Conflicts:   index.php
3139a6c Fix php error in daily RSS
880cbf9 Fixes autoLocale function by trying several way to find a correct one.
bec1870 Define date format in templates instead of index.php.
3ea318d Display notes as absolute urls.

[virtualtam]

Agreed :)

What about adding intermediate milestones?
E.g. tag the current version as 0.1, and start using pseudo-SemVer to fill the holes till we reach 0.9 and 1.0:

• 0.1.z to 0.4.z for alpha,
• 0.5.z to 0.9.z for beta,
• x.y.z for stable releases ("true" SemVer).

[ArthurHoaro]

+1 for the release.

I don't know about version standards, but anything would be better than 0.0.45. :)

[nicolasdanelon]

+1 for the release too :)

[nodiscc]

Happy birthday shaarli/Shaarli and thanks everyone for keeping it flying

[virtualtam]

🍰 \o/ 🍰

[nodiscc]

I have updated/rewritten shaarchiver and audio/video archival are working perfectly!

If someone is able to help for the next step (downloading webpages in a logical way - calls to wget?), and other TODOs in bookmarks-fetcher.py (mostly catching and reporting errors), please let me know! Feedback welcome

[virtualtam]

I can help with CI stuff, dependency management and virtualenvs in Python 😈

Also, Shaarchiver could be integrated as a Shaarli plugin, to one-click archive media content :)

[nodiscc]

The tool is in a very early stage, but if you'd like to write a simple test, I'm all ok! Always happy to learn.

I like virtualenv but prefer to rely on my distro's package manager for dependencies.

Being written in Python it would need wsgi to run server-side (no PHP frontend running shell_exec plz) and a decent frontend to keep track of archival progress (it can take long, my last batch was about ~3h download - my backups directory is about 16GB, media only).

Being a tool for locally archiving files I don't know if it makes sense to run it server-side. You could always setup a cron job for periodic runs though.

[virtualtam]

Note: this is a draft, open to discussion -feel free to suggest a different/better versioning planning :)

Note II: future tags should be both annotated and GPG-signed -working on it

New milestones

The current major Works In Progress are, by descending order of priority:

• all bugfixes and minor improvements under review
• Plugin System: Plugin proposition #275 for the core + all plugin PRs (@nodiscc, @ArthurHoaro)
  • functional and in advanced review phase
  • reviewers and testers are welcome ;-)
• code refactoring: PageCache (no PR yet, WIP) (@virtualtam)
• local documentation: Documentation internal links #227, Doc: sync from Wiki, generate HTML #294 (@virtualtam)

Intermediate milestones could be added as follows:

• 0.3.1 - security fixes ([fix] FUD Full Path Disclosure #298, Fixes #299: prevent 404 on '?edit_link' while logged out #301, [...])
• 0.3.2 - improve local documentation
• 0.4.x - introduction and stabilization of the plugin system + code plugins
• 0.5.x - codebase refactoring + unit testing + common coding convention
• 0.6.x - template refactoring, W3C compliance
• [...]
• 0.9.x - Community fork branding (licenses, logos, visual identity...)
• 1.0.0 - Profit!

Past commits

Here's a suggestion for tagging past commits and switch to a new versioning scheme. This is a bit rough and artificial, but provides an overall idea of the progress that has been made lately :)

Please note that the displayed version will still be v0.0.45beta

v0.3.0

• ensure PHP 5.3 compatibility
• Travis: switch to the container-based infrastructure

462bfb1 Add Requirements section in README (link to wiki).
f22a494 Merge pull request #295 from Knah-Tsaeb/patch-1
caaae9b Merge pull request #289 from virtualtam/make-clean
bb2948c [fix]  #293
d0ce99e Makefile: do not call `clean` before `test`
2ac5938 Merge pull request #290 from virtualtam/travis-container
39d06fa Travis: use the container-based infrastructure
874f858 Merge pull request #271 from virtualtam/php53
d1e2f8e PHP: ensure 5.3 compatibility, refactor timezone utilities
5b0ebbc Merge pull request #257 from ArthurHoaro/tag-http-referer
775803a Prevent redirection loop everytime we rely on HTTP_REFERER:
1dcbe29 English mistake cf sebsauvage/Shaarli#221
6ac95d9 Fixes warning 'Undefined index: searchtags' while filtering by tags.
7bd3542 Merge pull request #262 from ArthurHoaro/dup-tags
781e8aa Avoid tag duplicates

v0.2.0

• start code refactoring
  • LinkDB
  • Utils
• introduce unitary tests and Travis builds
• move all settings to data/config.php

bba021d Merge pull request #268 from ArthurHoaro/dailrss-template
1b73f35 Merge pull request #269 from virtualtam/fix/read-config
f3b8f9f Include the whole <item> in dailyRSS
50c9a12 Fix: data/config.php was not imported
49ca756 Merge pull request #267 from virtualtam/linkdb/private-names
07b6fa7 LinkDB: prefix private members with an underscore
e92f1ba Merge pull request #255 from ArthurHoaro/config
dd484b9 All settings are now stored in config.php
7f1dfd1 Merge pull request #251 from virtualtam/linkdb/date-format
9186ab9 LinkDB::filterDay(): check input date format
46d83c2 Merge pull request #264 from ArthurHoaro/daily-nav
f3db377 Fixes #260: previous/next day links in daily
eee711c Merge pull request #254 from virtualtam/test/linkdb/datastore
0037fbe LinkDBTest: only check that the datastore is created and non-empty
fe4e883 doc: bump php requirement to php 5.4, fixes https://github.com/shaarli/Shaarli/issues/250
d72ae3d Merge remote-tracking branch 'ArthurHoaro/default-links'
2fbadc3 Merge remote-tracking branch 'virtualtam/linkdb/remove-globals'
da9b0e3 [doc] sync doc with latest wiki, build HTML
927a841 [doc] update CONTRIBUTING
eae648d duplicated id removed
41145f7 awesome.css restored. width bug fixed.
d257f25 Merge pull request #249 from fbartels/patch-1
ddfc400 Restore compatability with php 5.3
9c8752a LinkDB: do not access global variables
30e6f1c Fixes unit tests: checking datastore filesize instead of hash.
598376d Change fresh install default link
64bc92e move escape() and sanitizeLink() to application/Utils.php
eaefcba Merge remote-tracking branch 'ArthurHoaro/input-escape' into next
9f15ca9 LinkDB: add 'hidePublicLinks' parameter to the constructor
ae63027 add travis-ci.org build status to README
b6a88fa Add link to 'Running unit tests wiki page'
4c68c20 Merge remote-tracking branch 'nicolasdanelon/master' into next
38eb1e7 cursor pointer for label (ux improvement)
504a425 fix no javascript
c68da3f Page title if there is a single link Fixes #232
5f85fcd Working on shaarli/Shaarli#224
3d713bd Update awesomplete.css
e6cd88b filter input search responsive fixed (mobile)
0923a2b add tabindex 1/2 to search and tags fields
e883685 Merge remote-tracking branch 'origin/doc-contributing'
4a5827f Merge remote-tracking branch 'ArthurHoaro/daily-date' into next
adb1d6c Merge remote-tracking branch 'nicolasdanelon/master' into next
578a84b re-add readDb() missing from previous merge
38a0c25 Merge remote-tracking branch 'virtualtam/test/link-db' into next
0fe3641 Merge remote-tracking branch 'ArthurHoaro/search-tag-awesomplete' into next
7d338fa Merge remote-tracking branch 'virtualtam/travis' into next
25c4640 fix login desktop
f30aa97 login enhance for mobile
4de7144 Daily page: date format in template
ca74886 LinkDB: move to a proper file, add test coverage
3821b1e Create CONTIBUTING.md
a037ac6 Do not load links if they're hidden (also fix shaarli/Shaarli#202)
65d6251 Add awesomplete to tag search shaarli/Shaarli#49
13d07f9 Add Travis CI config

v0.1.0

• improve dates and locale handling
• improve note URLs
• add a local copy of the GitHub wiki

fcbecab7 split annoyingpatterns list on multpile lines, add new patterns for removal:  * utm_content=  * fb=  * xtor=
f95d042 Merge branch 'really-hide' of https://github.com/pikzen/Shaarli into next
8b3c67f Merge remote-tracking branch 'Marsup/firefox-social' into next
d33c5d4 Add Firefox Social API to the tools. Fixes #101.
59c90f5 Properly hide all links
5b0592 Display date as today if no articles published
569ffb5 doc: add demo to README fixes https://github.com/shaarli/Shaarli/issues/198
caee7ff change wording and variable names for "Hide public links" feature
0c45b01 Merge remote-tracking branch 'pikzen/disable-public' into next
5078492 Merge remote-tracking branch 'ArthurHoaro/localecharset' into next
c5db827 Merge branch 'pandoc' into next
1caf200 Merge commit '326ae54' into next
8fa1ebd Allow disabling all public links, fixes #188
da49603 #193 add UTF8 by default to autoLocale
6811469 doc: remove old mdwiki index.html
b84c913 doc: point footer link to local html documentation
a57a12e doc: sync doc/github-markdown.css from wiki
7a32b17 add local HTML documentation generated with 'make htmldoc'
82af78b use pandoc to generate local HTML documentation fixes https://github.com/shaarli/Shaarli/issues/178 run 'make htmldoc'
10070c3 doc: update documentation (sync from wiki)
f3e89f5 cleanup: makefile comments
8438a2e Fixes autoLocale function by trying several way to find a correct one. Fix https://github.com/shaarli/Shaarli/issues/184
326ae54 Fix missing permalink title when logged in
82cfe1f Merge pull request #183 from pikzen/fix-absolute-urls
b47f515 Display notes as absolute URLs
a5752e7 Fix bad merge commit Define date format in templates instead of index.php.
2f4ab7c update doc
d3b2b45 Display notes as absolute urls Fixes https://github.com/shaarli/Shaarli/issues/177 Merge commit '3ea318dad05954e2043d5bb2f8572b103d7c3930' into notes-absolute-url Conflicts:   index.php
3139a6c Fix php error in daily RSS
880cbf9 Fixes autoLocale function by trying several way to find a correct one.
bec1870 Define date format in templates instead of index.php.
3ea318d Display notes as absolute urls.

[nodiscc]

I agree about the new milestones.

About versioning, let's release 0.3.0 0.5.0 without intermediary versions, with the following release notes:

v0.5.0
 * move all settings to data/config.php
 * Fixes for locale handling, notes URLs, date handling, redirections, daily RSS, title display
 * Properly hide all links when `HIDE_PUBLIC_LINKS` option is set
 * Add Firefox Social API
 * More annoying URL patterns removal
 * Start code refactoring:  LinkDB, Utils
 * Remove duplicate tags for each link
 * Search/Filter by tag fieds can now be accessed quickly with the `Tab` key
 * Update documentation, demo at http://shaarlidemo.tuxfamily.org/

Is this ok? 0.3.0 is still > 0.0.45 and we don't have to create "artificial" releases/versions/tags.

[virtualtam]

Works for me, I'll take care of:

• bumping the version to 0.5.0
• creating a GPG-signed, annotated tag for v0.5.0
• creating a 0.5.0 milestone to put all solved/closed issues & PRs
• creating the future milestones: v0.5.1, v0.6.0... (basically, the suggested milestones, shifted by 0.2 :p)
• sorting issues & PRs
• adding a doc page for maintainers to create GPG-signed tags

[virtualtam]

GnuPG signature added to the wiki!

Should we archive this discussion thread and open a new one?

[nodiscc]

Nice work on the documentation, as always :)
Yes this thread is getting quite long! Let's keep it open so that it can be seen in the issues list.

Future discussion should go in #308

[virtualtam]

Closing this issue, as it's referenced in #308, the wiki and #353 - Releases / Roadmap