Author Topic: phpmyadmin - under review?  (Read 4680 times)
jelv1

Posts: 1978


« on: May 22, 2007, 08:43:22 am »

Is the version of phpmyadmin used by Plusnet under review?

Current Plusnet version: 2.7.0-pl2 (released 2005-12-27)

Latest release: 2.10.1 (released 2007-04-24)

Looking at http://www.phpmyadmin.net/home_page/security.php there seem to have been quite a few security issues in the meantime. Could these be a risk?

jelv
petervaughan
Usergroup Member

Posts: 2490


« Reply #1 on: May 22, 2007, 08:51:12 am »

The same could be said of PHP - 4.3.10 is also old!
mikeb

Posts: 656


« Reply #2 on: May 22, 2007, 12:31:56 pm »

Sorry, not in the least bit constructive but has to be said IMHO:

Quote from: Phil Webb
This incident has highlighted the importance of keeping systems as secure as possible. It is important to ensure that you always have the latest operating system updates and patches installed.

I take it that PN isn't taking its own (generally speaking, good) advice then? Although I do realise that the comment is intended to refer to Windoze or other fundamental OS updates. Are there any other ye olde versions of anything else still being used in anger and particularly long after any potential security issues would no doubt have been fairly widely publicised? What is the PN policy regarding applying updates and/or patches to the third party or open-source code that it uses?

--
WARNING: The e-mail address on my profile is not my usual address, all messages sent via this site have been redirected elsewhere for test purposes. This could result in messages not being received in a timely manner or potentially not being received at all.
MauriceB
Administrator

Posts: 3958

« Reply #3 on: May 22, 2007, 01:33:24 pm »

Raised as PUGIT Issue 311
Matt_2k34

Posts: 387

« Reply #4 on: May 22, 2007, 07:30:29 pm »

I don't understand why we have to 'vote' for things to be updated. I'm *sick* of telling Plusnet how to do their end of the deal, they should have been making sure everything was up to date in the first place. I don't want to vote every time there's a phpmyadmin or PHP etc. software update...

Surely this should be common practice?

Quote
Sorry, not in the least bit constructive but has to be said IMHO:

Neither is losing an unaccountable amount of e-mails to persons sending spam?

PlusNet is 'trying' to earn back some of the image that it had 18 months ago; not keeping up to date isn't going to help. PN isn't the only ISP not keeping up to date though, Be* has been having problems recently, but hey, there's no point being the 'best of a bad bunch', you gotta be head and shoulders above the rest - like before, and like PN have promised to be...
« Last Edit: May 22, 2007, 07:36:54 pm by Matt_2k34 »

-----------
=)
xpcomputers
Usergroup Member

Posts: 1073

« Reply #5 on: May 23, 2007, 01:22:14 pm »

What is needed is a target deadline to have installed all crucial patches and updates by. Something like 2 months or 28 days after release. Really urgent patches should be installed quicker; less important feature updates could be given a longer timeframe.

The problem comes as soon as you lag a year behind the bleeding edge, it becomes a lot harder to catch up again.

There should be two stages of targets.

The first stage (say by 7 days after any release) would be the time needed to assess any new patch or update and make a decision about how urgent it is, and when it will be implemented by (taking into account workload, and work needed to carry out update).

The second deadline would be decided as part of the first stage but would consist of a choice (for example):
"within 14 days of release" for urgent.
"within 28 days of release" for semi urgent.
"within 90 days of release" for not urgent but important.
"within 6 months of release" for feature upgrades.

These targets should be published and measured upon.

The lengths of time I have picked are totally off the top of my head, so are probably completely wrong, but are used as an example to give the idea. It seems that the more often these things are kept up to date, the easier it is to stay ahead. As soon as you are backed into a corner of not being able to keep up to date (like in the modified @Mail code), then it is impossible to keep patched and up to date.

The software should never be allowed to get more than 6 months behind the latest release otherwise it is easier to ignore what you haven't got, rather than implement it.

I hope this helps.
chillypenguin

Posts: 523


« Reply #6 on: May 23, 2007, 03:38:18 pm »

I think the issue is compounded by the fact that PlusNet have about 14* developer posts open at present. (* Number is a few weeks old.)

They can clearly see the requirement to increase their development department, hence the gigantic investment. But are finding it difficult to recruit such a volume of skilled developers.

And I am guessing but this must have an impact on issues like keeping phpmyadmin up to date. As things have to be prioritised. And as the code has been customized for PlusNet to integrate into the portal, then every upgrade will have to be put back through development, to ensure that the new code is compatible.

Chilly

No Polar Bears were harmed in making this post.
"Not free from Faults, nor yet too vain to mend."
MauriceB
Administrator

Posts: 3958

« Reply #7 on: May 23, 2007, 05:38:04 pm »

Quote from: Matt_2k34
I don't understand why we have to 'vote' for things to be updated. I'm *sick* of telling Plusnet how to do their end of the deal, they should have been making sure everything was up to date in the first place. I don't want to vote every time there's a phpmyadmin or PHP etc. software update...

Surely this should be common practice?

You need to remember that PUGIT is a *joint* venture between PUG and PlusNet.  Voting on any issue gives PUG some view of the priority that the Users place on any Issue. This then gives PUG some leverage with PlusNet.  Similarly when PlusNet are reviewing code changes, the merit value assigned by users can (and does!) have some impact in the internal development meetings.

Hope this puts things into some perspective grin

Matt_2k34

Posts: 387

« Reply #8 on: May 23, 2007, 06:21:05 pm »

Quote
Voting on any issue gives PUG some view of the priority that the Users place on any Issue. This then gives PUG some leverage with PlusNet.

Yes, but what I'm saying is this is a no brainer, we shouldn't be having to tell PN this...

Say you're buying a car... it's like "Do you want airbags?" 'just in case'... it's ridiculous.

-----------
=)
ianwild

Posts: 3979


Not to be confused with Mike, Wildmind.

« Reply #9 on: May 23, 2007, 09:41:30 pm »

It is a no brainer - For a problem like this, people don't need to vote, but for an idea it does help us prioritise - We see hundreds of ideas every month and we can never hope to do them all.

The idea of voting on a problem should be more like the feature on our portal where you can say "This problem affects me".

I'll make sure there is a response on phpmyadmin first thing tomorrow.

Ian

Regards,

Ian Wild
PlusNet Support
petervaughan
Usergroup Member

Posts: 2490


« Reply #10 on: May 23, 2007, 10:24:20 pm »

and PHP, which seems to have been forgotten both here and in the PUGIT item.
dan
Plusnet Staff

Posts: 33

« Reply #11 on: May 24, 2007, 11:13:51 am »

Quote from: jelv1
Is the version of phpmyadmin used by Plusnet under review?

Current Plusnet version: 2.7.0-pl2 (released 2005-12-27)

Latest release: 2.10.1 (released 2007-04-24)

Looking at http://www.phpmyadmin.net/home_page/security.php there seem to have been quite a few security issues in the meantime. Could these be a risk?

Thanks for this.  We had already got phpmyadmin on our priority list but we have now brought this forward having read your post.  We'll keep you informed during the day as to what we do.

Thanks again,

Dan Kirkland
Software Platform Manager
bpullen
Plusnet Staff

Posts: 1276


« Reply #12 on: May 24, 2007, 12:23:45 pm »

Hi guys,

I'm about to post an emergency maintenance announcement. We'll be taking the platform offline to review the situation and formulate a potential upgrade plan/alternative.

Bob Pullen
Plusnet Support Team

jelv1

Posts: 1978


« Reply #13 on: May 24, 2007, 01:19:22 pm »

For anyone who needs to do administration of their database can I suggest they download MySQL Administrator or MySQL Query Browser from http://www.mysql.com/products/tools/

jelv
dan
Plusnet Staff

Posts: 33

« Reply #14 on: May 24, 2007, 01:36:44 pm »

Quote from: jelv1
For anyone who needs to do administration of their database can I suggest they download MySQL Administrator or MySQL Query Browser from http://www.mysql.com/products/tools/

We're currently looking at the patches that are required to phpmyadmin, but at the same time are looking at various alternative tools.  If anyone would like to make any recommendations then we'll try to look at those too.  Did people like phpmyadmin?  Do you want to use something else?  Please let us know.

Regards,

Dan Kirkland
Software Platform Manager