#5367 WordPress Cookie Authentication Vulnerability takes us back to when the modern password handling in WordPress was born, partially due to a vulnerability report at the time. More because we were ready for it. It’s great to read through and watch decisions being made as familiarity grew.
This is a smaller release in the grand scheme of things, though the first (!) as a new organization. The milestone has been ready for several weeks now. Thanks goes to Aaron Jorbin for prodding it along.
Quite a bit has been stable since v1.0, so we’re in a good spot to make a couple big changes in the next release including PHP 5.5.
From the changelog:
- Transition to Varying Vagrant Vagrants organization.
- Add a CONTRIBUTING document.
- wp-cli calls in VVV core.
- Use a new global composer configuration.
- zip as a package during provisioning.
- Introduce a helpful caveats section.
- tcp_nodelay config in Nginx. Reasoning in 0cce79501.
As always, feel free to stop by and open an issue if there’s something you’d like to see!
Transparency prospers in a linked medium, for you can literally see the connections between the final draft’s claims and the ideas that informed it.
This is a very transformative moment for the Varying Vagrant Vagrants project.
About a week ago, I reached out to Jake with a proposal to move VVV from under the wing of 10up to an organization of its own. We’ve been cruising along for just over a year, have around 125 unique visitors on the repository a day, and have a nice regular community of contributors. We have received pull requests from just around 40 contributors (!!!) and the issues are constantly a lively place of discussion.
Jake immediately agreed and we were able to talk through the process and the future very quickly. 10up has been a gracious and excellent host for VVV this entire time—the farewell post is great—and I’m looking forward to future steps we can take as a community now that we’re on our own.
I’d like to think that the goal to bring Vagrant to the forefront of WordPress developers’ minds has been accomplished. Through VVV and other related projects, the use of a development environment that closely matches production has come a long way.
I do think that VVV is the best tool out there for contributing to WordPress core. We provide stable, trunk, and develop versions of WordPress and everything needed to run the Grunt build tools and PHPUnit unit tests.
With that in mind, I think we should be able to line up a few goals.
- Continue being the place for a WordPress core development environment. This primarily means that we stay on top of the tools that core introduces into the development flow. Providing an approachable way to use these tools and documentation will go a long way.
- Directly related to goal one, some of the advancements we make should be around testing multiple versions of everything. If we can make it easy to fire up a PHP 5.x environment and test Nginx or Apache with WordPress 3.x or 4.x, that would be amazing.
- VVV has an excellent method for auto site setups. Over time we’ve had some nice demand for a few that could help quite a bit. It would be great to see a couple that provide basic setups for WordPress multisite and WordPress under Apache rather than our default of Nginx.
- Bring other tools to the forefront of WordPress developers’ minds. It may be great to see versions of VVV that harness Salt, Puppet, or Chef rather than the bash scripting that we’ve forced upon the project so far. VVV has an opportunity to be a learning tool for all of us in exploring methods of testing, provisioning, and deployment.
So please chime in with any suggestions that you may have. I’d love to toss the keys to a few new repositories over to anybody that’s interested in building out new tools. Feel free to use the main VVV repository under the Varying Vagrant Vagrants organization to open an issue and discuss your thoughts. We can split things off as needed.
Over time we’ll get more organized and set up a more official forum for discussions as well as some contributing guidelines. I’m going to reach out to a few regular contributors and get them added as committers. We also need to spend some time with licensing to see if we can get away with GPL for everything or if another would be more applicable to the work that we’re doing.
That’s that. Thank you all for being so great. Here’s to the next year of VVV.
I was an early user of WordPress in the grand timeline of events.
Officially, my first long term installation was WordPress 1.5 in 2005. That site was a chronicle of my dad’s bicycle ride across the country and has been running continuously for about 9 years. It was even “0wn3d” at some point by hackers when I didn’t upgrade and I had some cleaning up to do.
The other day I upgraded this same installation from 3.4.1 to 3.8 and had no troubles at all. That made me happy.
I don’t remember giving much of a thought to contributing for many years. I created many various blogs using WordPress and hunted the Internet for things I could add.
It took me until 2009 to register for my first plugin while I joined the excitement around rssCloud. Joseph Scott beat me to it and I never actually populated the repo.
I like to think of this as the “They” period.
They released an update. They should include this feature. They make it easy to have a blog.
In 2011 I quit my 12 year career, we travelled around Europe a bit, and then landed in Portland. Without a job—and without knowing the first thing about freelancing—I decided that I should attend that year’s WordCamp.
Mostly because it was only $20 and lunch was included.
The addiction hit pretty hard once I got a sense of the community. For all the grief that unconference sessions can sometimes get, they were amazing for me.
We stood around in a group with Joey and discussed developer challenges and solutions. I started talking about deployment with Zack, a concept we’re still trying to solve today. I watched a fascinating Nacin explain WP Query to a room full of developers. I got lunch!
I quickly started in on my plugins. All about data portability, I made one for YouTube and for Instapaper. A fantastic automatic featured image post creator that the blackhat community LOVES. A way to set the posts per page value for any type of page view. I started following more of the WordPress community, absorbing all the information I could get.
You could call this the “Outsider” period.
I wasn’t necessarily referring to the WordPress project as “They” any longer, but I wasn’t entirely familiar with the goings on. While the community was absolutely approachable at WordCamp, things suddenly seem so different without faces in an online place where everybody else knows what they’re doing.
Hint… that last sentence couldn’t be less true.
Things changed quick as I was thrust into the world of WordPress full time.
My immediate charge was to build the new UniversalSports site from scratch over the next few months to be hosted on WordPress.com VIP. I learned so much during this period through building and failing and code reviewing and everything.
And the “We” period began.
“They” switched to “We” inside my head and I became a community member. I paid attention to dev chats for the most part. I read code. I planned out what WordCamps I wanted to attend and started thinking of topics to speak on.
While helping Helen troubleshoot an issue with one of her client sites, we stumbled on a mistyped character in some oEmbed code. I frantically created a ticket and a patch with her guidance, worried the entire time that all of the people who already know all the answers were going to come in and fix it before I had the chance.
But that doesn’t happen. There’s always a place to contribute. Nobody comes out to bite when you create a ticket, nobody slaps your code down. In fact, the community loves when a new face appears on Trac with any type of activity.
The patch was eventually committed and I felt amazing. On the contributors list for 3.4!
This is where the train starts moving. Once I was past that hurdle, a whole new world opened up. I wanted to contribute!
But finding a place still seemed so hard!
Becoming a Contributor.
I’m going to shift gears a bit, because this story is so long and there’s so much more to tell. The rest is a natural continuation summed up into what I think you should take away from this.
Types of patches in Jeremy’s perceived order of difficulty:
- In the process of developing X, I found this quick Y. This is what my first patch came from. While not working directly on WordPress core, something came up. When investigated, it turned out to be a bug. One character patch, good to go. The best thing that can be done to create patches for WordPress core is to spend time in WordPress core.
- I want to fix a bug. There are many, many things in WordPress waiting to be fixed that only need attention. This involves finding a place you’re interested in and testing. If you can reproduce a reported issue, you’re more than half way to a solution.
- I want to introduce this enhancement. There isn’t a bug around this issue, but it’s something you think should be added. Open a ticket, make your case, stay on top of it, and be prepared to wait. Don’t avoid voicing an opinion. Don’t avoid creating a patch as a proof of concept.
- X is broken and needs to be overhauled. You’re an addict now. And in reality, this is a combination of the first 3 types. Be prepared for the long haul as this isn’t a one day deal. Commit to being involved with the conversation for months and years. In the process, you’ll come across plenty of the first 3 on this list to keep you in the release notes.
Of course, patches very much aren’t everything. I only lead with that because code is usually my focus. Commenting, testing, and sorting tickets make up the majority of work done when making progress as a community.
Types of Trac activity in Jeremy’s perceived order of difficulty:
- Comment. Go to Trac, find a ticket, and voice your thoughts. This can be a “+1” or a “-1” or an epic tale of how the extra padding on a button feels weird.
- Testing. Patches are only as good as the testing that was done on them. So many things often end up stuck only because more testing is needed. Go through the process of downloading and applying the patch to trunk. Ask for help if you need it. And test!
- Sorting. Over time, you’ll become more and more familiar with how Trac is organized. As things are created, they need to be filed with proper components and milestones and such. After commenting and participating you’ll wake up one day to find that you’ve been given Bug Gardener status. Now you can help in the due diligence of sorting tickets. Woot!
And one more list. No perceived order of difficulty.
- Cultural and language hurdles. Communication via text can be tough. It’s so hard to convey emotion and so easy to read into things that aren’t things at all. Read anything you come across as if it was said with a pleasant tone. Nuances in the English language are hard enough for native speakers and we’re a worldwide community!
- Uncommitted patches are not a waste of time. I would be surprised if the number of uncommitted patches on Trac doesn’t exceed the number of committed patches ten fold. Each one of these is progress toward a communal goal—make WordPress better. Submitting a patch and not having it accepted is not a waste of time.
- Embracing backward compatibility. WordPress is backward compatible and this can be tough. It’s often much easier to create a patch that solves “my problem” without having to worry about how it affects 20% of the Internet. We don’t have the luxury of tossing those in. From time to time a patch could be held back because there is no immediate approach that can guarantee existing sites don’t break. Submitting this patch was not a waste of time, even if a wait is required.
So that’s that. Jeremy’s path to becoming and guide to being a WordPress core contributor.
There’s a gaggle of friendly WordPress folk waiting in IRC and on Trac to help you jump in when you’re ready. Get on it!
I’ve been thinking a lot over the last many months on how to approach the use of varying URL structures in a single multisite installation of WordPress. Another conversation on Twitter tonight reminded me there are quite a few developers out there itching to improve the process. I’m going to attempt to convey my current thoughts here.
Your comment made me realize I need to stop calling it “domain mapping.” This wording stems from the fact that a top-level domain is “mapped” to an existing subdomain or existing subdirectory.
Multisite has historically been a choice between two options: Am I going to organize all of my sites with subdirectories or subdomains?
This is great if the structure of sites you’ll be maintaining on your network is planned this way. The wrench usually appears when an entirely new domain needs to be supported.
It’s at this point when a developer can turn to a plugin solution–likely WPMU Domain Mapping–to map this domain to an existing site in a subdirectory or subdomain structure.
- When a request for http://newexample.com is received, load
- When a request for http://newexample.com is received, load
Of course a more complex requirement may come up at some point that involves something more than just a new domain.
The solution required here is some sort of custom sunrise.php file to help route requests combined with some process to store domain and path information for each site into the wp_blogs table in the database. I’ll offer the sunrise we’ve started to use at WSU as an example.
This is where the true mapping happens, whether it’s done by WordPress core in ms-settings.php, a sunrise file provided by a developer, or by the sunrise file provided by the WPMU Domain mapping plugin. A requested URL is parsed into a domain (host) and a path (subdirectory). This information is then checked against something, likely wp_blogs, to determine what $site_id should be used when loading WordPress.
So continues our unfortunate nomenclature. $blog_id is telling WordPress what site to load. That site happens to belong to a network which is tied to
Anyhow. This is how we should think of the entire process:
- When a request for this domain and path is received, use this site’s information when loading WordPress.
Beyond a few sanity driven technical limitations, such as nested subdirectories, we shouldn’t care too much about that domain and path combination. Our primary concern when a request is received is whether or not that domain and path match an existing site in the database. If they do, then we can properly load all of the data associated with that site and its parent network.
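A sketch of that lookup, added here as an example and not taken from the WSU sunrise file or from WordPress core: the route_request helper and the sample rows are constructed for illustration, and an in-memory array stands in for the wp_blogs table. It assumes single-level subdirectories only and treats the Host header as untrusted input that is normalized and validated before any matching.

```php
<?php
// Constructed sample rows in the shape of wp_blogs (blog_id, site_id, domain, path).
$wp_blogs = [
    ['blog_id' => 1, 'site_id' => 1, 'domain' => 'example.com',    'path' => '/'],
    ['blog_id' => 2, 'site_id' => 1, 'domain' => 'example.com',    'path' => '/howdy/'],
    ['blog_id' => 3, 'site_id' => 2, 'domain' => 'newexample.com', 'path' => '/'],
];

// Hypothetical helper: map a requested host and URI to a wp_blogs row, or null.
function route_request(string $host, string $uri, array $rows): ?array {
    // The Host header is client-supplied: lowercase it, drop any port,
    // and refuse anything that is not a plain hostname.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
    if (!preg_match('/\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?\z/', $host)) {
        return null;
    }
    // Keep only the path component, then reduce it to its first segment,
    // since nested subdirectories are outside what this sketch supports.
    $path     = (string) parse_url($uri, PHP_URL_PATH);
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    $first    = $segments ? '/' . strtolower($segments[0]) . '/' : '/';

    $fallback = null;
    foreach ($rows as $row) {
        if ($row['domain'] !== $host) {
            continue;
        }
        if ($row['path'] === $first) {
            return $row;          // exact domain + path match wins
        }
        if ($row['path'] === '/') {
            $fallback = $row;     // root site registered for this domain
        }
    }
    return $fallback;             // null when the domain is not in the table
}

// Constructed requests: mixed case and port, a root-site page, a second
// network's domain, an unknown domain, and a malformed Host value.
foreach ([['EXAMPLE.com:8080', '/howdy/2014/post/'], ['example.com', '/about/'],
          ['newexample.com', '/'], ['unknown.test', '/'], ['bad host', '/']] as [$h, $u]) {
    $site = route_request($h, $u, $wp_blogs);
    echo $h, ' ', $u, ' => ',
        $site ? "blog_id {$site['blog_id']}, network {$site['site_id']}" : 'no site', "\n";
}
```

Returning null for an unknown or malformed host lets the caller decide on a redirect or an error page, so an unrecognized Host value never silently loads the main site.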
There are a few additional caveats that will be related as we figure this out:
- Cookie management. If a user is a member of a single site, this should be no trouble. If a user is a member of sites that have different domains, then this becomes a harder issue to account for. One option is to require that user to login twice to access both sites. If we’re good, we can take care of both at once.
- Conflicts. When supporting a mix of domains and subdirectories, we’ll want to make sure that those subdirectories don’t conflict with other possible slugs created with content or by WordPress core. If http://example.com/ has a page slug of howdy, we don’t want to allow the site http://example.com/howdy/ to be created.
- Allowed characters. A mixture of rules exists in WordPress core at the moment around user and site creation. We’ll want to confirm what characters we want to allow in domains and in paths when sites are created.
I’m not sure if this all helps us figure out what to call it, but I do think something like routing is more apropos than mapping. This is part of a routing process that takes pieces of a requested URL and determines what to output as a response.