CMSMS 2.0 Smarty Reversion
Posted: Sun Aug 23, 2015 7:01 pm
As some of you may have seen, the Dev Team have recently come to the conclusion that we must revert CMSMS 2.0 from Smarty 3.1.27 to Smarty 3.1.16 (the same hacked version of Smarty that is distributed with CMSMS 1.12).
Though we feel that this is unfortunate, as there are some significant improvements in the newer versions of Smarty, there are also significant bugs that we felt were show stoppers. Waiting for a revised Smarty version, and initiating another round of testing, didn't feel like the best option at this point.
As good open source citizens we have reported more than a few issues in Smarty (with full explanations and test cases) but rather than delay CMSMS 2.0 again, we felt it was better to proceed with a known-working version.
There are some security issues that were fixed in later versions of Smarty that will not be available. These issues should be of minimal risk as long as those submitting content can be trusted. Most of these security issues relate to the use of php inside Smarty templates, which we have largely disabled.
So what now? We are asking our valued beta testers and international communities to go through hopefully one last set of testing both fresh installs and upgraded websites, and to report any issues to us. At this time, only absolutely critical issues will be addressed. We will be voting on the release at the next Dev Team meeting in early September.
Thanks for your time and patience.
Though we feel that this is unfortunate, as there are some significant improvements in the newer versions of Smarty, there are also significant bugs that we felt were show stoppers. Waiting for a revised Smarty version, and initiating another round of testing, didn't feel like the best option at this point.
As good open source citizens we have reported more than a few issues in Smarty (with full explanations and test cases) but rather than delay CMSMS 2.0 again, we felt it was better to proceed with a known-working version.
There are some security issues that were fixed in later versions of Smarty that will not be available. These issues should be of minimal risk as long as those submitting content can be trusted. Most of these security issues relate to the use of php inside Smarty templates, which we have largely disabled.
So what now? We are asking our valued beta testers and international communities to go through hopefully one last set of testing both fresh installs and upgraded websites, and to report any issues to us. At this time, only absolutely critical issues will be addressed. We will be voting on the release at the next Dev Team meeting in early September.
Thanks for your time and patience.