Upgrade question

PaulYaro

Joined: 2009-04-04
Posts: 23
Posted: Sun, 2009-12-27 17:29

Hi,
I would like to ask my Gallery gurus, such as alecmyers and floridave:
you always recommend upgrading a Gallery installation if someone has an install less than the newest - for security reasons, etc.
However, some users have very customized galleries - very modified core, modules, many hacks, customized language files, etc., with the gallery working perfectly.
So, the normal upgrade procedure will ruin these sites, some modules or themes will be completely useful (even if modified with "local" folders). So, the result: newest version without previous functionality!
BUT - if gallery is used ONLY by admin (no external users, no registration, no comments, no external access), is it also so important to upgrade?
Paul

PS sorry for my poor English

 
alecmyers

Joined: 2006-08-01
Posts: 4342
Posted: Sun, 2009-12-27 18:19

Sounds like you're asking for permission not to upgrade... which of course you don't need - your installation, it can run whatever software you like.

But there are bug fixes (lots) in newer versions, as well as security fixes, and speaking personally I find it much harder to offer advice to people having problems with old versions - whatever the problem is it might have been fixed in the latest release so why should I waste my time even thinking about it? Also I don't have old versions of the source code to look at nor can I test how they work.

 
nivekiam

Joined: 2002-12-10
Posts: 16504
Posted: Mon, 2009-12-28 20:02

Yeah, basically older versions are not supported. Also, just because you're the only admin doesn't mean that some older version might not have some SQL injection exploit that hasn't been discovered. Which means admin or not someone might be able to hack your install. Now, I haven't heard of or seen an install of Gallery (any version) that's been hacked through an exploit within Gallery. Every hacked install I've seen has been due to poor security on the host and/or user's side.

- using FTP (BIG NO-NO) -- Use SFTP

  It's been proven that most sites are hacked by sniffed user names and passwords sent in the clean via FTP. Also make damn sure your computer is free of viruses and never use an untrusted machine (any machine you don't have full and total control over at all times) to log into your sites. Yes, that means even your father's computer (probably especially your father's computer) :)

- using telnet (BIG NO-NO) -- Use SSH
- using WordPress, not keeping this insecure piece of software up-to-date and secured (many tutorials out there for this). WP is fine, if you learn how to not just use it, but administer it and keep it up to date.
- using some other software that hasn't been kept up-to-date and secured.

So, if you want to use an older version, it's up to you, but you're not going to get a lot of support if you run into problems. Personally, I'd grab the latest and do a diff (or use this if on Windows, http://scootersoftware.com/) to see the differences that have been made and try incorporating them into the latest code.

If by "older" you mean 2.2.6, that's probably fine (though there are not a lot of changes between 2.3, or 2.3.1 so upgrading should be easy), much older than that and I don't know about the security issues.

What do you mean "no external access"? If the site isn't public, and only available on your local network, probably not much to worry about in terms of security, however, support still won't be there most likely.

 
PaulYaro

Joined: 2009-04-04
Posts: 23
Posted: Mon, 2009-12-28 23:37

Hi nivekiam,
thank you very, very much! That's exactly what I asked. I do understand all important security rules and I do exactly what you explained.
I use a very customized 2.2.4 gallery that has been working excellently for over a year, absolutely no troubles, so upgrading would only generate problems for me. Fortunately, your excellent forum gives tons of useful information even for older versions like mine.
Sorry for my poor English - by "no external access" I mean there are no users except admin, no registration, comments, etc. Also, the install runs on a private host with over-normal security level.
So, sorry that I wasted your time, but I see that there are hundreds of people having problems after upgrade, maybe some will find your explanations useful as I did.
Thanks for your work and EXCELLENT software!
Paul
:)