Zenphoto - The simpler media website CMS News (Latest news) http://www.zenphoto.org Zenphoto is a standalone CMS for multimedia focused websites. Our focus lies on being easy to use and having all the features there when you need them (but out of the way if you do not). en-US Thu, 24 Apr 2014 08:21:16 -0400 Thu, 24 Apr 2014 08:21:16 -0400 http://blogs.law.harvard.edu/tech/rss Zenphoto RSS Generator
<![CDATA[One app to rule them all (Announcements, News)]]> http://www.zenphoto.org/news/one-app-to-rule-them-all

This post is of course our annual April Fools' Day joke :-)

You will shortly see the 1.4.6 release, which will be our last "traditional" server based application. Afterwards we will follow a new path: the next release of Zenphoto will be an app for Android and iOS. Although there will also be apps for Mac and Linux desktop systems (sorry, no Windows) we strongly believe that the mobile web is the future. Mobile usage on tiny screens is increasing a lot recently among our clients, and "apps" are the Next Big Thing in the world of tech, so it only makes sense.

Zenphoto will still be your number one media management tool for the web. There will still be a themable web front-end, but the backend will be all app. Since this app will be fully cloud powered, you don't need your own webspace or to store or backup photos. Instead the ZP app will rely solely on Dropbox, Box, or our own proprietary peer-to-peer storage solution, which will use all the phones running the app to store all your photos, encrypted of course.

But that is not all: via the ZP app you can use all sorts of online services, from Flickr via Google's Picasa to Twitter's twitpic. You will never need another image tool again! Of course, for you to get the greatest use of this new app your phone will have to join the new Zenphoto peer-to-peer network. We don't plan to integrate a camera feature into the app at this time, although we are considering it.

You will understand that we cannot provide such a tool for free but it will be within the limits of normal app prices.

http://www.zenphoto.org/news/one-app-to-rule-them-all Tue, 01 Apr 2014 00:00:00 -0400
<![CDATA[Zenphoto 1.4.6 now in Beta (Announcements, News)]]> http://www.zenphoto.org/news/zenphoto-1.4.6-now-in-beta In preparation for the Zenphoto 1.4.6 release next week the 1.4.5 release stream has been officially capped. The master branch on GitHub is now the 1.4.6 beta release and the 1.4.6 GitHub branch has been removed.

http://www.zenphoto.org/news/zenphoto-1.4.6-now-in-beta Tue, 25 Mar 2014 05:42:22 -0400
<![CDATA[Zenphoto 1.4.6 dev build needs testers (Announcements, News)]]> http://www.zenphoto.org/news/zenphoto-1.4.6-dev-build-needs-testers We have placed the 1.4.5 release into a "critical fixes only" state so that we can concentrate on completing the 1.4.6 release development and stabilization. This means that we will fix only security issues or fatal crash problems should they occur.

Zenphoto 1.4.6 has not got a final release schedule, but we believe it will be available in a few months. While we do not recommend using 1.4.6 on a production site at this time, we would appreciate any testing efforts that our users can provide.

This is especially true for Theme and Plugin developers. We have made some efforts at "standardizing" a lot of the functions and object methods. This has resulted in a significant volume of change to the software.

You should review the 1.4.6 release document for any change that might impact your development. Let us know about any issue you might find on our forum or, even better, on the issue tracker on GitHub.

http://www.zenphoto.org/news/zenphoto-1.4.6-dev-build-needs-testers Sun, 26 Jan 2014 03:29:27 -0500
<![CDATA[Themes section updates (January 2014) (Announcements, News, Third party)]]> http://www.zenphoto.org/news/themes-section-updates-january-2014 Our contributor gjr released his great new theme zpBase a few days ago. Sadly, he has now abandoned all of his older themes and plugins because he lacks the time to maintain them.

Therefore we moved copies of all his themes that we had to our unsupported GitHub repository, which is the archive of old abandoned ZP stuff. The themes zpFocus, zpMinimal and zpMasonry had been generally updated to work with Zenphoto 1.4.5 by acrylian a while ago. You can see the status of all other things on gjr's contribution page.

Also gone are all themes and plugins by contributor The Whole Live To Learn as the linked website appears to be gone. His flag_language_selector plugin is obsolete anyway as its functionality is already part of the official dynamic-locale plugin. We found copies of the themes and put those on the repository as well. Those are probably (well, for sure) not compatible anymore.

The sites of micheall and gdodinet also seem to be gone and so are some themes and plugins. We also added the theme copies we found to the archive. Micheall fortunately has put some of his plugins on GitHub.

As always, we don't and can't provide support for these but may occasionally update themes to work with current Zenphoto versions, if it is not too much work.

If you read this and are the developer of these themes but just forgot to tell us your new website address, let us know via the obvious channels.

http://www.zenphoto.org/news/themes-section-updates-january-2014 Fri, 24 Jan 2014 14:05:00 -0500
<![CDATA[Zenphoto (Announcements, Changelog, News, Release, Security)]]> http://www.zenphoto.org/news/zenphoto- Zenphoto is a security and bugfix release. Multiple minor errors are corrected.

As usual we recommend all users upgrade for the latest updates and fixes. For more detailed info about the fixes please review the GitHub issues list.

http://www.zenphoto.org/news/zenphoto- Thu, 23 Jan 2014 18:06:40 -0500
<![CDATA[Theming tutorial in Polish (Third party) (News, Third party)]]> http://www.zenphoto.org/news/parts-of-our-theming-tutorial-in-polish We discovered these Polish translations or probably better adaptions of our theming tutorial:

http://www.zenphoto.org/news/parts-of-our-theming-tutorial-in-polish Tue, 21 Jan 2014 15:40:56 -0500
<![CDATA[Zenphoto (Announcements, Changelog, News, Release)]]> http://www.zenphoto.org/news/zenphoto- Zenphoto is a bugfix release. Multiple minor errors are corrected.

As usual we recommend all users upgrade for the latest updates and fixes. For more detailed info about the fixes please review the GitHub issues list.

http://www.zenphoto.org/news/zenphoto- Tue, 24 Dec 2013 18:31:31 -0500
<![CDATA[Zenphoto and the Security Community (Announcements, News, Security)]]> http://www.zenphoto.org/news/zenphoto-and-the-security-community The Zenphoto team typically works in conjunction with the Security Community to ensure that you, our users, can be confident in the environment we provide. The unfortunate nature of software is that bugs creep in. When some of those introduce security issues we are grateful to the Security Community for pointing them out to us.

We take any report seriously

A typical scenario is that a researcher will discover a potential flaw. He will develop an example exploit to verify his hypothesis, and then he will send a report to us describing his analysis and including the example exploit. This is proper scientific methodology consisting of a hypothesis and an experiment to validate it. The two are really integral components. A hypothesis without an experiment is simply speculation without substantiation.

We receive the report, verify that the problem still exists, and if so attempt to speedily correct the issue. The correction will always go into the current support build, which you can download and install if you feel the need. Depending on the severity of the threat we may also make an immediate release, as we know that users are more likely to install a release build than the support release. This deploys the fix to the maximum percent of our community. We also report back to the researcher the details of what release contains the fix and when it is to be generally available. We expect that the researcher's report will include these details so that users reading it will know what action to take.

If the research was done on an earlier version of Zenphoto than the current one, the test case may not succeed on the current release. In this case we presume that the problem has been fixed as a side effect of other changes and so report to the researcher. We expect in this case that the researcher will verify the fix on the current release and so report in his publication.

Sometimes we disagree with the exploit. An example might be when the exploit requires that a logged in user enter contaminated data into a field on the administration pages. Our presumption is that site owners do not deliberately sabotage their sites. (As an aside, if this assumption is wrong there would typically be much simpler means for him to do so than the esoteric exploits we typically see.) What we do in this case will depend on the root analysis and the impact of any fix on Zenphoto usability.

Security and usability

Security and usability are typically tradeoffs. For instance, you can require strong passwords on your site. But this makes them harder to remember for the user, so makes the site less usable. (Or in some circumstances less secure—when the user writes the password down on a post-it note attached to his display screen.) Other times the code needed to prevent the vulnerability can be costly and slow the system down. It was this that led to our removing the front-end editing capability from Zenphoto. We could have made it secure, but that would have placed a performance burden on all access to the site. We did not feel that the cost was justified.

From time to time we receive reports from “researchers” that do not conform to the norm set above. They may omit providing the test exploit or the test may be unrealistic (for instance, presuming that the site owner will deliberately enter the exploiting text). We still take these seriously if we can. If the description does not make sense to us we will request the exploit be updated to a rigorous test.

Reports with missing test cases

Our problem comes when the “researcher” (one legitimate researcher has shared with me the term the community uses for these--Application Security Specialists, or ASS for short) insists on his claim without providing supporting test cases. The typical statement might be “Well if this parameter is so-and-so there will be a security breach.” But that begs the question of whether the parameter could ever in the real world have that value. For instance, if the claim is that it could happen with a Cross-Site Request Forgery (XSRF) then our reasonable response is that XSRF attacks are detected and prevented when the scripts load, so the code at issue will not get executed. To add code wherever there might be a bogus parameter without verification of the possibility of the parameter ever getting that far is irresponsible. It adds overhead for no benefit. It also detracts from the time we can spend making the enhancements our community desires. (Investigating these inadequately documented claims also saps our limited resources.)

We have observed one commonality of the “researchers” who seem unwilling to do thorough research of their claims. They all seem to work for firms who might benefit from instilling fear, uncertainty and doubt in software users. They usually provide a service that can help you “fix” your problems. Perhaps it is a security consultancy; perhaps it is a software analysis tool. It is really sad that these companies...

http://www.zenphoto.org/news/zenphoto-and-the-security-community Wed, 06 Nov 2013 11:39:50 -0500
<![CDATA[Zenphoto (Announcements, Changelog, News, Release)]]> http://www.zenphoto.org/news/zenphoto- This release fixes a critical issue in the Zenphoto involving storing characters with diacritical marks. You should immediately upgrade if you were using

http://www.zenphoto.org/news/zenphoto- Sun, 03 Nov 2013 19:38:17 -0500
<![CDATA[Zenphoto (Announcements, Changelog, News, Release)]]> http://www.zenphoto.org/news/zenphoto- Zenphoto is a bugfix release. Multiple minor errors are corrected.

As usual we recommend all users upgrade for the latest updates and fixes. For more detailed info about the fixes please review the GitHub issues list: https://github.com/zenphoto/zenphoto/issues

http://www.zenphoto.org/news/zenphoto- Sat, 02 Nov 2013 00:00:00 -0400