2019 Lucee Release Schedule

Hello again, Lucee-ers! (Will someone please end our search for an official nickname once and for all?!) Hope 2019 is off to a great start for everyone. It’s time to publish our 2019 release schedule, which will be the third year of planned sprints and regular releases for Lucee. But before I get to that, here’s a quick summary of what we’ve been up to at the beginning of 2019.

Starting in 2017, when I took on the first formal Product Manager role, those of us on the LAS board, along with the rest of the members, wanted to place a big emphasis on getting Lucee into a regular release cycle, including having a formal/published release calendar, and, of course, sticking to it! :thinking: We’ve done a solid job with this, shipping pretty much all of our releases on time (with the occasional delay of a week or two here or there), all the while packing in a metric ton of features and fixes for Lucee.

After two years of that approach, we certainly intend to keep pushing and improving, but as 2019 got underway, we realized we needed to put some focus on the organizational side of Lucee. Without that, there’s no Lucee! We decided to put development efforts on hold for January, and set aside that time instead for long-term, big-picture organizational planning. We have some exciting announcements on the way in the coming weeks, so keep an eye out for those.

Back to the release schedule! The re-organized schedule for 2018 worked exactly as we’d hoped. If you haven’t had a chance to read our reasoning for the change, take a quick peek here. Here’s an updated release timeline for 2019:

Next, here’s an update on Lucee 5.3.1. As we mentioned in the original post about the 5.3.1.87-RC, given how much development went into that build, we wanted to leave it in RC status for a longer period than normal (typically 1 full month). We’d intended to ship a final release at the end of 2018, along with a 5.3.2-RC, but this all got pushed back a bit by the organizational planning activities. During this extra-extended RC period :thinking::thinking:, we did in fact find some significant regressions, so today we’re announcing a second Release Candidate for 5.3.1, which is 5.3.1.94-RC, available for download and testing now. Here are the regressions addressed by the new RC build:

We will make 5.3.1.94 a final release in March, alongside kicking off the first official sprint of 2019, which will produce Lucee 5.3.2-RC at the beginning of April. From there, the schedule resumes as planned for the rest of 2019, including a goal of releasing Lucee 6 in Q4! (But that’s a topic unto itself, so nothing more about that here, other than to note that it’s on our schedule. Stay tuned later in the year for more on this next major release.)

There is still room in the March sprint, so if you haven’t already, please upvote/comment as always, and we’ll tackle your tickets as soon as possible.

Thanks for listening. Looking forward to making 2019 the best year ever for Lucee!

Patrick Quinn
Lucee Product Manager
Board Member

10 Likes

Thanks for all the work you’ve put into this!

2 Likes

This is one of the top voted issues, which is quite straightforward and would be a really good way to further lock down the security of the Lucee admin OOTB

Add SameSite-attribute to cfcookie
https://luceeserver.atlassian.net/browse/LDEV-1236

1 Like

And thanks as well @bdw429s for all the great support you give to the community!

1 Like

I’ve added this to my watch list, @Zackster. It’s related to #412, which has a ton of votes/support. Hopefully we can knock out both at once.

As for a Lucee nickname. What about Lucites?

1 Like

I love it. I’ll declare it the de facto contest winner until further notice. :wink:

There’s going to have to be another RC for 5.3.1?

Error debug after update to 5.3.1.94-RC
https://luceeserver.atlassian.net/browse/LDEV-2184

errr… is 5.3.1 not released? It’s on the downloads page…

Hi all. Some quick clarifying points here. As noted in this post, 5.3.1 was in RC #2 status until last night, when we pushed the final release (5.3.1.95). We’ll have a post about that later today. Meantime, I’m looking into some of the comments coming in today. @Zackster - the bug you just created was for the RC (5.3.1.94) or the release (5.3.1.95)?

I didn’t report that bug; @w.wacker filed it at 6.30pm last night…

Ah, my bad. Reading too many notifications too quickly. :wink: Anyway, I’ll keep an eye on it all today.

Is there ever going to be an official release post about 5.3.1.95?

It would be nice to include a list of the addressed issues since the RC, sort of like
https://luceeserver.atlassian.net/issues/?filter=-4&jql=fixVersion%20in%20(5.3.1.100%2C%205.3.1.101%2C%205.3.1.102%2C%205.3.1.96%2C%205.3.1.97%2C%205.3.1.98%2C%205.3.1.99)%20order%20by%20created%20DESC

(that only includes fixes which have been backported from 5.3.2)

Hi Zac. Of course! We’ve been working on that for the past couple of weeks, actually. It’s been a really unusual release cycle, for a variety of reasons, but we’ve got a final build ready, along with a post detailing everything that has happened since RC 2 came out about a month ago. Should be ready today. Thanks for the prompt.

Can you also add version 5.3.1.95 to jira?

Yes, no ticket for that security patch (only the commit), so we’re circling back to ticket it, and attach the correct FixVersion(s). FYI, the 5.3.1.102 (final) announcement is coming out later today, and it will have a lot more info about all this.

1 Like

@IamSigmund A bit of side commentary which you can take or ignore :slight_smile: In regards to the security “patch”, I disagree on principle that it is really a “patch” or even a “bug” for that matter. IMO it is a security-related enhancement which improves the long-standing default behaviors of file uploads such that they are now more secure-by-default. The difference may be trivial, but I believe Adobe did themselves a huge disservice in their messaging of their corresponding enhancement by billing it as a critical 0-day exploit in the engine itself, which it was not. It’s a fantastic change for the security of the platform, but not a patch for any 0-day exploit. The only exploits existed in 3rd party app code which had not taken proper precautions.

2 Likes

oh, just read up on that, allowing users to upload to a web accessible directory?

Yes, that’s part of it. It’s been long heralded that your CF apps should never upload to a web accessible directory and should always verify the extension and types of uploaded files to ensure they are safe. The security improvements simply help weed out bad files in case the developers unscrupulously put an unfettered upload to a public dir.

Yep, agreed @bdw429s. I was a bit miffed at some of the 0-day and similar commentary, too. IIRC, from the internal Lucee dev team discussion, we deemed it a “moderate” security risk, and definitely not 0-day.

2 Likes