shaarli / Shaarli

The personal, minimalist, super-fast, database free, bookmarking service - community repo
https://shaarli.readthedocs.io/
Other
3.44k stars 295 forks source link

[archived] General discussion #44

Closed nodiscc closed 9 years ago

nodiscc commented 10 years ago

General discussion about Shaarli, this fork, sharing interesting resources, whatever. Offtopic allowed.

https://github.com/shaarli/Shaarli/wiki

Salan54 commented 10 years ago

Hi, thanks for your work ! By default, links are opened in the same page/tab. Is there a way to open them in a new tab/page ? Thanks.

Bonjour et merci pour votre travail ! Par défaut, les liens s'ouvrent dans la même page/onglet. Y a-t-il un moyen pour qu'ils s'ouvrent systématiquement dans un nouvel onglet/page ? Merci.

nodiscc commented 10 years ago

@Salan54 bonne question. Je pense qu'on pourrait rajouter une option pour que les liens s'ouvrent avec target="_blank" (dans un nouvel onglet). J'ai un peu bossé sur Shaarli ces derniers jours et j'attends les commentaires des autres mainteneurs et des utilisateurs sur https://github.com/shaarli/Shaarli/pulls et https://github.com/shaarli/Shaarli/issues avant d'entreprendre autre chose.

nodiscc commented 10 years ago

http://myrepos.branchable.com/ great software if you manage multiple git repositories (myrepos package in debian). Run mr register in each git repository, go back to the parent directory and run mr fetch; mr status

e2jk commented 10 years ago

I am no fan of target="_blank", instead just use the middle click on your mouse (or press the left and right buttons simultaneously if you have a laptop). That way you control which pages you want to open in a separate tab (if you plan to just check out if that was the link you wanted, or want to open multiple links at once) or if you want to just continue with that specific page.

A couple of arguments about this topic: http://www.trilithium.com/johan/2005/03/target-blank/ http://www.nngroup.com/articles/the-top-ten-web-design-mistakes-of-1999/ (listed as one of the op 10 Web Design Mistakes of 1999) http://www.searchenginejournal.com/when-not-to-use-target_blank-link-attribute/19924/ (OK when "linking to PDF document" or "link to supplemental information")

nodiscc commented 10 years ago

@Salan54 In fact I think I agree with @e2jk , you'd better use middle-click, or "open in new tab", as it allows you to control what links you want to open in a new tab. After thinking about it, I hate sites that force new tabs. It breaks the back button and spaws a myriad of tabs.

forcing new windows to open is disrespectful and hostile

@e2jk your links were quite good :) Sold for me, we won't add this. @Salan54 Please read the links mentioned above, and if you really want to force new tabs (I think you don't), you can add target="_blank" to https://github.com/shaarli/Shaarli/blob/master/tpl/linklist.html#L43 on your install. But it will get erased if you upgrade.

Salan54 commented 10 years ago

J'ai lu avec beaucoup d'intérêt les liens indiqués par @e2jk. Je partage tout à fait sa position : il n'est pas souhaitable de forcer l'ouverture des liens dans un nouvel onglet depuis un site "standard". Mais Shaarli n'est pas un site "standard" mais un "annuaire de liens" et il me semble un peu extrême de vouloir appliquer ici la règle universelle. Certes, je sais ouvrir un lien dans un nouvel onglet en usant des facilités offertes par les navigateurs. C'est déjà plus difficile depuis un navigateur tablette (ex: Dolphin). Je travaille souvent avec "mon" Shaarli ouvert dans un onglet sur une sélection de liens que je veux parcourir les uns après les autres et pouvoir garder l'onglet Shaarli ouvert tandis que les liens cliqués s'ouvrent dans d'autres onglets est très pratique. J'ai d'ailleurs découvert que c'est le comportement adopté par Firefox 33 quand on "épingle" l'onglet Shaarli. Bref, OK pour adopter la règle "laissons l'utilisateur choisir d'ouvrir des onglets supplémentaires" pour les sites standards mais pas d'accord pour Shaarli. Ceci étant, je ne suis qu'un simple utilisateur et mon seul but en ouvrant le topique dans la catégorie "discussion" était de savoir s'il existait une méthode pour que les liens cliqués via Shaarli s'ouvrent dans un nouvel onglet : le "truc" indiqué par @nodiscc répond parfaitement à ma demande. Merci à vous deux. Sorry for the french message but my english is not good enough to express myself dans la langue de Shakespeare ;-)

ArthurHoaro commented 9 years ago

Hi there.

I'm quite new to this fork community and its goals, so I went through your issue/PR list. I'm a bit confused about themes, templates and plugins.

From what I understand :

While I understand the requirement, those features look poorly compatible between them. A theme is designed to be used with only one template, and every template needs at least one theme (its CSS + resources).

I suggest that themes should be placed inside one tpl directory (and those two would be merged).

About plugins, there is not a lot we can do the way they're made, except being well documented for templates creator.

And don't worry, I also know that's low priority. :water_buffalo:

nodiscc commented 9 years ago

@ArthurHoaro Good summary, thanks. Yes, we need to come up with a clean directory structure if we want to support third-party themes, templates and plugins. Themes and templates repos are currently experimental/unsupported, and serve the purpose of centralizing currently available ressources for Shaarli. Plugin support is not ready yet. They will need cleanup before they are actually usable. Your are right that the CSS files are template-specific. I'll post a directory/file structure proposal soon.

nodiscc commented 9 years ago

Regarding the directory structure change: I think we should get the plugin system working first. Please help reviewing https://github.com/shaarli/Shaarli/pull/52. This system makes use of raintpl includes. So the dir structure will be influenced by this.

nodiscc commented 9 years ago

I am forwarding a discussion from Debian's security mailing list.

Re: poor code quality in shaarli package, remove from Debian?
10 messages
Emilien Klein <emilien+debian@klein.st> 1 janvier 2015 03:52
À : Paul Wise <pabs@debian.org>
Cc : Debian Security <security@debian.org>, Georges Khaznadar <georgesk@debian.org>, Julien Voisin <julien.voisin@dustri.org>, nodiscc <nodiscc@gmail.com>
Adding nodiscc in CC, the main pusher of the community fork.

2014-12-31 21:20 GMT-05:00 Paul Wise <pabs@debian.org>:
> Hi folks,
>
> I was discussing the CVE issued for the shaarli package with the person
> who found the issues (Julien, CCed)

Can you link to that CVE?
I will reported this upstream (github) to make the original upstream
developer and the community fork developers aware of it.

>  and came to the conclusion that the
> code is terrible, upstream maintenance has stopped and the package
> should be removed from Debian entirely. Here is our IRC log:
>
> <jvoisin> I'm quite sure that no one should use shaarli anyway. It's not maintained, and the code is awful :/
> <pabs> do you think it should be removed from Debian?
> <jvoisin> https://github.com/sebsauvage/Shaarli/ Last commit one year ago, almost 100 issues, …
> <jvoisin> I think so, yes
> <jvoisin> https://github.com/sebsauvage/Shaarli/blob/master/index.php#L302
> <pabs> seems reasonably well maintained in Debian, so I would suggest filing a bug on the package itself about this
> <jvoisin> This is not even remotely funny.
> <pabs> it seems pointless but what would the downside be?
> <jvoisin> This is predictable
> <jvoisin> and https://github.com/sebsauvage/Shaarli/blob/master/index.php#L440 looks like an arbitrary redirect to me
> <jvoisin> Anyway, I don't care that much about this 2500LoC PHP script
> <pabs> there are several more instances of this in the code
> <jvoisin> yup

The version currently packaged in Debian is from the [hopefully
temporary] community fork [0], due to the inactivity on the side of
the original developer.
[0] https://github.com/shaarli/Shaarli

We are working with the original developer to get things moving again
[1], but he has indicated that he doesn't expect to be able to merge
the community fork before spring.
[1] https://github.com/sebsauvage/Shaarli/issues/191#issuecomment-68188141

The last "officially" released version is 0.0.41beta (don't ask about
the versioning scheme... community fork going to 1.0 soon), the
version in Debian called 0.0.42beta is the state as represented in
HEAD of the official repo, but the fork is already almost 70 commits
further, fixing bugs, merging pull requests made towards upstream.
There is activity, as the users of Shaarli do demand that. Hence my
original effort to package that in Debian.
Since a large number of changes were made around/after the Jessie
freeze, I am currently waiting for Jessie to be released to push for
the release of a new community version, and package that in Debian.

I would much rather have shaarli removed from Jessie for now, but kept
in unstable/testing so that we can include the latest fixes from the
community fork, and include a fix for the mentioned CVE.
Is that an acceptable solution, security-wise?

    +Emilien
Salvatore Bonaccorso <carnil@debian.org>    1 janvier 2015 08:18
À : Emilien Klein <emilien+debian@klein.st>
Cc : Paul Wise <pabs@debian.org>, Debian Security <security@debian.org>, Georges Khaznadar <georgesk@debian.org>, Julien Voisin <julien.voisin@dustri.org>, nodiscc <nodiscc@gmail.com>
Hi Emilien,

Replying only on the last part:

On Wed, Dec 31, 2014 at 09:52:19PM -0500, Emilien Klein wrote:
> I would much rather have shaarli removed from Jessie for now, but kept
> in unstable/testing so that we can include the latest fixes from the
> community fork, and include a fix for the mentioned CVE.
> Is that an acceptable solution, security-wise?

This sound reasonable yes. Could you fill an according removal from
testing bug against release.debian.org to have it removed jessie.

Regards,
Salvatore
Georges Khaznadar <georges.khaznadar@free.fr>   1 janvier 2015 19:50
À : Salvatore Bonaccorso <carnil@debian.org>
Cc : Emilien Klein <emilien+debian@klein.st>, Paul Wise <pabs@debian.org>, Debian Security <security@debian.org>, Julien Voisin <julien.voisin@dustri.org>, nodiscc <nodiscc@gmail.com>
I agree too.

By the way: I wish you a happy new year!
nodiscc <nodiscc@gmail.com> 1 janvier 2015 20:45
À : Georges Khaznadar <georges.khaznadar@free.fr>
Cc : Salvatore Bonaccorso <carnil@debian.org>, Emilien Klein <emilien+debian@klein.st>, Paul Wise <pabs@debian.org>, Debian Security <security@debian.org>, Julien Voisin <julien.voisin@dustri.org>
Hello everyone,
feel free to remove the shaarli package from Jessie if it doesn't meet expected quality.
Keeping it in unstable might be reasonable, if you think so.
I'd like to see the CVE mentioned for Shaarli earlier, I can't find it at https://security-tracker.debian.org/tracker/source-package/shaarli
I help maintaining the community fork at https://github.com/shaarli/Shaarli, so please report any bugs you can find in the issue tracker if appropriate, and we'll try to deal with them.

Thanks

Happy new year to you all !
Emilien Klein <emilien+debian@klein.st> 1 janvier 2015 22:46
À : Salvatore Bonaccorso <carnil@debian.org>
Cc : Paul Wise <pabs@debian.org>, Debian Security <security@debian.org>, Georges Khaznadar <georgesk@debian.org>, Julien Voisin <julien.voisin@dustri.org>, nodiscc <nodiscc@gmail.com>
2015-01-01 2:18 GMT-05:00 Salvatore Bonaccorso <carnil@debian.org>:
[Texte des messages précédents masqué]
Done: bug#774382 (note: might not be tagged appropriately?)
Thanks,
   +Emilien
Paul Wise <pabs@debian.org> 2 janvier 2015 01:52
À : nodiscc <nodiscc@gmail.com>
Cc : Georges Khaznadar <georges.khaznadar@free.fr>, Salvatore Bonaccorso <carnil@debian.org>, Emilien Klein <emilien+debian@klein.st>, Debian Security <security@debian.org>, Julien Voisin <julien.voisin@dustri.org>
On Thu, 2015-01-01 at 20:45 +0100, nodiscc wrote:

> I'd like to see the CVE mentioned for Shaarli earlier, I can't find it
> at https://security-tracker.debian.org/tracker/source-package/shaarli

It is listed in the Resolved section of that page, direct link:

https://security-tracker.debian.org/tracker/CVE-2013-7351

> I help maintaining the community fork at
> https://github.com/shaarli/Shaarli, so please report any bugs you can
> find in the issue tracker if appropriate, and we'll try to deal with
> them.

The chat log forwarded to you in an earlier message contains a few
issues, there are probably more though.

Personally I would recommend a rewrite using a web framework rather than
using raw PHP, you will avoid many of the issues straight away and it
will be far easier to add new features. I would also recommend using a
language other than PHP, eg Python+Django/Flask.

The OWASP community have documented many vulnerability classes, you
might want to have a look at their site:

https://www.owasp.org/

--
bye,
pabs

https://wiki.debian.org/PaulWise
nodiscc <nodiscc@gmail.com> 2 janvier 2015 19:35
À : Paul Wise <pabs@debian.org>
Cc : Georges Khaznadar <georges.khaznadar@free.fr>, Salvatore Bonaccorso <carnil@debian.org>, Emilien Klein <emilien+debian@klein.st>, Debian Security <security@debian.org>, Julien Voisin <julien.voisin@dustri.org>
>It is listed in the Resolved section of that page, direct link:
> https://security-tracker.debian.org/tracker/CVE-2013-7351

This vulnerability is currently fixed so there should be no particular problem with it, is there?

> The chat log forwarded to you in an earlier message contains a few
> issues, there are probably more though.

So far I see:

> <jvoisin> https://github.com/sebsauvage/Shaarli/blob/master/index.php#L302
> <jvoisin> This is not even remotely funny.
> <jvoisin> This is predictable

I fail to see in which way this is predictable. Do you mean possible collisions in SHA-1? Is mt_rand() itself predictable?
Keep in mind that there is a safeguard in place against bruteforce login attempts.
If you can suggest using something else, we will gladly change this.

> <jvoisin> and https://github.com/sebsauvage/Shaarli/blob/master/index.php#L440 looks like an arbitrary redirect to me

If you can think of a way this can be exploited for malicious purposes, please disclose it (either here or on the public bug tracker)
We will immediately start working on a fix and inform users about the issue.
By the way, I can't find a public archive of this discussion, is it available somwhere? It could provide valuable feedback.

> Personally I would recommend a rewrite using a web framework rather than
> using raw PHP, you will avoid many of the issues straight away and it
> will be far easier to add new features. I would also recommend using a
> language other than PHP, eg Python+Django/Flask.

We don't have the manpower for a rewrite now. We'd rather fix bugs that are reported to us, via the Github
issue tracker, or the Debian BTS.

> Anyway, I don't care that much about this 2500LoC PHP script"
Ugly code is ugly, and vulnerable code is vulnerable. The two are not to be confused.
Shaarli certainly falls in the first category.

As I said earlier, I think it IS ok to remove shaarli from Jessie as there is currently much work going on, but
in all cases please report bugs concerning actual security issues. OWASP good practices do not forbid using
PHP. They do warn about open redirects but AFAIK, https://www.owasp.org/index.php/Open_redirect can not lead to an exploit on Shaarli.
An Apache/PHP setup also has the advantage to be easier to deploy

You can see some recent commits at https://github.com/shaarli/Shaarli/commits/master
Current issues https://github.com/shaarli/Shaarli/issues?q=
This is the milestone for the next beta https://github.com/shaarli/Shaarli/milestones/0.9beta

Code contributions as well as documentation/discussion/reporting bugs is welcome

Thanks for your time working on Debian
Paul Wise <pabs@debian.org> 3 janvier 2015 01:20
À : nodiscc <nodiscc@gmail.com>
Cc : Georges Khaznadar <georges.khaznadar@free.fr>, Salvatore Bonaccorso <carnil@debian.org>, Emilien Klein <emilien+debian@klein.st>, Debian Security <security@debian.org>, Julien Voisin <julien.voisin@dustri.org>
On Fri, 2015-01-02 at 19:35 +0100, nodiscc wrote:

> This vulnerability is currently fixed so there should be no particular
> problem with it, is there?

Correct.

> I fail to see in which way this is predictable. Do you mean possible
> collisions in SHA-1? Is mt_rand() itself predictable?
> Keep in mind that there is a safeguard in place against bruteforce
> login attempts.
> If you can suggest using something else, we will gladly change this.

I'll let Julien clarify this.

> If you can think of a way this can be exploited for malicious
> purposes, please disclose it (either here or on the public bug
> tracker)

Sites with open redirect vulnerabilities are often used by spammers
which can result in domains getting marked as spammy in the various spam
DNSBLs.

> By the way, I can't find a public archive of this discussion, is it
> available somwhere? It could provide valuable feedback.

The discussion was just on an IRC channel so there are no public archives.

> As I said earlier, I think it IS ok to remove shaarli from Jessie

This has now happened:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774382#15
https://packages.qa.debian.org/s/shaarli/news/20150102T163914Z.html

> OWASP good practices do not forbid using PHP.

True, my aversion to PHP is due to having wrote some truely horrid and
vulnerable code a long time ago plus this article:

http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

I don't really want to get involved in auditing the codebase, but
searching the codebase for mt_rand shows that you are using mt_rand
salted SHA-1 for the password hashing. I would recommend switching to
the current best practice of using scrypt (or bcrypt).

http://pecl.php.net/package/scrypt

I'd also recommend not including the embedded code copies of jQuery,
qr-js/jsqrencode, jQuery UI, jQuery lazyload, RainTPL in the git
repository, they will only get out of date that way. I don't know how
things are done in the PHP world but probably there is a package manager
for PHP that users should use to install the dependencies?

In addition you are violating the GPL because you are distributing
qr.min.js without the source code for it (presumably qr.js).
[Texte des messages précédents masqué]
nodiscc <nodiscc@gmail.com> 11 janvier 2015 15:15
À : Paul Wise <pabs@debian.org>
Cc : Georges Khaznadar <georges.khaznadar@free.fr>, Salvatore Bonaccorso <carnil@debian.org>, Emilien Klein <emilien+debian@klein.st>, Debian Security <security@debian.org>, Julien Voisin <julien.voisin@dustri.org>
> searching the codebase for mt_rand shows that you are using mt_rand
> salted SHA-1 for the password hashing. I would recommend switching to
> the current best practice of using scrypt (or bcrypt).

Yes we should stay away from SHA-1
Thanks https://github.com/shaarli/Shaarli/issues/94

> http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

Thanks for the very good article, and true. Yes we should make shaarli smaller/cleaner; in progress https://github.com/shaarli/Shaarli/issues?q=label%3Acleanup+
A rewrite with flask would be good (but another project and different server config). Shaarli has the advantage of being already written and very simple to install.
We'll try to overcome problems with the platform

> not including the embedded code copies of jQuery,
> qr-js/jsqrencode, jQuery UI, jQuery lazyload, RainTPL in the git
> repository, they will only get out of date that way.

yes we should keep the libraries up-to date and versioned
(unstable has 1.7.2 vs 1.11 on jquery.com :/)
This was just done at https://github.com/shaarli/Shaarli/pull/99

There are PHP package managers (pear, pecl...) but we would need to include/depend on them.
Or the libraries need to be in debian repos (and other distributions)
Pear is also not-so-secure. PECL needs command line access, and is not packaged for debian.

> In addition you are violating the GPL because you are distributing
> qr.min.js without the source code for it (presumably qr.js).

aye sorry. https://github.com/shaarli/Shaarli/issues/96, this is fixed
(if a proper copyright/source notice is enough for GPL compliance, I think it is)

Is this ok if I copy this discussion to shaarli's bug tracker/general discussion?

Thanks for your help. More info is welcome
Paul Wise <pabs@debian.org> 12 janvier 2015 00:54
À : nodiscc <nodiscc@gmail.com>
Cc : Georges Khaznadar <georges.khaznadar@free.fr>, Salvatore Bonaccorso <carnil@debian.org>, Emilien Klein <emilien+debian@klein.st>, Debian Security <security@debian.org>, Julien Voisin <julien.voisin@dustri.org>
On Sun, 2015-01-11 at 15:15 +0100, nodiscc wrote:

> Thanks https://github.com/shaarli/Shaarli/issues/94

bcrypt is easily able to be differentiated from SHA-1 as it includes a
specific prefix, not sure how pikzen got that idea.

https://en.wikipedia.org/wiki/Bcrypt

> A rewrite with flask would be good (but another project and different
> server config). Shaarli has the advantage of being already written and
> very simple to install.

Please focus on the rewrite and try to get Shaarli users to migrate.

> yes we should keep the libraries up-to date and versioned

Please remove them from the git repository instead.

> (unstable has 1.7.2 vs 1.11 on jquery.com :/)

I expect after jessie is released the JavaScript team will be looking at
having multiple versions of jQuery in Debian, based on compatibility.

> There are PHP package managers (pear, pecl...) but we would need to
> include/depend on them.

Definitely don't include any third-party code, but do depend on them.
For people not using Linux distros or using Linux distros that don't
contain all the dependencies you can include a setup script.

> Or the libraries need to be in debian repos (and other distributions)

Yes they should be packaged for Debian instead:

https://wiki.debian.org/EmbeddedCodeCopies

> Pear is also not-so-secure.

Do you have any references about the Pear security issue? In Debian I
see we know about two minor issues in Pear:

https://security-tracker.debian.org/tracker/CVE-2014-5459
https://security-tracker.debian.org/tracker/CVE-2006-0931

> PECL needs command line access, and is not packaged for debian.

Why is command-line access a problem?

The php-pear Debian package contains the pecl command-line tool and
there are already various PECL modules in Debian, what is missing?

> aye sorry. https://github.com/shaarli/Shaarli/issues/96, this is fixed
> (if a proper copyright/source notice is enough for GPL compliance, I
> think it is)

That only adds the copyright/license information, it doesn't fix the GPL
compliance issue. Please re-read the GPL, especially GPLv3 section 6.

https://www.gnu.org/licenses/gpl.html

> Is this ok if I copy this discussion to shaarli's bug tracker/general
> discussion?

Fine by me.

So far:

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source [...] If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.

So I think we meet the GPL requirements. Will ask for more info on the mailing list (I can't find a world-viewable archive of this list), comments are welcome.

Edit: my reply to the mailing list:

Hello,

I have forwarded this discussion at
https://github.com/shaarli/Shaarli/issues/44#issuecomment-70526704
with some more questions about GPL compliance (I really think linking
to the source is enough)

About the rewrite, there's already a bookmark sharing web application,
written in python at
https://github.com/bookieio/Bookie
I'll let you judge the complexity/simplicity of this vs. 2500 lines of
(ugly) php

Have a nice day
e2jk commented 9 years ago

FYI I have created a Gitter chat room to discuss Shaarli. Have a look at https://gitter.im/shaarli/Shaarli I will add the "usual suspects" to the chat room as well.

nodiscc commented 9 years ago

v0.0.43beta released! Thanks to everyone involved.

nodiscc commented 9 years ago

I've registered a bountysource project for Shaarli. Anyone can now vote for issues there instead of adding +1s to the bug tracker. You can also place bounties (starting with $5 I think) on bugs; anyone that fixes a bug on which a bounty has been placed can claim it. The bountysource badge is displayed in the main README.

Sorting of plugin requests in https://github.com/shaarli/Shaarli/issues/14 is almost over. The current plugin system implementation is on the new-plugin-system branch. Pull requests to improve it welcome, even dirty/unfinished, we'll rebase and squash later. Authors of original plugin requests have been informed. Plugin requests that are of no immediate interest have been moved to https://github.com/shaarli/Shaarli/wiki/Ideas-for-plugins

I've started removing owners from the organization (people that have shown no sign of life since the fork). The remaining owners are @e2jk @sebsauvage @Sbgodin and myself. It think it's enough since we are active in maintaining the code/issues. @ArthurHoaro has write access to the templates repository.

I've started reorganizing the shaarli-themes repo to make it compatible with 0.0.43beta and clean the stylesheets. I think we'll not implement a theme selector for several reasons; continuing in https://github.com/shaarli/Shaarli/issues/22

ArthurHoaro commented 9 years ago

Maybe you can add the bountysource link in the readme.

EDIT: Uh nevermind. I was looking at my not updated fork repo.

nodiscc commented 9 years ago

@ArthurHoaro it's on top, next to to the gitter link

nodiscc commented 9 years ago

I think we could add some tag management/general organization tricks to the wiki, some have been discussed here https://github.com/shaarli/Shaarli/issues/146#issuecomment-77710432

nodiscc commented 9 years ago

I've managed to use my IM client (pidgin) to login to https://gitter.im/shaarli/Shaarli. It's not straightforward so here is how to do it:

nodiscc commented 9 years ago

Another bookmark sharing and management web app: https://github.com/plainmade/unmark / https://unmark.it/. Added to the wiki.

nodiscc commented 9 years ago

I've updated the milestones. Feedback welcome. 0.0.44beta will be released on Sunday after merging these patches.

ArthurHoaro commented 9 years ago

I think template support should be set before 1.0 milestone since it's an important change. Also I don't really see why #143 is in milestone 1.0 while most other minor (priority) improvements are in 1.1. But overall, that's great!

nodiscc commented 9 years ago

You're right. Edited milestones.

nodiscc commented 9 years ago

0.0.44beta released. Again, thanks to you all.

nodiscc commented 9 years ago

0.0.45beta released, fixes 2 small bugs.

alexisju commented 9 years ago

Dans le linklist, pour l'affichage de l'url d'une note, ce ne serait pas mieux que ce soit une url absolue qui soit affichée? Ca me pertube un peu de n'avoir qu'un morceau d'url affichée entre les balises et

nodiscc commented 9 years ago

On pourrait, oui. J'aime l'idée de n'afficher que des URLs absolues. On pourrait aussi passer ces URLs en absolues dans les exports HTML, ça réglerait peut être https://github.com/shaarli/Shaarli/issues/102

Par contre je pense qu'il faut un petit indicateur pour différencier visuellement les notes des liens, comme ou à côté de l'URL.

alexisju commented 9 years ago

Pour moi, c'est surtout une question d'affichage de l'url. Du point de vue de l'utilisateur ?uyhDa ça ne veut rien dire. Mais il faut faire attention à garder la portabilité des données (pour les exports, sauvergardes et migration). Si ce sont des url asbolues qui sont enregistrées, ça risque de pauser problème.

alexisju commented 9 years ago

Bug? Je remarque que le lien vers la doc ne se charge pas à tous les coups. Par exemple chez moi https://liens.effingo.be/doc/index.html#!Home.md ne fonctionne pas alors que https://effingo.be/liens/doc/index.html#!Home.md fonctionne

J'ai vu ça aussi sur d'autres sites également.

Par ailleurs, est-ce vraiment nécessaire d'inclure toute l'aide dans l'archive? Ca disperse l'information et rend ces infos plus difficiles à maintenir. Un lien vers le wiki ne serait pas suffisant dans les templates? Et dans l'archive, un fichier texte avec les infos utiles, des liens, mais quelque chose d'un peu plus "light" ?

A propos du wiki, toutes les images ne se chargent pas en ligne...

nodiscc commented 9 years ago

le lien vers la doc ne se charge pas à tous les coups

En effet; je ne sais pas pourquoi, c'est sûrement dû à mdwiki. La console de Firefox me renvoie Syntax error quelque part. Mdwiki fait le rendu du markdown en JS dans le navigateur, c'était pratique et rapide mais sans doute pas le plus propre. On peut utiliser pandoc à la place pour générer du HTML statique: pandoc -f markdown_github -t html5 -s -c "$(dirname $0)/github-markdown.css" -obasename $markdownfile .md.html "$markdownfile". Je rajouterai ça au Makefile.

est-ce vraiment nécessaire d'inclure toute l'aide dans l'archive? Ca disperse l'information

Non puisque l'aide en local est une simple copie du wiki. C'est plus simple que de maintenir une doc locale et le wiki. Just à maintenir le wiki et à lancer make doc de temps en temps. Par contre si qulqu'un veut se pencher sur le wiki pour séparer la doc utilisateur/admin/dévelopeur, pourquoi pas.

nodiscc commented 9 years ago

I've added (invited) @virtualtam and @ArthurHoaro as owners of the Shaarli organization on Github.

You guys have provided very high quality contributions to Shaarli and have been active recently, so now that e2jk is away I felt like this project needed more maintainers (I also have less time, and my own server is offline for some time so I can't test new stuff as quickly as before). No obligations at all. Feel free to push tested, cool and working features to the repo after discussing them like we always did, merge PRs and bug fixes, automate repo maintenance even more...

Merci encore pour votre aide, de la part de tous les utilisateurs de ce modeste fork. Cassez pas tout :) (jusqu'a présent c'est plutôt mes merges ratés qui ont posé problème :/ )

I'd appreciate if we could use GPG signed commits in the future. What do you think?

virtualtam commented 9 years ago

Thanks a lot @nodiscc for the invitation! I'll do my best to keep improving Shaarli, sanitize the code base, discuss issues and help reviewing PRs ;-)

use GPG signed commits

See this answer on StackOverflow, TL;DR:

ArthurHoaro commented 9 years ago

Thank you @nodiscc. I'll continue to contribute here as I've done in the past few months. :)

GPG signed commits

Not sure it is worth it, but I don't really know how it works.

nodiscc commented 9 years ago

Shaarli is now listed on Prism Break.

I don't have a problem with only signing tags and/or merge commits. Signed commits should not be a requirement for contributors (but it would be good that maintainers use them from time to time).

alexisju commented 9 years ago

Great! But I still thinking it can be confusing for users to call this repository as "the official" as long as Sebsauvage doesn't mention this project on his wiki and/or we dont mention clearly in the name or in in the logo this is the community version (cfr https://github.com/shaarli/Shaarli/issues/203).

nodiscc commented 9 years ago

The choice of linking to this repo on prism-break was not mine :) I think the p-b maintainers chose this fork because sebsauvage's repo is inactive for a long time. I don't think anyone working on this fork was involved in adding the project on prism-break, I discovered it by checking the Traffic tab on the repo stats page (refferers)

The README makes it clear that this project is a fork of the original, "official" Shaarli. Changes in branding (logo?) can come with the new default template work proposed on Gitter. If you want to make it clearer in the doc or README, a patch is welcome.

nodiscc commented 9 years ago

Another interesting project that lists Shaarli: https://github.com/Kickball/awesome-selfhosted

Contributions are welcome :)

alexisju commented 9 years ago

I wonder if a hashtag system would not be interesting. The idea is that, in the description, any word ahead of # is linked to ?searchtags=[theword]

But maybe there is a potential difficulty of compatibility with a markdown plugin...

ArthurHoaro commented 9 years ago

I like the idea. There is no conflict with Markdown: #hashtag - # title (space required).

nicolasdanelon commented 9 years ago

Sorry but... what's the difference between the current tag system (_?searchtags=cms_)

ArthurHoaro commented 9 years ago

We should discuss that in #278.

There is no difference, except it creates an automatic link when you write an #hashtag in the description.

nodiscc commented 9 years ago

Time for a new release? There has been a fair amount of changes since 0.0.45beta, including bug fixes.

$ git log --oneline master...v0.0.45beta
f22a494 Merge pull request #295 from Knah-Tsaeb/patch-1
caaae9b Merge pull request #289 from virtualtam/make-clean
bb2948c [fix]  #293
d0ce99e Makefile: do not call `clean` before `test`
2ac5938 Merge pull request #290 from virtualtam/travis-container
39d06fa Travis: use the container-based infrastructure
874f858 Merge pull request #271 from virtualtam/php53
d1e2f8e PHP: ensure 5.3 compatibility, refactor timezone utilities
5b0ebbc Merge pull request #257 from ArthurHoaro/tag-http-referer
775803a Prevent redirection loop everytime we rely on HTTP_REFERER:
1dcbe29 English mistake cf sebsauvage/Shaarli#221
6ac95d9 Fixes warning 'Undefined index: searchtags' while filtering by tags.
7bd3542 Merge pull request #262 from ArthurHoaro/dup-tags
781e8aa Avoid tag duplicates
bba021d Merge pull request #268 from ArthurHoaro/dailrss-template
1b73f35 Merge pull request #269 from virtualtam/fix/read-config
f3b8f9f Include the whole <item> in dailyRSS
50c9a12 Fix: data/config.php was not imported
49ca756 Merge pull request #267 from virtualtam/linkdb/private-names
07b6fa7 LinkDB: prefix private members with an underscore
e92f1ba Merge pull request #255 from ArthurHoaro/config
dd484b9 All settings are now stored in config.php
7f1dfd1 Merge pull request #251 from virtualtam/linkdb/date-format
9186ab9 LinkDB::filterDay(): check input date format
46d83c2 Merge pull request #264 from ArthurHoaro/daily-nav
f3db377 Fixes #260: previous/next day links in daily
eee711c Merge pull request #254 from virtualtam/test/linkdb/datastore
0037fbe LinkDBTest: only check that the datastore is created and non-empty
fe4e883 doc: bump php requirement to php 5.4, fixes https://github.com/shaarli/Shaarli/issues/250
d72ae3d Merge remote-tracking branch 'ArthurHoaro/default-links'
2fbadc3 Merge remote-tracking branch 'virtualtam/linkdb/remove-globals'
da9b0e3 [doc] sync doc with latest wiki, build HTML
927a841 [doc] update CONTRIBUTING
eae648d duplicated id removed
41145f7 awesome.css restored. width bug fixed.
d257f25 Merge pull request #249 from fbartels/patch-1
ddfc400 Restore compatability with php 5.3
9c8752a LinkDB: do not access global variables
30e6f1c Fixes unit tests: checking datastore filesize instead of hash.
598376d Change fresh install default link
64bc92e move escape() and sanitizeLink() to application/Utils.php
eaefcba Merge remote-tracking branch 'ArthurHoaro/input-escape' into next
9f15ca9 LinkDB: add 'hidePublicLinks' parameter to the constructor
ae63027 add travis-ci.org build status to README
b6a88fa Add link to 'Running unit tests wiki page'
4c68c20 Merge remote-tracking branch 'nicolasdanelon/master' into next
38eb1e7 cursor pointer for label (ux improvement)
504a425 fix no javascript
c68da3f Page title if there is a single link Fixes #232
5f85fcd Working on shaarli/Shaarli#224
3d713bd Update awesomplete.css
e6cd88b filter input search responsive fixed (mobile)
0923a2b add tabindex 1/2 to search and tags fields
e883685 Merge remote-tracking branch 'origin/doc-contributing'
4a5827f Merge remote-tracking branch 'ArthurHoaro/daily-date' into next
adb1d6c Merge remote-tracking branch 'nicolasdanelon/master' into next
578a84b re-add readDb() missing from previous merge
38a0c25 Merge remote-tracking branch 'virtualtam/test/link-db' into next
0fe3641 Merge remote-tracking branch 'ArthurHoaro/search-tag-awesomplete' into next
7d338fa Merge remote-tracking branch 'virtualtam/travis' into next
25c4640 fix login desktop
f30aa97 login enhance for mobile
4de7144 Daily page: date format in template
ca74886 LinkDB: move to a proper file, add test coverage
3821b1e Create CONTIBUTING.md
a037ac6 Do not load links if they're hidden (also fix shaarli/Shaarli#202)
65d6251 Add awesomplete to tag search shaarli/Shaarli#49
13d07f9 Add Travis CI config
cbecab7 split annoyingpatterns list on multpile lines, add new patterns for removal:  * utm_content=  * fb=  * xtor=
f95d042 Merge branch 'really-hide' of https://github.com/pikzen/Shaarli into next
8b3c67f Merge remote-tracking branch 'Marsup/firefox-social' into next
d33c5d4 Add Firefox Social API to the tools. Fixes #101.
59c90f5 Properly hide all links
f5b0592 Display date as today if no articles published
569ffb5 doc: add demo to README fixes https://github.com/shaarli/Shaarli/issues/198
caee7ff change wording and variable names for "Hide public links" feature
0c45b01 Merge remote-tracking branch 'pikzen/disable-public' into next
5078492 Merge remote-tracking branch 'ArthurHoaro/localecharset' into next
c5db827 Merge branch 'pandoc' into next
1caf200 Merge commit '326ae54' into next
8fa1ebd Allow disabling all public links, fixes #188
da49603 #193 add UTF8 by default to autoLocale
6811469 doc: remove old mdwiki index.html
b84c913 doc: point footer link to local html documentation
a57a12e doc: sync doc/github-markdown.css from wiki
7a32b17 add local HTML documentation generated with 'make htmldoc'
82af78b use pandoc to generate local HTML documentation fixes https://github.com/shaarli/Shaarli/issues/178 run 'make htmldoc'
10070c3 doc: update documentation (sync from wiki)
f3e89f5 cleanup: makefile comments
8438a2e Fixes autoLocale function by trying several way to find a correct one. Fix https://github.com/shaarli/Shaarli/issues/184
326ae54 Fix missing permalink title when logged in
82cfe1f Merge pull request #183 from pikzen/fix-absolute-urls
b47f515 Display notes as absolute URLs
a5752e7 Fix bad merge commit Define date format in templates instead of index.php.
2f4ab7c update doc
d3b2b45 Display notes as absolute urls Fixes https://github.com/shaarli/Shaarli/issues/177 Merge commit '3ea318dad05954e2043d5bb2f8572b103d7c3930' into notes-absolute-url Conflicts:   index.php
3139a6c Fix php error in daily RSS
880cbf9 Fixes autoLocale function by trying several way to find a correct one.
bec1870 Define date format in templates instead of index.php.
3ea318d Display notes as absolute urls.
virtualtam commented 9 years ago

Agreed :)

What about adding intermediate milestones? E.g. tag the current version as 0.1, and start using pseudo-SemVer to fill the holes till we reach 0.9 and 1.0:

ArthurHoaro commented 9 years ago

+1 for the release.

I don't know about version standards, but anything would be better than 0.0.45. :)

nicolasdanelon commented 9 years ago

+1 for the release too :)

nodiscc commented 9 years ago

Happy birthday shaarli/Shaarli and thanks everyone for keeping it flying

virtualtam commented 9 years ago

:cake: \o/ :cake:

nodiscc commented 9 years ago

I have updated/rewritten shaarchiver and audio/video archival are working perfectly!

If someone is able to help for the next step (downloading webpages in a logical way - calls to wget?), and other TODOs in bookmarks-fetcher.py (mostly catching and reporting errors), please let me know! Feedback welcome

virtualtam commented 9 years ago

I can help with CI stuff, dependency management and virtualenvs in Python :smiling_imp:

Also, Shaarchiver could be integrated as a Shaarli plugin, to one-click archive media content :)

nodiscc commented 9 years ago

The tool is in a very early stage, but if you'd like to write a simple test, I'm all ok! Always happy to learn.

I like virtualenv but prefer to rely on my distro's package manager for dependencies.

Being written in Python it would need wsgi to run server-side (no PHP frontend running shell_exec plz) and a decent frontend to keep track of archival progress (it can take long, my last batch was about ~3h download - my backups directory is about 16GB, media only).

Being a tool for locally archiving files I don't know if it makes sense to run it server-side. You could always setup a cron job for periodic runs though.

virtualtam commented 9 years ago

Note: this is a draft, open to discussion -feel free to suggest a different/better versioning planning :)

Note II: future tags should be both annotated and GPG-signed -working on it

New milestones

The current major Works In Progress are, by descending order of priority:

Intermediate milestones could be added as follows:

Past commits

Here's a suggestion for tagging past commits and switch to a new versioning scheme. This is a bit rough and artificial, but provides an overall idea of the progress that has been made lately :)

Please note that the displayed version will still be v0.0.45beta

v0.3.0

462bfb1 Add Requirements section in README (link to wiki).
f22a494 Merge pull request #295 from Knah-Tsaeb/patch-1
caaae9b Merge pull request #289 from virtualtam/make-clean
bb2948c [fix]  #293
d0ce99e Makefile: do not call `clean` before `test`
2ac5938 Merge pull request #290 from virtualtam/travis-container
39d06fa Travis: use the container-based infrastructure
874f858 Merge pull request #271 from virtualtam/php53
d1e2f8e PHP: ensure 5.3 compatibility, refactor timezone utilities
5b0ebbc Merge pull request #257 from ArthurHoaro/tag-http-referer
775803a Prevent redirection loop everytime we rely on HTTP_REFERER:
1dcbe29 English mistake cf sebsauvage/Shaarli#221
6ac95d9 Fixes warning 'Undefined index: searchtags' while filtering by tags.
7bd3542 Merge pull request #262 from ArthurHoaro/dup-tags
781e8aa Avoid tag duplicates

v0.2.0

bba021d Merge pull request #268 from ArthurHoaro/dailrss-template
1b73f35 Merge pull request #269 from virtualtam/fix/read-config
f3b8f9f Include the whole <item> in dailyRSS
50c9a12 Fix: data/config.php was not imported
49ca756 Merge pull request #267 from virtualtam/linkdb/private-names
07b6fa7 LinkDB: prefix private members with an underscore
e92f1ba Merge pull request #255 from ArthurHoaro/config
dd484b9 All settings are now stored in config.php
7f1dfd1 Merge pull request #251 from virtualtam/linkdb/date-format
9186ab9 LinkDB::filterDay(): check input date format
46d83c2 Merge pull request #264 from ArthurHoaro/daily-nav
f3db377 Fixes #260: previous/next day links in daily
eee711c Merge pull request #254 from virtualtam/test/linkdb/datastore
0037fbe LinkDBTest: only check that the datastore is created and non-empty
fe4e883 doc: bump php requirement to php 5.4, fixes https://github.com/shaarli/Shaarli/issues/250
d72ae3d Merge remote-tracking branch 'ArthurHoaro/default-links'
2fbadc3 Merge remote-tracking branch 'virtualtam/linkdb/remove-globals'
da9b0e3 [doc] sync doc with latest wiki, build HTML
927a841 [doc] update CONTRIBUTING
eae648d duplicated id removed
41145f7 awesome.css restored. width bug fixed.
d257f25 Merge pull request #249 from fbartels/patch-1
ddfc400 Restore compatability with php 5.3
9c8752a LinkDB: do not access global variables
30e6f1c Fixes unit tests: checking datastore filesize instead of hash.
598376d Change fresh install default link
64bc92e move escape() and sanitizeLink() to application/Utils.php
eaefcba Merge remote-tracking branch 'ArthurHoaro/input-escape' into next
9f15ca9 LinkDB: add 'hidePublicLinks' parameter to the constructor
ae63027 add travis-ci.org build status to README
b6a88fa Add link to 'Running unit tests wiki page'
4c68c20 Merge remote-tracking branch 'nicolasdanelon/master' into next
38eb1e7 cursor pointer for label (ux improvement)
504a425 fix no javascript
c68da3f Page title if there is a single link Fixes #232
5f85fcd Working on shaarli/Shaarli#224
3d713bd Update awesomplete.css
e6cd88b filter input search responsive fixed (mobile)
0923a2b add tabindex 1/2 to search and tags fields
e883685 Merge remote-tracking branch 'origin/doc-contributing'
4a5827f Merge remote-tracking branch 'ArthurHoaro/daily-date' into next
adb1d6c Merge remote-tracking branch 'nicolasdanelon/master' into next
578a84b re-add readDb() missing from previous merge
38a0c25 Merge remote-tracking branch 'virtualtam/test/link-db' into next
0fe3641 Merge remote-tracking branch 'ArthurHoaro/search-tag-awesomplete' into next
7d338fa Merge remote-tracking branch 'virtualtam/travis' into next
25c4640 fix login desktop
f30aa97 login enhance for mobile
4de7144 Daily page: date format in template
ca74886 LinkDB: move to a proper file, add test coverage
3821b1e Create CONTIBUTING.md
a037ac6 Do not load links if they're hidden (also fix shaarli/Shaarli#202)
65d6251 Add awesomplete to tag search shaarli/Shaarli#49
13d07f9 Add Travis CI config

v0.1.0

fcbecab7 split annoyingpatterns list on multpile lines, add new patterns for removal:  * utm_content=  * fb=  * xtor=
f95d042 Merge branch 'really-hide' of https://github.com/pikzen/Shaarli into next
8b3c67f Merge remote-tracking branch 'Marsup/firefox-social' into next
d33c5d4 Add Firefox Social API to the tools. Fixes #101.
59c90f5 Properly hide all links
5b0592 Display date as today if no articles published
569ffb5 doc: add demo to README fixes https://github.com/shaarli/Shaarli/issues/198
caee7ff change wording and variable names for "Hide public links" feature
0c45b01 Merge remote-tracking branch 'pikzen/disable-public' into next
5078492 Merge remote-tracking branch 'ArthurHoaro/localecharset' into next
c5db827 Merge branch 'pandoc' into next
1caf200 Merge commit '326ae54' into next
8fa1ebd Allow disabling all public links, fixes #188
da49603 #193 add UTF8 by default to autoLocale
6811469 doc: remove old mdwiki index.html
b84c913 doc: point footer link to local html documentation
a57a12e doc: sync doc/github-markdown.css from wiki
7a32b17 add local HTML documentation generated with 'make htmldoc'
82af78b use pandoc to generate local HTML documentation fixes https://github.com/shaarli/Shaarli/issues/178 run 'make htmldoc'
10070c3 doc: update documentation (sync from wiki)
f3e89f5 cleanup: makefile comments
8438a2e Fixes autoLocale function by trying several way to find a correct one. Fix https://github.com/shaarli/Shaarli/issues/184
326ae54 Fix missing permalink title when logged in
82cfe1f Merge pull request #183 from pikzen/fix-absolute-urls
b47f515 Display notes as absolute URLs
a5752e7 Fix bad merge commit Define date format in templates instead of index.php.
2f4ab7c update doc
d3b2b45 Display notes as absolute urls Fixes https://github.com/shaarli/Shaarli/issues/177 Merge commit '3ea318dad05954e2043d5bb2f8572b103d7c3930' into notes-absolute-url Conflicts:   index.php
3139a6c Fix php error in daily RSS
880cbf9 Fixes autoLocale function by trying several way to find a correct one.
bec1870 Define date format in templates instead of index.php.
3ea318d Display notes as absolute urls.
nodiscc commented 9 years ago

I agree about the new milestones.

About versioning, let's release 0.3.0 0.5.0 without intermediary versions, with the following release notes:

v0.5.0
 * move all settings to data/config.php
 * Fixes for locale handling, notes URLs, date handling, redirections, daily RSS, title display
 * Properly hide all links when `HIDE_PUBLIC_LINKS` option is set
 * Add Firefox Social API
 * More annoying URL patterns removal
 * Start code refactoring:  LinkDB, Utils
 * Remove duplicate tags for each link
 * Search/Filter by tag fieds can now be accessed quickly with the `Tab` key
 * Update documentation, demo at http://shaarlidemo.tuxfamily.org/

Is this ok? 0.3.0 is still > 0.0.45 and we don't have to create "artificial" releases/versions/tags.