How Joomla 1.5.6 came about

August 14th, 2008

As most of you know, a critical security vulnerability affecting all Joomla versions below (and including) 1.5.5 was discovered on Tuesday, August 12th 2008.  What most of you don’t know, is what went on behind the scenes that day.  A whole mass of people came together and immediately worked on all the tasks necessary to make 1.5.6 happen.   Experiencing this first hand was quite amazing…  Publishing a release is a process that normally has two weeks (and a team of people) devoted to it (for everything from selecting which remaining artifacts will be fixed, to translations, to clicking publish and everything in-between).  This all happened in a VERY short time.

Here’s an abridged breakdown of how 1.5.6 came to be…

15:50 EST

Bug Squad member Marijke Stuivenberg points the squad to a reported vulnerability in Joomla 1.5.5.

15:55 EST

Bug Squad members Jennifer Mariott, Elin Waring, and Marijke (along with development coordinator Wilco Jansen, OSM Vice President Rob Schley and myself) verify that the vulnerability exists and the report is valid.

15:56 EST

All available development Work Group members, Bug Squad members and Core Team members are notified of the issue.

Bug Squad confirms that 1.5’s SVN is stable and is ready for immediate release pending vulnerability fix.

Forum moderators are informed of and asked to remove references of this issue until release.

16:05 EST

Patch is generated and provided to Bug Squad for testing/confirmation of fix.

16:20 EST

Patch is confirmed to fix vulnerability.

Front page announcement is drafted.

16:30 EST

Patch is committed into SVN along with all preparations for release. 

Joomla 1.5 branch is frozen for release cycle.  Bug Squad begins testing sanity and operation of SVN.

16:46 EST

Security announcement (on is drafted.

17:20 EST

Front page announcement provided to translators.

Joomlacode prepared for release.

17:30 EST

Bug Squad confirms sanity of SVN and that all release preparations are in place.

Package generation begins. 

17:50 EST

Full download packages generated.

18:05 EST

Packages provided to Bug Squad for validation and testing.

18:30 EST

Bug Squad confirms package sanity, final steps before release are completed.

18:40 EST

Front Page article and Developer security report published. 

Full download packages released.

19:30 EST

All patch downloads tested and published.  Release cycle completed.


Total time from report of vulnerability to initial release: 2 hours 50 minutes

Total time from report of vulnerability to completion of release cycle completion: 3 hours 40 minutes

Total number of people directly involved: between 20 and 30