SemanticScuttle 0.96

After a pause of a bit more than three months since the last release, SemanticScuttle - your own social bookmark manager - has been released in versions 0.96.0 and 0.96.1. Highlights in this release are support for external authentication, Zeroconf support, API fixes and extensions as well as a working workaround for the infamous www-directory problem on shared hosts.

Note that thanks to the open source nature of SemanticScuttle, the "social" bit can completely be removed. Your private bookmarks are really private when they are stored on a server you can trust!

External authentication

Especially in companies or organizations, almost no piece of software is used on its own. Mostly there is an existing software stack that new software needs to fit in, and often - and in the simplest form - this means integration in the central user database for authentication.

A user database may be a directory server that is accessible via LDAP, or a simple user/password table in a database somewhere on a central server. Or the company's IMAP server which knows all users anyway.

With the latest incarnation of SemanticScuttle, verifying a user against all of these - and many more - authentication services is possible, thanks to the usage of PEAR's Authentication package. SemanticScuttle has extensive documentation about the setup of external authentication in doc/authentication.txt.

Zeroconf support

Part of Zeroconf, formerly Bonjour, is a technology to automatically discover services on the local network. Plug in your laptop in a new environment, and with the right tools you instantly see the important services: SSH, FTP, HTTP, VNC and others.

An increasing number of tools make use of Zeroconf to enable configuration-less interfaces; a notable example is gmpc, the Gnome Music Player daemon. Instead of manually configuring each single MPD server on the network, gmpc automatically discovers all available ones via Avahi, the leading Zeroconf implementation for Linux. No need to search for IP addresses or port numbers - gmpc simply has a menu with all local MPD servers to select from.

Another example is Apple's Safari browser, which has a special bookmark folder listing all Zeroconf addresses for the HTTP protocol.

To assist you in providing bookmarks for all local users, SemanticScuttle supports generating Avahi service files: All bookmarks tagged with zeroconf (configurable of course) get exported into service files by scripts/avahi-export.php. The script should be run via a cron job.

... and a dead release

Apart from the new features described above, the usual assortment of bug fixes and small feature requests have found their way into the code - including a solution for the "www" problem that users without access to the server configuration had.

That fix apparently broke all of SemanticScuttle's API methods, leading to a dead-in-the-water release 0.96.0. One day later, I had to release version 0.96.1 fixing that issue (which by the way was a breeze thanks to the phing build-and-release script).

A security release in between

While hacking on the code in January, I became aware of some really serious security problems in the tagging code. Because the tag names coming with the HTTP GET headers were not being escaped when they were used in SQL queries, anyone could do anything with your database - without even being logged in.

I fixed the issues immediately in svn trunk and merged the fixes back into the 0.95 and even in the long dead 0.94 branch. Versions 0.94.2 and 0.95.2 were released on the same day. Secunia verified the problems and issued advisory #38228.
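The class of bug described above, as an added example that is not SemanticScuttle's code: it uses Python with an in-memory SQLite database instead of the project's PHP, and the schema, function names and sample values are constructed for illustration. It compares a tag lookup built by string concatenation with one that binds the tag as a parameter.

```python
import sqlite3

def make_db():
    """Constructed sample data; the schema is hypothetical, not the project's."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bookmarks (id INTEGER PRIMARY KEY, url TEXT, private INTEGER);
        CREATE TABLE tags (bookmark_id INTEGER, tag TEXT);
        INSERT INTO bookmarks VALUES (1, 'https://example.org/public', 0);
        INSERT INTO bookmarks VALUES (2, 'https://intranet.example/payroll', 1);
        INSERT INTO tags VALUES (1, 'php'), (2, 'finance');
    """)
    return db

BASE = ("SELECT b.url FROM bookmarks b JOIN tags t ON t.bookmark_id = b.id "
        "WHERE b.private = 0 AND t.tag = ")

def by_tag_unescaped(db, tag):
    # Flawed pattern: the request value becomes part of the SQL text.
    return sorted(r[0] for r in db.execute(BASE + "'" + tag + "'"))

def by_tag_bound(db, tag):
    # Hardened pattern: the value is bound as a parameter and stays data.
    return sorted(r[0] for r in db.execute(BASE + "?", (tag,)))

def run(fn, db, tag):
    """Return the matching URLs, or 'sql error' if the statement is broken."""
    try:
        return fn(db, tag)
    except sqlite3.Error:
        return "sql error"

if __name__ == "__main__":
    db = make_db()
    # Constructed tag values: a normal tag, a legitimate tag with an
    # apostrophe, and a value whose quote changes the WHERE clause.
    for tag in ("php", "o'reilly", "x' OR '1'='1"):
        print(repr(tag))
        print("  unescaped:", run(by_tag_unescaped, db, tag))
        print("  bound:    ", run(by_tag_bound, db, tag))
```

With the bound query both unusual tags simply match nothing; the concatenated query fails on the apostrophe and, for the crafted value, ignores the private = 0 filter.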

You see: We care about security. To make upgrades - especially security upgrades - easier, I plan to set up my own PEAR channel server that you can install SemanticScuttle from. An upgrade to a new version will be as easy as typing

$ pear upgrade sc/semanticscuttle

The future is bright!

Written by Christian Weiske.
