Latest from the umbraco blog

Now that Umbraco 5.0 is out there (with about 5000 downloads - thanks everyone!), we've worked on a small side-project to help us push forward over the coming months.

Our issue tracker for Umbraco 5, which we launched in December, is proving to be a popular hub of information and we're using it to not only keep a record of what issues people have found and fixed, but also which ones are being worked on, and their target release version.

Since this data is all in one place, Matt, Warren and I decided to build a really simple aggregation of some of that data in a form that we hope is easier to scan-read than going through YouTrack directly.

We've put up an early version at http://progress.umbraco.org/ for you to take a look at.

It's organised by "version" and takes information from the "Due in build" field inside YouTrack, and presents the assigned issues categorised by "Not Started", "In Progress" and "Completed" with a quick progress bar to give you an idea.

Not every issue in YouTrack is yet assigned to a particular release, and of course some issues will be left until future releases in the spirit of getting releases out early and often, so they might not show up on this page - but it's a great excuse to make your voice heard directly in YouTrack in the comments and votes for items that are important to you.

Next steps

We'd like to be able to use this information to help people gauge when an item is slated for inclusion in an upcoming update (be that a minor bug-fixing release, or one that contains new features).

Another big source of potential is that it could progress into a great tool that helps the many folks out there that would love to get involved on the Core team and start issuing pull requests, but aren't sure which items need focus.

This is preparing the ground for us to be able to put together some documentation not only for Umbraco 5 itself, but also some guides for contributing code to the core - and other pages like this that help people know what needs focus and when.

It's not just the Core that's open source

We think it'd be pretty cool to get the code for this up on a repository somewhere, and if people want to issue pull requests to add features or add a bit of style to even our Progress page, then awesome. We just need to jump through a couple of TeamCity hoops first, and I'll plug the code repository when that's done by updating this post and shouting out on Twitter.

Enjoy!

Yesterday we got informed that there' was an "Open Redirect Vulnerability" issue in Umbraco 4. We fixed it this morning. While we don't agree with the security consultants that it's a major issue, we do our best to fix reported security issues as fast as possible and have full disclosure.

Is this issue relevant for you?

The issue means that someone could make your editors click a link (in an e-mail or on a 3rd party website) pointing to the back office of your site, but then change where the editor would be redirected afterwards if they login. This will require that you run Umbraco with the back office fully open and that it's an active editor that logins into the site. For instance:
http://yoursite.com/umbraco/?redir=http://myevilsite.com

Once your editor have authenticated, they'd be redirected to the evil site. No data is shared with that evil site, but it could add a fake Umbraco login page and try to fake your editor to submit their credentials again. That way they could then jump to your website and login. All this would require a number of ifs and ifs, but the risk is real and may be important enough for you to upgrade…

How to upgrade

In a hurry, you can go download the 4.7.1.478 nightly which contains the fix. If you're running 4.7.1.1, all you need to do is to overwrite the "/bin/umbraco.dll" file. If running older versions, please refer to the upgrade guide.

4.7.1.2 next week

We'll be releasing an official 4.7.1.2 early next week.

Umbraco 5

This issue is present in Umbraco 5 as well and will be fixed for 5.0.1.

Questions?

Feel free to submit questions in the comments.

Today is a pretty big milestone for the Umbraco 5 team. It's the end of January 2012, we've had seven progressively stable preview builds over the past months, and now it's time to put a stake in the ground.

After a lot of hard work, late nights, and invaluable help from the community testing our many preview builds, we've hit our first production milestone.

Umbraco 5.0 RTM is on CodePlex!

Please do grab a copy - take two, if you like - it's free after all!

Thanks to you

This is a release build and includes all of the fixes from the RC3 which we put out there last Wednesday. Since that time, we've already had almost 1000 downloads, which has made us incredibly proud. From our testing and that of the reported issues, it's ready for you to build your next live website.

Features

This is called "version 5 of Umbraco", but it's important to remember the history of the v5 project. We always intended to respect the vibrant culture and history of the Umbraco CMS as it has gone so far, and make a product that was on a fresh & rewritten technology stack but enabling the same common goals.

Our target for "5-point-0" out of the box is the most commonly used features of 4.7. We have a lot of features in 5.0 that enable you to go into production for the vast majority of site builds, and we have taken an approach of getting the core features done first - and stable.

We are now going to be iterating quickly with new features as the months progress, so that we reach feature parity with 4.7 and move beyond that quickly. So, yes it's like a "1.0" in some senses, but it already has a tonne of features that we think make it a great CMS.

• Design and produce templates quickly using the excellent Razor syntax
• Access your content in those templates using an intuitive dynamic API for both querying and walking up and down your content structure
• Tailor content types with a variety of customisable fields, meaning you can focus on your content structure without a hard link to its layout
• Use multiple templates with pages so you can easily adjust to your site's needs, do A/B testing, cater for mobile handsets, or generate RSS feeds
• Have document types that inherit from one or more other types, making it simple to organise common fields for things like SEO that are shared across all of your articles
• Create, preview and publish content in a naturally organised way using folders that can automatically create your site navigation, if you like
• Create, preview and publish media and other types of assets
• Store those assets on your server or in the cloud
• Use a rich set of permissions to tailor backoffice access for your editing team
• Plug in your own existing data in a way that Umbraco natively understands, rather than the only option being to migrate everything under Umbraco's control
• Plug in your own backoffice editors, dashboards, and custom trees
• Expose the underlying MVC stack for mixing in your own application, controllers and views with the content-managed portion
• Share common pieces of functionality like Macros with your team
• Share your own data providers, common templates, handy helpers and more using NuGet packages
• Have those packages dynamically add configuration to a user's website so that uninstalling rolls back configuration seamlessly

There are many more, but you didn't come here for a list of bullet points - here's that download link again!

Documentation & help

In the next few weeks we'll be hard at work making tutorials, documentation and answering questions on the Our forums. Warren has already got off to a great start with some example Macros for common scenarios.

Here's to a bright future

5.0 is a great foundation for you to build on now, but we aren't stopping here. In the coming months we'll be focussing on adding great support for backoffice editing of your own membership data, and add some great APIs for reading and writing data to Hive in your own controllers and packages. We'll also be adding a few exotic things such as distributed caching and the like - if you have a feature idea, feel free to add it to our issue tracker and appeal for votes!

Performance

You might have seen the post I put up earlier this month about our approach to performance tuning as we approached RTM, and I also mentioned it in a recent uNews-letter. If not, or at least to put it here for posterity, here's a few of those figures.

I've been using the same content within each build of v5, and the same load script on my own development machine for each test run. It basically uses all 4 cores on my machine to both generate and serve the load from my local IIS.

To put those final figures into context, I re-ran the test against RTM with 1000 requests instead, and obtained around 2900rps.

This seems a steady improvement followed by an astronomical leap, what could it be?

It's a technique commonly referred to as "micro-caching". By default, the base controller that serves Umbraco 5 RTM requests caches the page output for 1 second. This technique sits on top of the existing steady improvements in the codebase, and provides the icing on the cake to help if your websites get a high peak load. So it's a setting that you might not notice in daily use (unless you're hitting refresh .. a lot), but your server will thank you if you get a sudden influx of traffic.

You can of course tweak this if you prefer; the setting is in configuration, and we'll be enabling more settings and handy "set it and forget it" defaults like this as we add features in the future.

Happy downloading!

To those of you who have followed us along the way, and to those who have helped us code and test, a massive thank you. And to those who will be helping us in the future, too. Have fun with Umbraco 5, and please do let us know what you think.

Here's that download link one more time.

All the best

Team 5