security-patch-2007-10-29.tgz
X-Cart forums > News and Announcements

#31  11-06-2007, 07:56 PM
carpeperdiem (X-Guru; Join Date: Jul 2006; Location: New York City, USA; Posts: 5,399)
Re: security-patch-2007-10-29.tgz

I just received my email a few minutes ago. They've known about this since 29 October. Lovely.
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#32  11-07-2007, 01:31 AM
eliot (Newbie; Join Date: Jul 2007; Posts: 2)
Re: security-patch-2007-10-29.tgz

I'm still waiting for my email - I only heard about this because websitecm's newsletter mentioned something about a recent security upgrade. (Many thanks to websitecm.)

Anyway, what's not clear to me is whether the diff files are in a good state to use yet. I have a root install of x-cart 4.1.8, so if they are still hardcoded for the /xcart dir then I guess not.

---

Are the developers of this product using automated tests? Do they have a dedicated QA team?

I'm assuming no, or if they are they have poor coverage. If they are, please start shipping the tests with the product so we can run them ourselves.

My day job is as a programmer specialising in unit, integration and end-to-end testing of enterprise web applications. It surprises me that, in 2007, a product as popular as this does not have proper automated test coverage.

Qualiteam, please advise us of your position on this topic and what you are doing to fix this.

I'm building phpunit and selenium tests as I make changes to my x-cart install, and I recommend others do this too.

In the end, I'd like to see qualiteam implement automated testing themselves, and have a continuous integration environment. I'm busy, but if you need help qualiteam, give me a shout and I will help where I can.

Here's an idea for any good OO PHP programmers that have the time:

- Build OO-designed cart software with unit, integration, and end-to-end test coverage from the start.
- Start simple with version 1.0; don't worry about competing with x-cart, you're looking to charge big and only sell to a few.
- Emphasise that this is a *quality* and *tested* product.
- Charge $000s per install or for support - don't charge $00s, that's not your market.
__________________
Version 4.1.8
#33  11-07-2007, 03:46 AM
ambal (X-Cart team; Join Date: Sep 2002; Posts: 4,121)
Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by carpeperdiem
I just received my email a few minutes ago. They've known about this since 29-october. Lovely.

I thought I explained that at http://forum.x-cart.com/showthread.php?p=192025#post192025

Anyway, here is a more detailed explanation:

First of all, we haven't announced this problem to the entire world ***yet***. These forums are accessible only by X-Cart users who have at least one valid X-Cart license.

Our clients are the first after us who get information about the patch, via a private newsletter which is being sent in portions in order not to overload our servers.

Just imagine what would happen if tens of thousands of X-Cart users tried to log in to their HelpDesk accounts to download the patch at almost the same time. The servers would go down and nobody would be able to download the patch. Since we are sending the newsletter in portions, no overload is created and every X-Cart customer can log in to their HelpDesk account and download the patch without any hassle.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
#34  11-07-2007, 03:52 AM
eliot (Newbie; Join Date: Jul 2007; Posts: 2)
Re: security-patch-2007-10-29.tgz

Thanks for explaining that Alexander.

I think there needs to be more responsibility from Qualiteam over this. The excuse of "our servers wouldn't handle the traffic" is not good enough.

What will Qualiteam do when there is a major security issue with an exploit in the public domain?

Waiting a week or more for the patch would not be good enough. It would be too late for many small businesses who get exploited in the meantime.


What are Qualiteam doing to fix this situation?
__________________
Version 4.1.8
#35  11-07-2007, 03:59 AM
shan (X-Guru; Join Date: Sep 2002; Location: Birmingham, UK; Posts: 6,163)
Re: security-patch-2007-10-29.tgz

Hi Ambal,

Sounds like you need a better server then, so that you can handle the traffic. I only see 15,000 or so members in the forum, so at most have the whole lot sent out in a couple of days. It's not like every person with a licence is going to log in right away.

As for the latest update and security patch, there seem to be a whole load of questions not being answered here.

It would be helpful if all these points were addressed, e.g. hard-coded paths, upgrades not working very well, security patches containing non-security-related fixes.

It's disappointing to see this type of stuff going on these days. xcart and its team should be totally on top of this type of thing by now.
__________________
Looking for a reliable X-cart host?
You won't go wrong with either of these.

EWD Hosting
Hands On Hosting
#36  11-07-2007, 04:38 AM
carpeperdiem (X-Guru; Join Date: Jul 2006; Location: New York City, USA; Posts: 5,399)
Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by ambal
You shouldn't worry about not getting the e-mail from us to the moment as you haven't got the e-mail YET. We send our newsletters in some portions usually in order not to create a huge overload impact on our servers like if we send them all at once. I am sure you'll get the e-mail in some time later.

Alexander,

With all the love and respect a forum mod can give you, there are times that X-Cart needs to bite the bullet and not do everything in-house. Sending 15,000 emails can be done in a day with a 3rd-party email service. Yes, you'll pay for this, but for security exploits I can't think of a better use of company funds. (Well, a big party for your forum participants comes to mind, but I would give that up for timely announcements of security exploits.)

FYI, many companies have systems in place with outside vendors to deliver their messages on-time... for example, I received an email from Apple on October 26 announcing their new operating system. Every Apple customer received this email on October 26. That would be millions of emails. It can be done. 1-800-Flowers sent me an email that is time-stamped for a 48-hour sale. I would imagine that they sent this to more than 15,000. And since the content expires in 48 hours, if they can't send it to all their customers FAST, the value of the content is lost.

My point is that 15,000 emails is not going to kill you with an outside service. And if you need scalable server technology, there are experts lurking here...

Please don't make excuses. Many of us are pros running our own businesses as well as being the ecom guy. We find ways to do things, and we don't always do everything in-house. Thanks for trying to communicate with us... please, we do appreciate it, really, there is no other way to keep your customers happy - BUT when things go wrong, in my opinion it is better to acknowledge the error and fix it -- "not to overload our servers" to me is lame. Thanks for keeping the communication open.

Jeremy
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#37  11-07-2007, 05:07 AM
ambal (X-Cart team; Join Date: Sep 2002; Posts: 4,121)
Re: security-patch-2007-10-29.tgz

Quote:
Originally Posted by shan
Sounds like you need a better server then, so that you can handle the traffic. I only see 15,000 or so members in the forum, so at most have the whole lot sent out in a couple of days. It's not like every person with a licence is going to log in right away.

Though the number of X-Cart users is bigger than the number of X-Cart forum users, since not every X-Cart user registers a forum account, it should not be a big problem for our new servers, which are going to be installed within a week. However, we couldn't wait till the new servers are in place, and sent the newsletter in portions in order not to overload the current servers and in order to inform our clients in advance.

Even if we had the new servers in place now, we would send the newsletter in portions, as we shouldn't forget that not every X-Cart user has the skills to apply the patch, and there will be a considerable number of people who will want us to apply the patch despite any manual, readme file, etc. We should think about them as well.

Our experience shows that sending newsletters in portions is the best way in such a situation, even if information about the issue is available publicly.

Informing and helping tens of thousands of people worldwide is not as easy a task as it may seem at first glance. We are doing our best, but we have to remember the back side of any action we are thinking of taking.


Quote:
Originally Posted by shan
As for the latest update and security patch, there seem to be a whole load of questions not being answered here.

It would be helpful if all these points were addressed, e.g. hard-coded paths, upgrades not working very well, security patches containing non-security-related fixes.

It's disappointing to see this type of stuff going on these days. xcart and its team should be totally on top of this type of thing by now.

First of all, we are not hiding our heads in the sand in this situation. We are going to answer all the questions asked here. At the moment I can tell you nothing, as we are collecting information about each case posted here. Some guys try to upgrade or apply the patch on a heavily customized X-Cart, or on an X-Cart powered by 3rd-party add-ons which change some affected files. But there are a number of guys who cannot apply the patch even on a standard X-Cart. Anyway, we need to see the full picture before making any conclusion.

Give us some time and we'll get back to you with our answers.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
#38  11-07-2007, 05:16 AM
ambal (X-Cart team; Join Date: Sep 2002; Posts: 4,121)
Re: security-patch-2007-10-29.tgz

To carpeperdiem:

Jeremy, this is our next step. I mean using an external sending service (I am responsible for this in Qualiteam), but the first one is changing servers. Plus, remember the number of online merchants using X-Cart, and that we need to sleep a bit sometimes.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
#39  11-07-2007, 05:30 AM
shan (X-Guru; Join Date: Sep 2002; Location: Birmingham, UK; Posts: 6,163)
Re: security-patch-2007-10-29.tgz

Don't get me wrong, I never said you were hiding your heads, just that we should not be in this situation so far down the line with xcart and qualiteam. You are not a young company.

The main problem seems to come from releasing a patch or upgrade pack that is full of problems even on a fresh install (not that I've tested it, just from what I've read here).

Yes, supporting many users is not a simple thing, but you can cut down on the amount of support you give by making things work better in the first place. Again, not a simple task, but something like a security patch should be an easy thing to do.

As for the problems of patching hundreds of clients' sites: if you're getting paid for it, then get some temporary staff in.

As developers many of us are in a similar situation to you, and we are in part responsible for more than a single site, so making sure that an upgrade or security fix is not going to bring down a client's site or cause extra headaches is paramount. We must be able to rely on you in situations like this.

My main reason for chipping in here is that I notice many seasoned xcart developers having issues, and not your average Joe just not understanding what a diff file is.

Look forward to seeing what you find out.
__________________
Looking for a reliable X-cart host?
You won't go wrong with either of these.

EWD Hosting
Hands On Hosting
#40  11-07-2007, 07:39 AM
balinor (Veteran; Join Date: Oct 2003; Location: Connecticut, USA; Posts: 30,253)
Re: security-patch-2007-10-29.tgz

All we are asking for is a set of .diff files for each version that actually WORK on a fresh install of X-Cart. We can handle manually patching stores that are highly custom, but the patches you issued the other day do not even work on a fresh install.
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development
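The two recurring complaints in this thread (eliot's root install versus diffs hardcoded for the /xcart dir, and balinor's diffs that fail on a fresh install) both come down to one check a store admin can run before touching a live shop: does every hunk's pre-image still match the installed files? The script below is an added example, not code from the thread or from Qualiteam: it parses a unified diff, strips an assumed `xcart/` prefix from its paths, and reports any missing file or mismatched hunk without modifying anything. `SAMPLE_DIFF`, the `include/sample.php` file and the `xcart/` prefix are constructed assumptions, not X-Cart's real patch contents.

```python
import re
import tempfile
from pathlib import Path
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+\d+(?:,\d+)? @@")
SAMPLE_DIFF = """--- xcart/include/sample.php
+++ xcart/include/sample.php
@@ -3,2 +3,2 @@
 $a = 1;
-$b = 2;
+$b = (int) $b;
"""  # constructed diff carrying the hardcoded "xcart/" directory the thread mentions

def parse_unified_diff(text):
    """Return [{"old": path, "hunks": [(old_start_line, [hunk body lines])]}]."""
    files, cur = [], None
    for line in text.splitlines():
        if line.startswith("--- "):                      # file header; drop timestamp column
            cur = {"old": line[4:].split("\t")[0], "hunks": []}
            files.append(cur)
        elif cur is not None and HUNK_RE.match(line):
            cur["hunks"].append((int(HUNK_RE.match(line).group(1)), []))
        elif cur is not None and cur["hunks"] and line[:1] in (" ", "-", "+"):
            cur["hunks"][-1][1].append(line)             # "+++", blank, "\ No newline" lines skipped
    return files

def rebase_path(path, prefix="xcart/"):
    """Strip the vendor's hardcoded install directory so the path fits a root install."""
    return path[len(prefix):] if path.startswith(prefix) else path

def dry_run(diff_text, install_dir, prefix="xcart/"):
    """Check hunk pre-images (context and '-' lines) against the install; [] means it applies."""
    problems = []
    for f in parse_unified_diff(diff_text):
        target = Path(install_dir) / rebase_path(f["old"], prefix)
        if not target.is_file():
            problems.append(f"{target}: file missing")
            continue
        lines = target.read_text().splitlines()
        for start, body in f["hunks"]:
            expect = [l[1:] for l in body if l[:1] in (" ", "-")]
            if lines[start - 1:start - 1 + len(expect)] != expect:
                problems.append(f"{target}: hunk at line {start} does not match")
    return problems

def make_sample_install(line4="$b = 2;"):
    """Throwaway root-style install with one constructed PHP file (not X-Cart code)."""
    root = Path(tempfile.mkdtemp(prefix="xcart-patch-check-"))
    (root / "include").mkdir()
    (root / "include" / "sample.php").write_text("<?php\n// constructed sample\n$a = 1;\n" + line4 + "\n")
    return root
```

Run `dry_run(open("patch.diff").read(), "/path/to/store")` against a copy of the store first; a non-empty list is the "hardcoded path" or "customised file" case the thread describes, and nothing is written either way.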