WordPress 5.2.3 RC 1

WordPress 5.2.3 Release Candidate 1 (RC1) is now available for testing! So please do – every test helps the build get closer to the final release!

You have two options for testing the WordPress 5.2.3 release candidate: try the WordPress Beta Tester plugin (you’ll want to select the point release nightlies option), or download the release candidate here (zip).

What’s in this release?

5.2.3 features 29 bug and regression fixes, including some to the block editor, accessibility, i18n, media, and administration.

Here’s the list:

  • #46899: Ensure that tables generated by the Settings API have no semantics
  • #47145: Feature Image dialog does not follow the dialog pattern
  • #47390: Improve accessibility of forms elements within some “form-table” forms
  • #47190: Twenty Seventeen: Native audio and video embeds have no focus state.
  • #47340: Twenty Nineteen: Revise Latest Posts block styles to support post content options.
  • #47414: Twenty Seventeen: Button block preview has extra spacing within button
  • #47543: Twenty Seventeen: buttons don’t change color on hover and focus
  • #47688: Color hex code in color picker displayed in RTL instead of LTR on RTL install (take 2)
  • #47693: customizer Color picker should get closed when click on color picker area.
  • #45739: Block Editor: $editor_styles bug.
  • #45935: A URL in do_block_editor_incompatible_meta_box function does not have classic-editor__forget parameter
  • #47604: Undefined variable: locked in wp-admin/edit-form-blocks.php
  • #47489: Emoji are substituted in preformatted blocks
  • #47079: Incorrect version for excerpt_allowed_blocks filter
  • #47538: Minor Verbiage Update – Switch ‘developer time’ for ‘a developer’
  • #46757: Media Trash: The Bulk Media options when in the Trash shouldn’t provide two primary buttons
  • #46758: Media Trash: Primary button(s) should be on the left
  • #47113: Media views: dismiss notice button is invisible
  • #47458: Fix tab sequence order in the Media attachment browser
  • #47502: Media modal bottom toolbar cuts-off content in Internet Explorer 11
  • #47687: Use alt tags for gallery images in editor
  • #38415: New Custom Link menu item has a wrong fallback label
  • #47723: Adding a custom link in nav-menus.php doesn’t trim whitespace
  • #47888: Adding a custom link in menu via Customize doesn’t trim whitespace.
  • #47561: Plugin: View details popup layout issue
  • #47835: PHP requirement always set to null for plugins
  • #47386: Fix headings hierarchy in the legacy Custom Background and Custom Header pages
  • #47603: My account toggle on admin bar not visible at high zoom levels
  • #47758: Font sizes on installation screen are too small

You can browse the full list of changes on Trac.

What’s next?

Committers: The dev-reviewed workflow (double-committer sign off) is now in effect. That means it takes two committers to approve any changes to the 5.2 branch.

Plus, we have a hard string freeze until the official 5.2.3 release, scheduled for Wednesday, September 4, 2019, 10:00 AM PDT.

Happy testing!

#5-2, #5-2-3, #rc1, #releases

WordPress 5.2.2 RC 2

WordPress 5.2.2 Release Candidate 2 (RC2) is now available for testing! So please do – every test helps the build get closer to final release!

You have two options for testing the WordPress 5.2.2 release candidate: try the WordPress Beta Tester plugin (you’ll want to select the point release nightlies option), or you can download the release candidate here (zip).

What’s in this release?

5.2.2 features 13 bug and regression fixes, with some improvements to the block editor, accessibility, i18n, media and administration. Plus, this release adds a little bit of polish to the Site Health feature that made its debut in 5.2.

Here’s the list:

  • #45094: Dashboard elements don’t always have clear focus states, tab order
  • #46289: RTL Bug: wrong navigation arrows in media modal
  • #46749: Extra border is displaying at bottom of Help section in Firefox (Responsive : 778 * 841)
  • #46881: Site Health: improve the header elements horizontal centering
  • #46957: Site Health: Make site health page access be filterable
  • #46960: Site Health: Table design issue in small devices(iphone 5/SE).
  • #46997: Theme update links show in Customizer and don’t work
  • #47070: Recovery Mode Exit button not visible in responsive view
  • #47158: Merge similar strings introduced in WP 5.2
  • #47227: i18n: Merge similar translation strings – site health tabs
  • #47429: Editor: Update packages for WordPress 5.2.2
  • #47457: Fix the mediaelements player controls bar sizing
  • #47475: I18n: Merge similar strings and fix typo

You can browse the full list of changes on Trac.

What’s next?

Committers: The dev-reviewed workflow (double-committer signoff) is now in effect. That means it takes two committers to approve any changes to the 5.2 branch.

Plus, we have a hard string freeze until the official 5.2.2 release, scheduled for Tuesday, June 18 at 17:00 UTC.

Happy testing!

#5-2, #releases

Dev Chat Summary: June 12, 2019

Announcements

@marybaum graciously offered to help lead Dev Chat next week. While many folks will be at WCEU, there are many others that will not. The meeting shall go on! Thanks Mary!

WordPress 5.2.2 Updates

5.2.2 co-lead @marybaum mentioned that tomorrow the RC2 process will begin and the time was agreed to be 15:00 UTC. The following dates are the updated schedule for releases:

Release Candidate 2: Thursday, June 13, 2019, 15:00 UTC
Final Release: Tuesday, June 18, 2019

WordPress 5.3 Updates

@chanthaboune discussed timing for the release saying, “Folks with suggested major focuses have all gotten their best timing estimates to me and it’s shaping up to look pretty good. The focuses seem land-able by late Sept/early Oct, which leaves about a month before WCUS.”

Scope of 5.3 as it relates to the 9 Projects for the Year

@jeffpaul asked “Is the hope that 5.3 includes the final portions of release-related projects from Matt’s list of 9 projects for the year? Asked differently, what remains from that list that we should be aiming to include alongside 5.3?”

@chanthaboune mentioned that the block directory is currently awaiting design feedback. Next steps are to be determined and will be mentioned in a 5.3 update post.

@earnjam said the content registration features for themes seems a bit nebulous. In particular:

Porting all existing widgets to blocks.

Upgrading the widgets-editing areas in wp-admin/widgets.php and the Customizer to support blocks.

@aduth provided a very handy link on the current status of these features on the roadmap: https://github.com/WordPress/gutenberg/blob/master/docs/roadmap.md

Jeff asked a follow-up question: “Is of the remaining projects that are incomplete which (1) are near completion and just need some assistance or (2) are of the utmost priority to try and complete by the end of the year. Knowing the answers to those could help show folks the best places to swarm and help get projects to completion?” @chanthaboune offered to address this and the other roadmap items in a 5.3 update post after WCEU.

@clorith asked “Will this be the final release of the year, and how does that align with our plans to (possibly, depending on how 5.2 rolls along) update minimum requirements to PHP 7.x ?” This will also be addressed in the 5.3 update post Josepha offered to tackle after WCEU. @jorbin shared some great stats on the current state of PHP versions finding that “We are under 20% for below 5.6” which is a massive improvement!

Updates from component maintainers

Call for new maintainers of components:

There are a handful of components that are in need of a maintainer to watch over and nurture them:

@azaozz offered to be a maintainer of Script Loader and everyone cheered! Thank you Ozz! Discussion also took place on the collective noun for multiple Ozz, as it would be greatly appreciated to have more of them to help maintain some of the above components. 🙂

Please comment below this post if you are interested in any of the above components, or feel free to reach out to @chanthaboune if you’d rather volunteer privately.

General Announcements and Open Floor

Jonny Harris is working on a feature plugin that gives REST endpoints for menus. This is in preparation for upcoming navigation blocks, but it also serves as an excellent way of exposing menus to headless applications using WordPress. He would like some feedback on the plugin and would appreciate thoughts on considering this in the scope of 5.3. Please leave on this PR: https://github.com/WP-API/wp-api-menus-widgets-endpoints/pull/22

@presskopp mentioned a comment made here on the 5.3 call for tickets post. @chanthaboune mentioned that there is agreement and it is wrapped into the triage work from the 9 projects mentioned earlier in notes.

@bph asked, “There is a big knowledge gap that there is actually user documentation available for Gutenberg. Where would a discussion be placed best design/core-editor to surface the document within the block editor?” @aduth said that it was mentioned in a recent #core-editor chat and linked some action items from that chat here: https://wordpress.slack.com/archives/C02QB2JS7/p1558532425222200. Andrew then offered to help create a GitHub issue for this. @bph offered to make a post to discuss this further. More to come soon!

These notes were taken by @antpb and proofread by @chanthaboune.

#5-2-2, #5-3, #devchat, #summary

#5-2

WordPress 5.2.2 RC 1

WordPress 5.2.2 Release Candidate 1 (RC 1) is now available for testing! So please do – every test helps the build get closer to final release!

There are two ways to test the WordPress 5.2.2 release candidate: try the WordPress Beta Tester plugin (you’ll want to select the point release nightlies option), or you can download the release candidate here (zip).

What’s in this release?

5.2.2 features ten bug and regression fixes, including some improvements to the block editor, accessibility, i18n, media and administration. It also adds a little bit of polish to the Site Health feature that made its debut in 5.2.

Here’s the full list:

  • #45094: Dashboard elements don’t always have clear focus states, tab order
  • #46289: RTL Bug: wrong navigation arrows in media modal
  • #46749: Extra border is displaying at bottom of Help section in Firefox (Responsive : 778 * 841)
  • #46957: Site Health: Make site health page access be filterable
  • #46960: Site Health: Table design issue in small devices(iphone 5/SE).
  • #47158: Merge similar strings introduced in WP 5.2
  • #47227: i18n: Merge similar translation strings – site health tabs
  • #47429: Editor: Update packages for WordPress 5.2.2
  • #47457: Fix the mediaelements player controls bar sizing
  • #47475: I18n: Merge similar strings and fix typo

You can browse the full list of changes on Trac.

What’s next?

Committers: The dev-reviewed workflow (double-committer signoff) is now in effect. That means it takes two committers to approve any changes to the 5.2 branch.

The official 5.2.2 release is scheduled for Tuesday, June 18.

Happy testing!

#5-2, #releases

Dev Chat Summary: 22 May

@chanthaboune served as the facilitator for discussion and many contributors were in attendance.

Announcements

Nothing major to announce this week. Tune in next!

5.2.1 Debrief

WordPress 5.2.1 released yesterday! For information on the release you may refer to the 5.2.1 blog post. Thanks to @desrosj and @earnjam for leading such a smooth release. As of now, there are no notable issues. If you are seeing any issues, please discuss in the comments below or create a new ticket at: https://core.trac.wordpress.org/.

5.2.2

There are a handful of tickets in the 5.2.2 milestone. A team is needed to help wrangle those tickets into a new release. Now is the time to volunteer for leading 5.2.2. This release would aim for a 2-week release cycle to clear up remaining tickets in the milestone. There were two volunteers to lead in chat today: @audrasjb and @justinahinon. Please volunteer in the comments below if you are also interested in leading or co-leading!

@aduth said there was mention of a few issues in #core-editor chat earlier today of Gutenberg bugs which would be nice to aim to include for the release: https://wordpress.slack.com/archives/C02QB2JS7/p1558530408162500

Major release (5.3)

Comments were closed today in the call for 5.3 tickets post. @chanthaboune will be pulling together the submissions and doing some outreach to maintainers that have not included items in the post as we prepare for the next major release. These tickets will inform what focuses this release will have.

Calls from component maintainers

@azaozz is continuing to plan for some recommended changes and focuses for the Uploads and Media components.

@desrosj reminded us that the following components: General Component, Comments, Pings/Trackbacks, External Libraries, Filesystem API, Rewrite Rules, and Script Loader are all currently without any maintainers. If those parts of core interest you, feel free to reach out to @chanthaboune to get involved!

@karmatosed mentioned that there is an editor component triage on Friday at 17:00 UTC, @desrosj and @karmatosed will be running it in #core-editor and the triage will focus on trac tickets.

@johnbillion asked if there were any component maintainers looking for new maintainers of their components and @chanthaboune made the important reminder, “open source is designed to let people move in and out of volunteer positions as needed.” If you are not comfortable saying in dev chat that you would like to make changes, please feel free to reach out privately to @chanthaboune or other co-maintainers.

Open Floor

There was an ask by @afragen to have a committer review https://core.trac.wordpress.org/ticket/46938. He also reminded us that committers are not the only ones with valuable feedback. Please direct any thoughts about the issue to the ticket, even if you are not one. 🙂

#5-3, #5-2, #5-2-1, #devchat, #summary

Dev Chat Agenda: May 22

Below is the agenda for the weekly devchat meeting on Wednesday, May 22, 2019, 2000 UTC.

  • Announcements
  • 5.2.1 Debrief
  • 5.2.2 Planning
    • Call for release leads
  • 5.3
  • Calls from component maintainers
  • Open Floor

If you have anything to propose for the agenda or specific items related to those listed above, please leave a comment below.

This meeting is held in the #core channel in the Making WordPress Slack.

#agenda, #devchat

#5-3, #5-2, #5-2-1, #core

WordPress 5.2.1-RC2

WordPress 5.2.1-RC2 is now available for testing!

There are two ways to test the newest WordPress 5.2 release candidate: try the WordPress Beta Tester plugin (you’ll want to select the “point release nightlies” option), or you can download the release candidate here (zip).

What’s in this release?

In addition to everything included in RC1, 5.2.1-RC2 fixes 3 issues discovered by those who tested RC1:

  • #47323 prevents a fatal error that occurs when upgrading to 5.2.1 from WordPress < 5.2.
  • #47304 fixes a regression that can affect the accuracy of <lastBuildDate> in feeds.
  • #47312 changes the string used on the About page for 5.2.1 to one that is already translated.

You can browse the full list of changes in 5.2.1 on Trac.

What’s next?

Committers: The dev-reviewed workflow (double committer sign-off) still applies when making any changes to the 5.2 branch.

The official 5.2.1 release is still scheduled for Tuesday, May 21.

Happy testing!

#5-2, #5-2-1, #releases

WordPress 5.2.1-RC1

WordPress 5.2.1-RC1 is now available for testing! But your help is needed to test!

There are two ways to test the WordPress 5.2 release candidate: try the WordPress Beta Tester plugin (you’ll want to select the “point release nightlies” option), or you can download the release candidate here (zip).

What’s in this release?

5.2.1 contains 32 high-priority bug and regression fixes, improvements to the block editor, accessibility, and i18n, and polish for the Site Health feature introduced in 5.2. Here are some changes of note:

  • #47180: An issue typing in the block editor while using a RTL language has been fixed.
  • #47186: A bug causing 32-bit systems to run out of memory when using sodium_compat was fixed.
  • #47189: The “Update your plugins” link in Site Health now links to the correct page in multisite installs.
  • #47185: An issue in wp_delete_file_from_directory() where files were not deleting on Windows systems has been fixed.
  • #47205: A bug was fixed where spaces could not be added in the Classic Editor after pressing shift+enter.
  • #47265: 2 fatal errors on the error protection page when a PHP error was encountered in a drop-in (such as advanced-cache.php) were fixed.
  • #47244: wp_targeted_link_rel() has been improved to prevent instances where single and double quotation marks were incorrectly staggered.
  • #47169: PHP/MySQL minimum version requirement checks now return proper error codes when requirements are not met in test environments.
  • #47177: The backwards compatibility of get_search_form() was improved.
  • #47297: The accuracy of the HTTP requests test in Site Health was improved.
  • #47229: TinyMCE has been updated to version 4.9.4.

You can browse the full list of changes on Trac.

What’s next?

Committers: The dev-reviewed workflow (double committer sign-off) should now be enforced when making any changes to the 5.2 branch.

The official 5.2.1 release is scheduled for Tuesday, May 21.

Happy testing!

#5-2, #5-2-1, #releases

Security in 5.2

Post originally written by Scott Arciszewski.

Protection Against Supply-Chain Attacks

Starting with WordPress 5.2, your website will remain secure even if the wordpress.org servers get hacked.

We are now cryptographically signing WordPress updates with a key that is held offline, and your website will verify these signatures before applying updates.

Signature Verification in WordPress 5.2

When your WordPress site installs an automatic update, from version 5.2 onwards it will first check for the existence of an x-content-signature header. If one isn’t provided by our update server, your WordPress site will instead query for a filenamehere.sig file and parse it.

The signatures are calculated using Ed25519 over the SHA384 hash of the file’s contents. The signature is then base64-encoded for safe transport, no matter how it’s delivered.

The signing keys used to release updates are managed by the WordPress.org core development team. The verification key for the initial release of WordPress 5.2 is fRPyrxb/MvVLbdsYi+OOEv4xc+Eqpsj+kkAS6gNOkI0= (expires April 1, 2021).

(For the sake of specificity: Signing key here means Ed25519 secret key, while verification key means Ed25519 public key.)

To verify an update file, your WordPress site will calculate the SHA384 hash of the update file and then verify the Ed25519 signature of this hash. If you’re running PHP 7.1 or older and have not installed the Sodium extension, the signature verification code is provided by sodium compat.

Our signature verification is implemented in the new verify_file_signature() function, inside wp-admin/includes/file.php.
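The check described in this section can be sketched as follows. This is an added example, not the code of verify_file_signature() in WordPress core: the function name example_verify_file_signature() is hypothetical, the signed message is assumed to be the raw binary SHA384 digest, and a throwaway key pair generated on the spot stands in for the offline signing key.

```php
<?php
// Added illustration, not WordPress core code. Names are hypothetical.

/**
 * Verify a detached Ed25519 signature over the SHA-384 digest of a file.
 *
 * @param string   $path             File to check
 * @param string   $signature_b64    Base64 signature (header value or .sig contents)
 * @param string[] $trusted_keys_b64 Base64-encoded Ed25519 verification keys
 * @return bool True only if one trusted key validates the signature
 */
function example_verify_file_signature( $path, $signature_b64, array $trusted_keys_b64 )
{
    $signature = base64_decode( trim($signature_b64), true );
    if ( $signature === false || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES ) {
        return false; // Malformed signature: fail closed
    }

    // Assumption: the signed message is the raw (binary) SHA-384 digest
    $digest = hash_file( 'sha384', $path, true );
    if ( $digest === false ) {
        return false; // Unreadable file: fail closed
    }

    foreach ( $trusted_keys_b64 as $key_b64 ) {
        $key = base64_decode( $key_b64, true );
        if ( $key === false || strlen($key) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES ) {
            continue; // Skip malformed keys instead of passing them to libsodium
        }
        if ( sodium_crypto_sign_verify_detached( $signature, $digest, $key ) ) {
            return true;
        }
    }
    return false;
}

// Constructed demo data: a throwaway key pair and a temporary "update" file
$keypair = sodium_crypto_sign_keypair();
$secret  = sodium_crypto_sign_secretkey( $keypair );
$public  = base64_encode( sodium_crypto_sign_publickey( $keypair ) );

$file = tempnam( sys_get_temp_dir(), 'upd' );
file_put_contents( $file, 'constructed update package contents' );

// Signer side: Ed25519 over the SHA-384 digest, base64-encoded for transport
$sig = base64_encode(
    sodium_crypto_sign_detached( hash_file( 'sha384', $file, true ), $secret )
);

// Verifier side: check the untouched file, then append one byte and check again
$intact = example_verify_file_signature( $file, $sig, array( $public ) );
file_put_contents( $file, 'X', FILE_APPEND );
$tampered = example_verify_file_signature( $file, $sig, array( $public ) );

var_dump( $intact, $tampered );
unlink( $file );
```

Accepting a list of verification keys lets a site carry more than one trusted key at a time, which matters because the key quoted above has an expiry date.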

Modern Cryptography for WordPress Plugins

The inclusion of sodium_compat on WordPress 5.2 means that plugin developers can start to migrate their custom cryptography code away from mcrypt (which was deprecated in PHP 7.1, and removed in PHP 7.2) and towards libsodium.

Example Functions

<?php
/**
 * @param string $message
 * @param string $key
 * @return string
 */
function wp_custom_encrypt( $message, $key )
{
    $nonce = random_bytes(24);
    return base64_encode(
        $nonce . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
            $message,
            $nonce,
            $nonce,
            $key
        )
    );
}

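/**
 * @param string $message Base64-encoded nonce followed by the ciphertext
 * @param string $key
 * @return string|false Plaintext, or false if decoding or authentication fails
 */
function wp_custom_decrypt( $message, $key )
{
    $decoded = base64_decode($message, true);
    // Reject input too short to hold the 24-byte nonce and the 16-byte tag
    if ( $decoded === false || strlen($decoded) < 40 ) {
        return false;
    }
    $nonce = substr($decoded, 0, 24);
    $ciphertext = substr($decoded, 24);
    // The nonce doubles as the additional data, matching wp_custom_encrypt()
    return sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        $ciphertext,
        $nonce,
        $nonce,
        $key
    );
}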

How to Seamlessly and Securely Upgrade your Plugins to Use the New Cryptography APIs

If your plugin uses encryption provided by the abandoned mcrypt extension, there are two strategies for securely migrating your code to use libsodium.

Strategy 1: All Data Decryptable at Run-Time

If you can encrypt/decrypt arbitrary records, the most straightforward thing to do is to use mcrypt_decrypt() to obtain the plaintext, then re-encrypt it using libsodium in one sitting.

Then remove the runtime code for handling mcrypt-encrypted messages.

<?php
// Do this in one sitting
$plaintext = mcrypt_decrypt( $mcryptCipher, $oldKey, $ciphertext, $mode, $iv );
$encrypted = wp_custom_encrypt( $plaintext, $newKey );

Strategy 2: Only Some Data Decryptable at Run-Time

If you can’t decrypt all records at once, the best thing to do is to immediately re-encrypt everything using sodium_crypto_secretbox() and then, at a later time, apply the mcrypt-flavored decryption routine (if it’s still encrypted).

<?php
/**
 * Migrate legacy ciphertext to libsodium
 * 
 * @param string $message
 * @param string $newKey
 * @return string
 */
function wp_migrate_encrypt( $message, $newKey )
{
    return wp_custom_encrypt(
        'legacy:' . base64_encode($message),
        $newKey
    );
}

/**
 * @param string $message
 * @param string $newKey
 * @param string $oldKey
 * @return string 
 */
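function wp_migrate_decrypt( $message, $newKey, $oldKey )
{
    $plaintext = wp_custom_decrypt($message, $newKey);
    // Only look for the marker if the outer libsodium layer decrypted cleanly
    if ( is_string($plaintext) && substr($plaintext, 0, 7) === 'legacy:' ) {
        $decoded = base64_decode( substr($plaintext, 7) );
        if ( is_string($decoded) ) {
            // Now apply your mcrypt-based decryption code.
            // $mcryptCipher, $mode and $iv stand for your plugin's legacy
            // settings; they are not defined in this example.
            $plaintext = mcrypt_decrypt( $mcryptCipher, $oldKey, $decoded, $mode, $iv );

            // Call a re-encrypt routine here
        }
    }
    return $plaintext;
}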

Avoid Opportunistic Upgrades

A common mistake some developers make is to try to do an “opportunistic” upgrade: Only perform the decrypt-then-re-encrypt routine on an as-needed basis. This is a disaster waiting to happen, and there is a lot of historical precedent for this.

Of particular note, Yahoo made this mistake, and as a result, had lots of MD5 password hashing lying around their database when they were breached, even though their active users had long since upgraded to bcrypt.

Detailed technical information about this new security feature, written by Paragon Initiative Enterprises (the cryptography team that developed it), is available here.

#5-2 #dev-notes

5.2 Retrospective

As we finish up one release and start looking forward to the next, I’d like to take the time to let people share their thoughts on how the 5.2 release process went. I have listed three questions I’d like feedback on below.

  • What should WordPress start doing as a part of the development process?
  • What should WordPress stop doing as a part of the development process?
  • What should WordPress continue doing as a part of the development process?

Please share your thoughts in the comments below! Remember when commenting to keep the discussion professional and focused on ways the process of creating WordPress is either already working great or can be improved.

#5-2, #retrospective