Archive for October, 2011

We're funded - Now what?

It’s been two weeks since we announced our recent funding and now it’s time to start talking about what comes next. We are working on an e-commerce analytics product as well as a service for recommendations and mailing lists.

Before we make these products available to all of our users we will be conducting a limited beta test. If you are interested in helping us with the testing please create a Spree account on our website and use the “Request Beta Access” button to submit your request. Currently beta testing is limited to those running Spree 0.60.x or higher.

We’re particularly excited about the analytics product (shown below), which is now ready for beta testing. We’ve been running it for a few days now on the Spree demo store and it’s been working pretty well. We’d like a few more interested people to help with the testing.

Eventually we hope to make the analytics product available on older versions of Spree as well. Of course you’re probably not running a really old version of Spree because you read the recent security announcements.

We’re also working on a very cool recommendations solution for Spree. We’ve partnered with a company that has significant expertise in this area and a “learning algorithm” with a proven track record. If you’re interested in this you should also request beta access now so we can contact you when we’re ready.

Finally, we have two major announcements to make later this week. Stay tuned.

Important Security Updates (Oct. 2011)

Over the past several weeks there have been several important security updates to Rails as well as Spree. The most recent Spree security announcement describes a critical vulnerability that affects all but the very latest versions of Spree. All affected users are advised to upgrade immediately.

We have also implemented a new mechanism to inform Spree developers and store owners of potential security threats before they are announced on the mailing list. We have created an alerts feature that will perform an automated check against your version of Rails and Spree and inform you of any potential security problems. We believe this feature is so important that we’ve gone back and implemented it for previous versions of Spree as well.

Please consult the following list of scenarios to find out what the recommendations are for your particular version of Spree.

Edge/Master

No action required.

0.70.1

No action required.

0.70.0

It is recommended that you update to 0.70.1. There are no known vulnerabilities in 0.70.0, but version 0.70.1 contains the new security alert mechanism to keep you informed of issues in the future.

0.60.3

It is recommended that you update to 0.60.4. There are no security issues with Spree itself, but this version of Spree uses a version of Rails that is considered to be insecure. By updating this version of Spree you will move to the more secure Rails 3.0.10.

0.60.0 – 0.60.2

It is recommended that you update to 0.60.4. These versions of Spree have a critical vulnerability and they are also using insecure versions of Rails.

0.50.0 – 0.50.3

It is recommended that you update to 0.50.4 at a minimum. This will address a critical vulnerability in Spree but will still leave possible issues with the version of Rails. You should consider updating to Spree 0.60.4 which will also address the Rails security issues by updating you to Rails 3.0.10.

0.40.0 – 0.40.3

It is recommended that you update to 0.40.4 at a minimum. This will address a critical vulnerability in Spree but will still leave possible issues with the version of Rails. You should consider updating to Spree 0.60.4 which will also address the Rails security issues by updating you to Rails 3.0.10.

0.30.0 – 0.30.1

It is recommended that you update to 0.30.2 at a minimum. This will address a critical vulnerability in Spree but will still leave possible issues with the version of Rails. You should consider updating to Spree 0.60.4 which will also address the Rails security issues by updating you to Rails 3.0.10.

0.11.0 – 0.11.2

It is recommended that you update to 0.11.3. This will address a critical vulnerability in Spree and will also address issues with older versions of Rails that contain security problems. After upgrading you will be moved to the more secure Rails 2.3.14.

Versions prior to 0.11.0

It is recommended that you update to 0.11.3. This will address the critical Spree vulnerability and move you to the more secure Rails 2.3.14.
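The alerts feature described above compares the installed Rails and Spree versions against known advisories. As an added illustration (this is example code written for this page, not the alert code that ships in Spree 0.70.1), the following stand-alone Ruby script encodes the scenario list above and applies it to an installed version pair. The advisory rows are transcribed from this post; returning :unknown for releases the post does not mention (rather than reporting them as safe), and treating Rails series other than 2.3 and 3.0 as having no data, are design choices of the example. The detail worth copying is the use of Gem::Version for comparison: a plain string comparison would sort 0.9.0 after 0.11.3 and miss an affected store.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement (standard library, no gems needed)

# Lowest Rails patch release this post calls secure, per series. Series not
# listed here (for example 3.1) get no verdict rather than a false "ok".
RAILS_FIXED = { '2.3' => '2.3.14', '3.0' => '3.0.10' }.freeze

# Advisory rows transcribed from the scenario list above:
# [requirement(s) on the installed Spree version, level, upgrade target, note].
# First matching row wins, so exact releases precede the ranges they fall in.
SPREE_ADVISORIES = [
  [['>= 0.70.1'],              :ok,       nil,      'No action required.'],
  [['= 0.70.0'],               :advisory, '0.70.1', 'No known vulnerability; 0.70.1 adds the security alert mechanism.'],
  [['= 0.60.4'],               :ok,       nil,      'Current 0.60.x release, ships Rails 3.0.10.'],
  [['= 0.60.3'],               :rails,    '0.60.4', 'Spree is fine but its Rails is insecure; 0.60.4 moves to Rails 3.0.10.'],
  [['>= 0.60.0', '<= 0.60.2'], :critical, '0.60.4', 'Critical Spree vulnerability and insecure Rails.'],
  [['= 0.50.4'],               :rails,    '0.60.4', 'Spree fix applied; Rails may still have issues.'],
  [['>= 0.50.0', '<= 0.50.3'], :critical, '0.50.4', 'Critical Spree vulnerability; 0.60.4 also fixes Rails.'],
  [['= 0.40.4'],               :rails,    '0.60.4', 'Spree fix applied; Rails may still have issues.'],
  [['>= 0.40.0', '<= 0.40.3'], :critical, '0.40.4', 'Critical Spree vulnerability; 0.60.4 also fixes Rails.'],
  [['= 0.30.2'],               :rails,    '0.60.4', 'Spree fix applied; Rails may still have issues.'],
  [['>= 0.30.0', '<= 0.30.1'], :critical, '0.30.2', 'Critical Spree vulnerability; 0.60.4 also fixes Rails.'],
  [['= 0.11.3'],               :ok,       nil,      'Current 0.11.x release, ships Rails 2.3.14.'],
  [['>= 0.11.0', '<= 0.11.2'], :critical, '0.11.3', 'Critical Spree vulnerability; 0.11.3 moves to Rails 2.3.14.'],
  [['< 0.11.0'],               :critical, '0.11.3', 'Update to 0.11.3.']
].freeze

# Severity ordering used when combining the Spree and Rails verdicts.
LEVEL_ORDER = [:ok, :unknown, :advisory, :rails, :critical].freeze

# Classifies an installed Spree version. Versions are parsed with Gem::Version:
# a plain string comparison would sort "0.9.0" after "0.11.3" and miss it.
def spree_advice(spree_version)
  unless Gem::Version.correct?(spree_version)
    # "edge" or "master" checkouts carry no release number; the post lists them as current.
    return { level: :ok, spree: spree_version, upgrade_to: nil, note: 'No action required (edge/master).' }
  end
  installed = Gem::Version.new(spree_version)
  SPREE_ADVISORIES.each do |reqs, level, target, note|
    next unless Gem::Requirement.new(reqs).satisfied_by?(installed)
    return { level: level, spree: spree_version, upgrade_to: target, note: note }
  end
  { level: :unknown, spree: spree_version, upgrade_to: nil,
    note: 'Release not covered by this advisory; check the mailing list.' }
end

# Checks the Rails release on its own, since several Spree releases are clean
# themselves but bundle a Rails with known security issues.
def rails_advice(rails_version)
  installed = Gem::Version.new(rails_version)
  series = installed.segments[0, 2].join('.')
  fixed = RAILS_FIXED[series]
  return { level: :unknown, rails: rails_version, upgrade_to: nil } unless fixed
  if installed >= Gem::Version.new(fixed)
    { level: :ok, rails: rails_version, upgrade_to: nil }
  else
    { level: :critical, rails: rails_version, upgrade_to: fixed }
  end
end

# Overall verdict for a store: the worse of the two component verdicts.
def check_store(spree_version, rails_version)
  spree = spree_advice(spree_version)
  rails = rails_advice(rails_version)
  worst = [spree[:level], rails[:level]].max_by { |lvl| LEVEL_ORDER.index(lvl) }
  { level: worst, spree: spree, rails: rails }
end

if __FILE__ == $0
  # Constructed sample stores, not real deployments.
  [['0.60.1', '3.0.9'], ['0.60.3', '3.0.9'], ['0.9.0', '2.3.11'], ['master', '3.1.1']].each do |s, r|
    result = check_store(s, r)
    puts "Spree #{s} / Rails #{r}: #{result[:level]} - #{result[:spree][:note]}"
  end
end
```

Run it with `ruby spree_check.rb` (hypothetical file name). Spree 0.60.3 on Rails 3.0.9 comes out as critical even though the Spree row alone is only a Rails-dependency warning, which is the point of checking the two components separately and reporting the worse one.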

Spree 0.70.1 Released

Spree 0.70.1 is now officially released. There are two important changes in this release. The first is a fix to asset precompilation. If you’re running 0.70.0 you’ll want to upgrade, because this results in a performance increase.

The other major change is that we have introduced the concept of security and release alerts. You will now receive a notification in your control panel whenever there is a new release. This feature also allows us to notify you of important security announcements. The alerts can be dismissed once they’re read and you have the option to disable them entirely (not recommended.)

The Security Guide contains more information on alerts. You can also view the Github compare for a complete list of changes in this release.

Spree Commerce Raises $1.5M in Seed Funding

We are happy to announce the formation of our new company, Spree Commerce Inc., which has participated in a $1.5M seed investment round led by True Ventures. Also participating in the round were AOL Ventures and Sean Glass (a local angel).

The Spree project began four years ago with a bold idea and a simple blog post. Over time we received contributions from more than 100 people and Spree was translated into over 30 languages making it one of the most popular open source projects on Github. During this time we also formed Rails Dog, a services company specializing in building highly customized Spree sites.

Rails Dog will continue to provide Spree consulting services but Spree is now ready to take the next step. Spree Commerce Inc. will continue the mission of building the most cutting edge and flexible e-commerce platform possible. We’re also excited about the opportunity we have to introduce Spree to a wider audience as well as to provide the additional services and support that our community has been asking for. We believe the future of e-commerce lies with open source and our new funding will allow us to get there faster. In the coming weeks and months you will hear a lot more about our plans as they unfold.

I’d also like to take a moment to personally address our awesome community, without whom this would not be possible. Spree has always been 100% open source and it will always remain that way. The licensing terms have not changed nor will they do so in the future. The license is intentionally permissive so that anyone can use Spree for personal or commercial use. I’ve been involved in open source software for over 10 years now and I’m beyond convinced that it is the most efficient and rewarding way to create software. Spree has always been about everyone working together and “getting the job done.” There is no reason for that to change now.

Spree began its life as a commercially supported product (via paid consulting) – now we are just getting additional help from investors to accelerate our progress. We are thrilled to be working with True Ventures, who has a long history of open source investments in companies such as Automattic (makers of WordPress) and Puppet Labs. We also have an awesome team of advisors: Dries Buytaert (creator of Drupal), Luke Kanies (creator of Puppet), Tom Preston-Werner (co-founder of Github), and James Lindenbaum (co-founder of Heroku).

We look forward to writing the next chapter of the open source e-commerce story together with you.

Sean Schofield

Founder, CEO
Spree Commerce

Spree 0.70.0 Released

Spree 0.70.0 is now officially released. The most important change with this release is that it is fully compatible with the brand new Rails 3.1.1 release. Please read the release notes for more information on what has changed and how to upgrade from previous versions.

Prior to today’s new release of Rails, there were significant problems with the asset pipeline and other features. These problems were severe enough to cause us to hold off on the new Spree release until they were addressed. Spree 0.70.0 represents another massive release (due mostly to the massive amount of change in Rails itself.) The Github compare shows this release to consist of a total of 356 commits by 36 different contributors and a whopping 1,093 files changed!

Deface Themes

There have been significant improvements to themes, which now rely on Brian Quinn’s awesome deface library. Themes are also now available as engines, which means they can be more easily shared with others. This is just the start of what we have planned for themes in Spree. You can expect more improvements in the near future.

New Extension Generator

This release contains a brand new extension generator. Once you’ve installed the new Spree gem you can use this generator to create extensions using the following command:

$ spree extension foofah

One of the most important advances in this new generator is that you can now easily run specs for extensions in their own standalone repository. You just need to create a test application (one time only) as a context before running your specs.

$ rake test_app
$ bundle exec rspec spec

Asset Pipeline

One of the most important features of Rails 3.1.x is the asset pipeline. There have been many changes to Spree to support the asset pipeline (which are covered more thoroughly in the release notes.)

Unfortunately some of the Rails 3.1.x changes have introduced significant performance issues when running Spree in development mode. The good news is you can improve performance significantly by using a special precompile task.

$ bundle exec rake assets:precompile RAILS_ENV=development RAILS_ASSETS_NONDIGEST=true

WARNING: Using the precompile rake task in development will prevent changes to asset files from being automatically picked up when you reload the page. You must re-run the precompile task for changes to become available.

Rails also provides the following rake task, which deletes the entire public/assets directory. This can be helpful for clearing out development assets before committing.

$ rake assets:clean

It might also be worthwhile to include the public/assets directory in your .gitignore file.

Spree 0.60.2 Released (Security Fix)

We have just released Spree 0.60.2 which contains an important security fix. A vulnerability exists in the ProductScope class that could allow for unauthenticated remote command execution. To put it simply, you should either upgrade immediately or add your own custom fix based on this commit.

Special thanks to joernchen of Phenoelit for discovering and reporting the problem through the appropriate channel (a private email to security@railsdog.com). Roman Smirnov (aka romul) provided the necessary fix.

The edge code has also been updated to include this fix. There are also a few other minor issues addressed in this release. See the Github compare view for the full details.

We are currently working on an improved solution for handling the reporting of security issues. We will be announcing a new initiative on this front in the near future.

New Website Launched

We’re pleased to announce the launch of our brand new website! It’s been several weeks in the making and last weekend we finally rolled it out to the general public. One of the major changes you’ll likely notice is that we have introduced several new paid products. This represents a great step forward as we can now offer commercial support (which comes included with all hosting plans). Please feel free to use the contact forms on the website if you are interested and have any questions.

Spree will continue to remain 100% open source. We’re just providing support, hosting and payment processing options for those that require them. The members of the Spree core team will also continue to participate in the free “community support” (mailing list, IRC, etc.) but for those that want a higher level of support you now have a new option available to you.

This project is maintained by a core team of developers and is freely available for commercial use under the terms of the New BSD License.

Spree, Spree Commerce and the Spree logo are all trademarks of Spree Commerce, Inc.