David H Nebinger:

Third, regardless what people may believe, CE is really not suitable for direct internet usage. There just aren't enough releases in a quick enough cycle to address security issues.
...
EE is truly the only option for internet options. If you had EE, you could stay at the 6.1 release and get security updates and patches to deal with vulnerabilities.

Are you saying that CE is not fit for purpose?

Yes and no?

The general GAs languish a bit holding security fixes back until the platform stabilizes. Patches can be pulled earlier from the security team site and applied on your own, but you have to track them and keep up to date.

Personally I think EE is a better product for internet facing sites, but admittedly that is my opinion.

If you track the CST site and apply every patch they give you and stay as up to date as possible, you may be okay. If you're lazy or uncommitted, you're asking for trouble, just like the OP who got himself violated.

Are you saying that CE is not fit for purpose?

The community is probably Liferay's most valuable asset as they are testing the software and contributing in other ways to keep the portal in good health.

Here is a strategic issue that need to be addressed such as to give CE users incentives to use the postal software in real life situations. The way I see it is that if there is no community there would be no Liferay portal.

Paul

Hey Paul - when we release CE we believe it to be suitable for production use - otherwise we would not release it. It meets the needs of thousands of external-facing sites. This is a typical commercial open source arrangement and one we wholeheartedly believe in (it's in the company tagline and where the project started - EE didn't even exist until 2008). For companies that want extra professional support, legal protections, etc, they go with EE.

CE is not a "bait and switch" where we put buggy software out there in the hopes you use it, find issues, and are strong-armed into EE. Liferay started and continues to believe in open source and the power of our open source communities - if it did not, I would find a new job.

But as David says, you should not ignore updates from software vendors (Liferay or otherwise). We release a new CE every 6 months with fixes (most notably all security fixes, as well as other issues identified and/or fixed by our community) and in between the official releases our Community Security Team regularly releases patches for CE to fix flaws as we strongly believe in doing our best ethically to keep our software secure and keep production CE sites safe.

Of course Liferay (and every other software package) has bugs, and it's users like you who have found Liferay and use it in the "critical path" of business (i.e. production sites) that help us improve the software so that it is more useful, even for those with little or no money and cannot afford professional support. We love making slides with hundreds of logos of small companies and organizations that use Liferay every day and pay us nothing. It's literally baked into the company's DNA.