Hey all,
Thanks for your constructive input. I'd like to respond to several of the points mentioned:
Can someone help me understand why yesterday the GA2 release date on the roadmap page was listed as May 11th and now today it is showing as June 8th?
Is it ever safe to rely on the date listed there?
We have struggled with supplying realistic due dates for this particular release, due to the number of interdependencies between Marketplace, Social Office 2.0, and Liferay Portal. For example, LPS-26321 implements a Java SecurityManager for securing plugins, and has taken some time to implement properly. It's finally done (woo!) and we can press forward with the Liferay release and Marketplace. There are a few more like this. Even prior to this though, we have not always hit our release dates, and this is something we intend to improve by keeping everyone informed about progress with more detail, and better notification when we hit or miss our dates.
The date in JIRA is our target date but it's not set in stone so it is subject to change. We have a lot of dependencies for this release with Marketplace and Social Office. If you need predictability and SLAs then I'd suggest going with EE.
Even with EE subscriptions and the associated SLAs, it won't improve our ability to predict the future. Even if you had an EE subscription today, you still wouldn't have EE GA2 in hand.
So, it's not a tragedy to me now, but, is it possible to share some kind of up-to-date info about the releases (and/or major LR-Related events) to the Community, maybe just via Twitter or something, please?
Hope not appearing offensive about this kind of "Community Communication Enhancement Request" ;-)
There are many community members involved in the production of a release, and they don't always talk to each other, and that is something that must improve. Jorge Ferrer had an excellent idea many months ago -- a releases page that details which releases are current (with associated release notes pointers, upgrade information, etc), and which are "on the drawing board" -- with their current status, which is updated as often as necessary to keep everyone in the loop. That's going to be implemented very soon. I hope to have this in place next week.
My personal opinion is that it's better not to publicize a "target release" date that's going to change. It would be better if a date that is going to change be kept just internally.
I'm one of the people asking for a release date, but it doesn't do me any good to have a date that's going to change so often. It's just better to hear that you haven't really set it yet.
One of the results of the discussions regarding security issues is that we are going to do releases more often (along with associated patches for security issues for CE in the interim, see below). So, rather than one big date for one big release, we get to a point where we consistently do new releases every 3 months or so, at least giving you some amount of predictability.
The release date that was first given as sometime in April may have been a bogus by a marketing team to make users try to use a very buggy 6.1.0 and to switch to purchasing the EE version.
I strongly disagree with that -- we are not out to trick anyone into doing anything. Every single CE release is one that we feel can be used in production *at the time of its release*. We do not have 100% code coverage in our unit and integration tests, but that's very difficult to achieve with a large code base. And as humans, we make mistakes and miss things that we learn from and hopefully never repeat. And it is easy to look back and say that a particular release is too buggy, but that is not and never will be our intention.
I think it's not just me who feels a little bit of disappointment because I believed that the community-involved bug squad and verifier programs were meant to help speed up community releases and I would be able to see and show others the output from the involvement.
Bug Squad was a *huge* help in uncovering usability and functional bugs in 6.1.0, so the team can be proud of its accomplishments in helping improve many of the features and usability aspects of 6.1. With the verifier program, the "output" is not as satisfying, but still results in the community having less bogus bugs to deal with. So those programs do produce fruit, some of it more visible and tasty than others.
While on the subject where is the "fix" for these serious security fixes I was promised
http://seclists.org/bugtraq/2012/May/81
http://seclists.org/bugtraq/2012/Apr/151
http://seclists.org/bugtraq/2012/Apr/149
It's almost criminal to not resolve these issues on the community edition
Liferay, like all other web-oriented software, can never claim to be 100% secure and free of security bugs like those above. Jelmer and others in the community have done an awesome job finding and informing Liferay of its shortcomings, and the community is very appreciative of their work. Liferay's growing popularity means there are more eyes looking at it, more people using it, and more people finding the "dirty laundry" bits. This is what open source is all about, right? In the past, we have relied on new CE releases to fix these issues, but spinning new releases takes a lot of effort on our part, due to the way the product is constructed. While that can and certainly should improve, we are taking steps in the community now by forming a new community security team which will begin creating CE patches for critical security fixes, while at the same time doing new releases more often. Details on this team and its charter will be made shortly.
As far as I am aware the release dates of all previous releases have slipped
As far as I am aware there has never been a new community edition release just to fix a dangerous security vulnerability
As far as I am aware none of the community editions have been production ready.
Assuming that the new GA will somehow make the community edition production ready is just wishful thinking. If you are using Liferay in production you should just get the enterprise edition. This is the message he should be getting across to his manager.
Again, CE is not a "carrot" we dangle in front of prospective customers in the hopes that they try it, like it, find issues, call us, and we hit them up for money. For customers who do not want or need the added benefit of ready to use patches, support SLAs, indemnification, extra features, etc, we want them to use CE in production (and hundreds of thousands do), and we produce CE with that in mind. I, along with the rest of the company and community, want CE to be the best that it can be. CE sites make us no direct revenue, but Liferay has always been about more than revenue and the bottom line. Yes, CE has bugs. So does EE. So does every other piece of non-trivial software. Liferay is committed to producing quality open source software and has built its business around that.
I am thinking more along the lines of backporting fixes to the community edition and doing regular releases. Patches are all nice and dandy but most people just want to be able to download a zip file that works.
That's exactly what the Community Security Team will do, so you're in luck!
As I stated above, I can only conclude that the repeated release date of the CE version is intentional marketing to lure users like you into purchasing an EE subscription.
Again, I strongly disagree with your conclusion. Using marketing as a tool to trick users into buying our software is unethical and strongly goes against all that Liferay stands for.
Unfortunately, I don't think the new release is going to be out in July. I've heard James say the same thing about it becoming available in a few days a few months back.
I think people at liferay.com are going to end up repenting for this sin about this later because people are not that dumb to believe them ever again.
We are experiencing the typical pains of a growing company and project. That's all. It's very common for this to happen, and there is no conspiracy afoot, I can assure you.
Juan, I don't think anybody is really complaining about the time it'll take to implement Marketplace but more about the practice of repeatedly giving a release date and extending it over and over again. If developers at liferay.com really can't project how much resource and time it's going to require to develop a feature, they shouldn't be providing professional service (e.g. setting up and customizing liferay for customers) to customer sites. Why can't liferay.com just say that it's going to be available this fall and if they got some time left over after implementing Marketplace, fix more bugs until the announced release date?
We are going to do better at communicating information about the release cycle of Liferay. Unfortunately, it is difficult sometimes, especially when you have multiple releases depending on each other. In hindsight, that is probably not something we will repeat.
I like the way Artur Signell of Vaadin expressed a release delay like at: https://vaadin.com/blog/-/blogs/vaadin-7-alpha2-delayed: "We do not want to release a semi-broken *versionReferenceHere* that would disappoint most of you so we have taken the liberty of pushing the release date forward until we feel we have a second *versionReferenceHere* version that people can enjoy." Now that is art-ful communication.
With advertised 'anticipated' release dates the likes of Q1, Q2, Q3, Q4 of such and such a year, where if delayed there comes a communication like above - such might help manage expectations.
Yep, that's a very good example. In the past, when we miss a release date, we as a company tend not to communicate, for fear of being wrong again. I think we can do better at informing the community of the current release status, and if there are any delays, a reasonable reason for it. This is something I intend to do going forward.
I understand the dependencies on Social Office, Marketplace, etc. These things happen. However, I see no reason GA2 can't be released without fixing all the dependencies for those products if they're not ready right now. Why not release GA2 on its own and then when SO 2.0 and Marketplace are ready release GA3, GA4 to address the dependencies of those other products?
My 2 cents. I hope we can see some good come from this. If there's any way the community can help with this I would love to hear it. How can we improve communication?
We are learning from this experience, and you all have helped tremendously in this regard. We want the release out as quickly as possible, with the highest possible quality, so the work that you and others are doing in the community to help has been outstanding, and I hope that it continues.
Also, Liferay.com requested the community to help them to find bugs and verify them so the new release will be more bug free and can be released in a shorter time frame. Getting the "prize" is fun, but I'm sure that many community members got involved to see a more bug free software released in a short period of time. Liferay.com made community members "believe" what was untrue - intentional or not.
You've mentioned about Marketplace, but is the request to delay coming from Brian or Jorge or by Paul or Bryan?
The programs in our community certainly do result in less bugs and a shorter release cycle - every release done after bugsquad and the community verifier teams have done their work has had less bugs than if they did not do that work - so for that, everyone that was involved in those programs should be proud of the work they did and continue to do. We hold as a value and goal the ability to keep our release dates, regardless of CE or EE. No one is "requesting" that there be a delay -- we want the release out as quickly as possible, and with quality, but we will slip the date in order to meet that goal. What we have not done a good job at is communicating to you when a slippage occurs, and the reasons for it.
How conspiracy theories get started and rumors so ugly projects never recover from them start flying. If it can't be secured it's not even worth poking with a stick much less installing. Marketing may not understand that major security issues are the sort of thing that make people buy Sharepoint instead, just makes the entire product line look really, really bad. The company would probably be better served to kill off CE than release it like that.
Liferay is committed to producing secure products (both CE and EE), and we are taking steps to improve this even more through the newly formed Community Security Team. The "tl;dr" of this is that the team will make security patches for CE, keep the community informed of newly discovered vulnerabilities (and their workarounds and fixes), help to do more "full" CE releases more often, and educate developers internally and externally how to prevent such bugs in the first place.
In summary, we do not ever intend for CE to be a watered-down version of Liferay in the hopes that it results in an EE sale. The community should be proud of the innovations it has consistently driven into the project. Delays in releases are challenges that many growing companies face, and are never purposely done in order to drive sales of a "good" version, and such delays must be better communicated. We are serious about security, and are taking steps to improve this as stated earlier. I believe we can see the light at the end of the GA2 tunnel now, and my hope is that going forward the improvements will be dramatic and obvious, and you will continue to contribute to and champion Liferay and its benefits.