As you may be aware by now, in addition to our professional security consulting services, we're developing a secure-by-default content management system called CMS Airship. CMS Airship is a Free Software product (though we do sell commercial licenses if you'd like to use Airship in non-free software; get in touch).
If you weren't aware, these articles will bring you up to speed:
- First beta release announcement and public introduction to CMS Airship
- The Cryptography Powering CMS Airship (password hashing, secure automatic updates)
- CMS Airship v1.0.0 - launch announcement
- On the (in)security of other open source PHP CMS Platforms (WordPress, Drupal, Joomla)
Charting the Course for CMS Airship Version 2
Unless we encounter unexpected delays, CMS Airship
1.5.0 shall both be released on January 6, 2017 -- the first Friday of the year.
These are the planned changes so far:
- The minimum PHP version for CMS Airship 2 will be PHP 7.1.
- We will be upgrading to Halite 3, which simplifies a lot of the cryptography APIs and defaults to Base64Url encoding.
Everything else is a blank slate. There are many feature requests for version 2.0.0 already.
The important thing to keep in mind is that, since we're increasing the major version, backwards compatibility breaks are on the table. If you don't like the way Airship looks or feels, or you think a feature should be implemented completely differently, let's have a discussion about that.
To be clear: Some suggestions (MySQL support) are on hold for technical reasons outside of our control (i.e. no
WITH RECURSIVE support). Some ideas (PHP 5 support, insecure code delivery, plaintext password storage) will be rejected outright due to conflicting with our goals.
But Airship exists to be a secure foundation for developers and companies to build upon. It doesn't make patch management difficult. You'll almost certainly never have to worry about an hours-old vulnerability leading to a data breach. You get all the security and performance benefits of modern cryptography -- including some cryptography protocols of our own design. (If we didn't have the security expertise on staff that we do, that sentence would send shivers down most cryptographers' spines.)
Even if our servers ever get hacked, your Airships will detect and reject any false update packages the criminal uploads. Can any other CMS make the same claim?
The Sky is Only the Beginning
As secure as Airship is, it's not some rigid and unusable monolith that no mere mortal can approach. It supports a flexible and powerful extension system. Any extensions you develop are also delivered securely to your users.
- Want to change the way your Airship looks or feels? Create a Motif.
- Want to create your own application on top of Airship's security? Create your own Cabin.
- Want to alter the behavior of an existing cabin (including the two that come with Airship)? Create a Gadget.
Regardless of the changes that lay in store for version 2, we're confident that CMS Airship is a solid product that developers will love to work with. To that end, we're going to be focusing our efforts in the coming months to developing a few incredibly useful and extensible Gadgets and Cabins. When they're ready for prime time, these Airship extensions will be free and open source.
We'll be making the appropriate announcements in due time. If you want to hear about it first, sign up for our quarterly newsletter.
We offer our sincerest thanks to everyone who has ever reported a bug, sent a patch, or told us how to greatly improve the user interface with a small CSS change over the majority of the past year on the IRC channels our team frequents. No open source software project can survive without a healthy community, and we're happy to be in the company of progressive software developers who believe in our mission to set tomorrow's PHP gold standard.