
[5.1] TUF-based core updates

Open SniperSister opened this issue 1 year ago • 53 comments

Summary of Changes

This pull request changes the way Joomla retrieves update information for Joomla core.

So far, the information about available updates has been retrieved using an XML file hosted on the Joomla.org CDN. Whatever information was written in that XML file was trusted and there was no way for a Joomla installation to verify that the update XML actually is a legit file distributed by the project.

This makes the project vulnerable to supply chain attacks, where an attacker, once he gains access to the update XML file, might be able to distribute malicious update packages. The already implemented security measure of package hashes is no proper mitigation for that scenario as the package URL and the package hashes are stored in the same XML.

In order to successfully mitigate such attacks, we would like to use "The Update Framework" (short "TUF") in the Joomla core updater. We are not going to introduce the general concepts of TUF in this PR as it's very extensively documented at https://theupdateframework.io/

The main changes in this PR are:

  • Inclusion of the PHP-TUF client
  • Inclusion of new library classes to connect the TUF client with the CMS
  • Addition of a new service provider for the HTTP Factory, which allows us to mock it as a dependency in our unit tests
  • Various changes to the existing Update and Updater classes to add TUF repos as a potential update source next to the existing XML mechanism
  • An additional check in com_joomlaupdate to verify that the package version that shall be installed is actually the package version that users confirmed to install - that fixes an existing bug, where the re-retrieval of update information before the package download might cause a different version to be installed than the version that the user saw on the update information page

Testing Instructions

Preparation steps

  • Apply the patch
  • Update the composer dependencies with composer install
  • Execute the DB changes by navigating to System > Maintenance > Database and hit "Update Structure"

Scenario 1: successful retrieval of a legit core update via TUF

  • Execute the preparation steps above if not done yet
  • Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
  • Navigate to System > Update > Joomla
  • Fetch the available updates by clicking "Check for Updates" in the toolbar
  • Expected Result: Fetching succeeds, Message "Checked for updates.", no update being offered

Scenario 2: blocked retrieval of a malicious core update via TUF

  • Execute the preparation steps above if not done yet
  • Execute the "invalid test metadata" query from the test queries section below using a DB client of your choice
  • Navigate to System > Update > Joomla
  • Fetch the available updates by clicking "Check for Updates" in the toolbar
  • Expected Result: The message "Update not possible because the offered update does not have enough signatures" is shown.

Scenario 3: successful retrieval of a core update via a custom XML server

  • Execute the preparation steps above if not done yet
  • Navigate to System > Update > Joomla, hit "Options"
  • Set the Update Channel to "Custom" and use https://update.joomla.org/core/sts/list_sts.xml as an update URL
  • Hit save & close
  • Fetch the available updates by clicking "Check for Updates" in the toolbar
  • Expected Result: Fetching succeeds, Message "Checked for updates.", no update being offered
  • Switch the Update Channel back to Default

Scenario 4: successful retrieval of an extension update via the existing XML mechanisms

  • Execute the preparation steps above if not done yet
  • Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
  • Install an outdated version of an extension of choice that supports the Joomla updater
  • Fetch and install the extension update
  • Expected result: Fetching succeeds, update can be installed

Scenario 5: reinstall feature is available

  • Execute the preparation steps above if not done yet
  • Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
  • Open the file administrator/components/com_joomlaupdate/src/Model/UpdateModel.php and change line 119 from $updateURL = 'https://update.joomla.org/cms/'; to $updateURL = 'https://update.joomla.org/alpha/';
  • Navigate to System > Update > Joomla
  • Fetch the available updates by clicking "Check for Updates" in the toolbar
  • Fetching succeeds, update to 5.1.100 being offered
  • Modify the stored core update in the #__updates table and change the version from 5.1.100 to 5.1.0-alpha4-dev (or whatever your local 5.1.x version is)
  • Expected: A screen that allows to reinstall the core files is shown:

Screenshot 2024-02-17 at 16 41 22

Scenario 6: Constraint information is available

  • Execute the preparation steps above if not done yet
  • Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
  • Open the file administrator/components/com_joomlaupdate/src/Model/UpdateModel.php and change line 119 from $updateURL = 'https://update.joomla.org/cms/'; to $updateURL = 'https://update.joomla.org/alpha/';
  • Navigate to System > Update > Joomla
  • Fetch the available updates by clicking "Check for Updates" in the toolbar
  • Fetching succeeds, update to 5.1.100 being offered
  • Modify the file libraries/src/Updater/ConstraintChecker.php, line 149, replace if (!$result) { with if (!$result || true) { to simulate a failed php constraint
  • Expected: A screen with information about the failed constraint is shown

Scenario 7: successful installation of a core update

  • Execute the preparation steps above if not done yet
  • Execute the "valid production metadata" query from the test queries section below using a DB client of your choice
  • Open the file administrator/components/com_joomlaupdate/src/Model/UpdateModel.php and change line 119 from $updateURL = 'https://update.joomla.org/cms/'; to $updateURL = 'https://update.joomla.org/alpha/';
  • Navigate to System > Update > Joomla
  • Fetch the available updates by clicking "Check for Updates" in the toolbar
  • Fetching succeeds, update to 5.1.100 being offered
  • Expected result: Update to 5.1.100 can be performed

Test Queries

Valid production metadata - MySQL and MariaDB

DELETE FROM `#__tuf_metadata`;

INSERT INTO `#__tuf_metadata` (`id`, `update_site_id`, `root`, `targets`, `snapshot`, `timestamp`, `mirrors`) VALUES
(1, 1, '{"signed":{"_type":"root","spec_version":"1.0","version":4,"expires":"2025-03-02T16:38:55Z","keys":{"07eb082f367c034a95878687f6648aa76d93652b6ee73e58817053d89af6c44f":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"9b2af2d9b9727227735253d795bd27ea8f0e294a5f3603e822dc5052b44802b9"}},"1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"a18e5ebabc19d5d5984b601a292ece61ba3662ab2d071dc520da5bd4f8948799"}},"2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"cb0a7a131961a20edea051d6dc2b091fb650bd399bd8514adb67b3c60db9f8f9"}},"31dd7c7290d664c9b88c0dead2697175293ea7df81b7f24153a37370fd3901c3":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"589d029a68b470deff1ca16dbf3eea6b5b3fcba0ae7bb52c468abc7fb058b2a2"}},"9e41a9d62d94c6a1c8a304f62c5bd72d84a9f286f27e8327cedeacb09e5156cc":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"6043c8bacc76ac5c9750f45454dd865c6ca1fc57d69e14cc192cfd420f6a66a9"}},"e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"ad1950e117b29ebe7a38635a2e574123e07571e4f9a011783e053b5f15d2562a"}},"ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"5d451915bc2b93a0e4e4745bc6a8b292d58996d50e0fb66c78c7827152a65879"}}},"roles":{"root":{"keyids":["1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669","2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e"],"threshold":1},"snapshot":{"keyids":["07eb082f367c034a95
878687f6648aa76d93652b6ee73e58817053d89af6c44f","2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e","ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e","e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b"],"threshold":1},"targets":{"keyids":["31dd7c7290d664c9b88c0dead2697175293ea7df81b7f24153a37370fd3901c3","ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e","e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b"],"threshold":1},"timestamp":{"keyids":["9e41a9d62d94c6a1c8a304f62c5bd72d84a9f286f27e8327cedeacb09e5156cc"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669","sig":"1c8060aab4c5290dc398199d8f124701bd3f7d3fb47d688e3e61d20eeb90d6e387556ce680ba8db9b99f15332df64da349a03344f50ab4f1fe491efdf88f170c"}]}', NULL, NULL, NULL, NULL);

Valid production metadata - PostgreSQL

DELETE FROM "#__tuf_metadata";

INSERT INTO "#__tuf_metadata" ("id", "update_site_id", "root", "targets", "snapshot", "timestamp", "mirrors") VALUES
(1, 1, '{"signed":{"_type":"root","spec_version":"1.0","version":4,"expires":"2025-03-02T16:38:55Z","keys":{"07eb082f367c034a95878687f6648aa76d93652b6ee73e58817053d89af6c44f":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"9b2af2d9b9727227735253d795bd27ea8f0e294a5f3603e822dc5052b44802b9"}},"1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"a18e5ebabc19d5d5984b601a292ece61ba3662ab2d071dc520da5bd4f8948799"}},"2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"cb0a7a131961a20edea051d6dc2b091fb650bd399bd8514adb67b3c60db9f8f9"}},"31dd7c7290d664c9b88c0dead2697175293ea7df81b7f24153a37370fd3901c3":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"589d029a68b470deff1ca16dbf3eea6b5b3fcba0ae7bb52c468abc7fb058b2a2"}},"9e41a9d62d94c6a1c8a304f62c5bd72d84a9f286f27e8327cedeacb09e5156cc":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"6043c8bacc76ac5c9750f45454dd865c6ca1fc57d69e14cc192cfd420f6a66a9"}},"e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"ad1950e117b29ebe7a38635a2e574123e07571e4f9a011783e053b5f15d2562a"}},"ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"5d451915bc2b93a0e4e4745bc6a8b292d58996d50e0fb66c78c7827152a65879"}}},"roles":{"root":{"keyids":["1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669","2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e"],"threshold":1},"snapshot":{"keyids":["07eb082f367c034a95
878687f6648aa76d93652b6ee73e58817053d89af6c44f","2dcaf3d0e552f150792f7c636d45429246dcfa34ac35b46a44f5c87cd17d457e","ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e","e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b"],"threshold":1},"targets":{"keyids":["31dd7c7290d664c9b88c0dead2697175293ea7df81b7f24153a37370fd3901c3","ecc851a051c8d6439331ff0a37c7727321fc39896a34f950f73638b8a7cb472e","e2229942b0fc1e6d7f82adf258e5bdadac10046d1470b7ec459c9eb4e076026b"],"threshold":1},"timestamp":{"keyids":["9e41a9d62d94c6a1c8a304f62c5bd72d84a9f286f27e8327cedeacb09e5156cc"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"1b1b1dd55b2c1c7258714cf1c1ae06f23e4607b28c762d016a9d81c48ffe5669","sig":"1c8060aab4c5290dc398199d8f124701bd3f7d3fb47d688e3e61d20eeb90d6e387556ce680ba8db9b99f15332df64da349a03344f50ab4f1fe491efdf88f170c"}]}', NULL, NULL, NULL, NULL);

Invalid test metadata - MySQL and MariaDB

DELETE FROM `#__tuf_metadata`;

INSERT INTO `#__tuf_metadata` (`id`, `update_site_id`, `root`, `targets`, `snapshot`, `timestamp`, `mirrors`) VALUES
(1, 1, '{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"2028-12-06T15:31:52Z","keys":{"1689c5951cfc8a8cb4e3535c6ddc3f8d5c66e2effd4b7aae3506995f145da2a0":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"71c24873013b6f21aca791f45dcd9ddb5842a97bf72ac73c211742c2659a97ff"}},"696a7598c714e545bb8a3a4248d82bf4c66486d142e226c1e06601a14f4d939a":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"9fac963aac4e14f948a7c2d6b3fa2232f6cb5a08bf6a8b6100bc6e68b0683c1c"}},"70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"d08225342af7a8075bf210bd62154567140a8e14d824743e58b8e7e64ee8ad0b"}},"92933ea840e57ad3db67c748d1a309c4a7d8be3f70d8bbbd3cff9c4cca3bcf7b":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"8d70ac7574e64f209bff3d7c1d8b8ab6e34cf4419dd09f0d222354dceee986d7"}},"f9854d7c61e9413f4d83678be7d50310cc9e062027746d8936ba4736e75224e9":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"b7a3d08989b5885d78e93425daacf3a71b0e190759e1a8633aa41bdb3ec3cd97"}}},"roles":{"root":{"keyids":["70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750"],"threshold":1},"snapshot":{"keyids":["f9854d7c61e9413f4d83678be7d50310cc9e062027746d8936ba4736e75224e9"],"threshold":1},"targets":{"keyids":["696a7598c714e545bb8a3a4248d82bf4c66486d142e226c1e06601a14f4d939a"],"threshold":1},"timestamp":{"keyids":["1689c5951cfc8a8cb4e3535c6ddc3f8d5c66e2effd4b7aae3506995f145da2a0","92933ea840e57ad3db67c748d1a309c4a7d8be3f70d8bbbd3cff9c4cca3bcf7b"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750","sig":"52f8de5d8c0ac8c532a4e3c274b3e22cd2dca57a9f5d4094ccc1ded9966fb7064acc589ad564ba
7ba04f7dfb42d8ccb803811b73551c60df4f9996c116967e00"}]}', NULL, NULL, NULL, NULL);

Invalid test metadata - PostgreSQL

DELETE FROM "#__tuf_metadata";

INSERT INTO "#__tuf_metadata" ("id", "update_site_id", "root", "targets", "snapshot", "timestamp", "mirrors") VALUES
(1, 1, '{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"2028-12-06T15:31:52Z","keys":{"1689c5951cfc8a8cb4e3535c6ddc3f8d5c66e2effd4b7aae3506995f145da2a0":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"71c24873013b6f21aca791f45dcd9ddb5842a97bf72ac73c211742c2659a97ff"}},"696a7598c714e545bb8a3a4248d82bf4c66486d142e226c1e06601a14f4d939a":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"9fac963aac4e14f948a7c2d6b3fa2232f6cb5a08bf6a8b6100bc6e68b0683c1c"}},"70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"d08225342af7a8075bf210bd62154567140a8e14d824743e58b8e7e64ee8ad0b"}},"92933ea840e57ad3db67c748d1a309c4a7d8be3f70d8bbbd3cff9c4cca3bcf7b":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"8d70ac7574e64f209bff3d7c1d8b8ab6e34cf4419dd09f0d222354dceee986d7"}},"f9854d7c61e9413f4d83678be7d50310cc9e062027746d8936ba4736e75224e9":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"b7a3d08989b5885d78e93425daacf3a71b0e190759e1a8633aa41bdb3ec3cd97"}}},"roles":{"root":{"keyids":["70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750"],"threshold":1},"snapshot":{"keyids":["f9854d7c61e9413f4d83678be7d50310cc9e062027746d8936ba4736e75224e9"],"threshold":1},"targets":{"keyids":["696a7598c714e545bb8a3a4248d82bf4c66486d142e226c1e06601a14f4d939a"],"threshold":1},"timestamp":{"keyids":["1689c5951cfc8a8cb4e3535c6ddc3f8d5c66e2effd4b7aae3506995f145da2a0","92933ea840e57ad3db67c748d1a309c4a7d8be3f70d8bbbd3cff9c4cca3bcf7b"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"70c4fb4ffe87b8d75559092c75bc038d587790bf2ecb9d8d6c6c0fae6705c750","sig":"52f8de5d8c0ac8c532a4e3c274b3e22cd2dca57a9f5d4094ccc1ded9966fb7064acc589ad564ba
7ba04f7dfb42d8ccb803811b73551c60df4f9996c116967e00"}]}', NULL, NULL, NULL, NULL);

Link to documentations

Please select:

  • [x] No documentation changes for docs.joomla.org needed
  • [x] No documentation changes for manual.joomla.org needed
  • [x] Link to internal documentation: https://internal.joomla.org/docs/production/update/infrastructure/expired-metadata

Kudos

This is not my personal work, a ton of people helped create this feature and I would like to thank Harald, Benjamin, Niels, Martina, Hannes, Magnus, Tobias, Franciska, Timo, Stefan and Elias for their time and contributions!

SniperSister avatar Feb 12 '24 12:02 SniperSister
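
The check behind Scenario 2's "does not have enough signatures" message, as an added PHP sketch that is not code from this PR or from PHP-TUF: a hash stored next to the package URL can be swapped along with it, while a signature is only counted if it verifies under a key that the locally stored root authorizes for the role. The function names, the simplified canonicalization and key-ID derivation, and the target file name are assumptions; it needs PHP 8.1+ with the bundled sodium extension.

```php
<?php
// Added illustration, not Joomla or PHP-TUF code; keys and metadata are constructed at run time.
declare(strict_types=1);
// Simplified canonical form (assumption): sort object keys recursively, then JSON-encode.
function canonicalize(array $data): string
{
    $sort = function (array &$node) use (&$sort): void {
        if (!array_is_list($node)) { ksort($node, SORT_STRING); }
        foreach ($node as &$child) {
            if (is_array($child)) {
                $sort($child);
            }
        }
    };
    $sort($data);
    return json_encode($data, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

function makeKey(): array
{
    $pair = sodium_crypto_sign_keypair();
    $pub  = sodium_crypto_sign_publickey($pair);
    return ['keyid' => hash('sha256', $pub), 'public' => sodium_bin2hex($pub),
            'secret' => sodium_crypto_sign_secretkey($pair)]; // keyid derivation is simplified
}

function signMetadata(array $signed, array $key): array
{
    $sig = sodium_crypto_sign_detached(canonicalize($signed), $key['secret']);
    return ['signed' => $signed,
            'signatures' => [['keyid' => $key['keyid'], 'sig' => sodium_bin2hex($sig)]]];
}

// Count distinct keys that the trusted root authorizes for $role and whose signature verifies.
function countValidSignatures(array $trustedRoot, string $role, array $metadata): int
{
    $authorized = $trustedRoot['signed']['roles'][$role]['keyids'];
    $payload    = canonicalize($metadata['signed']);
    $valid      = [];
    foreach ($metadata['signatures'] as $entry) {
        $keyid  = $entry['keyid'];
        $pubHex = $trustedRoot['signed']['keys'][$keyid]['keyval']['public'] ?? null;
        if ($pubHex === null || !in_array($keyid, $authorized, true)) {
            continue; // key unknown to the stored root, or not allowed to sign this role
        }
        try {
            $sig = sodium_hex2bin($entry['sig']);
            $ok  = sodium_crypto_sign_verify_detached($sig, $payload, sodium_hex2bin($pubHex));
        } catch (SodiumException $e) {
            $ok = false; // malformed hex or wrong signature length
        }
        if ($ok) {
            $valid[$keyid] = true; // keyed by ID so one key cannot be counted twice
        }
    }
    return count($valid);
}

function checkUpdate(array $trustedRoot, array $targets): string
{
    $threshold = $trustedRoot['signed']['roles']['targets']['threshold'];
    return countValidSignatures($trustedRoot, 'targets', $targets) >= $threshold
        ? 'accepted' : 'rejected: not enough signatures';
}

$targetsKey  = makeKey();
$trustedRoot = ['signed' => ['_type' => 'root',
    'keys'  => [$targetsKey['keyid'] => ['keytype' => 'ed25519', 'keyval' => ['public' => $targetsKey['public']]]],
    'roles' => ['targets' => ['keyids' => [$targetsKey['keyid']], 'threshold' => 1]]]];
$file  = 'example-update.zip'; // constructed target name
$legit = signMetadata(['_type' => 'targets', 'version' => 1, 'targets' => [
    $file => ['length' => 1024, 'hashes' => ['sha512' => str_repeat('ab', 64)]]]], $targetsKey);
$tampered = $legit; // hash swapped in place, original signature kept
$tampered['signed']['targets'][$file]['hashes']['sha512'] = str_repeat('cd', 64);
$resigned = signMetadata($tampered['signed'], makeKey()); // signed by a key the root does not list
foreach (['legit' => $legit, 'tampered' => $tampered, 're-signed' => $resigned] as $name => $meta) {
    printf("%-10s %s\n", $name, checkUpdate($trustedRoot, $meta));
}
```

Only the untouched metadata reaches the threshold; the edited copy and the copy re-signed with an unlisted key both count zero valid signatures.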

Execute the DB changes by navigating to System > Maintenance > Database and hit "Update Structure"

@SniperSister This will only execute the DDL (data definition language) statements, i.e. here the CREATE TABLE, but not the DML (data manipulation language) statements, here the INSERT and UPDATE statements of the 5.1.0-2023-12-09.sql script. Therefore the later UPDATE statement in your testing instructions will not find any record for updating.

A better way to apply the PR is to use the update package created by Drone (or the custom update URL of that). In this way the complete 5.1.0-2023-12-09.sql script will be run and not only the DDL.

richard67 avatar Feb 12 '24 13:02 richard67

Execute the DB changes by navigating to System > Maintenance > Database and hit "Update Structure"

@SniperSister This will only execute the DDL (data definition language) statements, i.e. here the CREATE TABLE, but not the DML (data manipulation language) statements, here the INSERT and UPDATE statements of the 5.1.0-2023-12-09.sql script. Therefore the later UPDATE statement in your testing instructions will not find any record for updating.

I've updated the PR description accordingly to use INSERT statements

SniperSister avatar Feb 12 '24 13:02 SniperSister

@SniperSister As the newest update SQL in the 5.1-dev branch is "5.1.0-2024-01-04.sql", the files "5.1.0-2023-12-09.sql" in this PR need to be renamed to something newer, e.g. to "5.1.0-2024-02-12.sql", otherwise they won't run when updating a 5.1.0-alpha version.

richard67 avatar Feb 12 '24 17:02 richard67

Scenario 1

Expected

Currently no update available.

Actual

Check if an update is available.

Scenario 2

Expected

Update not possible because the offered update does not have enough signatures

Actual

Check if an update is available.

Scenario 3

Expected

Currently no update available.

Actual

Check if an update is available.

brianteeman avatar Feb 12 '24 19:02 brianteeman

I have tested this item :red_circle: unsuccessfully on 5585d3276e8809d32cd10c0545d02c1259b1e9f8


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/42799.

brianteeman avatar Feb 12 '24 19:02 brianteeman

anyway not a pr for a minor release if we still follow SEMver

alikon avatar Feb 12 '24 19:02 alikon

anyway not a pr for a minor release if we still follow SEMver

Why? It adds a new feature, the existing behavior remains unchanged.

SniperSister avatar Feb 13 '24 07:02 SniperSister

@brianteeman thanks for testing! I've updated the test instructions to make the expected results more clear and also fixed the "invalid metadata" query in the description.

SniperSister avatar Feb 13 '24 07:02 SniperSister

Scenario 1

Before PR

image

With PR

image

Comment

Losing the text change is not a good change and losing the ability to reinstall

brianteeman avatar Feb 13 '24 08:02 brianteeman

Scenario 2

image

PHP Version 8.1.10 Web Server Apache/2.4.54 (Win64) OpenSSL/1.1.1q PHP/8.1.10

brianteeman avatar Feb 13 '24 08:02 brianteeman

@brianteeman the notice in scenario 2 has been fixed.

Regarding scenario 1: I'm unable to reproduce the original screen in a vanilla 5.1-dev environment. Any hints? What updateserver is configured?

SniperSister avatar Feb 13 '24 09:02 SniperSister

@SniperSister What will be shown when there is a valid update available but the server doesn’t meet the target version’s requirements for the PHP or database version? Does it show that, or does it just show up that no update was found? I had made PR #42489 for that.

richard67 avatar Feb 13 '24 09:02 richard67

Regarding scenario 1: I'm unable to reproduce the original screen in a vanilla 5.1-dev environment. Any hints? What updateserver is configured?

This is the basic core functionality as created by @bembelimen here https://github.com/joomla/joomla-cms/pull/34754

Without it we lose the ability to reupload the same version and to have useful messages

brianteeman avatar Feb 13 '24 09:02 brianteeman

This is the basic core functionality as created by @bembelimen here https://github.com/joomla/joomla-cms/pull/34754

I'm not questioning that this is useful, I'm just wondering how you are able to reproduce the screen with a vanilla 5.1-dev installation as the current update servers don't offer an update matching the current dev branch and therefore the screen in question can't be generated.

SniperSister avatar Feb 13 '24 10:02 SniperSister

~Not doing anything special. Clean checkout of 5.1 branch. It's the same behaviour on a live install of 5.0.2~

No ideas as I don't see it now

brianteeman avatar Feb 13 '24 10:02 brianteeman

No ideas as I don't see it now

Ok, that matches my result! Will look into it with @bembelimen

SniperSister avatar Feb 13 '24 10:02 SniperSister

@richard67 @brianteeman I've added test scenarios addressing the two cases that you have mentioned.

SniperSister avatar Feb 17 '24 16:02 SniperSister

Checking for constraints and providing to the user works now. image

Showing update but local failure works too: image

After repairing the database the update shows the ready for update screen image

HLeithner avatar Feb 18 '24 22:02 HLeithner

scenario 1 : when patch applied : error : The file marked for modification does not exist: composer.json i can not patch image

web54 avatar Feb 24 '24 11:02 web54

scenario 1 : when patch applied : error : The file marked for modification does not exist: composer.json i can not patch

@web54 The PR has a conflict which needs to be resolved first. In addition, it might be that it's not possible to test it with the Patchtester component. It might need to use the update packages or custom update URL provided with the Download link at the bottom of this PR. But please wait with testing until GitHub doesn't show the conflicting files anymore at the bottom of the PR. Anyway thanks for your testing attempt.

richard67 avatar Feb 24 '24 12:02 richard67

@SniperSister Shall I resolve the conflicts or will you do?

richard67 avatar Feb 24 '24 12:02 richard67

@SniperSister ~~I think you've resolved the conflict in the model in the wrong way. You have reverted the changes from PR #42603 where the code comments for cases of switch statements were moved and where a default case was added.~~

Update: False alarm, all ok.

richard67 avatar Feb 24 '24 12:02 richard67

I have tested this item :white_check_mark: successfully on 5585d3276e8809d32cd10c0545d02c1259b1e9f8

Thank you very much for your great effort! Tested on a Windows machine with php 8.1.13.

All described scenarios were successfully tested. After scenario 7 when the update was fully run through I get a php error stating that Resource 'Joomla\CMS\Http\HttpFactoryInterface' has not been registered with the container. But this shouldn't be caused by this PR. So I mark this as successful.



Elfangor93 avatar Feb 24 '24 13:02 Elfangor93

After scenario 7 when the update was fully run through I get a php error stating that Resource 'Joomla\CMS\Http\HttpFactoryInterface' has not been registered with the container.

That's indeed not related to the actual PR but to the fact that the 5.1.100 release is an older 5.1.x package which causes incompatibilities AFTER the update has been applied successfully.

SniperSister avatar Feb 24 '24 14:02 SniperSister

@SniperSister It needs to rename the update SQL scripts from "5.1.0-2023-12-09.sql" to something newer than "5.1.0-2024-02-10.sql" as that is the newest one in the current 5.1-dev branch. Otherwise your scripts will not run when updating from 5.1.0-alpha4 to beta1. I suggest to use "5.1.0-2024-02-24.sql".

richard67 avatar Feb 24 '24 14:02 richard67

I have tested this item :white_check_mark: successfully on 5585d3276e8809d32cd10c0545d02c1259b1e9f8

Tested all 7 scenarios successfully with php 8.2 and MariaDB 10.11



degobbis avatar Feb 24 '24 14:02 degobbis

Done @richard67

SniperSister avatar Feb 24 '24 14:02 SniperSister

After the renaming of the update SQL scripts I've restored the previous test results as that change did not have any impact on the test result. But it would be good to get one test in addition which tests updating from 5.1.0-alpha4 or any older version down to 4.4.3 just to make sure we don't have any mistake in the update SQL.

richard67 avatar Feb 24 '24 14:02 richard67

Tested all the scenarios works as described but in PHP error logs, there are error messages below (I'm unsure if this is related to the change from this PR)

[24-Feb-2024 14:17:14 UTC] PHP Deprecated: Creation of dynamic property Joomla\CMS\Updater\Update::$jversion.full is deprecated in [ROOT]\libraries\src\Object\LegacyPropertyManagementTrait.php on line 135

[24-Feb-2024 14:17:15 UTC] PHP Deprecated: Creation of dynamic property Joomla\CMS\Updater\Update::$folder is deprecated in [ROOT]\libraries\src\Updater\Update.php on line 475

joomdonation avatar Feb 24 '24 14:02 joomdonation

@joomdonation both notices are unrelated to this PR

SniperSister avatar Feb 24 '24 14:02 SniperSister