Upgrade Button - Possible Window to Exploits

(Omni) #1

I’m sure that many of you recently received an e-mail stating:

A new version of Discourse is available.

Your version: 1.0.0
New version: 1.0.1

I went to upgrade and wound up with this:

Version 1.1.0.beta1 1.1.0.beta1 :slight_smile: Looks like you upgraded recently. Fantastic!

Yes, I understand that there are ways to upgrade manually, but I firmly believe that the simple 1-click upgrade button should not install an unstable version of Discourse.

If anything, there should be an option to install the latest stable and latest unstable version.
Either that, or the button should simply avoid the beta release altogether.

(cpradio) #2

Um… you have that ability. If you are seeing 1.1.0.beta1 you are subscribed to the tests-passed branch and not the stable branch.

(Omni) #3

Thanks for the valuable information.

The install came from the Official Discourse Docker Image.
I’m now curious as to why this image has defaulted to subscribe to the tests-passed branch.

(Jeff Atwood) #4

That is what we believe most people should be on.

Our tests-passed builds are quite stable; you’re using the latest one right now.

(Sam Saffron) #5

This is complicated from the web UI for a couple of reasons:

  1. You cannot move back to “stable” after being on “tests-passed” until the next major release.
  2. The web runs in the container; it would have to reach out of the container to make that change.

What we can do is link to all this information from the web UI so people are not surprised.