The Joomla 3.10.999 Project

Like it or not, agree or not, Joomla 3 series is now end of life, and in August 2023 will become end of support – this means that up until that date the Joomla Project “may” release a new version (Joomla 3.10.12) if a security issue is discovered of such magnitude that they believe it would be wise to update the world. It rarely happens.

As has happened for every major series that has hit its end of life, Phil Taylor has published, maintained and still maintains a project called the dot 999 version – effectively the very latest code from the latest release in the supported series, with any security patches required to keep your site secure, following the end of life/end of support dates of the Joomla series.

Most of these are community supplied patches that Phil himself worked on and are some of the most trusted projects, along with the community hosted mirror (goes back to Mambo days!) and core files service (Contains every single Joomla file ever released in an official release by the Joomla Project!)

The existing projects for Joomla 1.5.999 and Joomla 2.5.999 can be found at GitHub, the new Joomla 3.10.999 project is there too:

These projects are for reference only, and are to document and record the recommended (by Phil) changes to keep the sites MINIMALLY secure until you can upgrade.

They were and are never expected to be complete, fully forward compatible, kept up to date with the latest PHP versions released etc. There are no “custom update servers” to use these projects, they are provided as-is for grabbing the bits you need.

Let me be clear: The best way to keep your site up to date is NOT to use these projects, but to MIGRATE to Joomla 4 (the latest series of Joomla.)

Would you prefer to PAY for this kind of information?

The Joomla Project, for whatever reasons, despite telling the world that Joomla will be end of support in August 2023, has published a RFP (Basically asking the world to submit a tender) to provide another 18 months of “official” support for Joomla 3.

They are basically looking for a 3rd Party to undertake 18 months of providing ZERO to INFINITY number of security releases, with the only compensation to be made from a percentage of sales of subscriptions.

This could also mean that a user of Joomla 3 could “subscribe” and get ZERO to INFINITY releases as part of their subscription

This is also hugely mixed messaging at this point – after nearly 5 years of telling people Joomla 3 was coming to an end, the official project is trying to push the date by another 18 month – despite Toxic Teeman recently blasting community members for even raising this point (classic example of the toxicity of the Joomla Project)

And then the PRESIDENT OF OPEN SOURCE MATTERS, the top position in Joomla clearly stating, literally a month before this RFP:

That’s said and with knowing that in August Joomla 3 sites are not magically don’t work anymore we don’t want to extend the support for Joomla3.

Robert Deutz –

But now magically a month later the Joomla Project DOES want to extend the support – fully that.

History for Joomla 1 gave us just ONE and Joomla 2 gave us only TWO security issues after end of life – how much would you PAY to subscribe for only TWO releases? Not enough to make this commercially exciting for a 3rd Party Vendor they are seeking I bet. Especially as the information is available for free from other means.

Read the full proposal here

Let me make this clear: We shall not be applying. We shall be providing, as we have always done, the Joomla 3.10.999 project.

Extending end of life support is a bad idea, the line in the sand, the cut off has already been communicated for years – adding another 18 months on a “paid subscription basis” is plain wrong. If this had been proposed several years ago then it would have been more palatable.

The time to move your site to Joomla 4 is NOW (in fact you should have done it already!)

Some other issues I have with this RFP:

  1. 🚩The successful vendor is locked into a contract to provide security update packages for 18 months – even if there are no paid subscribers, thus no income to the vendor.
  2. 🚩The vendor needs to sell subscriptions to generate income – and a commission of that has to be paid back to the Joomla Project. There are no details on the split, and if the commission is on revenue or profit.
  3. 🚩There is no detail on the subscriptions. For example is it monthly/yearly/18 monthly? What if all the subscribers cancel after 8 months as they migrated to Joomla 4, the vendor is still legally required to provide the service for the full 18 months – at a loss.
  4. 🚩The vendor has to deal with taxes, accountancy, refunds, complaints, issues etc
  5. 🚩The contract prevents the vendor from adding any new features – this is a violation of the freedoms of the GPL License.
  6. 🚩The contract prevents the vendor from only releasing security releases – this is a violation of the freedoms of the GPL License.
  7. 🚩The contract prevents the vendor from releasing any new minor version – so what are the releases going to be called? Joomla 3.10.11+1 ?
  8. 🚩The contract commits the vendor to back port the Joomla 4 API into Joomla 3 – WTF! that in itself should be a red flag! Basically if Joomla 4 decides to change something, the vendor is bound by contract to make changes in Joomla 3 (but remember, they are also bound to NOT release a new minor version and only to make security releases… so catch 22 which puts them in violation of the terms of the agreement whichever way they choose!)
  9. 🚩”The awarded vendor shall not create a fork of Joomla” – this is a violation of the freedoms of the GPL License.
  10. 🚩Not to “continue to provide updates after the contract expiration date” – so despite having the most in-depth technical knowledge in the world over the 18 month period – the contract forbids you forever from providing any further updates/support after the contract end… so you have to just “forget” you care about the project and legally be not entitled to help others.
  11. 🚩I dont have a problem with people paying for subscriptions (duh) and other projects do this kind of thing, however Joomla has gone about this the wrong way as always.
  12. 🚩There is no details on what the current Joomla Security Strike Team will provide – will a security researcher tell the official project about a security issue only for the JSST to say “Thats Joomla 3 and not within our remit, report it to this other company” – and then expect the 3rd party company to research, identify, design a fix AND THEN RELEASE that patch? Or will the JSST be doing all the hard work and just passing the patch to be released on to the successful bidder? Who do you trust to ultimately research reported security issues?!

Furthermore, the application process is only open to those that have proven Joomla development experience, with proven experience in contributing to the Joomla Core Development – so really its not an open process, and is limited to a select few individuals – so the RFP is not really a transparent process, its a smoke screen, because the only people qualified to apply are limited.

Edit: Of course Joomla then decides to award this contract to dJumla – the company owned by the head of the Joomla Security Strike Team.. Conflict of interest there for sure eh? Incredible.