
Upgrade Matomo to latest upstream
Closed, Resolved | Public


We shouldn't lag too much behind upstream: a lot of security fixes are always added, and it is exposed to the Internet (even if behind CAS).

Event Timeline

razzi triaged this task as Medium priority.
razzi edited projects, added Analytics-Clusters; removed Analytics.
Ottomata updated the task description.
Ottomata added a subscriber: BTullis.
BTullis added a subscriber: RKemper.

Today Razzi and I looked into this. We upgraded to Matomo 3.14.1. However, Matomo is not maintaining Debian packages anymore beyond 3.14.1.

It'd likely be good to upgrade to Matomo 4+, but that will be more work than we are currently able to put towards it. We'll discuss as a team what to do. Resolving this task for now.

I think that we should open a separate task to fork in a separate Gerrit repo and try to upgrade to 4.x in the future. Upstream often advertises medium to high security vulnerabilities (we are protected by CAS but it is still a UI in our network exposed to the public, etc.) and it is really easy to forget about checking Matomo every now and then (I've done it in the past multiple times :D).

It would be a good Debian exercise for @razzi or anybody else that wants to work on packaging, and I can help in case DE is busy with other projects.