- May 3, 2015
- A message from the majority shareholder of The Railo Company
Dear Railo Community, Customers and Fans,
On behalf of 4F Technology Innovation BV (“4FTI”), majority owner of The Railo Company Ltd. (“TRC”), we would like to clear up the confusion that may have been created recently regarding the future of Railo.
We reflected long and hard before posting this, but we felt that it would be consistent with the mission, vision, and spirit of Railo to correct the public record.
We at 4FTI share the commitment to the future of CFML and, in large part, this commitment drove our initial decision to build TRC and to grow Railo. This is absolutely unchanged today.
When, back in 2012, 4FTI acquired its majority stake in TRC and became an investor in the company, it had 2 main objectives stemming from the fact that the 4FTI companies themselves are all long-time CFML development companies from across Europe:
- To ensure the future of CFML and
- To release a commercial version of the Railo platform
Together, working towards and achieving these objectives would make TRC a profitable, sustainable business for years to come.
Since our very public launch at CF.Objective 2012, Railo has successfully expanded its customer base, continued to innovate with new versions, launched a global partner program, and implemented development of a commercial platform. Over the last few years, all releases of Railo were released under the TRC brand. That recently stopped with Version 4.2, for reasons that we at 4FTI only recently came to learn: the launch of Lucee.
To be clear: we at 4FTI enthusiastically support the Lucee initiative’s principles and the use of Railo’s open source platform to build new and exciting products and solutions. This is precisely what we set out to do when we launched TRC. Indeed, the recent launch of Lucee is further proof that the rumors of CFML’s demise have been greatly exaggerated.
However, Lucee was founded by the same people who still own and operate Railo Technologies GmbH (“RT”), a part owner of TRC. And they used the Railo platform to do it.
As you might expect, RT sees no problem with any of this. We do.
Simply stated, TRC is the exclusive owner of all intellectual property of any kind whatsoever regarding Railo. This is not limited only to the Trademark as some have blogged, but this means all the technology, systems, logo's, the domains……in short, everything under the sun associated with the Railo platform is owned by TRC.
Here are the facts:
- TRC was established in 2012, with Gert Franz appointed Managing Director on Day 1, as a part of the investment arrangements and written agreements.
- Railo Technologies GmbH (“RT”), owned by Michael Offner-Streit and Tanja Stadelmann, and with Gert Franz as President of the Management, transferred all assets and intellectual property in the Railo Platform - in writing - in exchange for an ownership stake in TRC. So, for clarity, TRC became the sole controlling owner of all Railo intellectual property.
- Unfortunately, despite this obligation, RT did not transfer credentials (such as CMS and email system) to our company’s domain until very recently.
- RT and its shareholders also assumed very specific obligations and responsibilities regarding their role in TRC. Among other things, RT (including its owners and management) “cannot license the Railo Server or perform any services in connection with or related to the Railo Server for or on behalf of any third party except as expressly authorized by TRC”.
- In connection with the founding of Lucee and other RT business activities, no such authorization has been requested by or granted to RT or any of the “original” Railo people - not to Michael Offner-Streit, not to Gert Franz, not to any other person.
- Instead, the same people who today still own RT and, therefore, still own a part of TRC, used Railo without permission from TRC not only for their own business interests but also - and much to our surprise – for the founding of Lucee. We believe this to be an act of "Bad Faith" by RT and/or its shareholders.
- These same individuals were supposedly developing the commercial platform for TRC together with Railo 5 but were actually working on the launch of Lucee --- with functionalities now available through Lucee that were intended to be part of the commercial version of Railo, and which today belong to TRC.
What this means in a nutshell
The open source version of Railo is available to the world. But that world does not include RT or any of its principals, each of which owes very specific duties to TRC.
The idea that open source technology “can be forked by anyone”, as has been suggested in various blogs, is not correct. The companies and individuals who were and even today still are part owners of TRC, cannot simply “fork” the technology for their own purposes as they have done, compete "against" their own company (TRC), and simply ignore contracts that prevent them from doing so.
4FTI has made a significant investment of capital, time, and other resources to ensure the growth and success of Railo. Despite efforts over many months to untie these knots, we have been left no other choice but to protect our investment, the Railo brand and the Railo technology through litigation.
So, unfortunately, it is now up to the UK courts to settle these issues.
What this means for Lucee
Again, we support the spirit and intent of the Lucee initiative, although we fail to see the advantage of another CFML platform. However, the use and development of Railo to release what is now being “packaged” as Lucee 5 was not authorized by TRC and, therefore, remains the property of TRC.
For this reason, we are compelled to provide notice that any use of Railo by Lucee or by its membership may constitute an unlawful infringement of TRC’s intellectual property rights. We strongly urge you or your customers to request that Lucee and its founders warrant that nothing contained in any Lucee release is subject to claims from third parties including TRC and that all IP is free and clear to Lucee. We are confident that no such warranty can or will be provided.
All of these internal issues will take time to sort out and we will try to keep you updated throughout.
What this means for the future of Railo
What we can tell you now is this: Railo is alive and well! New customers continue to come online. Existing customers continue to add to the Railo platform. And development of a commercial version continues.
While we had hoped to release a new (and much talked about) version (Railo 5) last year, we - like you - now understand why that did not happen as planned. However, we remain undaunted and we are planning the future development and innovation of the Railo platform. And we have taken steps to do so.
If you want to help, let us know.
We welcome any questions you may have and, to the extent we can comment, we will. We hope this provides greater clarity regarding Railo and the path ahead.
Watch this space for further announcements.
4F Technology Innovation BV
- May 16, 2014
- Railo 4.2 Final release
- Some of you maybe already saw that we releases yesterday Railo 4.2 final (was about time!).We did this as part of our "Railo 4.2/5.0" presentation at cf.objective as a soft release.So ATM you can update in the Railo Admin, but there are no downloads available on our website yet,but this will follow soon.So what is Railo 4.2 about?Language/GeneralLet me start with the general and language improvements.Tags in Script
In addition to the already supported script tags in Railo, we add support for the syntax introduced with ACF11, so it's up to you to choose the syntax you like!
Example new Syntax:
Example existing and still supported syntax:Member function with LiteralsRailo allows to use member functions on literal structs/arrays
Example:Easy access for single characters in a string
browse/RAILO-2780Railo allows to use a string like a array.
Example:String member functionsRailo is supporting all string member function including list member functions
Example:We also added new member functions not supprted as regular functions
Example:CFML based FilesystemsRailo is supporting a lot of virtual filesystems for a long time (ram,s3,ftp,http,zip ...), all this Filesystems are implemented in Java,Railo now allows to write a virtual filesystem in CFML, so you can for example do a "dropbox" filesystem "simply" by implementing a specific component.Detailed information about this will follow soon ...Custom tag search in archivesRailo now can search Railo Archives recursive for custom tagsExtended or new Function/TagsRailo 4.2 also comes with a basked filled with new and extended Tags and Functionscachedwithin "request"
browse/RAILO-2718the attribute "cachedwithin" you have with the tag cffunction,cfquery,cfinclude allows to define "request" instead of a timespan.This way the result is cached for the current request.
Example:"cachedwithin" with tag cfincludewe added the attribute "cachedwithin" to the tag cfinclude, so now you can cache includes the same way you can queries and functions!cffunction "cachedwithin" improvedcffunction cachedwithin now also works with complex objects in the argument scope what was not possible before.QueryExecuteWe added the function QueryExecute, so now you have a additional way to do queries in scripthere you have some examples for it, detailed documentation will follow ...Iterator/Closure functions
Railo added a lot of new iterator/closure functions, i will not go into detail about the functionality of this functions, here just the list:arrayEvery,arrayMap,arrayReduc
e,arraySomestructEvery, structMap, structReduce,structSomelistEvery,listMap,listReduce, listSome,ListEach, extend listFilter (https://issues.jboss.org/ browse/RAILO-2994)
collectionReduce,collectionSom equeryEvery,queryMap,queryReduc e,querySome,queryEachOf course all this functions are available as member functions as well.All functions (expect ...reduce) supporting the "parallel" and "maxThreads" arguments, that allows to execute parallel execution!cfhttp cookie
browse/RAILO-2536The response from the tag <cfhttp> now contains a new key "cookie" that contains the cookies passed back as a query, so you no longer have to parse the cookie header yourself.cfdirectory/cffile createPathextended the tags cfdirectory/cffile with the attribute "createPath" to have influence on whatis happening when a parent directory not existsgetCanonicalPathadded function getCanonicalPath that cleans a given pathQueryRowDataadd function "queryRowData" to red a specific row from a querystructFind defaultextended the function structFind with a optional default valueCreateObject pathes3th argument of createObject("java",... can be a array instead of a string listCallStackGet output typeadded optional argument to the function callStackGet to get influence on the output type (text,hrtml,json)CfProcessingDirective preserveCaseadd attribute "preservecase" to the tag <cfprocessingdirective> to control the behavior with dot notation keys in a templateToBinary charsetadd new optional argument "charset" to function "toBinary"
it's useful to be able to lowecase an input string before calling UCFirst if ALL of the characters in the input string are UPPER case.
many times users input their names as: "SUSI SORGOLIS", in which case UCFirst does not do anything.
the proposed feature will correctly convert such an input string to "Susi Sorgolis", while preserving the case of the D in an input string like "Ronald McDonald"GetTickCount improvementhttps://issues.jboss.org/
Railo added support for shortcut for argument "unit"QueryNew improvementExtended QueryNew to allow populate the query directlySerializeJson charsetAdd argument charset to function SerializeJsonGetLocalHostIP improvementimprove function getLocalHostIPDateTimeFormat improvementEnhance function DateTimeFormat() to support ISO8601
browse/RAILO-2673DeserializeJson improvementThe function DeserializeJson keep order when deserialize a json structIsEmpty member functionAdd member function isEmptyAdministratorWe did also some improvements for the AdministratorDisable type checkingYou can now disable type checking in the Railo AdministratorMapping inspect "inherit"Railo now allows you to define "inherit" for inspect setting of a mapping to inherit the behavior defined for the context.Session/Client Storage definitionRailo now allows to define session/client storage in the Railo admin.Application.cfc/CFApplication TagRailo 4.2 brings a lot of new possible settings for the Application.cfc, settings only possible in the Railo Administrator in previous versions.This makes it easier for application developer to provide applications with specific environment needs to everybody.For every setting in the Railo Admin that is also possible in the Application.cfc as well, you see a the following hint "<?/>" in the admin, that shows you how to use in the Application.cfc.There is also a new page "Settings/Export" that shows you all settings possible in the Application.cfc that are possible in the Administrator.All the following settings are also available with the tag <cfapplication>.Tag attribute default valuesRailo allows you to define default values for attributes of all tags, including tags defined with extension.Example:cfapplication onMissingTemplateyou can define "onMissingTemplate" event listener with the tag <cfapplication> as well.Locale/TimeZoneRailo added support for this.locale and this.timezone to the Application.cfcExample:CharsetRailo added support to set charsets in the Application.cfcExample:Scope cascadingAllow to define the scope cascading behavior in the Application.cfc as follows:Request TimeoutRailo added the possibility to set the request timeout in the Application.cfc(also this.timeout is supported as alias, for compatibility to ACF)Exampe:GZip CompressionRailo added support for enable/disable gzip compression in Application.cfcExample:LoggingRailo 4.2 has a completely rewritten logging framework which is now using log4j instead of a custom one previously. In addition, in the Railo admin you now can inspect all logs created by Railo and you can control where log files are written and how the output looks like. Railo 4.2 dramatically improves performance for the existing loggingLog "cfcatch"Railo added a new attribute "exception" to the tag <cflog>, to make it possible to send exceptions (cfcatch) directly to a log.Example:Administrator FrontendThere is now a page in the Railo Administrator to manage all the log files used
Since you now can define several individual loggers in the Railo Administrator, by giving them a name, you can use every of these loggers defined in the extended attribute "log". So you can not only use "scheduler" and "application" but you can define your custom logger in the Administrator and use it within the attribute. This is similar to the way you use a datasource name.Example:ExceptionsRailo 4.2 improves the information you receive when an exception is raised. For example when you use a non-existing key in your code, Railo checks if there is a similar key available and informs about this key in the error message.Lock increase Exception messageWhen a lock severity is getting increased inside an inner lock from read to exclusive, an exception thrown indicating that it was not possible to acquire the lock. In this particular case it is helpful to know why the error occurred. So the exception is informing you that your request already performed read lock and you now try to acquire an exclusive lock.ORM Exceptions
- April 17, 2014
- Railo Server and the Heartbleed vulnerability
Recently there has been a lot of buzz around one of the largest vulnerabilities in SSL, the Heartbeat exploit. There have been questions from the CFML community whether or how Railo Server is affected by this security threat.
Railo Server is a servlet that runs on any servlet engine and therefore by itself (except perhaps for the libraries it uses) not potentially affected by the Heartbleed vulnerability.
Railo Server internal libraries
What libraries which deal with SSL does Railo internally use?
- Railo uses several libraries that are dealing with SSL. Amongst them there is one that makes use of OpenSSL. Some details.
- This library is called bcprov-jdk14.jar which is already several years old and therefore alone by this fact not affected by the Heartbleed bug.
- Next to that the library implements only the SSL client which is anyway not affected by the bug, even though there are issues on the client side as well (see links below).
- All other libraries Railo uses, use a different SSL library. In any event, these libraries provide an SSL client which anyway is not affected by the bug.
- Here are all libraries in the current Railo distributions that use some form of SSL:
Library name apache-commons-httpclient.jar apache-commons-sanselan.jar apache-jakarta-commons-fileupload.jar apache-jakarta-commons-httpclient.jar apache-jakarta-commons-net.jar apache-poi-ooxml-schemas.jar apache-poi.jar bcprov-jdk14.jar flex-messaging-proxy.jar h2.jar javaparser.jar jencrypt.jar jfreechart.jar jpedal_gpl.jar jtds.jar microsoft-sqljdbc.jar ojdbc14.jar PDFRenderer.jar postgresql.jar sun-jai_core.jar sun-mail.jar xdb.jar
- Our research revealed that the "tcnative" library is the only piece of Tomcat that is potentially affected as it is the only piece of Tomcat that uses an OpenSSL implementation of SSL.
- Java's implementation of SSL (JSSE) is not vulnerable. The Railo Tomcat installers don’t do anything with tcnative since most users will use Apache, nginx or IIS to serve up SSL
- Unless you have specifically compiled tcnative for your system, your instances are safe from a Railo/Tomcat point of view.
- Jetty uses JSSE as well, so it's not effected either.
So from a Railo perspective you are safe, if you use our official downloads for your system installation. If however you have built your own system ontop of Tomcat and Apache, nginx etc, you need to follow the different procedures in order to protect your system. There are several different tools out there in order to test and update your systems. The main heartbleed site contains a list of them.
- Railo uses several libraries that are dealing with SSL. Amongst them there is one that makes use of OpenSSL. Some details.