Making more of a fuss about critical security updates


(Ian) #1

The notification of 3.8.0 just said “There is a new version of Matomo available for update. You can update to version 3.8.0 automatically or download the package and etc etc”.

The changelog said “We are proud to announce Matomo 3.8.0: a new release of Matomo Analytics. There are a lot of improvements in Security, Performance and Usability and we’re proud to share with you our best Matomo release ever” and then went on to talk about brute force protection…

… something I was already doing via the LoginFailLog plugin combined with fail2ban on the server …

… and it’s only if I hit PgDn three times that I see that “This release is rated critical.”

I can see that this isn’t new: there’s a post in Support & Bugs complaining that the 1.8 update was, very quietly, a critical security update.

Critical security updates should have this mentioned very prominently in the notifications, not hidden away in the middle of a changelog I suspect a low proportion of users read.


(Ian) #2

Today’s “Matomo Analytics Community Survey + Matomo 3.8.0 release” email didn’t make a fuss about this.

It did say, in the second section, “We’re delighted to announce Matomo 3.8.0 is now available. There are a lot of improvements in security, performance and usability and we’re proud to share with you one of our biggest Matomo releases ever”, but that’s not saying CRITICAL SECURITY RELEASE in large letters at the top either.

Especially when the next bit says

"Updates include:

▪ Two Factor Authentication (2FA) feature
▪ Ability to display a different time period for evolution graphs
▪ The Transitions report has been added to the main Behaviour menu"

… and not CRITICAL SECURITY CROSS-SITE SCRIPTING BUG fixed.

You could easily be left with the impression that the ‘security’ aspect was just the addition of 2FA.