Entries for month: July 2009
We've been promising this one for a while, but today we deliver. We have released a public bug tracker for ColdFusion and ColdFusion Builder. Now you can track both your bug reports and enhancement requests. You will also be able to vote for other people's bugs (or drum up support for yours).
These will probably not be the final URLs for these trackers, but they'll work in the meantime.
We'd also like to thank the following developers for working so hard on it:
Tags:
ColdFusion
So the ColdFusion 9 public beta has been released, and now everyone can play with it. I'm excited to hear what the community as a whole has to say about it. One of my favorite features is ORM or Object Relational Mapping.
As I've been traveling around for the user group tour, I've heard a few questions about it, and I wanted to share these thoughts.
Are you forcing us to use ORM?
Absolutely not - cfquery and its related tags aren't going away. ColdFusion is about making what you want to do easy. If you want to work with queries, work with queries--we've made it pretty easy, as I've said before. But a number of customers wanted to work with databases in an easier, object-oriented way. A lot of developer effort has gone into doing that with various ColdFusion Open Source projects. It makes sense then that we would strive to make this easy too. That's "too" as in "also," or "additionally," or "alternatively." Or in other words, if you think ORM might have value, use it; if not, keep working the way that works for you because you are not required to use it.
In fact, we were actually able to expand the features of cfquery when we added ORM. In order to use ORM you have to add a datasource to the This scope in your Application.cfc. When you do that, any cfquery in that application without a datasource attribute will use the application datasource. Very cool.
Why do I have to set all of these properties? Can't ColdFusion just look at the database and create an ORM object?
Yes it can. If you leave your CFC blank, ColdFusion will just map the table that you are pointing to, no questions asked. However, if you want to set any properties manually, you'll have to set them all. So it's good for simple prototyping, but if you need to do something more complex, you have to do the work yourself.
Why doesn't ORM return ColdFusion queries?
Objects and tables don't always match up. Queries are really good for exposing the results of a Select statement, but they aren't designed to handle complex sets of data. (Which is different from saying they cannot handle results of complex SQL Select statements, because they can.)
Sometimes you've got complex relationships; sometimes you have tables that are set up for one purpose, but used for another; and sometimes you have multiple tables that really should be one object. Queries can certainly accommodate this, but ORM can often do it in a way that makes you more productive. What would be multiple queries that you have to manage and loop through for display becomes one object in ORM.
Now add to it that you can add business logic to these objects, things like calculations, display formatting, and combined properties... and ORM shows itself to be much more valuable than just another way of handling data.
Okay, and let's say you REEEAAAAALLLLY want a query. Okay, you can run a function named EntityToQuery that will convert the results of an ORM operation to a query. (Provided that it's a simple object, with no relationships or other funny business.) (Not valid in Australia, for people named Mark, with or without marsupial pouches.)
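The three behaviours described above (the default datasource for cfquery, a blank persistent CFC, and EntityToQuery) are put together here in an added example, which is not code from the original post. The fence holds three files separated by comments; the `cfartgallery` datasource, its `ARTISTS` table, and the application name are assumptions.

```cfml
<!--- Application.cfc (added example; datasource and application names are assumptions) --->
<cfcomponent>
    <cfset this.name = "ormDemo">
    <!--- Required for ORM; also becomes the default datasource for cfquery --->
    <cfset this.datasource = "cfartgallery">
    <cfset this.ormenabled = true>
</cfcomponent>

<!--- Artist.cfc: no cfproperty tags, so ColdFusion maps the table's columns itself --->
<cfcomponent persistent="true" table="ARTISTS">
</cfcomponent>

<!--- index.cfm --->
<!--- No datasource attribute: the query uses this.datasource from Application.cfc --->
<cfquery name="qCount">
    SELECT COUNT(*) AS total FROM ARTISTS
</cfquery>

<!--- ORM returns an array of Artist objects, not a query --->
<cfset artists = EntityLoad("Artist")>

<!--- A simple entity with no relationships can be converted back to a query --->
<cfset qArtists = EntityToQuery(artists)>

<cfoutput>
    cfquery count: #qCount.total#<br>
    ORM objects: #ArrayLen(artists)#<br>
    Converted query rows: #qArtists.recordCount#
</cfoutput>
```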
Where can I find out more about ORM in ColdFusion 9?
There are a few good blog posts and articles on the subject:
I'll try to add them as I see them.
Tags:
ColdFusion
That's right, as of 12:01 am EDT Monday, July 13th, ColdFusion 9 (Centaur) and ColdFusion Builder (Bolt) are available for public beta testing.
Please check them out at Adobe Labs.
Also I'm doing a presentation for the Online ColdFusion Meetup today. Obviously, since we've released the beta bits, I can talk about any feature of it publicly now. So come with questions, and an eye to see as much as I can fit into two hours.
Tags:
ColdFusion · Centaur
I'm doing a special session of Charlie Arehart's Online ColdFusion Meetup this coming Monday. The idea is to consolidate all of the information that we've been giving out about Centaur and Bolt during the User Group Tour, and perhaps go a little further.
Anyway, it's online, at 12:00 PM EDT Monday July 13.
Hope you can make it.
Tags:
ColdFusion · Appearances · Centaur
I've been working on a class for some of our higher education community members. I take the class from an Illustrator comp, through Flash Catalyst, then Flash Builder, and Flex to a Flex Application, then on to an AIR application. Because I'm starting in Catalyst, when I get to the AIR application I don't really want to use AIR's chrome. Rather, I'd like to go chromeless and let the UI handle things like closing the application and whatnot.
I found a good tutorial on doing chromeless AIR applications. But no matter what I tried, I couldn't get rid of this big blank whitespace in my application, despite following the directions to the letter.
After a lot of trial and error it turns out that the old way of making the Application background disappear using CSS (step 6 in the article) doesn't work with the new component model. Instead you have to use a custom skin on the WindowedApplication tag.
The following skin works for me. I'm by no means an expert at this skinning stuff yet, but it gets the job done.
<s:SparkSkin xmlns:fx="http://ns.adobe.com/mxml/2009"
             xmlns:s="library://ns.adobe.com/flex/spark">
    <s:states>
        <s:State name="normal" />
        <s:State name="disabled" stateGroups="disabledGroup" />
        <s:State name="normalInactive" stateGroups="inactiveGroup" />
        <s:State name="disabledInactive" stateGroups="disabledGroup, inactiveGroup" />
    </s:states>
    <s:Group id="contentGroup" width="100%" height="100%" minHeight="0" minWidth="0"/>
</s:SparkSkin>
Now let me make it clear. There may be another way to do this. There may be a better way of doing it. It's also possible that this is the flat out wrong way to do it. But when I searched for this, I got nothing. So I figured, I could at least help somebody just get the job done, and worry about "the right way" later.
Tags:
Flex · Higher Ed · Flash Catalyst
A couple people have told me they had no idea how to report a security issue in ColdFusion. So I figured I would clear it up.
Normally when you have an enhancement request or a bug report, we direct you to the "Go/Wish" page. This is the page for all Adobe products. You choose ColdFusion from the product list and enter your request, which is then emailed out to the product team. (Soon there will be a more public version of this available for just ColdFusion.)
However, if you have a security issue, it makes more sense to report it to the Product Security Incident Response Team. Then the process is a little different. There is a lot more back and forth communication. The actual process is documented publicly. In any case there are two ways to report it:
Tags:
ColdFusion
A number of questions have emerged from the ColdFusion community about the recent FCKEditor security vulnerability in ColdFusion. Hopefully this fills in more information for you.
Before I get into it though, let me just say that this isn't an attempt to excuse the problems you've had. We know that you had a crappy week last week (or this week), and regret it. We do need to review what happened, and determine if we could have done this better. Personally, in hindsight, there's one decision we should have gone another way on: we should have released the workaround sooner.
Is it true that Adobe had a fix for months and sat on it?
No, the issue was reported to us 7 weeks before exploits hit last week.
The workaround was pretty easy, why did it take you six weeks to come up with?
In this case, the issue was reported by a customer. The customer was not satisfied with just a workaround for several reasons including concern that we were not actually fixing the correct problem. (This concern ended up being true.) Additionally, our security people were also not entirely convinced that the workaround was entirely the right solution. (Although, I need to state here that the workaround that is now circulating does close the security hole.)
For those reasons, a hotfix was the preferred solution. A hotfix takes more time to create. We had to create the hotfix, then test it to make sure it didn't break anything, and then provide it to the customer for their approval. We also had to communicate with the FCKEditor folks, to ensure that we were correct in understanding their code. In short, in addition to testing there was a lot of communication between many groups, and that burned up the time.
Now let me be clear here, I'm not casting blame onto the customer or any third party. Communication takes time, and in this case it took a fair amount of time. If you want to know more about this process it's publicly documented on the PSIRT blog.
Why didn't Adobe say anything at that time - the workaround was found pretty quickly?
If we acknowledged the security vulnerability and released the workaround we'd be leaving the reporting client in the lurch. There would be public knowledge of a vulnerability, but no acceptable solution for our customer (as they required the hotfix solution). We made the call to make the fixes privately and announce when we had a solution we were confident in.
In this case it ended up biting us and you. We now know we should have released the workaround as soon as we knew about it.
But honestly I'm personally torn. On one hand, we should have told you guys sooner, as evidenced by the public exploits. On the other hand, we weren't arbitrarily holding it back, or idly sitting around - the security group was trying to get a proper fix out before an attack occurred. I think we just got some bad luck.
I'm sure you have opinions on this. Feel free to let me have it in the comments.
Did the Adobe shutdown exacerbate this issue?
The security response process was already in progress. Our teams that work on patches were not off that week, so the actual fix was not delayed. The Adobe Security team responded within a day of the reported problem. So I'm not sure the shutdown had a large effect on our official responses.
If you have other questions, please feel free to ask them in the comments.
Tags:
ColdFusion