RFC: new forum software specifications

[theymos]

theymos, other than the plug-ins and addons that are being used right now that wouldn't work with the update, is there any reason why the board hasn't been updated to the newest release? It has been out for over 3 weeks now and would at least be a hold over until a new system is made/chosen.

This version is still supported. 2.x is not more secure, so moving to it would be a waste of time.

[1713966964]

1713966964

[1713966964]

1713966964

[1713966964]

1713966964

[1713966964]

1713966964

[1713966964]

1713966964

[ShadowOfHarbringer]

theymos, other than the plug-ins and addons that are being used right now that wouldn't work with the update, is there any reason why the board hasn't been updated to the newest release? It has been out for over 3 weeks now and would at least be a hold over until a new system is made/chosen.

This version is still supported. 2.x is not more secure, so moving to it would be a waste of time.

Theymos, I say stay with the SMF 1.x, hire a PHP security expert to harden it properly, and build on top of it. That maybe the fastest & most effective solution to current situation.

Of course, PHPBB, vBulletin and IPB are much more powerful and have many more plugins avaiable, but this one is not that bad, if you fix all the security problems. Talking perfomance, using dedicated well-written caching you can probably achieve similiar speed in any of the forum systems.

[talpan]

theymos, other than the plug-ins and addons that are being used right now that wouldn't work with the update, is there any reason why the board hasn't been updated to the newest release? It has been out for over 3 weeks now and would at least be a hold over until a new system is made/chosen.

This version is still supported. 2.x is not more secure, so moving to it would be a waste of time.

Theymos, I say stay with the SMF 1.x, hire a PHP security expert to harden it properly, and build on top of it. That maybe the fastest & most effective solution to current situation.

Of course, PHPBB, vBulletin and IPB are much more powerful and have many more plugins avaiable, but this one is not that bad, if you fix all the security problems. Talking perfomance, using dedicated well-written caching you can probably achieve similiar speed in any of the forum systems.

+1

In general speaking: the latest SMF is the most secure forum in existens.
I really don't want to know how many zero-day exploits are out there for other forums.

SMF itself is well written, has a lot of good features, not to much like other software.
And it's very easy to extend it via SSI.php.

I see no reason to switch to another forum.

[ShadowOfHarbringer]

theymos, other than the plug-ins and addons that are being used right now that wouldn't work with the update, is there any reason why the board hasn't been updated to the newest release? It has been out for over 3 weeks now and would at least be a hold over until a new system is made/chosen.

This version is still supported. 2.x is not more secure, so moving to it would be a waste of time.

Theymos, I say stay with the SMF 1.x, hire a PHP security expert to harden it properly, and build on top of it. That maybe the fastest & most effective solution to current situation.

Of course, PHPBB, vBulletin and IPB are much more powerful and have many more plugins avaiable, but this one is not that bad, if you fix all the security problems. Talking perfomance, using dedicated well-written caching you can probably achieve similiar speed in any of the forum systems.

+1

In general speaking: the latest SMF is the most secure forum in existens.
I really don't want to know how many zero-day exploits are out there for other forums.

Of course you are not aware that Bitcoin Forums has been quite recently hacked, and it was SMF's fault ?

I wouldn't say that SMF is any more secure than other forums. I have had default PHPBB 2.x & 3.x installations on my sites for years, and guess what - no hacks at all.

So be careful when you post such bold claims next time.

[Gerken]

He said the latest version, the forum hadn't been updated when the compromise happened.

[error]

He said the latest version, the forum hadn't been updated when the compromise happened.

You realize that SMF put out an update fixing the vulnerability, only AFTER the hack?

[ShadowOfHarbringer]

He said the latest version, the forum hadn't been updated when the compromise happened.

You are wrong, SMF 1.x is still supported, so it was the latest version.

[TiagoTiago]

How often do zeroday exploits get used to attack other forum backends and how fast are their developers at providing a fix after that?

[bosschair]

So we should add this to the spec for the new forum software:

• No zero-day exploits and/or architecture which makes it easy and fast to patch such exploits

[cruikshank]

You are wrong, SMF 1.x is still supported, so it was the latest version.

Um, just because something is still supported, doesn't make it the latest version. That would be like calling XP the latest version of Windows.

[TiagoTiago]

So we should add this to the spec for the new forum software:

• No zero-day exploits and/or architecture which makes it easy and fast to patch such exploits

Didn't they fix the forum in not much more than a day or so?

Anyway, you can never know whether you don't have a zero-day or if you just haven't found it yet.

[ShadowOfHarbringer]

You are wrong, SMF 1.x is still supported, so it was the latest version.

Um, just because something is still supported, doesn't make it the latest version. That would be like calling XP the latest version of Windows.

To be precise, if something is supported, then that means all security vulnerabilities should be fixed.
So it is the latest, in the terms of being most patched, version from 1.x branch.

And Microsoft is a very bad example of how to fix security vulnerabilities, that company is fucked up beyond compare.

[cruikshank]

The example didn't have anything at all do at all with MS's vulnerabilities.

[ShadowOfHarbringer]

The example didn't have anything at all do at all with MS's vulnerabilities.

Yes it has, because you gave WinXp as an example.
WinXP is not a good example of how to call something "supported" or not.

Microsofty-supported != generally-supported.

[TiagoTiago]

Just the other day i received like more than 10 security updates on my WinXP install...

[BadBear]

Just the other day i received like more than 10 security updates on my WinXP install...

How many times did you have to restart?   

[Raoul Duke]

This thread is pure lulz... 500BTC/$2000(at current prices) to develop a full fledged forum software...

yeah, right... 

Or you get someone to do it and it will be utter crap.

Why do people around here want to reinvent the wheel is something i always wondered.

On the other hand, if what you want is end up with something like http://bitcoinweekly.com/ ok, code it from scratch...

[bosschair]

On the other hand, if what you want is end up with something like http://bitcoinweekly.com/ ok, code it from scratch...

What's wrong with bitcoinweekly.com?  Not enough bells and whistles for you?  The only difference between that site and one you'd think was fabulously web-2.0 is a bit of CSS.

[talpan]

Why do people around here want to reinvent the wheel is something i always wondered.

[Raoul Duke]

On the other hand, if what you want is end up with something like http://bitcoinweekly.com/ ok, code it from scratch...

What's wrong with bitcoinweekly.com?  Not enough bells and whistles for you?  The only difference between that site and one you'd think was fabulously web-2.0 is a bit of CSS.

No, I was talking in the sense of re-inventing the wheel... And don't say it's only CSS that's missing. For someone who tries to be a weekly "magazine" of some sort I'm sure that there are a lot of features missing in the backend and frontend.