Navigation may technically be possible if one removes the CSS from a phpBB3 board, but teleportation is technically possible as well.
Erik Frèrejean wrote: There is however one massive difference: if I turn off CSS I can still navigate the site and use it. If I turn off javascript on a javascript powered site I can't use it. You might choose that, you require javascript on your own site but enforcing it in the package would cause problems. We can't expect that every single phpBB user has javascript enabled.
DionDesigns wrote: I heard the exact same thing back in the mid-90s, except you would need to substitute "CSS" for "javascript". And it seems to me that the same thing was being said in the mid-80s, but in that case you would need to substitute "GUI" for "javascript". Change can sometimes be difficult, but it's time to embrace the new millennium.
I think it's maybe a little more than .05%, and I'm only showing one way to do it.
NoScript Featured
The best security you can get in a web browser!
Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
Rated 5 out of 5 stars (1,058) 2,183,573 users
I don't think that we have ever compared phpBB to other forum software purely by number of features. Some people will want things that phpBB does not have, which is why we are an open source project and encourage customisation and community development. I can also understand that some people do not wish to edit source code, which is why 3.1 adds properly-done hooks. I can also understand that some people will find other forum software better fitting for their needs, in which case they should use it instead.
Son of a Beach wrote: The features that myBB lacks that phpBB has are few, and are not essential to me
We've never claimed that phpBB is "perfect" or "flawless", but unless you have a vulnerability to report, please don't make it sound like one is coming any day now. Security audits only provide suggestions to make the software more secure than it was before the security audit, nothing more. vBulletin had tremendously more resources than phpBB and nevertheless has nowhere near the same security record, solidifying the point. It takes much more than a security audit to end up with a record like the one phpBB3 has.
Son of a Beach wrote: phpBB 3.x has a very good security record so far. But no system is perfect. I don't consider any system to be flawless. But again, if they merged with another project, they could get a similar security audit done there, and apply the lessons learnt, and the new system should end up just as secure.
A well-researched list or a case study in an Internet "discussion" forum? Surely you jest.
Marshalrusty wrote: Call me naive, but from the title of the topic, I had expected a bit more... substance. Perhaps some well-researched list of pros and cons or a case study of another pair of relatable projects that merged, with an overall positive outcome. What I instead see is an opinion based on assumptions and supported with generalizations.
I know, but maybe that's his point -- other people do. In fact, the Devil's Advocate might argue that you don't compare features because you'd lose.
Marshalrusty wrote: For example, here are both: I don't think that we have ever compared phpBB to other forum software purely by number of features.
Son of a Beach wrote: The features that myBB lacks that phpBB has are few, and are not essential to me
I think that you're nitpicking here. He didn't say that phpBB was perfect or flawless, nor did that quote imply that a security problem was just around the corner. It was a correct statement that almost any complex system can have flaws. And, of course, those flaws could be discovered at any time -- that's what "zero-day" problems are all about.
Marshalrusty wrote: We've never claimed that phpBB is "perfect" or "flawless", but unless you have a vulnerability to report, please don't make it sound like one is coming any day now.
Son of a Beach wrote: phpBB 3.x has a very good security record so far. But no system is perfect. I don't consider any system to be flawless. But again, if they merged with another project, they could get a similar security audit done there, and apply the lessons learnt, and the new system should end up just as secure.
Sure, because even finding an exploit would still be a "suggestion" -- they can't force the development team to fix it. The development team would still have to implement the suggestion. That doesn't mean that an audit is worthless, though.
Marshalrusty wrote: Security audits only provide suggestions to make the software more secure than it was before the security audit, nothing more.
Do you know if vBulletin has had a security audit? I agree that an audit is worthless if you don't act upon it, and that security has to be thought about during development, but if vBulletin never had one, that could be part of the problem.
Marshalrusty wrote: vBulletin had tremendously more resources than phpBB and nevertheless has nowhere near the same security record, solidifying the point. It takes much more than a security audit to end up with a record like the one phpBB3 has.
What are the goals of phpBB (both short-term and long-term), not from a feature/development point of view, but at a higher level. And, given that, why wouldn't merging with myBB (or some other project) be for the best?
So what are the goals of phpBB? If it is to provide the best free open source forums software, then perhaps the most efficient way to do this is actually to combine resources and knowledge with another project which is developing at a more acceptable rate, and which already has a good plugins system in place.
I doubt that vBulletin will have had an external audit like phpBB had, because they've got built in security people.
Do you know if vBulletin has had a security audit? I agree that an audit is worthless if you don't act upon it, and that security has to be thought about during development, but if vBulletin never had one, that could be part of the problem.
Well, Highway of Life and I created a poorly-researched feature comparison page for the website (a la forummatrix) upon the completion of 3.0. One of the points we were sure to emphasize was phpBB's lack of a quick reply
Marshalrusty wrote: I don't think that we have ever compared phpBB to other forum software purely by number of features.
Correct me if I'm wrong, but that essentially makes this topic purely self-serving.
Pony99CA wrote: A well-researched list or a case study in an Internet "discussion" forum? Surely you jest.
The original post was just one person's opinion. As he said, he didn't realistically expect that it would be acted upon.
The devil's advocate should contribute some patches to the codebase
Pony99CA wrote: I know, but maybe that's his point -- other people do. In fact, the Devil's Advocate might argue that you don't compare features because you'd lose.
There's no question that any system can have flaws, but throwing this statement out as a shield just creates a universal false equivalency. All software is not equally secure and I look at the final product and its comprehensive security record (quantities, severities, time passed, popularity of the product, etc.) as the primary predictor of what is likely to come.
Pony99CA wrote: I think that you're nitpicking here. He didn't say that phpBB was perfect or flawless, nor did that quote imply that a security problem was just around the corner. It was a correct statement that almost any complex system can have flaws. And, of course, those flaws could be discovered at any time -- that's what "zero-day" problems are all about.
Again, I would have attacked that part by asking why they haven't had a security audit done already (if they in fact haven't) or (if they have) why their developers haven't taken those lessons to heart.
That is not what I meant. A security audit analyzes finished code and produces a list of concerns. The process is akin to repairing the foundation of a building after it has already been built. At that stage, you can fix what is obviously broken, but there's no going back to the beginning and doing the thing properly.
Pony99CA wrote: Sure, because even finding an exploit would still be a "suggestion" -- they can't force the development team to fix it. The development team would still have to implement the suggestion. That doesn't mean that an audit is worthless, though.
Marshalrusty wrote: Security audits only provide suggestions to make the software more secure than it was before the security audit, nothing more.
I am not familiar with vBulletin's security process, but an external audit is not an inherent requirement for achieving a high level of security. Unless I am very much mistaken, phpBB3's security audit did not reveal any XSS or remote code execution vulnerabilities, for example. It did, however, provide a great deal of recommendations, some of which dealt in areas that might have been used in conjunction with each other or with code added at a later time or with code added by MODs or some incorrectly configured servers or any number of other hypothetical scenarios that we covered "just in case".
Pony99CA wrote: Do you know if vBulletin has had a security audit? I agree that an audit is worthless if you don't act upon it, and that security has to be thought about during development, but if vBulletin never had one, that could be part of the problem.
I guess I'll take this opportunity to mention that the project is jointly overseen by members of the Management Team, who represent team members, who further stand for the community at large. Most of the important decisions are heavily influenced by the forces of the community and are therefore mostly a formality. I do, however, maintain full authority to change my avatar at will.
Pony99CA wrote: In fact, as you're the head honcho basically, how about answering what I consider the most important question that he asked:
Oleg addressed these points on the second page. Being an open-source project, the goals of the software are actively evaluated and reevaluated by the community, as was clearly demonstrated by the reversal of the decision to drop support for subsilver2 (which was even mentioned in this topic). Our goals are to continue facilitating a system by which the community can determine phpBB's direction (see: [3.1/Ascraeus] RFCs & Patches Forum on area51).
Pony99CA wrote: What are the goals of phpBB (both short-term and long-term), not from a feature/development point of view, but at a higher level. And, given that, why wouldn't merging with myBB (or some other project) be for the best?
So what are the goals of phpBB? If it is to provide the best free open source forums software, then perhaps the most efficient way to do this is actually to combine resources and knowledge with another project which is developing at a more acceptable rate, and which already has a good plugins system in place.
We agree. There is active work via multiple channels being done to improve release times and rectify resource limitations both in the short and long term. Of course, the community is keenly positioned to assist with both.
Pony99CA wrote: And, just for the record, I have no major complaints with phpBB as it exists today and plan to keep using it. I do wish that it had some additional features, though. As I argued in the locked topic, more frequent feature releases are what keep the project looking alive and vibrant.
I believe that all the changes marked [Sec] here are things found by the audit: http://www.phpbb.com/support/documents. ... n=3#v30rc5
Unless I am very much mistaken, phpBB3's security audit did not reveal any XSS or remote code execution vulnerabilities, for example.
I was deliberately using generalisations and not a whole lot of specific substance. Although I've clearly made a choice of other forum software, I wanted to avoid talking about any specific other forums software too much (except when other people brought it up). In particular, I did not want this topic to be a feature comparison topic.
Marshalrusty wrote: Call me naive, but from the title of the topic, I had expected a bit more... substance. Perhaps some well-researched list of pros and cons or a case study of another pair of relatable projects that merged, with an overall positive outcome. What I instead see is an opinion based on assumptions and supported with generalizations... (snip)