Re: The Best Thing that phpBB Can Do: Merge

Posted: Fri Apr 06, 2012 11:18 am
by Marc
@Son of a Beach: What you mean is actually an acquisition.

A merger is when two companies (in this case myBB & phpBB) form a new company out of the two companies which means that company A and company B become company C. In your scenario this would mean there would be some new forum software.

An acquisition is basically when two companies "merge" into one of those two companies.

Then again, if you wish to use myBB then do so. If you want some of phpBB's features in myBB then ask the myBB people. Everything else you are discussing has already been discussed. I don't like topics like this one because from my point of view they are just a way of advertising the "new" forum software some user uses.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Fri Apr 06, 2012 2:48 pm
by tbackoff
I just want to point out that we do not want another "phpBB Falling Behind" topic. Please keep the discussions to just that - discussions and not insults or flame wars. If posts start getting insulting or flame wars start, this topic will be locked.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Fri Apr 06, 2012 6:13 pm
by DionDesigns
(This tangent probably belongs in its own topic, starting with this post.)
Erik Frèrejean wrote:
DionDesigns wrote:I heard the exact same thing back in the mid-90s, except you would need to substitute "CSS" for "javascript". And it seems to me that the same thing was being said in the mid-80s, but in that case you would need to substitute "GUI" for "javascript". Change can sometimes be difficult, but it's time to embrace the new millennium. ;)
There is however one massive difference, if I turn off CSS I can still navigate the site and use it ;). If I turn off javascript on a javascript powered site I can't use it. You might choose that, you require javascript on your own site but enforcing it in the package would cause problems. We can't expect that every single phpBB user has javascript enabled.
Navigation may technically be possible if one removes the CSS from a phpBB3 board, but teleportation is technically possible as well. ;)

Your last sentence (boldfaced by me for effect) is the crux of the problem. Attempting to placate everyone will inevitably result in little to nothing getting done, and that's true whether we're talking about software development or running a government. I'd be surprised if more than a half-percent of phpBB3 users are completely turning off javascript. I suspect a significantly larger percentage of people have grown tired of the look/feel of phpBB3. Shouldn't one develop for the majority?

A point is soon coming that these attempts to develop for the 0.5% will cause phpBB3 to not have a 99.5%. It's time to leave the 0.5% behind and move on.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Fri Apr 06, 2012 6:14 pm
by chAos
I don't think you should worry about javascript being turned off in the Facebook era (though still graceful fallback). Conversely, phpBB (and other forums) aren't built upon JS to the level Facebook is so it's not necessary.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Fri Apr 06, 2012 9:53 pm
by CaNNon_
NoScript Featured

The best security you can get in a web browser!
Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.
Rated 5 out of 5 stars (1,058) 2,183,573 users
I think it may be a little more than .05%, and I'm only showing one way to do it.
Thing is if I like the site I'll give it script permissions but if I can't see it, I'm going to move on to the next hit in Google.

You can't compare it to CSS; exploits are very real in this case and can be proven just by posting a URL.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Sun Apr 08, 2012 12:09 am
by _ollie_
Well, it has certainly been a while since I've posted here... but I want to say a little something so sorry for bumping this up - I know a day has passed :)

I've used phpBB for several years and look forward to continuing to do so.
In my view the best thing phpBB can do is keep up the good work they have done so far.
I believe in choice, so it seems reasonable to me that people have a choice in the type of forum that they wish to use - if that is phpBB great, if not, well, there are plenty of other options out there.

<3 phpBB <3

Re: The Best Thing that phpBB Can Do: Merge

Posted: Sun Apr 08, 2012 10:53 am
by Marshalrusty
Call me naive, but from the title of the topic, I had expected a bit more... substance. Perhaps some well-researched list of pros and cons or a case study of another pair of relatable projects that merged, with an overall positive outcome. What I instead see is an opinion based on assumptions and supported with generalizations.

For example, here are both:
Son of a Beach wrote:The features that myBB lacks that phpBB has are few, and are not essential to me
I don't think that we have ever compared phpBB to other forum software purely by number of features. Some people will want things that phpBB does not have, which is why we are an open source project and encourage customisation and community development. I can also understand that some people do not wish to edit source code, which is why 3.1 adds properly-done hooks. I can also understand that some people will find other forum software better fitting for their needs, in which case they should use it instead.
Son of a Beach wrote:phpBB 3.x has a very good security record so far. But no system is perfect. I don't consider any system to be flawless. But again, if they merged with another project, they could get a similar security audit done there, and apply the lessons learnt, and the new system should end up just as secure.
We've never claimed that phpBB is "perfect" or "flawless", but unless you have a vulnerability to report, please don't make it sound like one is coming any day now. Security audits only provide suggestions to make the software more secure than it was before the security audit, nothing more. vBulletin had tremendously more resources than phpBB and nevertheless has nowhere near the same security record, solidifying the point. It takes much more than a security audit to end up with a record like the one phpBB3 has.


All in all, this topic might as well have been about how Microsoft should merge with Apple, for virtually all of the same reasons you specified.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Sun Apr 08, 2012 9:52 pm
by Pony99CA
Marshalrusty wrote:Call me naive, but from the title of the topic, I had expected a bit more... substance. Perhaps some well-researched list of pros and cons or a case study of another pair of relatable projects that merged, with an overall positive outcome. What I instead see is an opinion based on assumptions and supported with generalizations.
A well-researched list or a case study in an Internet "discussion" forum? Surely you jest. :D

The original post was just one person's opinion. As he said, he didn't realistically expect that it would be acted upon.
Marshalrusty wrote:For example, here are both:
Son of a Beach wrote:The features that myBB lacks that phpBB has are few, and are not essential to me
I don't think that we have ever compared phpBB to other forum software purely by number of features.
I know, but maybe that's his point -- other people do. In fact, the Devil's Advocate might argue that you don't compare features because you'd lose. :shock:

Personally, I would have attacked the statement by saying that other people might find those "few" features essential. Different people have different needs. I would have also called him out for not giving a list of "essential" features that myBB had that phpBB was lacking (beyond the plug-in system and a better warning/banning system -- the latter of which isn't "essential" to me as I'm the only moderator/admin of my board).
Marshalrusty wrote:
Son of a Beach wrote:phpBB 3.x has a very good security record so far. But no system is perfect. I don't consider any system to be flawless. But again, if they merged with another project, they could get a similar security audit done there, and apply the lessons learnt, and the new system should end up just as secure.
We've never claimed that phpBB is "perfect" or "flawless", but unless you have a vulnerability to report, please don't make it sound like one is coming any day now.
I think that you're nitpicking here. He didn't say that phpBB was perfect or flawless, nor did that quote imply that a security problem was just around the corner. It was a correct statement that almost any complex system can have flaws. And, of course, those flaws could be discovered at any time -- that's what "zero-day" problems are all about.

Again, I would have attacked that part by asking why they haven't had a security audit done already (if they in fact haven't) or (if they have) why their developers haven't taken those lessons to heart.
Marshalrusty wrote:Security audits only provide suggestions to make the software more secure than it was before the security audit, nothing more.
Sure because even finding an exploit would still be a "suggestion" -- they can't force the development team to fix it. :) The development team would still have to implement the suggestion. That doesn't mean that an audit is worthless, though.
Marshalrusty wrote:vBulletin had tremendously more resources than phpBB and nevertheless has nowhere near the same security record, solidifying the point. It takes much more than a security audit to end up with a record like the one phpBB3 has.
Do you know if vBulletin has had a security audit? I agree that an audit is worthless if you don't act upon it, and that security has to be thought about during development, but if vBulletin never had one, that could be part of the problem.

In fact, as you're the head honcho basically, how about answering what I consider the most important question that he asked:
So what are the goals of phpBB? If it is to provide the best free open source forums software, then perhaps the most efficient way to do this is actually to combine resources and knowledge with another project which is developing at a more acceptable rate, and which already has a good plugins system in place.
What are the goals of phpBB (both short-term and long-term), not from a feature/development point of view, but at a higher level. And, given that, why wouldn't merging with myBB (or some other project) be for the best?

You can attack individual pieces of his argument all that you want, but if you can't answer those, you haven't really refuted the basic thesis.

And, just for the record, I have no major complaints with phpBB as it exists today and plan to keep using it. I do wish that it had some additional features, though. :) As I argued in the locked topic, more frequent feature releases are what keep the project looking alive and vibrant.

Steve

Re: The Best Thing that phpBB Can Do: Merge

Posted: Sun Apr 08, 2012 10:15 pm
by callumacrae
Do you know if vBulletin has had a security audit? I agree that an audit is worthless if you don't act upon it, and that security has to be thought about during development, but if vBulletin never had one, that could be part of the problem.
I doubt that vBulletin will have had an external audit like phpBB had, because they've got built-in security people.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Mon Apr 09, 2012 2:27 am
by A_Jelly_Doughnut
Marshalrusty wrote: I don't think that we have ever compared phpBB to other forum software purely by number of features.
Well, Highway of Life and I created a poorly-researched feature comparison page for the website (a la forummatrix) upon the completion of 3.0. One of the points we were sure to emphasize was phpBB's lack of a quick reply :lol:

I'm afraid that other than that archival tidbit, I have little to add to the merging discussion that hasn't already been brought up.

Personally, I feel that the best thing that's happened to phpBB recently is its GSOC approval and particularly the recently-announced number of applicants.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Mon Apr 09, 2012 6:26 am
by Marshalrusty
Pony99CA wrote:A well-researched list or a case study in an Internet "discussion" forum? Surely you jest. :D

The original post was just one person's opinion. As he said, he didn't realistically expect that it would be acted upon.
Correct me if I'm wrong, but that essentially makes this topic purely self-serving.
Pony99CA wrote:I know, but maybe that's his point -- other people do. In fact, the Devil's Advocate might argue that you don't compare features because you'd lose. :shock:
The devil's advocate should contribute some patches to the codebase ;)
Pony99CA wrote:I think that you're nitpicking here. He didn't say that phpBB was perfect or flawless, nor did that quote imply that a security problem was just around the corner. It was a correct statement that almost any complex system can have flaws. And, of course, those flaws could be discovered at any time -- that's what "zero-day" problems are all about.

Again, I would have attacked that part by asking why they haven't had a security audit done already (if they in fact haven't) or (if they have) why their developers haven't taken those lessons to heart.
There's no question that any system can have flaws, but throwing this statement out as a shield just creates a universal false equivalency. All software is not equally secure and I look at the final product and its comprehensive security record (quantities, severities, time passed, popularity of the product, etc.) as the primary predictor of what is likely to come.
Pony99CA wrote:
Marshalrusty wrote:Security audits only provide suggestions to make the software more secure than it was before the security audit, nothing more.
Sure because even finding an exploit would still be a "suggestion" -- they can't force the development team to fix it. :) The development team would still have to implement the suggestion. That doesn't mean that an audit is worthless, though.
That is not what I meant. A security audit analyzes finished code and produces a list of concerns. The process is akin to repairing the foundation of a building after it has already been built. At that stage, you can fix what is obviously broken, but there's no going back to the beginning and doing the thing properly.

Imagine that phpBB3 did not use a request_var() function, requiring all input to be entirely sanitized in place. It is possible to do this without adding any vulnerabilities to the code, but a single oversight anywhere would result in a hole. A security audit would hopefully find any oversights, but we're now talking about hundreds of additional points that require detailed verification. This was a problem in phpBB2 and remains an active issue in much commonly used software. Security audits are just the last step, and certainly not the key.
Pony99CA wrote:Do you know if vBulletin has had a security audit? I agree that an audit is worthless if you don't act upon it, and that security has to be thought about during development, but if vBulletin never had one, that could be part of the problem.
I am not familiar with vBulletin's security process, but an external audit is not an inherent requirement for achieving a high level of security. Unless I am very much mistaken, phpBB3's security audit did not reveal any XSS or remote code execution vulnerabilities, for example. It did, however, provide a great deal of recommendations, some of which dealt in areas that might have been used in conjunction with each other or with code added at a later time or with code added by MODs or some incorrectly configured servers or any number of other hypothetical scenarios that we covered "just in case".
Pony99CA wrote:In fact, as you're the head honcho basically, how about answering what I consider the most important question that he asked:
I guess I'll take this opportunity to mention that the project is jointly overseen by members of the Management Team, who represent team members, who further stand for the community at large. Most of the important decisions are heavily influenced by the forces of the community and are therefore mostly a formality. I do, however, maintain full authority to change my avatar at will.
Pony99CA wrote:
So what are the goals of phpBB? If it is to provide the best free open source forums software, then perhaps the most efficient way to do this is actually to combine resources and knowledge with another project which is developing at a more acceptable rate, and which already has a good plugins system in place.
What are the goals of phpBB (both short-term and long-term), not from a feature/development point of view, but at a higher level. And, given that, why wouldn't merging with myBB (or some other project) be for the best?
Oleg addressed these points on the second page. Being an open source project, the goals of the software are actively evaluated and reevaluated by the community, as was clearly demonstrated by the reversal of the decision to drop support for subsilver2 (which was even mentioned in this topic). Our goals are to continue facilitating a system by which the community can determine phpBB's direction (see: [3.1/Ascraeus] RFCs & Patches Forum on area51).
Pony99CA wrote:And, just for the record, I have no major complaints with phpBB as it exists today and plan to keep using it. I do wish that it had some additional features, though. :) As I argued in the locked topic, more frequent feature releases are what keep the project looking alive and vibrant.
We agree. There is active work via multiple channels being done to improve release times and rectify resource limitations both in the short and long term. Of course, the community is keenly positioned to assist with both.
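
The contrast drawn in the post above, between one central input function and sanitizing every value in place, as an added example that is not part of the original thread and is not phpBB's code. `typed_input()` and `coerce()` are hypothetical helpers: each request value is forced to the type of its default in one place, so a review has one function to verify instead of every call site.

```php
<?php
declare(strict_types=1);

// Hypothetical central accessor (illustration only, not phpBB's request_var()).
// The result always has the type of $default; strings are cleaned and
// HTML-escaped here, once, rather than at every call site.
function typed_input(array $source, string $name, $default)
{
    // Missing value, or an array where a scalar is expected (or the reverse):
    // fall back to the default instead of guessing.
    if (!isset($source[$name]) || is_array($source[$name]) !== is_array($default)) {
        return $default;
    }
    return coerce($source[$name], $default);
}

function coerce($value, $default)
{
    if (is_array($default)) {
        // The first element of the default array sets the element type.
        // Only one level of nesting is supported in this sketch.
        $proto = $default ? reset($default) : '';
        if (is_array($proto)) {
            $proto = '';
        }
        $out = [];
        foreach ($value as $item) {
            if (!is_array($item)) {   // nested arrays are dropped
                $out[] = coerce($item, $proto);
            }
        }
        return $out;
    }
    if (is_int($default)) {
        return (int) $value;
    }
    if (is_bool($default)) {
        return (bool) $value;
    }
    // Everything else is treated as a string: strip NUL bytes, normalise
    // line endings, trim, then escape for HTML output.
    $value = str_replace(["\r\n", "\r", "\0"], ["\n", "\n", ''], (string) $value);
    return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
}

// Constructed sample request, standing in for $_GET.
$request = [
    't'    => '42 OR 1=1',                 // numeric id with trailing text
    'name' => "  <b>guest</b>\0 ",         // markup, NUL byte, padding
    'ids'  => ['7', 'x', ['nested']],      // mixed list with a nested array
    'mode' => ['unexpected' => 'array'],   // array where a string is expected
];

var_dump(typed_input($request, 't', 0));
var_dump(typed_input($request, 'name', ''));
var_dump(typed_input($request, 'ids', [0]));
var_dump(typed_input($request, 'mode', 'view'));
```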

Re: The Best Thing that phpBB Can Do: Merge

Posted: Mon Apr 09, 2012 6:48 am
by Elias
Very, very well said.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Mon Apr 09, 2012 6:53 am
by callumacrae
Unless I am very much mistaken, phpBB3's security audit did not reveal any XSS or remote code execution vulnerabilities, for example.
I believe that all the changes marked [Sec] here are things found by the audit: http://www.phpbb.com/support/documents. ... n=3#v30rc5

Re: The Best Thing that phpBB Can Do: Merge

Posted: Mon Apr 09, 2012 8:07 am
by Son of a Beach
It's good to see that there has been some reasonable discussion continuing here (as well as some dull repetition of points that I'll continue to ignore).

Firstly, I want to say that I'm sorry for any offense I've caused people here. I did expect to ruffle feathers, as it is a controversial thing to post. However, I've clearly hit a raw nerve with a lot of people judging by some of the rather emotional responses.
Marshalrusty wrote:Call me naive, but from the title of the topic, I had expected a bit more... substance. Perhaps some well-researched list of pros and cons or a case study of another pair of relatable projects that merged, with an overall positive outcome. What I instead see is an opinion based on assumptions and supported with generalizations... (snip)
I was deliberately using generalisations and not a whole lot of specific substance. Although I've clearly made a choice of other forum software, I wanted to avoid talking about any specific other forums software too much (except when other people brought it up). In particular, I did not want this topic to be a feature comparison topic.

What I was really interested in was the overall focus of phpBB. As a user and occasional visitor to these forums, it's easy to get the impression that phpBB's focus is on phpBB. Personally, I think their focus should be on their users.

Even to the extent that if the best interests of their users was for something other than phpBB.

Re: The Best Thing that phpBB Can Do: Merge

Posted: Mon Apr 09, 2012 11:47 am
by uuiiuu
I don't agree with you at all.
myBB is a very low quality system. It has some extra important features, but it doesn't have good styles, it is very prehistoric, and the system is not secure like phpBB.
phpBB could add all the extra features that myBB has without this merge.