Discuss: phpBB 3.2.6 Release

Post by **Marc** » Mon Apr 29, 2019 8:58 am

Please discuss the announcement here.

As a reminder, please do not post support requests here but rather use the Support Forum.

wolfbeast · Post by **wolfbeast** » Mon Apr 29, 2019 10:21 am

the removal of the functionality to download database backups

I really don't think this is a good move. It's the prime way for admins to make off-site db backups from the web interface; you should at least keep the option to do this (enabled e.g. through config.php or so). This kind of "hardening" is trying to mitigate poor administration or staff organization; that shouldn't be phpBB's task. Board operators should instead make sure they have 1 or maybe 2 admins at most that have that level of access, and enforce proper security practices for those accounts.

Meis2M · Post by **Meis2M** » Mon Apr 29, 2019 10:27 am

good news

abdu7maan · Post by **abdu7maan** » Mon Apr 29, 2019 10:44 am

The exaggeration in increasing the protection of the script makes the program futile and impractical.
It is supposed to be developed like what happened in vbulletin5 and xenforo2

Post by **Mick** » Mon Apr 29, 2019 11:22 am

As you may have noticed this isn’t VB or Xenforo, phpBB is a totally different entity. It makes no sense to keep harping on about other board software and how much better than phpBB it is, the choice to use any of them is down to you.

antier · Post by **antier** » Mon Apr 29, 2019 11:46 am

As everyone knows, the best is the enemy of good.

This is, in my opinion, very clearly the case with this update.

abdu7maan · Post by **abdu7maan** » Mon Apr 29, 2019 12:26 pm

Mick wrote: ↑
Mon Apr 29, 2019 11:22 am
As you may have noticed this isn’t VB or Xenforo, phpBB is a totally different entity. It makes no sense to keep harping on about other board software and how much better than phpBB it is, the choice to use any of them is down to you.

I am not talking about what is the best or the worst.
We are talking about development.
The topic does not concern me or you as you think.

Post by **Crizzo** » Mon Apr 29, 2019 12:30 pm

wolfbeast wrote: ↑
Mon Apr 29, 2019 10:21 am

the removal of the functionality to download database backups
I really don't think this is a good move. It's the prime way for admins to make off-site db backups from the web interface; you should at least keep the option to do this (enabled e.g. through config.php or so). This kind of "hardening" is trying to mitigate poor administration or staff organization; that shouldn't be phpBB's task. Board operators should instead make sure they have 1 or maybe 2 admins at most that have that level of access, and enforce proper security practices for those accounts.

But what is the problem, that you need one more step to download the backup then from the store/ folder?

</Solidjeuh> · Post by **</Solidjeuh>** » Mon Apr 29, 2019 12:33 pm

Update complete on 2 boards. All good!

Heo32 · Post by **Heo32** » Mon Apr 29, 2019 12:41 pm

I'm happy with the change in backup functionality. Know that it was done with good intentions. Having proactive security is always better than being reactive. That's what makes phpBB stand out over other solutions. Being one step ahead is key to avoiding a potential compromised situation.

The update went well for me and everything seems to be working.

Thank you to everyone that made this release a possibility!

EA117 · Post by **EA117** » Mon Apr 29, 2019 1:49 pm

Possibly an extra reason to make sure you're using a phpBB 3.2.6-compatible style before deploying the update:
viewtopic.php?f=556&t=2509981&p=15243246

invenio · Post by **invenio** » Mon Apr 29, 2019 6:35 pm

Glad to see a new version out.

As a non-IT person. Can somebody explain what the security advantage is without being able to download the database from ACP? If you have admin privileges, you can do whatever you want to the board (ie read any posts, delete anything, etc.)? I was using this to backup my board database and just don't understand the security issue. Not criticizing, I just don't understand it.

</Solidjeuh> · Post by **</Solidjeuh>** » Mon Apr 29, 2019 6:43 pm

invenio wrote: ↑
Mon Apr 29, 2019 6:35 pm
Glad to see a new version out.

As a non-IT person. Can somebody explain what the security advantage is without being able to download the database from ACP? If you have admin privileges, you can do whatever you want to the board (ie read any posts, delete anything, etc.)? I was using this to backup my board database and just don't understand the security issue. Not criticizing, I just don't understand it.

You can still backup the database via ACP, just not download it anymore via ACP. So when a hacker get access to your admin/founder account, he cannot download/steal the database. And that's where the most important information is being stored. You can now simply download it from the /store folder.

invenio · Post by **invenio** » Mon Apr 29, 2019 7:02 pm

Oh, I see. So it's not access to the database that was restricted from the ACP, merely the placement of that archived database.

Joyce&Luna · Post by **Joyce&Luna** » Mon Apr 29, 2019 7:24 pm

Hi

Are code changes necessary from 3.2.6 RC1 to 3.2.6?

advertisements