Why oh why

Tread
Registered User
Posts: 39
Joined: Thu Nov 14, 2019 9:52 pm

Re: Why oh why

Post by Tread »

Hosts keep database and file backups, so as I said no one can really do anything. It's plain and simple and easy to install a backup.
P_I
Registered User
Posts: 1199
Joined: Tue Mar 01, 2011 8:35 pm
Location: Staying home - Calgary

Re: Why oh why

Post by P_I »

Tread wrote:
Sat Jun 20, 2020 1:55 pm
Hosts keep database and file backups, so as I said no one can really do anything. It's plain and simple and easy to install a backup.
In theory yes.

But based on the number of update/upgrade support topics where the person requesting help and admitting that despite clear instructions in the first few steps of the procedure to make a database and files backup they don't have an up-to-date backup to fall back on when things go wrong then I'd suggest that practice doesn't match theory.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams
thecoalman
Community Team Member
Posts: 3789
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Why oh why

Post by thecoalman »

Tread wrote:
Sat Jun 20, 2020 1:55 pm
Hosts keep database and file backups, so as I said no one can really do anything. It's plain and simple and easy to install a backup.
Being able to restore a backup is only the tip of the iceberg. As far as the backup, keep in mind any hack that corrupted data before the backup will be reflected in the backup. While on the topic, if you are relying on backups from your host, those backups can be days or even weeks old. Contact them for details of what they are backing up and when.

Most people hacking sites aren't interested in alerting the site owner to their activity. They are looking to poach associated usernames/passwords/email addresses. Other things may include running bitcoin miners, serving malware or being part of a botnet to attack other sites. A rogue extension can do almost anything and would only be limited by server config.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
RMcGirr83
Recognised Extension Developer
Posts: 21161
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: Why oh why

Post by RMcGirr83 »

FWIW, I just read this in another extension discussion topic by the extension author
Updates can be found in the github repo and I will probably not go through the extension validation process of phpbb again as it has been very time consuming.
In times of change, learners inherit the earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists - Eric Hoffer
Former Modifications/Extensions Team Member | My extensions | My extensions are updated regularly on github
Appreciate the extensions/mods/support then buy me a beer
All requests for support via PM will be ignored
Tastenplayer
Registered User
Posts: 719
Joined: Thu Jul 03, 2014 9:20 pm
Location: Switzerland
Name: Jutta Koliofotis

Re: Why oh why

Post by Tastenplayer »

Even if a non-validated extension appears to be smart, good, and error-free, it can cause interference and even major errors when used with other extensions. This has already happened to me with such an extension.
It can also happen that if you don't want this extension anymore, a lot of leftovers remain in the DB when uninstalling it. Later this can cause problems or even errors. This has already happened to me too.

Therefore install non-validated extensions with reservation and only if extensively tested in a TB.
Furthermore only from creators, where you can be sure, that they know something about the matter.

There is a reason why some extensions are rejected in the validation.
Some of them would probably not meet the validation requirements / regulations, but work without problems.
But you have to look for yourself - INSTALLATION AND USE AT YOUR OWN RISK!

My experience: Whoever contributes the least to phpBB - has the most to complain about! :twisted: :shock:
I'm mystified why an extension developer would get to the RC status and then not push onwards to get the extension validated and released, but unfortunately that seems to be a very common case.
Is often like with my styles. You don't want to put everything into the phpBB database. Even if they would pass through a validation without problems.
More of my styles you can find in my phpBB Style Board & More My styles -3.2.10-RC2
Be the best version of yourself rather than a bad copy of someone else!
Excuse me for my English, but I learned the language by speaking to people and not at school.
BarneyC
Registered User
Posts: 21
Joined: Sun Jun 21, 2020 2:41 pm

Re: Why oh why

Post by BarneyC »

david63 wrote:
Fri Jun 19, 2020 2:07 pm
Tread wrote:
Fri Jun 19, 2020 1:46 pm
To be fair no one can really take/steal a board
All extension developers will have total access to your database and an unscrupulous developer could, in theory, extract that data without you knowing about it. They could also "steal" usernames and passwords and use them to then access the ACP. They can also access email addresses and could totally destroy your board (that's easy as most developers will have done it at some point when creating an extension) and as we know many users do not backup their board(s).
I think you have to use your head in these cases; a brand new extension should be looked at with skepticism; something that's been out a year with 100s of downloads has probably been scrutinized by someone who knows php. If you're not a programmer and you're just blindly installing extensions, then yes, be careful. If you know php then just be sure to go through the code before installing it. It's difficult to get away with an exploit in open source code for very long; as someone will find it in short order.
Mick
Support Team Member
Posts: 22560
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: Why oh why

Post by Mick »

What happens if everybody waits a year?
"The more connected we get the more alone we become" - Kyle Broflovski©
david63
Registered User
Posts: 17976
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: Why oh why

Post by david63 »

Mick wrote:
Sun Jun 28, 2020 5:12 pm
What happens if everybody waits a year?
It is 2021 :o
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored
AmigoJack
Registered User
Posts: 5745
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Why oh why

Post by AmigoJack »

david63 wrote:
Sun Jun 28, 2020 5:49 pm
It is 2021
You're stupid: if several people wait then those can split the year. If "everybody" waits then 1 year should be easily done in a few weeks or even days. :roll:
BarneyC wrote:
Sun Jun 28, 2020 3:53 pm
It's difficult to get away with an exploit in open source code for very long; as someone will find it in short order
That's merely a wish and far from being a fact. OpenSSL's Heartbleed, LibTIFF, the Webmin disaster... The code must be audited and understood to actually find bugs, if not threats. But there's nowhere the guarantee anybody does. Not to speak of many. Millions may use it and every single one says "if there'd be a problem someone would have found out already". As of today most software is just a remix of existing frameworks and libraries (phpBB itself is dependent on other projects) and they include open source because they "need" to, not because they made sure it's robust code. Open source is great, but unrelated to trust.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.
david63
Registered User
Posts: 17976
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: Why oh why

Post by david63 »

AmigoJack wrote:
Mon Jun 29, 2020 12:08 am
You're stupid:
Obviously sarcasm is lost on you :roll:
RMcGirr83
Recognised Extension Developer
Posts: 21161
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: Why oh why

Post by RMcGirr83 »

david63 wrote:
Mon Jun 29, 2020 6:58 am
Obviously sarcasm is lost on you :roll:
Forrest Gump's momma was right. ;)
warmweer
Jr. Extension Validator
Posts: 4821
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Why oh why

Post by warmweer »

david63 wrote:
Sun Jun 28, 2020 5:49 pm
It is 2021 :o
I chuckled when I read that. :D
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.
BarneyC
Registered User
Posts: 21
Joined: Sun Jun 21, 2020 2:41 pm

Re: Why oh why

Post by BarneyC »

That's merely a wish and far from being a fact. OpenSSL's Heartbleed, LibTIFF, the Webmin disaster... The code must be audited and understood to actually find bugs, if not threats. But there's nowhere the guarantee anybody does. Not to speak of many. Millions may use it and every single one says "if there'd be a problem someone would have found out already". As of today most software is just a remix of existing frameworks and libraries (phpBB itself is dependent on other projects) and they include open source because they "need" to, not because they made sure it's robust code. Open source is great, but unrelated to trust.
I think the notion that openssl and webmin (1000s of files) and a PHPBB3 extension, which is usually a couple of small files are similar is a pretty ridiculous case to try to make. One not even worthy of debate.

I should have further qualified the idea for those who couldn't grasp the context of the subject at hand. My bad.
Talk19Zehn
Registered User
Posts: 530
Joined: Tue Aug 09, 2011 1:10 pm

Re: Why oh why

Post by Talk19Zehn »

Hello, it is wonderful that someone mentioned Acyd Burn (Meik Sievertsen). What I think will be forgotten is that for many years, excellent developments by participating developers and / or team members have taken place in numerous countries.
thecoalman wrote:
Thu Jun 18, 2020 10:36 pm
Time for some history.

...(...)...
One focus of the lead developer AcydBurn for the original phpBB3 was security, which led to three things. First they went back and fixed many problems in phpBB2 while phpBB3 was still under development. Second phpBB3 has an outstanding track record for security because of that focus. Lastly they implemented validation of mods which are now called extensions. This helps ensure their security, helps prevent any unforeseen issues with support and going forward with updates/upgrades.
...(...)...
These lists of developer names are endless. You are free to publish your skills in other places.

The mere thought or statement that those developers who still work with PHP and phpBB and produce less security than the validated ones that are offered in the CDB on phpBB.com ....
Thoughts are free.

In my opinion, inserting errors or malicious code and / or gaps is never a deliberate act.

Errors, malicious code and / or gaps could often only be discovered months / years later. This is also the case with the system versions of phpBB. Security updates were released in due course.

Validation:
A secured number of high-level developer staff can help to limit the time factor. Realizing personnel management is probably not easy to solve at all.

Regards :)

Edit: Spelling
Last edited by Talk19Zehn on Tue Jun 30, 2020 2:15 pm, edited 2 times in total.
david63
Registered User
Posts: 17976
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK

Re: Why oh why

Post by david63 »

BarneyC wrote:
Mon Jun 29, 2020 5:11 pm
a PHPBB3 extension, which is usually a couple of small files
Where do you get that notion? There are many extensions with over 100 files in them.