English Amiga Board
Old 16 July 2024, 14:20   #81
jman
Registered User
Quote:
Originally Posted by meynaf
Don't have me started on security of old things
Exactly:

https://web.archive.org/web/20240715...emonamiga.com/
Old 19 August 2024, 15:13   #82
RCK
Administrator
For me, EAB should stay as it is, with the old vb3 engine, because of the speed, nostalgia, and Amiga compatibility.
I don't care about mobile skin, double authentication, etc. but we have to be "findable" by search engine to not be useless.

Now, if we want to keep abime.net server secure, I have to keep kernel and linux packages up to date, because this server is online 24/24.
This means PHP versions are always growing (EAB is running on php 7.x, but php 8.x will be soon live, etc.)

So I will do the maximum to patch the php code and let it work with the latest PHP version.
But maybe one day it won't be possible anymore, and if it happens, I will be forced to make a poll to choose between security (new forum engine) or an insecure EAB.
Hopefully it won't happen soon

Last edited by RCK; 19 August 2024 at 15:22.
Old 19 August 2024, 15:46   #83
meynaf
son of 68k
Updates have their own issues, look at what happened with CrowdStrike.
Old 23 August 2024, 02:04   #84
gimbal
cheeky scoundrel
CrowdStrike hooks into kernel space, that is a whole different level of update disaster. But what would be even worse is if they would stop pushing those updates.
Old 23 August 2024, 05:30   #85
modrobert
old bearded fool
Quote:
Originally Posted by RCK
For me, EAB should stay as it is, with the old vb3 engine, because of the speed, nostalgia, and Amiga compatibility.
I don't care about mobile skin, double authentication, etc. but we have to be "findable" by search engine to not be useless.

Now, if we want to keep abime.net server secure, I have to keep kernel and linux packages up to date, because this server is online 24/24.
This means PHP versions are always growing (EAB is running on php 7.x, but php 8.x will be soon live, etc.)

So I will do the maximum to patch the php code and let it work with the latest PHP version.
But maybe one day it won't be possible anymore, and if it happens, I will be forced to make a poll to choose between security (new forum engine) or an insecure EAB.
Hopefully it won't happen soon


From experience, being familiar enough with the PHP code to patch it increases the security a lot, and I like your plan.

Quote:
Originally Posted by meynaf
And if for whatever reason you don't have a mobile phone at all (or an ancient model), you're stuck.
The only effects of 2FA is to block legitimate actions and collect personal data with the excuse of security.
If EAB starts doing that too, I will leave permanently.
I think 2FA (MFA in general) improves the security theoretically, but the price is high in practice, definitely too high for certain situations. In most cases you are required to use an app running on your smartphone (aka "ankle monitor") which is constantly monitoring your position and listening in as needed. Suddenly it becomes a matter of who you will trust (best case the phone manufacturer holding the cryptographic keys and the government with access to them), not about maximizing security.

A working compromise for me is to never forget what the smartphone is, "an ankle monitor for the modern world", and leave it behind in certain situations.

Quote:
Originally Posted by jman
Speaking about security, I feel it's less secure using an unsupported version of vBulletin (3.8.x reached End Of Life in 2017, see announcement) and the obsolete and unsupported PHP stack that it has to use.
In my experience, it's better to know the PHP code you are running and to be able to patch it. Let me give you an example which is completely made up regarding the security flaw, just for the sake of explaining.

In vBulletin you have the "?p=123" parameter which takes you to post 123 in this case. Let's say a security flaw is reported where someone manages to inject an SQL string into this "p" parameter which does some nasty query on your database.

The bug is disclosed in public and an official patch is released which changes the SQL query to be quoted differently in the PHP code.

Solution 1 (following guidance, not knowing the code):
You apply this patch by updating, and feel good about yourself.

Solution 2 (thinking yourself, knowing the code):
You quickly realize that the "p" parameter should never accept anything except integers. Since you know the code, you add code which checks whether "p" carries an integer; if not, you reject the parameter and return HTTP error "403".

"Solution 1" will fix the bug for the specific attack used to compromise the "p" parameter, while "Solution 2" will future-proof your code by preventing any SQL injection attacks regarding the "p" parameter ever again. As an added bonus, the quick HTTP error "403" exit in your code prevents DDoS attacks unintentionally created by hordes of bots trying to exploit the announced bug. Also, "Solution 2" lets you patch code which isn't officially supported anymore.

Last edited by modrobert; 23 August 2024 at 07:28. Reason: Added lots of stuff, merged posts.
Old 23 August 2024, 07:46   #86
meynaf
son of 68k
Quote:
Originally Posted by gimbal
But what would be even worse is if they would stop pushing those updates.
Why would it? I can't think of a single example of a comparable catastrophic result because some update hasn't been made.
Old 23 August 2024, 10:01   #87
AestheticDebris
Registered User
Quote:
Originally Posted by meynaf
Why would it? I can't think of a single example of a comparable catastrophic result because some update hasn't been made.
SQL Slammer springs to mind. Although there have certainly been plenty of cases of old software with known vulnerabilities being exploited.
Old 23 August 2024, 10:17   #88
meynaf
son of 68k
Quote:
Originally Posted by AestheticDebris
SQL Slammer springs to mind. Although there have certainly been plenty of cases of old software with known vulnerabilities being exploited.
Ok then.
Nevertheless, the situation is slightly different. Pushing updates all the time isn't exactly the same as an emergency fix. Was the CrowdStrike update a security fix, or did it contain a shitload of other things (especially things that users didn't want)?
Old 24 August 2024, 19:54   #89
Thomas Richter
Registered User
The forum software is probably a bit outdated, but working. But what really annoys me is the forum structure, or the lack of it. There are too many subforums, and some seem to be quite pointless and should probably be retired. Do we really need:

support.WinFellow
support.OtherUAE
support.FS-UAE

as independent top-level forums instead of just one (emulators of all kinds)?

support.Games
support.Demos
support.Apps

Why is this not just "software"? Why are subforums required here?

support.Amiga Forever
support.Amix

Is this really popular enough to justify subforums?

Why is "requests" a separate group in itself? Wouldn't it be better to just host requests under the software or hardware forum where features are requested?

Games images which need to be WHDified: Why is this a separate forum? Probably goes into a generic "games" forum?

Why does "HOL" require an entire group? Would one not be enough? Same for ARM.

Why does a group "Projects" even exist, and what makes a "Project" important enough to appear here?
Create a single entry "Projects", and there create a hierarchy. There are even projects I have never heard of (or care about), so why does this take so much screen estate? This is hard to navigate. Create a hierarchy, put the projects there, and allow other projects to appear there too.

I believe restructuring eab would be much more beneficial than updating the software. Cut the number of subforums down, seriously so. This would help a lot to navigate.
Old 24 August 2024, 20:59   #90
alexh
Thalion Webshrine
Quote:
Originally Posted by Thomas Richter
There are too many subforums, and some seem to be quite pointless and should probably be retired. Do we really need [snip] as independent top-level forums?
No but I would like to keep them as sub-forums under Emulation. WinUAE, FS-UAE and other UAE are distinct topics.

Quote:
Originally Posted by Thomas Richter
support.Games
support.Demos
support.Apps

Why is this not just "software"? Why are subforums required here?
Why not? I can't help with Games or Demos but I'll be able to help with apps so I don't read the other two.

Quote:
Originally Posted by Thomas Richter
support.Amix
Is this really popular enough to justify subforums?
It's unusual enough to require specialist help and grouping these help requests together almost certainly makes Amix more useable than it was in the past.

Quote:
Originally Posted by Thomas Richter
Why does "HOL" require an entire group? Would one not be enough?
Because the maintainer of HOL is extremely active and wanted what he wanted.

Quote:
Originally Posted by Thomas Richter
Why does a group "Projects" even exist, and what makes a "Project" important enough to appear here?
Why not? The author has presumably asked or there was enough traffic to warrant it.

I think you and I use EAB in quite a different way. I only browse the forum front page when I want to post something, to work out where to post. I normally just log in, click on "show unread posts", catch up and then mark everything read.
Old 24 August 2024, 22:40   #91
Thomas Richter
Registered User
Quote:
Originally Posted by alexh
No but I would like to keep them as sub-forums under Emulation. WinUAE, FS-UAE and other UAE are distinct topics.
Why? And what makes them important enough to justify the screen estate? Or put differently, why is there no "Project AmigaOs 3.2" or no "Project P96"?


Quote:
Originally Posted by alexh
Why not? I can't help with Games or Demos but I'll be able to help with apps so I don't read the other two.
I can't help with "Demos" either, but I can help with P96, so why is there no "P96 Project"?


Don't get me wrong. I'm not requesting one, but my point is that there are already so many "oh, this might be important" lines on the top level that I'm feeling lost. And yes, I believe "Emulation" is good enough to cover multiple emulators; they are similar enough that, when reading through the topics, you might find relevant answers.


Quote:
Originally Posted by alexh
Because the maintainer of HOL is extremely active and wanted what he wanted.
Oh, I'm also extremely active, should I get a forum? (-;


Quote:
Originally Posted by alexh
Why not? The author has presumably asked or there was enough traffic to warrant it.
The "why not" is because every topic you add makes it harder to navigate. Or, in Amiga terms: read the RKRM User Style Interface Guide. A menu or a cycle gadget should be cut down to the minimum number of entries needed. Don't overload the user with choices. The people that wrote that had a good point, really.



Quote:
Originally Posted by alexh
I think you and I use EAB in quite a different way. I only browse the forum front page when I want to post something, to work out where to post. I normally just log in, click on "show unread posts", catch up and then mark everything read.
Surely, but your experience wouldn't be lost if the number of topics were cut down dramatically, whereas it would improve my browsing experience extremely if topics had a clear hierarchy (-; Or, to put it even more differently, look at how other forums are organized. Not everything is bad over there at a1k.org.


This said, I thank eab for the service, and I'm glad it exists, but that doesn't mean that it could not be improved by giving it a better structure.
Old 24 August 2024, 23:40   #92
alexh
Thalion Webshrine
Quote:
Originally Posted by Thomas Richter
Why? And what makes them important enough to justify the screen estate?
Because they were interesting and someone requested them?

Quote:
Originally Posted by Thomas Richter
Or put differently, why is there no "Project AmigaOs 3.2" or no "Project P96"?
Because no-one ever asked?

Quote:
Originally Posted by Thomas Richter
I can't help with "Demos" either, but I can help with P96, so why is there no "P96 Project"?
Because the forum to use for P96 issues is the Individual Computers forum? Because no-one ever asked for one?


Quote:
Originally Posted by Thomas Richter
my point is that there are already so many "oh, this might be important" lines on the top level that I'm feeling lost, and yes, I believe "Emulation" is good enough to cover multiple emulators
Someone else disagreed, and they had more influence on EAB than you (or I)?

Quote:
Originally Posted by Thomas Richter
The "why not" is because every topic you add makes it harder to navigate.
I disagree. The basic forum style is easy to understand. You know that topics are listed vertically. To get to one you are interested in you just scroll down. The number of listings is irrelevant unless it becomes tedious (which it isn't at the moment, 5 scrolls of the mouse wheel encompasses everything).


Quote:
Originally Posted by Thomas Richter
Or, in Amiga terms: read the RKRM User Style Interface Guide
Or go further back, to Jackson Structured Programming. One function for one function.

Quote:
Originally Posted by Thomas Richter
Or, to put it even more differently, look at how other forums are organized. Not everything is bad over there at a1k.org.
I hate a1k.org's forum organisation. You can never find anything without search, because it is not organised enough, and to search you need either language-agnostic search terms or to learn German to know which search terms to use. I regularly want to refer to a thread I saw several months ago about X, but I can't find it because it's mixed in with countless other threads and I don't know the search terms to use to find it. This could be a language thing rather than an organisational thing, though. Or they have a very bad search.


Quote:
Originally Posted by Thomas Richter
This said, I thank eab for the service, and I'm glad it exists, but that doesn't mean that it could not be improved by giving it a better structure.
Certainly couldn't hurt giving it a go.

Last edited by alexh; 24 August 2024 at 23:45.
Old Yesterday, 09:48   #93
TCD
Global Moderator
Quote:
Originally Posted by Thomas Richter
I can't help with "Demos" either, but I can help with P96, so why is there no "P96 Project"?
Because you never asked for it. 'Project' subforums are created on request by the project maintainer.

Some inactive projects/subforums should be removed/archived/merged in my opinion. I'll ask RCK what he thinks about it and then it will take some time to decide on which ones will be affected.
Old Yesterday, 10:34   #94
dreadnought
Registered User
I agree that the front page could do with a bit of reorganising. I also mostly just use "show unread posts" and seldom visit the front, but when I do and try to find something there, it can be somewhat confusing.
Old Yesterday, 12:53   #95
malko
Ex nihilo nihil
I would appreciate if the "OffTopic" sections (new posts) could be again accessed without the need of being logged in.
Old Yesterday, 16:12   #96
Karlos
Alien Bleed
The forum is OK as is, if you ask me, sans any direct incompatibilities with PHP8 assuming that's the intended upgrade path.

However, I would advocate hardening of the software. I've seen vb code before and it isn't pretty, so what I'd suggest:

Do a permissions validation so that all the directories are locked down to just the appropriate user with just the minimum required permissions.

Ensure there are some HTTP server mods to scrub out things like SQL injection.

Make sure PHP is configured to never output error information.

Implement an input screen. This is one that requires some bare minimum coding, but the idea is pretty simple. You create an include file to be included at the head of each HTTP-accessible page that a guest can access. This should define code that completely scrubs out the PHP superglobals except for a set you define just before including it. It should be a simple array structure that specifies the expected parameter name, which collection it is expected to arrive in (e.g. POST, GET, COOKIE, etc.) and what its basic data type/format requirements are. You will need to define that on a per-page basis before inclusion.

The screen will capture only those, empty the rest and reinject the captured values, having validated/sanitised them.

I had to do something similar to this a long time ago for a crotchety old bespoke system that was apparently written by someone with no cognisance of good practice, and there wasn't time to completely replace it.
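A per-page allowlist include of the kind Karlos describes above, with modrobert's integer-only "p" parameter from post #85 as its first rule. This is an added example, not EAB's or vBulletin's own code; the file name, the rule format and the parameter names in the sample spec are assumptions.

```php
<?php
// Added example, not EAB's or vBulletin's own code: a per-page "input screen"
// include in the spirit of Karlos's post, applied to modrobert's "?p=123" case.
// The page sets $EXPECTED before requiring this file; parameters not listed are
// dropped, and a listed one that fails its rule ends the request with a 403
// before any database query or template work is done (the cheap exit that also
// keeps a flood of bots probing a published bug off the database).
//
// Constructed spec for a thread page (parameter names are illustrative only):
//   $EXPECTED = [
//       'p'    => ['from' => 'GET', 'type' => 'int'],
//       'page' => ['from' => 'GET', 'type' => 'int', 'optional' => true],
//   ];
//   require __DIR__ . '/input_screen.php';
declare(strict_types=1);

function screen_reject(string $why): void {
    // No detail goes to the client; the reason is logged server-side only.
    http_response_code(403);
    error_log('input screen rejected request: ' . $why);
    exit;
}

function screen_validate(string $type, string $raw): ?string {
    switch ($type) {
        case 'int':
            // Plain decimal digits only, so nothing but a bare number reaches the lookup.
            return preg_match('/\A[0-9]{1,10}\z/', $raw) === 1 ? $raw : null;
        case 'word':
            return preg_match('/\A[A-Za-z0-9_\-]{1,32}\z/', $raw) === 1 ? $raw : null;
        default:
            return null; // unknown type in the spec: fail closed
    }
}

function screen_apply(array $expected, array &$get, array &$post, array &$cookie): array {
    $sources  = ['GET' => &$get, 'POST' => &$post, 'COOKIE' => &$cookie];
    $captured = ['GET' => [], 'POST' => [], 'COOKIE' => []];
    foreach ($expected as $name => $rule) {
        $src = $rule['from'] ?? '';
        if (!isset($sources[$src])) screen_reject("unknown source for $name");
        if (!array_key_exists($name, $sources[$src])) {
            if (empty($rule['optional'])) screen_reject("missing $name");
            continue;
        }
        $raw = $sources[$src][$name];
        // An array value (p[]=1) is never acceptable for a scalar parameter.
        if (!is_string($raw)) screen_reject("non-scalar $name");
        $clean = screen_validate($rule['type'] ?? '', $raw);
        if ($clean === null) screen_reject("invalid $name");
        $captured[$src][$name] = $clean;
    }
    // Empty every collection, then reinject only the values that passed.
    $get    = $captured['GET'];
    $post   = $captured['POST'];
    $cookie = $captured['COOKIE'];
    return $captured;
}

screen_apply($EXPECTED ?? [], $_GET, $_POST, $_COOKIE);
$_REQUEST = array_merge($_COOKIE, $_POST, $_GET);
```

A page that forgets to define $EXPECTED ends up with every collection emptied, which is the safe direction to fail in.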
Old Yesterday, 22:16   #97
AmigaFriend
Registered User
I like the forum as it is. It's simple to navigate, friendly to the eye and above all, works really well.

When I use other forum software, I don't feel as at home as working with vBulletin.
Old Yesterday, 22:22   #98
hitm4n
Registered User
I too like this forum, as old as it is. It's fast, simple to navigate, and "mark forums read" is super quick (on other forums I go to it takes forever to tell me "forums are now marked as read"). It's simple too. I hope it can stay as long as possible, but I also see the need for security and that updates just may not be possible after a while.

Maybe there's a modern vBulletin 3 style alternative now?
Powered by vBulletin® Version 3.8.11