PHPBB3 comparisons inaccurate?

Started by TestMonkey, December 13, 2007, 01:49:06 PM


karlbenson

#20
Then you've never been hacked.
I've been member/moderator/admin on over half a dozen or more PHPBB sites over the last 5 years, every single one of which has been brought down by widely posted exploits in the core phpbb at least once, forcing to revert to backup.

That's my experience.  But ask anyone, PHPBB has a reputation for being insecure.

18 months with SMF, not once.

Ol' Wombat

Quote from: NeoThermic on December 13, 2007, 09:36:09 PM
.....

I take exception to that. phpBB 3.0 has had a fully paid professional audit.

NeoThermic

what exactly does that mean?

NeoThermic

Quote from: Ol' Wombat on December 13, 2007, 09:46:03 PM
Quote from: NeoThermic on December 13, 2007, 09:36:09 PM
.....

I take exception to that. phpBB 3.0 has had a fully paid professional audit.

NeoThermic

what exactly does that mean?

It means that a security professional who gets paid to test for exploits in systems by white-boxing the code (i.e. they have the full source in front of them) looks through and sees if exploits can be done. The result of the audit is a report which details anything found. Developers can use the report given to fix anything as required.

This means that out of the box, 3.0 is *very* secure. I'd be surprised to see any exploits for it soon. If you wish to know what was fixed, hxxp:www.phpbb.com/support/documents.php?mode=changelog&version=3#v30rc5 [nonactive] are the result of the audit.

NeoThermic

Highway of Life

Quote from: shadow82x on December 13, 2007, 08:48:21 PM
I don't see anything wrong with that. Why not have a solid, stable product? The fact that they wanted the software flawless should not be an issue.
Yes, unfortunately it took longer than normal. Actually, it was 5 years, though it wasn't a revision, but a major version. :)
We'll be building on this codebase though, it's quite solid so hopefully the *revisions* will not be long and involved. Our main goal was not to set a release date, but try to get it as stable and secure as possible prior to the release, this is one reason it took a long time, but certainly not the only reason. The mid-way rewrite probably hurt the time factor the most.

Quote from: JayBachatero on December 13, 2007, 08:53:55 PM
BTW:  Congrats on the release :).
Thanks. We're all looking forward to a little sleep after this. :D

Quote from: Gazmanafc on December 13, 2007, 09:11:44 PM
Highway of Life,

I'll take a proper look through and see what else I can find.

Limit username Chars
This is set to 60 everywhere, so that's what you're referring to then you might wanna change that to yes, though, I think it could be actually made a setting in SMF 2.0.
Cool, thanks so much for taking the time to do that. I really appreciate it.
Is the 60 char limit adjustable or static?

Quote
Post Drafts
Does "Preview" count? :P
Drafts are actually different than preview. You can save a draft of a post or private message for later use. For example, you might be typing up a post, and have to leave and go do something, so you would simply hit the "save" button and it saves the draft to your profile. You can then view each draft individually and also load them up into a new reply or private message.

Quote
Forum Rules
User Agreement?
The Forum rules are basically like forum description, in that each individual forum can be assigned its own set of forum rules. These forum rules can be displayed right under the header whenever you are viewing that forum.
e.g.: hxxp:myskitch.com/highwayoflife/forum_rules-20071213-204139.jpg [nonactive]

Quote
Subscribe to Forums
That is doable. Click Notify when inside a board, and Current Board Notifications section in the "Notifications" section of your profile.
Cool, will add that to the list. So you can do notifications for both forums as well as topics?
Saw the notify on this topic, nice. :) 

Quote
Manage Attachments
This should be changed to yes. Admin > Attachments and Avatars in 1.1, for all. 2.0 refines the attachments more to each user.
K, Admin manage in 1.1, user + admin manage in 2.0.

Quote
Group-based Memberlist Display
Admin > Membergroups > [MEMBERGROUP]
Erm, little different, probably could use some additional clarity as well... sometimes it's hard to compact a complete feature description into a small line of text. :)
In phpBB3, you can click on a group and it will show you all the users in that group in the memberlist on the user-facing side. i.e. not only in the Admin panel.

Quote
Localised Moderator Logs
Yes, but it has to be turned on in the Admin Center. Admin > Features and Options > Log moderation actions. Then Admin > Moderator Logs to view them.
K, will change that.

Quote
Post Details
What sort of details?
Shows IP for the Poster, will also show Other users posting from this IP, IP addresses this user has posted from, and a Whois Lookup on each IP. You can also change the Post Author or edit the post (if permissions allow) through the post details.

Quote
Move Multiple Topics
You'll need to turn this on in your profile. Profile > Look and Layout Preferences > Show quick-moderation on message index as > Checkboxes and some dropdowns and checkboxes allow you to move, delete, sticky and merge multiple topics at once.
Cool, will change that as well.

Quote
Manage Bans
These are admin actions only, I don't know why they would be in the Mod CP in the first place IMO. But at any rate, you can use permissions to allow any membergroup you choose to ban other users.
K... I'll make sure they are in the ACP section, phpBB3 has a ban management in both the MCP and ACP, both permission controlled of course.

Quote
Customise/Edit Imagesets
They're editable in a Graphics Editor. :P
Hmm... how do you mean?
In phpBB3, you can edit which image you want to appear where, for example, you want to change the logo, you would just choose a different image from that directory in the popup menu. Or the "Forum with SubForums" Image, as another example.
It doesn't relate to actually editing the images themselves. :D

Quote
Instant Messaging
What about the MSN/YIM/ICQ/AIM fields in the profile and the PM system?
This could probably use more clarity as well. phpBB3 supports instant messaging through the phpBB3 system using Jabber, aside from just having the MSN/AIM/YIM/ICQ etc in the profiles. For example, it will instant message you of a topic reply notification if you have that option turned on in your user preferences.

Quote
Convertor Wizard
We do have a converter wizard, it's convert.php and is available in all the converter packages on the download page.
K, I'll add that.

Again, thanks for going through all those, hopefully the above provides a bit more clarity for those as well, but it helps a lot to get an outsider opinion, since it gives the perspective of not being as familiar with the features.

Quote from: Oldiesmann on December 13, 2007, 09:13:13 PM
In the case of "Forum rules", "Forum" is what we call a "board", so no, SMF doesn't have that.
Same here, actually phpBB3 has forum specific rules, but it doesn't have an actual "Board rules" page per se.
- Highway of Life
Founder of hxxp:startrekguide.com [nonactive]
Programming Instructor

weightman

Good thread. Nice to see discussion between the two leading open-source forum software communities, especially in such a respectful fashion. I like SMF better, that's why I converted to SMF from phpbb. Competition is good, it makes for better software all the way around, just as it does in sport.

Still, I think SMF is ahead right now by far, and I am not looking backward. Let's compare SMF 2 to phpBB 3, and then decide. And if there is a way to work together, I think that would be preferable personally.

Amacythe

We don't appreciate flaming other software.  If we have to belittle the efforts of the other organizations for any reason, it doesn't help our own community but makes our group seem petty and childish.

I won't delete the first few posts, but in the future, please remember to curb the temptation to stand on the rooftops and scream about how great SMF really is (even though we already know the truth ;) )

HoTmetal

Quote from: Ol' Wombat on December 13, 2007, 08:25:43 PM
taking 3 years for a revision? - is like walking a dead :)


Remember, phpBB, like us (and other projects) are run by volunteers.
Team members come and go depending on real life demands.
Putting out a product such as a forum takes tons of man hours to
design, debug, and test and isn't an easy task.

While everyone is entitled to their own opinion, please keep in mind
the views and the thoughts of others, and more importantly SMF's core values.
( I'm not directing this @ you Wombat, but to this post in general. )
Quote
Friendly Competition

We exist in a competitive world, with many other alternative software titles. We will persevere in this arena through quality and respect, not through antagonism and hate. We will support competitors and treat them as we would have them treat us. We will not insult, disparage or in any other way teardown other projects, businesses or organizations.

metallica48423

Karl, while we recognize that phpbb might have had problems in the past, we really push to respect everyone's efforts.

In this as well, we harbor no ill will towards them in response to their comparison list, given it might be exclusionary of a few things, but, that is their thing and it's neither here nor there.

To address everyone else: I don't want this to turn into a flame phpbb3 over this dedication thread because they have come a long way since phpbb2.  It's been pretty good overall so far.

This is their day to celebrate their hard work over the past few years. So keep it friendly and respectful or I will have to lock this thread.
Justin O'Leary
Ex-Project Manager
Ex-Lead Support Specialist

Quote
Microsoft wants us to "Imagine life without walls"...
I say, "If there are no walls, who needs Windows?"


Douglas

#28
Quote from: Highway of Life
Quote
Group-based Memberlist Display
Admin > Membergroups > [MEMBERGROUP]
Erm, little different, probably could use some additional clarity as well... sometimes it's hard to compact a complete feature description into a small line of text. :)
In phpBB3, you can click on a group and it will show you all the users in that group in the memberlist on the user-facing side. i.e. not only in the Admin panel.
The same is under ADMIN > Member Groups > It'll show you a hyperlinked number, you click on that, there's your grouped members.  :)

Quote from: Highway of Life
Quote
Post Details
What sort of details?
Shows IP for the Poster, will also show Other users posting from this IP, IP addresses this user has posted from, and a Whois Lookup on each IP. You can also change the Post Author or edit the post (if permissions allow) through the post details.
We actually have that information, though it's expanded considerably.  You can click on an IP address at the lower right of each post and it'll show the majority of that information, as well as any error messages (actual errors or ban logs), plus other users possibly in the same range.  The "Change Post Author" thing isn't on SMF.

There's also editing a post via AJAX (no page reloads needed) or actual edits.
Doug Hazard
* Full Stack (Web) Developer for The Catholic Diocese of Richmond
(20+ Diocesan sites, 130+ Church sites & 24 School sites)
* Sports Photographer and Media Personality
* CFB Historian
* Tech Admin for one 1M+ post, one 2M+ post and one 10M+ post sites (last two are powered by multiple servers)
* WordPress Developer (Junkie / Guru / Maven / whatever)

Gary

Quote from: Highway of Life on December 13, 2007, 10:01:02 PM
Our main goal was not to set a release date, but try to get it as stable and secure as possible prior to the release
You're not the only ones who think like that. phpBB and SMF are similar in that aspect as we don't like to set release dates either. I listened to your podcast, we have the same "It'll be released when it's released" philosophy.

Quote
Is the 60 char limit adjustable or static?
It's static. Though like I said, I think it should be adjustable in SMF 2.0, and I'll probably post it in the team boards not long after this post. :P

Quote
Cool, will add that to the list. So you can do notifications for both forums as well as topics?
Saw the notify on this topic, nice. :)
Indeed, you can set notifications on both Topics and Boards.

Quote
Erm, little different, probably could use some additional clarity as well... sometimes it's hard to compact a complete feature description into a small line of text. :)
In phpBB3, you can click on a group and it will show you all the users in that group in the memberlist on the user-facing side. i.e. not only in the Admin panel.
In that case, no we don't have that, at least not to regular users, unless you're sorting the memberlist by membergroup. But that'll display all of the users still but group them all by their membergroup. In 2.0 though, we do have a Membergroup Legend which will function similar to how phpBB 3's does.

Quote
Shows IP for the Poster, will also show Other users posting from this IP, IP addresses this user has posted from, and a Whois Lookup on each IP.
This we have by going to a Users Profile then "Track IP", you can also see Error Messages by the User, the IP that user has used, Members in close range of all of the IPs used by that member, and the most recent IP. The "Show Permissions" link in the profile will show you all the permissions that user has.

Quote
In phpBB3, you can edit which image you want to appear where, for example, you want to change the logo, you would just choose a different image from that directory in the popup menu. Or the "Forum with SubForums" Image, as another example.
It doesn’t relate to actually editing the images themselves. :D
Heh. In that case, we allow users to change the logo URL in the admin center (Admin > Current Theme), but that's usually what most themes do (logo only) but there are some themes that will allow you to change other images as well via that panel. (I.e Themes can add new settings for that section that wouldn't be there for the default theme)

Quote
This could probably use more clarity as well. phpBB3 supports instant messaging through the phpBB3 system using Jabber, aside from just having the MSN/AIM/YIM/ICQ etc in the profiles. For example, it will instant message you of a topic reply notification if you have that option turned on in your user preferences.
In that case, nah, we don't have any of that.
Gary M. Gadsdon
Do NOT PM me unless I say so
War of the Simpsons
Bongo Comics Fan Forum
Youtube Let's Plays

^ YT is changing monetisation policy, help reach 1000 sub threshold.

Ol' Wombat

Quote from: NeoThermic on December 13, 2007, 09:52:17 PM
..

It means that a security professional who gets paid to test for exploits...

I figured that already but who exactly is that professional? - shy of naming?

Highway of Life

#31
Quote from: Tippmaster on December 13, 2007, 09:20:24 PM
A chart means nothing. All someone has to do is test install both...and it will be clear which one they should use..
In the end, a chart should not be the deciding factor, but it's an excellent place to start when a user is looking for a bulletin board software to choose from. Sure there are sites like forummatrix, but they list very generic features, we wanted to get a lot more detailed with each feature.
Quote
I mean honestly. It's time for phpbb retirement.
Thanks, I appreciate the compliment. ::)

Quote
As for the inaccuracy of the chart itself, it's obviously biased, but all companies do that. They are just trying to make their product look like it still compares to any of the other three mentioned, which is not a big deal.
Well, it's going to have a degree of bias, it's the features that we are comparing, we are intimately familiar with phpBB3, whereas we are not as familiar with others like SMF, which is why I'm here. If it was truly intentionally biased, I wouldn't be here asking questions to try and improve the accuracy of the list. We attempted to pull a list off of this site, but couldn't find any. Likewise, prior to making the list, if an SMF staff member tried to find all the features of phpBB3, they would have been at an equal disadvantage.


I'm very happy to hear and see that SMF takes Security top priority, but you should know that it is unwise to speak of what you do not know.
SMF 1.1 was not developed 5 years ago, phpBB2 was, phpBB was an infant back then and no, they didn't take Security seriously in the beginning. 5 years ago, the internet was a much friendlier place, unfortunately, phpBB3 came 2 years late.
Ever since the major security issue of phpBB 2.0.10, The phpBB Teams have made an incredible effort to make Security their number one priority, and ever since then, it has been. Since the internal code security inspection that produced phpBB 2.0.18, phpBB2 did not have anymore major security vulnerabilities, and the rest of the updates to the 2.0.22 point were made on stability and bug fixes. As a testament to the security of even phpBB2 since then, 2.0.22 has been released for over a year, with no reported security vulnerabilities or problems. On the flip side, phpBB3 was developed from the ground up with security in mind first, and usability and features second. As you should now know, phpBB3 is a completely different codebase than phpBB2, a complete re-write, which broke backward compatibility with 2.0.x and thus went from 2.2 to 3.0 as a completely new version.

If the phpBB Teams did not consider PHP a top priority, they would not have paid to have the External Security Audit performed by SektionEins and Stefan Esser, who happens to be one of the foremost experts on PHP Security.
Stefan personally oversaw the Code Audit of phpBB3 and approved it, giving the phpBB Teams some additional steps to take for added security measures. Since phpBB3 has entered Release Candidate stage, it has been acclaimed by many PHP Security experts as having major improvements and holding it up as an example to other PHP Applications in the areas of Security.
No, this didn't happen with phpBB2, but this is phpBB3 we are talking about... the new release.

If you're going to make statements like this, you better be able to back them up. I noted that you said phpBB3 is guaranteed to get hacked. I would like to inform you that tens of thousands of boards were running on phpBB3 RC, and not a single one was hacked, and unless you can prove otherwise, you should retract your statement.
- Highway of Life

karlbenson

#32
A paid professional audit can vary quite widely which can mean the cost/detail/effectiveness/quality of the audit can vary.

It can be done by a human and/or computer
Analyzing exploits just on the source (with option to combine with known bugs issues that may occur with certain versions of PHP and/or mysql). eg php4.4.1 may have a specific issue with php function 'x' that could be exploited.
The company employed
The level/experience of the security professional
The time allotted

It is also usually customary to stamp the auditors information when referring to a paid audit with a date / version
eg
Performed by PaidSecurityAudit Corp. 28-10-2007 3.0RC2



Re: BlackMage comments and directed towards NeoThermic
Indeed, the last thing I would ever seek to do is (for lack of a better word) cause a flame war about the competition.

My comments so far in this topic are entirely based on personal experience over many years and many installations. (and as such I would feel justified in airing them). [I would also make clear, the inaccuracy of the comparison list did NOT bear out my comments].

If final PHPBB3 resolves all the fundamental issues with previous RC releases then fair do.
But trust is easy to lose, almost impossible to win back.

IchBin™

Highway of life, thanks for posting. It's good to read all this stuff to be able to see a good comparison in some features. As always, competition is good. And from the looks of it, you guys have something good going on with this release. Congrats, and good luck in the future. Look out for SMF 2.0. >:D
IchBin™        TinyPortal

Highway of Life

Quote from: weightman on December 13, 2007, 10:02:54 PM
Good thread. Nice to see discussion between the two leading open-source forum software communities, especially in such a respectful fashion. I like SMF better, that's why I converted to SMF from phpbb. Competition is good, it makes for better software all the way around, just as it does in sport.
Certainly. :)

Quote
Still, I think SMF is ahead right now by far, and I am not looking backward. Let's compare SMF 2 to phpBB 3, and then decide. And if there is a way to work together, I think that would be preferable personally.
Everybody has their own likes and dislikes, as someone famous once said "Nothing is so good, that somebody, somewhere, will not like it" and of course, is true with Software, it can never be absolutely perfect, programmers know there is no such thing, though users expect it. :)

I don't know the status of SMF 2, is it released already?

Quote from: BlackMage on December 13, 2007, 10:06:02 PM
Karl, while we recognize that phpbb might have had problems in the past, we really push to respect everyone's efforts.

In this as well, we harbor no ill will towards them in response to their comparison list, given it might be exclusionary of a few things, but, that is their thing and it's neither here nor there.

To address everyone else: I don't want this to turn into a flame phpbb3 over this dedication thread because they have come a long way since phpbb2.  It's been pretty good overall so far.

This is their day to celebrate their hard work over the past few years. So keep it friendly and respectful or I will have to lock this thread.
Thanks for the kind words.
Our goal is certainly not to make the list an exclusionary list, which is why I'm here, so I'm certainly open to any corrections you guys have about it. :)

This topic kinda reminds me of the Car Insurance Commercials we see all the time, each competitor posting how much you can save over the other company. Funny how you always get the best deal depending on which site you are visiting.

However, unlike Insurance companies, there is no Corporate Greed involved here, there is no money to be made. Only friendly competition, which is why I'm posting in here today, to try and bridge the understanding for both teams. :)
- Highway of Life

NeoThermic

#35
Quote from: karlbenson on December 13, 2007, 10:23:52 PM
A paid professional audit can vary quite widely which can mean the cost/detail/effectiveness/quality of the audit can vary.

It can be done by a human and/or computer
Analyzing exploits just on the source (with option to combine with known bugs issues that may occur with certain versions of PHP and/or mysql). eg php4.4.1 may have a specific issue with php function 'x' that could be exploited.
The company employed
The level/experience of the security professional
The time allotted

It is also usually customary to stamp the auditors information when referring to a paid audit with a date / version
eg
Performed by PaidSecurityAudit Corp. 28-10-2007 3.0RC2

Sure. It was done by hxxp:www.sektioneins.de/content/en.4004.24.28502.content2.html [nonactive] (to be pedantic, by Stefan Esser himself). It was done on the 15.10.07, with a copy of RC5, which resulted in the RC6/7 release.

If the name Stefan Esser didn't ring any bells, he's the guy who used to run the security for PHP itself. He then started up the hxxp:www.hardened-php.net [nonactive]. I'm of the opinion that you couldn't choose anyone better for the task.

NeoThermic

Thantos

Quote from: Highway of Life on December 13, 2007, 10:32:13 PM
as someone famous once said "Nothing is so good, that somebody, somewhere, will not like it"
Ohh I like that or do I dislike it? >:D

Quote
I don't know the status of SMF 2, is it released already?
SMF 2 is still in Beta status and has only been released to charter members.

Douglas

#37
Quote from: Highway of Life
I don't know the status of SMF 2, is it released already?
Nope... I'm waiting for the next beta myself (no ETA as of yet)... got a few forums to upgrade at that point (from the 1.x series).

Quote from: Highway of Life
However, unlike Insurance companies, there is no Corporate Greed involved here, there is no money to be made. Only friendly competition, which is why I'm posting in here today, to try and bridge the understanding for both teams. :)
Nothing more than bragging rights!  ::laughs::  (and no, I'm not a fan of phpBB... I'm what you would call an SMF Purist) Both of the phpBB reps here have handled themselves with grace, dignity and class.  Let's not disrespect them, folks, and return the favors in kind.

Gary

Quote from: Highway of Life on December 13, 2007, 10:32:13 PM
I don’t know the status of SMF 2, is it released already?
Released to Charter Members yes, There's a couple of topics about the status of 2.0 in the Developers Blog. Of course we're only on Beta 1.1 so there's still plenty of work to be done on it. Dang Thantos beat me to it but I can't be bothered to edit my post :P Besides mine kinda states some more useful info ;)

Quote from: Highway of Life on December 13, 2007, 10:32:13 PM
Only friendly competition, which is why I’m posting in here today, to try and bridge the understanding for both teams. :)
Indeed, we may produce different softwares but that doesn't mean that we can't talk to each other like friends. :)

weightman

Highway of life,

You have acquitted yourself well. I stand by my earlier statement that competition is good and all will benefit as a result of it. Still, I think a comparison is really only valid between SMF2 and phpbb 3 since SMF 2 is due out, most likely, in the next couple/few months. Then, a team effort to develop a feature comparison listing would be very cool. And, both can implement/copy the best of each other's work. And the cycle of development continues. Even preferable to that, would be a merging of both projects as I am sure both communities have things to offer.

Still, I am loyal to SMF as I feel it has been extremely supportive to my efforts and the software is more intuitive than the phpbb 2 series I used to run. But, I am not closed minded and will do some testing of phpbb 3.

Thanks for posting. It might be time to retire.
