SMF 1.1.13, SMF 2.0 RC4 Security Patch, and SMF 2.0 Release Candidate 5

Started by Norv, February 11, 2011, 03:16:35 PM

Previous topic - Next topic

Aleksi "Lex" Kilpinen

Quote from: AmaZulu on February 12, 2011, 12:10:38 AM
I've been using version 1.1 for about 5 years now. By next month I will be using IP.Board and giving them $$$ for the privilege. I wish I could stay with SMF and contribute the money here, but RC5?

Come on. It's just software, not the goddamn declaration of independence. >:(
If you are using 1.1, why are you worried about 2.0? 1.1 is still maintained, and works just fine, and we are not too long from 2.0 final either.
Quote from: FfdG on February 11, 2011, 09:06:48 PM
Quote from: IchBin™ on February 11, 2011, 08:36:03 PM
Care to look in the changelog? What sucks about a security update? And even if you couldn't find any info on that at this site, what's so hard about running a diff?
Vice versa. What's so hard in bundling a set of files? I don't want more than 1000 files, Smileys, unchanged Themes and periodically changed empty lines before EOF. Diff is nice but I still have to build my own patch.
You don't want to hassle with RC updates, but have _chosen_ to use RC versions - Tough luck.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

AmaZulu

There are several features that are in 2.0 that I really need to use and cannot wait for any longer. I won't use RC software on my site. Too risky.

I have found that IPB has all the features I need and will definitely see my community grow.

BTW, there seems to be serious problems with spam registrations on SMF 1.1.*. Nearly every person I know using it has been flooded with them in the past few months. This should be a major priority for SMF.

impreza

Everything nice to have updated - done by hand. Thank you for the updates
Portal ToTemat.pl - treści w postaci artykułów i filmów tematycznych.

sharks

Quote from: AmaZulu on February 12, 2011, 12:10:38 AM
I've been using version 1.1 for about 5 years now. By next month I will be using IP.Board and giving them $$$ for the privilege. I wish I could stay with SMF and contribute the money here, but RC5?

Come on. It's just software, not the goddamn declaration of independence. >:(

LOL. So many people think alike in these hard times for SMF users... When 2.0 finally comes out, i guess the few left will probably just go "meh" and move on. :D In fact, i've just been to IPB a few days ago and inquired about their licence and the conversion process from SMF. IPB is my best option as well.

Let's be honest, RC5 is just another way of stalling the whole thing until the end of 2011 or 2012.

Robert.


Aleksi "Lex" Kilpinen

Quote from: sharks on February 12, 2011, 03:44:07 AM
Let's be honest, RC5 is just another way of stalling the whole thing until the end of 2011 or 2012.
No it's not - It was a must do release, and Final just could not have been release just yet.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF


Antechinus

Quote from: sharks on February 12, 2011, 03:44:07 AMLet's be honest, RC5 is just another way of stalling the whole thing until the end of 2011 or 2012.

No, it is very definitely not that. Far from it.

青山 素子

Quote from: AmaZulu on February 12, 2011, 03:26:25 AM
BTW, there seems to be serious problems with spam registrations on SMF 1.1.*. Nearly every person I know using it has been flooded with them in the past few months. This should be a major priority for SMF.

There are spammer problems with nearly every platform. It's an economic issue, not a technological one. Right now, you can hire humans to solve 1000 image verification puzzles for $1 US. If you use only the built-in protection of the platform, you'll run into problems because a widely-used platform will be targeted for mass automated attacks. Using this human backing, even good services like reCAPTCHA become useless as you have actual humans solving them and allowing spammers to bypass your protections.

The only way to avoid spam is to combine custom technological measures with human monitoring. You have to make your site uneconomical as a target. Using a combination of reCAPTCHA (blocks older automated tools that only work on the default verification), custom question/answer items (standard in 2.0, modification for 1.1), and http:BL, I've had spam registrations and comments drop on my forums from a flood (only the SMF verification) to a handful a week (implemented reCAPTCHA and question/answer) to one or two a month (added http:BL for SMF). Those few are actual humans and there is no real protection against that other than monitoring.


Quote from: sharks on February 12, 2011, 03:44:07 AM
Let's be honest, RC5 is just another way of stalling the whole thing until the end of 2011 or 2012.

Not really. It's a stop-gap because the team has decided to tie the release of the software with a political process that began very late in the development cycle. It's ******ing stupid, but it's what they decided. If this wasn't the case, it is likely that RC5 would have been an actual gold release. Instead, they further alienate what little passionate community members they have with total bull******.

I would have just released 2.0 under the old license and then made a point release under a new license when the license work was complete rather than let the popularity languish and seed doubt of viability of the project. It wouldn't be too difficult to also re-release the older points with the new license at a later time if they really wanted to.

Instead, the software is being held hostage to legal antics from a last-minute decision. Typical.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Antechinus


sharks

From the admin panel of my SMF 1.1.12, i see this mini-bug:

SMF 1.1.13, 2.0 RC4 security patch and SMF 2.0 RC5 released on November 01, 2010, 12:14:21 PM

SMF 2.0 RC4 and SMF 1.1.12 released on November 01, 2010, 12:14:21 PM

Note that the date for the current release is the same as the previous release.

Mari-chi

Congrats on the release. :3

Decided to install the security patch first before I decide whether I want to to an upgrade to RC5 or not... It's going to be a major headache. T_T

b4pjoe

Quote from: Antechinus on February 12, 2011, 04:20:54 AM
And that is about as accurate as Shark's guess. :)

Maybe you (or anyone in the know) could enlighten everyone with the real truth then? If you don't want all these theories bandied about maybe some real facts might quell some of the unrest.

sharks

Quote from: joec88 on February 12, 2011, 04:46:06 AM
Quote from: Antechinus on February 12, 2011, 04:20:54 AM
And that is about as accurate as Shark's guess. :)

Maybe you (or anyone in the know) could enlighten everyone with the real truth then? If you don't want all these theories bandied about maybe some real facts might quell some of the unrest.
Let me know when you get a proper answer to that. I could use some enlightenment on what is really going on with SMF myself.
I wouldn't be surprised if all that mess just translated into a paid forked venture, since the SMF team is so historically unstable.

Some of the team members are saying:
Quote from: LexArma on February 12, 2011, 03:46:01 AM
No it's not - It was a must do release, and Final just could not have been release just yet.

Others are saying:
Quote from: Labradoodle-360 on February 11, 2011, 04:23:46 PM
Uhm no? SMF 2.0 RC5 is basically 2.0 final

And some are even running away...
Quote from: Dismal Shadow on February 11, 2011, 10:15:39 PM
* Dismal Shadow foresee RC6...

* Dismal Shadow runs away

LOL. Seriously, WTF?

AmaZulu

Quote from: 青山 素子 on February 12, 2011, 04:03:03 AM

There are spammer problems with nearly every platform. It's an economic issue, not a technological one. Right now, you can hire humans to solve 1000 image verification puzzles for $1 US. If you use only the built-in protection of the platform, you'll run into problems because a widely-used platform will be targeted for mass automated attacks. Using this human backing, even good services like reCAPTCHA become useless as you have actual humans solving them and allowing spammers to bypass your protections.

The only way to avoid spam is to combine custom technological measures with human monitoring. You have to make your site uneconomical as a target. Using a combination of reCAPTCHA (blocks older automated tools that only work on the default verification), custom question/answer items (standard in 2.0, modification for 1.1), and http:BL, I've had spam registrations and comments drop on my forums from a flood (only the SMF verification) to a handful a week (implemented reCAPTCHA and question/answer) to one or two a month (added http:BL for SMF). Those few are actual humans and there is no real protection against that other than monitoring.

Not really. It's a stop-gap because the team has decided to tie the release of the software with a political process that began very late in the development cycle. It's ******ing stupid, but it's what they decided. If this wasn't the case, it is likely that RC5 would have been an actual gold release. Instead, they further alienate what little passionate community members they have with total bull******.

I would have just released 2.0 under the old license and then made a point release under a new license when the license work was complete rather than let the popularity languish and seed doubt of viability of the project. It wouldn't be too difficult to also re-release the older points with the new license at a later time if they really wanted to.

Instead, the software is being held hostage to legal antics from a last-minute decision. Typical.

My team and I are now approving all registrations manually. However, in my investigations with IPB I see that they have a service to help build a database of IP's and ranges used by spammers. Eventually they'll run out of IP's (we hope :)).

Personally I think it's a crying shame that something so banal as a license change is going to chase so many users away from what was a great piece of software.

FWIW I'd still like to thank those members of the development team who have helped make this software. It's changed my life for the better. But, I have to move on. I can't be waylaid indefinitely and there are many of us who share the same disappointment that you couldn't release a stable 2.0 at least a year ago already.

NanoSector

Quote from: Mari-chi on February 12, 2011, 04:27:19 AM
Congrats on the release. :3

Decided to install the security patch first before I decide whether I want to to an upgrade to RC5 or not... It's going to be a major headache. T_T
Upgrading seriously is no headache.

I did it now on two forums and everything was done smoothly.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

sharks

Quote from: Simple Series team on February 12, 2011, 05:46:02 AM
Quote from: Mari-chi on February 12, 2011, 04:27:19 AM
Congrats on the release. :3

Decided to install the security patch first before I decide whether I want to to an upgrade to RC5 or not... It's going to be a major headache. T_T
Upgrading seriously is no headache.

I did it now on two forums and everything was done smoothly.

Upgrading to yet another RC is no hassle, unless you are using custom themes, modifications and have made manual edits or personal tweaks to your RC4 forums... which pretty much makes upgrading a real PITA, as it is an unnecessary loss of time and energy for admins, since 2.0 final will require as much work when it's released.
My SMF forums will stay freezed at RC4 until 2.0 final is released, or until i move out of this endless and hopeless loop completely, and convert to IPB.

NanoSector

Quote from: sharks on February 12, 2011, 05:54:00 AM
Quote from: Simple Series team on February 12, 2011, 05:46:02 AM
Quote from: Mari-chi on February 12, 2011, 04:27:19 AM
Congrats on the release. :3

Decided to install the security patch first before I decide whether I want to to an upgrade to RC5 or not... It's going to be a major headache. T_T
Upgrading seriously is no headache.

I did it now on two forums and everything was done smoothly.

Upgrading to yet another RC is no hassle, unless you are using custom themes, modifications and have made manual edits or personal tweaks to your RC4 forums... which pretty much makes upgrading a real PITA, as it is an unnecessary loss of time and energy for admins, since 2.0 final will require as much work when it's released.
Old themes (from RC3) were still compatible with RC5 when I upgraded. This will not apply to all themes, though.

Mods need to be reinstalled but no loss of data. Luckily (else my site would have a BIIG problem if Adk Portal has lost it's data).
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

[SiNaN]

For those who find it difficult to do a large upgrade; there is the RC4 security patch you can use, which only includes the security fixes.

For those who are confused because of various theories; the ones with the team badges would know the best.
Former SMF Core Developer | My Mods | SimplePortal

Advertisement: