Some updates on SMF 2.1

Night09 · January 26, 2015, 06:23:05 PM

Quote from: SoLoGHoST on January 26, 2015, 04:13:08 PM
I completely disabled Registration for almost an Entire Month now at the Dream Portal site, that runs SMF (And yes, still getting Spam, but I suppose from Bots that have joined over a month ago). Reasons, were I had over 100 spam bots posting all kinds of things. Having installed a mod, Stop Forum Spam, did help a lot, however, crazy as it is now almost at 1 Million Spam bots blocked, in approx. 6 months that I have had it installed. Also, there are still spam bots getting through, as I had to delete over 500 posts from Spam Bots. And please don't even mention this being a security issue with Dream Portal, as this is happening on all of my SMF Sites, without Dream Portal, everywhere. I just hope that SMF 2.1 has some kind of improvement over this. Doesn't start to happen, until I post a link to my site though, since I suppose, bots don't know it exists until than.

Quote from: Arantor on January 26, 2015, 05:01:20 PM
This is why we set up anti spam Q&A with good questions before we turn registration on...

You need to learn how to implement spam control properly if your plagued like so. Ive got multiple SMF installs and never have this kind of problem. Q&A has worked wonders and also no captcha turned on because its pointless.

Arantor · January 26, 2015, 06:25:23 PM

Especially since in 2.1 I added other stealth measures to combat spam.

austin.bollinger · January 28, 2015, 06:33:16 AM

Arantor · January 28, 2015, 06:38:03 AM

There is not a 'security team' per se, however there are people around in the ecosystem actively involved that are *very* familiar with security issues. Including people that hold Zend certification and over a decade of PHP experience.

If you feel there is a legitimate security concern, please send an email to security at simplemachines.org where it will be looked at and investigated.

margarett · January 28, 2015, 09:10:39 AM

Putting it in another perspective: there are no known security issues in SMF. Even the last ones that were patched all require a compromised admin account or a deliberately "dangerous" action by an admin (in which case all bets are off anyway). So there is nothing to "harden"

If you are interested in helping SMF's development, our github repo is the place to start

Arantor · January 28, 2015, 09:18:36 AM

There are hardening things that can be done above and beyond, but these all fall into the realm of preventative rather than corrective measures.

* Arantor has a plan for a new paid mod

Joshua Dickerson · January 30, 2015, 01:56:49 PM

Quote from: Antes on January 26, 2015, 06:52:17 AM
One thing I'm strongly against yet I'm truly sorry to say but most of the people in SMF (includes some of current developers) don't want to understand, depending on 3rd party too much makes your line of work a lot harder. You start to wait fixes from other people, because you expand the things you are using, which trust me every single new component added to your software not just designed for one thing, increase the risk of getting exposed to different type of vulnerability. So instead taking whole bootstrap & bootstrap rtl, I think its better to sit down and write your own CSS.

I used to agree but then I changed my ways. That is the antithesis of the idea of open source. You make it open source so anyone can find and fix issues and then release that change. Yeah, you might become complacent with checking your third party software but I'm willing to bet you wouldn't be checking that part of your own software anyway. At least someone out there is an expert in that area and you don't have to be. So, you can focus your time on being an expert of your area - thus potentially decreasing issues with it. If you want to fix an issue and the third party software is open source, you can contribute to it. If it follows good programming guidelines, you should be able to distribute your change in your software and not have to worry about forwards compatibility.

Kindred · January 30, 2015, 02:53:23 PM

That is a really big "IF" right there... and I would estimated that 90% or more would actually NOT fall into that category

Antes · January 30, 2015, 03:07:32 PM

Actually if you outsource too much, in this case which is what you say is take everything from its expert, not only you wait fixes but also you load a lot more than you need.

Joshua Dickerson · January 30, 2015, 03:34:13 PM

Quote from: Kindred on January 30, 2015, 02:53:23 PM
That is a really big "IF" right there... and I would estimated that 90% or more would actually NOT fall into that category

What's a big if?

Quote from: Antes on January 30, 2015, 03:07:32 PM
Actually if you outsource too much, in this case which is what you say is take everything from its expert, not only you wait fixes but also you load a lot more than you need.

I used to be overly concerned with that. My entire outlook on development has changed. I used to be the guy that wanted to get every drop of performance, but that comes at a huge cost for making good software. Watch for the 90% issues and grab the low-hanging fruit when you can but focus on writing good code and making software people want to use and develop. If performance is that big of a concern, there are plenty of things you can change to make an application like SMF way faster without writing code.

Kindred · January 30, 2015, 03:38:53 PM

Quote from: Joshua Dickerson on January 30, 2015, 03:34:13 PM
Quote from: Kindred on January 30, 2015, 02:53:23 PM
That is a really big "IF" right there... and I would estimated that 90% or more would actually NOT fall into that category
What's a big if?

Quote from: Joshua Dickerson on January 30, 2015, 01:56:49 PM
If it follows good programming guidelines, you should be able to distribute your change in your software and not have to worry about forwards compatibility.

Antes · January 30, 2015, 04:44:20 PM

When I was searching a new news fader (slider), I see many projects left to dead. Its way too hard to find proper projects which gets some update - open license. Finding the balance is very important in my eyes. If you take a look at SMF 2.1, each outsourced material doing exactly what its asked for (excluding jQuery because its a main dependency for every component).

SoLoGHoST · January 30, 2015, 04:48:52 PM

I'm confused about outsourcing? You mean with a CDN? Also, if you want bare minimum bootstrap, you can customize it and download it just like jQueryUI. Just download only what you need. Add to SMF install, no need to outsource, can be packaged with SMF. In any case, not my call. I just feel that maybe you are wasting valuable time on parts of a product (like Joshua already stated), for very little gain, when you could take advantage of open source code (Bootstrap modals, slideshows, tabs, etc.) that many have already discovered works flawlessly. This would allow your developers to focus on the very heart and soul of what SMF should be.

row
col-xs-{grid size part}
col-s-{grid size part}
col-md-{grid size part}
col-lg-{grid size part}
col-offset-md-{grid size part}

These are all classes that can make your job tons easier... and there's soooo many more!

For example:

Code Select

<div class="row">
    <div class="col-xs-24 col-md-12">Hello, I'm on Left Side in Large devices, and my own row in small devices.</div>
    <div class="col-xs-24 col-md-12">Hello, I'm on Right Side in Large devices, and underneath previous div in small devices.</div>
</div>

"row" class automatically clears element. Many great looking sites built using bootstrap ( http://discoverphl.com , http://libertydiscountfuel.com , http://www.thinkitfirst.com just to name a few that I'm familiar with ). Why rebuild something that has been built with a solid foundation already? Because you don't want to rely on other 3rd party software? This is something you are already doing in SMF anyways. I seriously doubt CSS can cause a huge security risk as much as jQuery does. Many people I work with surprised that Forum software is even still around. SMF has a good chance at maintaining it, but new cutting-edge technologies are making Forum software not so much appealing anymore. Why is HTML 5 not implemented? Especially since HTML 5 has a huge advantage over 4, and has been around for quite some time now. Why is SMF just now starting to use jQuery after all of this time? How did it survive without it? Even moreso, how did it survive without responsive design for all of this time?

The only answer I can think of is, Good People, Good Core, and Good Support!

Antes · January 30, 2015, 04:52:07 PM

CDN is also outsourcing but not the way we are talking it. Bootstrap is not gonna be part of SMF 2.1, maybe for 3.0 but I'm not going to decide that.

http://www.businessdictionary.com/definition/outsourcing.html

Joshua Dickerson · January 30, 2015, 05:30:26 PM

Quote from: Kindred on January 30, 2015, 03:38:53 PM
Quote from: Joshua Dickerson on January 30, 2015, 03:34:13 PM
Quote from: Kindred on January 30, 2015, 02:53:23 PM
That is a really big "IF" right there... and I would estimated that 90% or more would actually NOT fall into that category
What's a big if?

Quote from: Joshua Dickerson on January 30, 2015, 01:56:49 PM
If it follows good programming guidelines, you should be able to distribute your change in your software and not have to worry about forwards compatibility.

Well, you're responsible for finding good software to use.

Antes, so it's already built. Use it in the release you want and you can always change it later. Or, you can continue development with a fork or contributions. That's my point.

Powerbob · April 03, 2015, 03:03:05 AM

Very quiet here

Last post is January 31st.

News:

Some updates on SMF 2.1