Installer glitch?

Started by Sir Osis of Liver, January 30, 2020, 06:13:15 PM

Sir Osis of Liver

install.php in 2.0.17 package displays odd default settings for database parameters.  What's up with that?
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

shawnb61

Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Sir Osis of Liver

I'll have to run it again, hold on ........

Database name:  smf_e91zg
Table prefix:  xtc_

Values change with every refresh.

shawnb61

No, not a glitch.  Part of 2.0.16.  It's even highlighted near the top of the changelog.  You can override the defaults if desired.

Sir Osis of Liver

Why was this done?  It would be confusing to new users because the database name and prefix are already created before install is run, and they'll see different values when they run it, and they change every time they run it.

shawnb61

Users can override them, exactly as they would need to today. 

The reason is security.  In general, the less an outsider knows about your environment config the better. 

Sir Osis of Liver

Don't see the point to that, and it will cause confusion for users.

Illori

Quote from: Sir Osis of Liver on January 31, 2020, 09:37:19 PM
Don't see the point to that, and it will cause confusion for users.


it has not to date. i don't think users actually know what a database prefix is and why it may be confusing.

Sir Osis of Liver

Well, it confuses me.  Why would you want to display a random database name and prefix?    If they use the default settings, database won't connect, and most won't know what to do.  Doesn't make sense.

shawnb61

There were always defaults provided.   They can be overwritten by the user when needed - just like in the past. The only difference is that now the db & prefix are randomized.

Sir Osis of Liver

Old defaults were smf and smf_ , I think that's a lot less confusing, and don't see the purpose of changing it.  If anything, the db name should be blank.  You're dealing with users who've never seen this before, it should be as simple and obvious as possible.

Illori

i believe it was said somewhere in the team boards that this had something to do with making the cookie for the users more secure. i am not sure exactly how that works though.

Sir Osis of Liver

<sigh>  A bad solution for a non-problem. :P

Illori

Quote from: Sir Osis of Liver on February 02, 2020, 04:53:23 PM
<sigh>  A bad solution for a non-problem. :P


how can you say it is a non-problem when you are not aware of the issue at hand?

Sir Osis of Liver

Have there been any problems with insecure cookies?  I've never seen one.  Some of the forum owners I've dealt with would go brain dead if they saw this in an install.  Would be interested in knowing what prompted the change.

Illori

you know our policy, we don't share security issues with the public.

Kindred

it's not a bad solution -- and it's not a non-problem.

Just because you don't like it doesn't mean that it was a bad idea or that it wasn't needed.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Sir Osis of Liver

As I'm sure you're aware, one of the major problems in software development is that developers at some point lose the ability to see their software from the viewpoint of the typical user.  It's less a question of personal preference than a different point of view.  In the end, it's the users who matter, not the devs (ref. Win 8.0).

Kindred

:P   I'm not a developer.


And - from the standpoint of a typical user -- most of them don't even consider the prefix - which makes this security update even more important.

m4z

Quote from: Sir Osis of Liver on February 03, 2020, 11:57:59 AM
As I'm sure you're aware, one of the major problems in software development is that developers at some point lose the ability to see their software from the viewpoint of the typical user.

As I'm sure you're aware, one of the other major problems in software development is that every user thinks they're the typical user when they're not.
As I'm sure you're aware, even specifying what is "typical" can be hard when multiple components of the stack (hosting situation, OS, DB, httpd, PHP, ...) are interchangeable, and the software is targeting everybody and their dog as potential users/admins.

You're biased, because you know the deprecated way and don't like the new way. Also, you're a "poweruser".
New users, less technical users or the Average Forgetful Joe following https://wiki.simplemachines.org/smf/Installing will not care what the prefix is, and if they do, they'll change it during install.
"Faith is what you have in things that don't exist."
--Homer Simpson

There is a German support board here in the forum!

Sir Osis of Liver

Kindred and I have had this discussion before, it's my feeling he's been on the inside too long to be able to view the software realistically from the outside.  That's not intended as a criticism, just an observation.  I've dealt with enough forums to have a pretty good idea how users at various levels of proficiency, or lack thereof, approach the software.  There may well be a good reason for tinkering with the installer, but I think the way it was done will be confusing to some new users.  The installer is often the first contact they have with SMF, and randomly filling the database input fields with gibberish seems a bad idea to me.  I've never seen any software or website do this.  There must be a better way to accomplish whatever this change was intended to do.

Kindred

Several other platforms do this...
And no, I am not "on the inside too long". I have helped nearly as many sites as you do, and support a bunch of sites, smf, wordpress and joomla.  So I actually do know what I am talking about.

Seriously, as m4z says, if they know what the prefix means, they can/will change it. If they don't know, then it won't matter what is used, and the random prefix is more secure for them.  Seriously, you are falling into your own trap here. You've been doing it so long one way that you can't conceive that there is a reason for the change.

Sir Osis of Liver

Obviously, I don't know the reason for the change, it's been a while since I had access to team boards.  I think the database name will be more problematic than prefix, that can be random, but the name must be what the user set up in cpanel.  I don't know what they will think when they see the field filled with random text that changes when refreshed.  I can't suggest an alternate solution as I don't know why it was done, it just seems a bad way to do it.

Kindred

... and we are telling you that your perception (that this is a bad way to do it) is incorrect.

The idea was thought, reviewed, and discussed. This is actually a standard practice and has been since 2016.

It's minor... not a huge security bump, but every little bit helps.

Sir Osis of Liver

Well, I'm once again outranked and outnumbered.  It's not easy being a cranky old guy. >:(